2 files changed, 28 insertions, 7 deletions

diff --git a/TODO b/TODO
index 38b9040477..f0ba992d1f 100644
--- a/TODO
+++ b/TODO
@@ -29,10 +29,6 @@ Features:
 * Add service setting to run a service within the specified VRF. i.e. do the
   equivalent of "ip vrf exec".
 
-* systemd-analyze syscall-filter should show a list of syscalls listed in
-  @known but not in other groups (at least at debug level), since they are
-  candidates to be added to them.
-
 * export action of device object on sd-device, so that monitor becomes useful
 
 * add root=tmpfs that mounts a tmpfs to /sysroot (to be used in combination
diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c
index 591ba6d33c..9a0b1a7bbf 100644
--- a/src/analyze/analyze.c
+++ b/src/analyze/analyze.c
@@ -1685,7 +1685,7 @@ static int load_kernel_syscalls(Set **ret) {
         return 0;
 }
 
-static void kernel_syscalls_remove(Set *s, const SyscallFilterSet *set) {
+static void syscall_set_remove(Set *s, const SyscallFilterSet *set) {
         const char *syscall;
 
         NULSTR_FOREACH(syscall, set->value) {
@@ -1716,9 +1716,14 @@ static int dump_syscall_filters(int argc, char *argv[], void *userdata) {
         (void) pager_open(arg_pager_flags);
 
         if (strv_isempty(strv_skip(argv, 1))) {
-                _cleanup_set_free_ Set *kernel = NULL;
+                _cleanup_set_free_ Set *kernel = NULL, *known = NULL;
+                const char *sys;
                 int i, k;
 
+                NULSTR_FOREACH(sys, syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].value)
+                        if (set_put_strdup(&known, sys) < 0)
+                                return log_oom();
+
                 k = load_kernel_syscalls(&kernel);
 
                 for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
@@ -1727,10 +1732,30 @@ static int dump_syscall_filters(int argc, char *argv[], void *userdata) {
                                 puts("");
 
                         dump_syscall_filter(set);
-                        kernel_syscalls_remove(kernel, set);
+                        syscall_set_remove(kernel, set);
+                        if (i != SYSCALL_FILTER_SET_KNOWN)
+                                syscall_set_remove(known, set);
                         first = false;
                 }
 
+                if (!set_isempty(known)) {
+                        _cleanup_free_ char **l = NULL;
+                        char **syscall;
+
+                        printf("\n"
+                               "# %sUngrouped System Calls%s (known but not included in any of the groups except @known):\n",
+                               ansi_highlight(), ansi_normal());
+
+                        l = set_get_strv(known);
+                        if (!l)
+                                return log_oom();
+
+                        strv_sort(l);
+
+                        STRV_FOREACH(syscall, l)
+                                printf("#   %s\n", *syscall);
+                }
+
                 if (k < 0) {
                         fputc('\n', stdout);
                         fflush(stdout);