superboum · March 18, 2025 22:35
diff --git a/prometheus-seccomp.json b/prometheus-seccomp.json
 {
 	"defaultAction": "SCMP_ACT_ERRNO",
 	"defaultErrnoRet": 1,
 	"architectures": [
           "SCMP_ARCH_X86_64"
 	],
 	"syscalls": [
 		{
 			"names": [
 				"rt_sigaction",
 				"rt_sigprocmask",
 				"getpid",
 				"fcntl",
 				"fstatfs",
 				"gettid",
 				"futex",
 				"getdents64",
 				"epoll_ctl",
 				"tgkill",
 				"openat",
 				"read",
 				"close",
 				"nanosleep",
 				"getsockname",
 				"setsockopt",
 				"chdir",
 				"capget",
 				"prctl",
 				"accept4",
 				"fstat",
 				"getcwd",
 				"setuid",
 				"setgid",
 				"setgroups",
 				"capset",
 				"newfstatat",
 				"write",
 				"mmap",
 				"brk",
 				"rt_sigreturn",
 				"access",
 				"execve",
 				"getppid",
 				"exit_group",
 				"faccessat2",
 				"mprotect",
 				"pread64",
 				"arch_prctl",
 				"set_tid_address",
 				"set_robust_list",
 				"rseq",
 				"munmap",
 				"madvise",
 				"sigaltstack",
 				"statfs",
 				"waitid",
 				"readlinkat",
 				"eventfd2",
 				"epoll_create1",
 				"pipe2",
 				"pidfd_send_signal",
 				"pidfd_open",
 				"readlink",
 				"epoll_pwait",
 				"dup3",
 				"bind",
 				"listen"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"comment": "globally needed by the go runtime"
 		},
 		{
                        "names": [
                                "ioctl"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"comment": "allow only SG_IO (aka SCSCI commands) on ioctl as it's what's used to read SMART data",
 			"args": [
 				{
 					"index": 1,
 					"value": 8837,
 					"op": "SCMP_CMP_EQ"
 				}
 			]
 		},
 		{
 			"names": [
 				"clone"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"comment": "partially allow clone as per docker config",
 			"args": [
 				{
 					"index": 0,
 					"value": 2114060288,
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			]
 		},
 				{
 			"names": [
 				"clone3"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"comment": "disable clone3 in a specific way as per docker's default config",
 			"errnoRet": 38
 		},
 		{
 			"names": [
                                "ioctl"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"comment": "allow NVME_IOCTL_ID command (0x4e40) on ioctl as it's what's used to read data on NVMe devices",
 			"args": [
 				{
 					"index": 1,
 					"value": 20032,
 					"op": "SCMP_CMP_EQ"
 				}
 			]
 		},
 		{
 			"names": [
                                "ioctl"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"comment": "allow NVME_IOCTL_ADMIN_CMD command (0xc0484e41) on ioctl as it's what's used to read data on NVMe devices",
 			"args": [
 				{
 					"index": 1,
 					"value": 3225964097,
 					"op": "SCMP_CMP_EQ"
 				}
 			]
 		},
 		{
 			"names": [
 				"socket"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"comment": "allow IPv4 sockets",
 			"args": [
 				{
 					"index": 0,
 					"value": 2,
 					"op": "SCMP_CMP_EQ"
 				}
 			]
 		}
 	]
 }
	{
	"defaultAction": "SCMP_ACT_ERRNO",
	"defaultErrnoRet": 1,
	"architectures": [
	"SCMP_ARCH_X86_64"
	],
	"syscalls": [
	{
	"names": [
	"rt_sigaction",
	"rt_sigprocmask",
	"getpid",
	"fcntl",
	"fstatfs",
	"gettid",
	"futex",
	"getdents64",
	"epoll_ctl",
	"tgkill",
	"openat",
	"read",
	"close",
	"nanosleep",
	"getsockname",
	"setsockopt",
	"chdir",
	"capget",
	"prctl",
	"accept4",
	"fstat",
	"getcwd",
	"setuid",
	"setgid",
	"setgroups",
	"capset",
	"newfstatat",
	"write",
	"mmap",
	"brk",
	"rt_sigreturn",
	"access",
	"execve",
	"getppid",
	"exit_group",
	"faccessat2",
	"mprotect",
	"pread64",
	"arch_prctl",
	"set_tid_address",
	"set_robust_list",
	"rseq",
	"munmap",
	"madvise",
	"sigaltstack",
	"statfs",
	"waitid",
	"readlinkat",
	"eventfd2",
	"epoll_create1",
	"pipe2",
	"pidfd_send_signal",
	"pidfd_open",
	"readlink",
	"epoll_pwait",
	"dup3",
	"bind",
	"listen"
	],
	"action": "SCMP_ACT_ALLOW",
	"comment": "globally needed by the go runtime"
	},
	{
	"names": [
	"ioctl"
	],
	"action": "SCMP_ACT_ALLOW",
	"comment": "allow only SG_IO (aka SCSCI commands) on ioctl as it's what's used to read SMART data",
	"args": [
	{
	"index": 1,
	"value": 8837,
	"op": "SCMP_CMP_EQ"
	}
	]
	},
	{
	"names": [
	"clone"
	],
	"action": "SCMP_ACT_ALLOW",
	"comment": "partially allow clone as per docker config",
	"args": [
	{
	"index": 0,
	"value": 2114060288,
	"op": "SCMP_CMP_MASKED_EQ"
	}
	]
	},
	{
	"names": [
	"clone3"
	],
	"action": "SCMP_ACT_ERRNO",
	"comment": "disable clone3 in a specific way as per docker's default config",
	"errnoRet": 38
	},
	{
	"names": [
	"ioctl"
	],
	"action": "SCMP_ACT_ALLOW",
	"comment": "allow NVME_IOCTL_ID command (0x4e40) on ioctl as it's what's used to read data on NVMe devices",
	"args": [
	{
	"index": 1,
	"value": 20032,
	"op": "SCMP_CMP_EQ"
	}
	]
	},
	{
	"names": [
	"ioctl"
	],
	"action": "SCMP_ACT_ALLOW",
	"comment": "allow NVME_IOCTL_ADMIN_CMD command (0xc0484e41) on ioctl as it's what's used to read data on NVMe devices",
	"args": [
	{
	"index": 1,
	"value": 3225964097,
	"op": "SCMP_CMP_EQ"
	}
	]
	},
	{
	"names": [
	"socket"
	],
	"action": "SCMP_ACT_ALLOW",
	"comment": "allow IPv4 sockets",
	"args": [
	{
	"index": 0,
	"value": 2,
	"op": "SCMP_CMP_EQ"
	}
	]
	}
	]
	}