nixcfg/cluster/prod/app/telemetry/config/smartctl-seccomp.json

{
	"defaultAction": "SCMP_ACT_ERRNO",
	"defaultErrnoRet": 1,
	"architectures": [
           "SCMP_ARCH_X86_64"
	],
	"syscalls": [
		{
			"names": [
				"rt_sigaction",
				"rt_sigprocmask",
				"getpid",
				"fcntl",
				"fstatfs",
				"gettid",
				"futex",
				"getdents64",
				"epoll_ctl",
				"tgkill",
				"openat",
				"read",
				"close",
				"nanosleep",
				"getsockname",
				"setsockopt",
				"chdir",
				"capget",
				"prctl",
				"accept4",
				"fstat",
				"getcwd",
				"setuid",
				"setgid",
				"setgroups",
				"capset",
				"newfstatat",
				"write",
				"writev",
				"mmap",
				"brk",
				"rt_sigreturn",
				"access",
				"execve",
				"getppid",
				"exit_group",
				"faccessat2",
				"mprotect",
				"pread64",
				"arch_prctl",
				"set_tid_address",
				"set_robust_list",
				"rseq",
				"munmap",
				"madvise",
				"sigaltstack",
				"statfs",
				"waitid",
				"readlinkat",
				"eventfd2",
				"epoll_create1",
				"pipe2",
				"pidfd_send_signal",
				"pidfd_open",
				"readlink",
				"epoll_pwait",
				"dup3",
				"bind",
				"listen",
				"getrliimt",
				"sched_getaffinity",
				"sched_yield"
			],
			"action": "SCMP_ACT_ALLOW",
			"comment": "globally needed by the go runtime"
		},
		{
			"names": [
                                "open",
                                "uname"
			],
			"action": "SCMP_ACT_ALLOW",
			"comment": "Used by smartctl"
		},
		{
			"names": [
                                "ioctl"
			],
			"action": "SCMP_ACT_ALLOW",
			"comment": "allow SG_IO (aka SCSCI commands) on ioctl as it's what's used to read SMART data",
			"args": [
				{
					"index": 1,
					"value": 8837,
					"op": "SCMP_CMP_EQ"
				}
			]
		},
		{
			"names": [
                                "ioctl"
			],
			"action": "SCMP_ACT_ALLOW",
			"comment": "allow NVME_IOCTL_ID command (0x4e40) on ioctl as it's what's used to read data on NVMe devices",
			"args": [
				{
					"index": 1,
					"value": 20032,
					"op": "SCMP_CMP_EQ"
				}
			]
		},
		{
			"names": [
                                "ioctl"
			],
			"action": "SCMP_ACT_ALLOW",
			"comment": "allow NVME_IOCTL_ADMIN_CMD command (0xc0484e41) on ioctl as it's what's used to read data on NVMe devices. For some reason, it needs to be encoded as 0xffffffffc0484e41",
			"args": [
				{
					"index": 1,
					"value": 18446744072640548417,
					"op": "SCMP_CMP_EQ"
				}
			]
		},
		{
			"names": [
                                "ioctl"
			],
			"action": "SCMP_ACT_ERRNO",
			"comment": "Debug to allow/deny all ioctl (change to _LOG, _ALLOW, or _ERRNO appropriately)"
		},
		{
			"names": [
				"clone"
			],
			"action": "SCMP_ACT_ALLOW",
			"comment": "partially allow clone as per docker config",
			"args": [
				{
					"index": 0,
					"value": 2114060288,
					"op": "SCMP_CMP_MASKED_EQ"
				}
			]
		},
				{
			"names": [
				"clone3"
			],
			"action": "SCMP_ACT_ERRNO",
			"comment": "disable clone3 in a specific way as per docker's default config",
			"errnoRet": 38
		},
		{
			"names": [
				"socket"
			],
			"action": "SCMP_ACT_ALLOW",
			"comment": "allow IPv4 sockets",
			"args": [
				{
					"index": 0,
					"value": 2,
					"op": "SCMP_CMP_EQ"
				}
			]
		}
	]
}