From 9ce468e30f95d32f993d14ab0ce7c67b1b25f1f1 Mon Sep 17 00:00:00 2001
From: Dominique Martinet
Date: Tue, 4 Jun 2024 15:24:47 +0900
Subject: [PATCH] seccomp: allow perf_event_open if CAP_PERFMON

This doesn't deny anything new (perf_event_open is currently allowed for SYS_ADMIN)

Signed-off-by: Dominique Martinet
---
 common/pkg/seccomp/default_linux.go | 23 ++++++++++++++++++++-
 common/pkg/seccomp/seccomp.json | 32 ++++++++++++++++++++++++++++-
 2 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/common/pkg/seccomp/default_linux.go b/common/pkg/seccomp/default_linux.go
index 01ec26226f..4354eb22aa 100644
--- a/common/pkg/seccomp/default_linux.go
+++ b/common/pkg/seccomp/default_linux.go
@@ -616,7 +616,6 @@ func DefaultProfile() *Seccomp {
 				"bpf",
 				"fanotify_init",
 				"lookup_dcookie",
-				"perf_event_open",
 				"quotactl",
 				"quotactl_fd",
 				"setdomainname",
@@ -920,6 +919,28 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_BPF"},
 			},
 		},
+		{
+			Names: []string{
+				"perf_event_open",
+			},
+			Action: ActErrno,
+			Errno: "EPERM",
+			ErrnoRet: &eperm,
+			Args: []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_ADMIN", "CAP_BPF"},
+			},
+		},
+		{
+			Names: []string{
+				"perf_event_open",
+			},
+			Action: ActAllow,
+			Args: []*Arg{},
+			Includes: Filter{
+				Caps: []string{"CAP_PERFMON"},
+			},
+		},
 	}
 
 	return &Seccomp{
diff --git a/common/pkg/seccomp/seccomp.json b/common/pkg/seccomp/seccomp.json
index 7956ecd59d..a690bc1112 100644
--- a/common/pkg/seccomp/seccomp.json
+++ b/common/pkg/seccomp/seccomp.json
@@ -693,7 +693,6 @@
 				"bpf",
 				"fanotify_init",
 				"lookup_dcookie",
-				"perf_event_open",
 				"quotactl",
 				"quotactl_fd",
 				"setdomainname",
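Review bot: The `Excludes` filter of the new EPERM entry for perf_event_open lists CAP_SYS_ADMIN and CAP_BPF but not CAP_PERFMON, so a container holding only CAP_PERFMON is matched by both this EPERM rule and the new CAP_PERFMON ActAllow rule for the same syscall with no argument conditions; the exclusion set looks copied from the bpf entry just above, but CAP_BPF is not what gates perf_event_open in the kernel, CAP_PERFMON is. I'd change it to `Caps: []string{"CAP_SYS_ADMIN", "CAP_PERFMON"},` so each capability set selects exactly one of the two entries (with CAP_BPF alone the call currently falls through to the profile's default action rather than EPERM). Whether two unconditional rules with different actions fail to load or resolve in an unspecified order depends on how the runtime feeds them to libseccomp, so a CAP_PERFMON-only case belongs in the profile tests. Separately, the first hunk drops perf_event_open from the shared names list while `bpf` remains in that list alongside its own CAP_BPF entries; if that list is the CAP_SYS_ADMIN allow rule (its action is outside the hunk), a container with CAP_SYS_ADMIN but not CAP_PERFMON is no longer matched by any perf_event_open rule, which contradicts the commit message, so I'd keep it there. Allowing the syscall at the seccomp layer does not bypass the kernel's own perfmon_capable()/perf_event_paranoid checks, so the ActAllow rule only removes the sandbox layer for containers explicitly granted CAP_PERFMON.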
@@ -1095,6 +1094,37 @@
 				]
 			},
 			"excludes": {}
+		},
+		{
+			"names": [
+				"perf_event_open"
+			],
+			"action": "SCMP_ACT_ERRNO",
+			"args": [],
+			"comment": "",
+			"includes": {},
+			"excludes": {
+				"caps": [
+					"CAP_SYS_ADMIN",
+					"CAP_BPF"
+				]
+			},
+			"errnoRet": 1,
+			"errno": "EPERM"
+		},
+		{
+			"names": [
+				"perf_event_open"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_PERFMON"
+				]
+			},
+			"excludes": {}
 		}
 	]
 }
\ No newline at end of file
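Review bot: The `excludes.caps` list of the new SCMP_ACT_ERRNO entry names CAP_SYS_ADMIN and CAP_BPF but not CAP_PERFMON, so for a container that holds only CAP_PERFMON this entry and the following SCMP_ACT_ALLOW entry both apply to perf_event_open with empty `args`, leaving the outcome to however the runtime handles two conflicting unconditional rules for one syscall. The exclusion should read `"CAP_SYS_ADMIN", "CAP_PERFMON"` so that each capability set selects exactly one of the two entries; CAP_BPF does not grant perf_event_open in the kernel, so excluding it only changes the error from EPERM to the profile's default action for CAP_BPF-only containers. This file mirrors the Go profile in default_linux.go entry for entry, so the same correction is needed on both sides, and the JSON is presumably regenerated from the Go profile rather than edited by hand, which is worth confirming so the two do not drift.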