authorChristian Pointner <equinox@spreadspace.org>2023-08-29 21:11:55 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-08-29 21:11:55 +0200
commit87730adcff8b58ce55c6d3f8fe9223c7d39c69ef (patch)
treeafe1dbef0d1b2863200d664a94842e76e331c4c3 /roles/monitoring/prometheus/exporter/node
parentgrafana: delete automatically installed dashboards that are no longer needed (diff)
prometheus/smartmon textfile collector: since this unit needs CAP_SYS_ADMIN we need to forbid @mount syscalls to prevent the process from escaping the sandbox
Diffstat (limited to 'roles/monitoring/prometheus/exporter/node')
-rw-r--r--roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j21
1 files changed, 1 insertions, 0 deletions
diff --git a/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2 b/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2
index 8d91677b..71ce0492 100644
--- a/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2
+++ b/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2
@@ -26,6 +26,7 @@ RestrictNamespaces=true
RestrictRealtime=true
RestrictAddressFamilies=AF_UNIX
SystemCallArchitectures=native
+SystemCallFilter=~@mount
[Install]
WantedBy=multi-user.target
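Review bot: The new `SystemCallFilter=~@mount` line denies a single syscall group, so every other call available to a process holding CAP_SYS_ADMIN stays reachable; starting from an allow-list, `SystemCallFilter=@system-service` with `SystemCallFilter=~@mount` kept after it, would bound the unit more tightly, provided the collector script and smartctl still run under it. Which calls `@mount` covers depends on the systemd version on the target host (the newer fsopen/fsmount/move_mount family was, as far as I recall, added to the group later than mount/umount2), so it is worth checking `systemd-analyze syscall-filter @mount` on the oldest distribution this role supports. A comment above the line, e.g. `# unit keeps CAP_SYS_ADMIN: deny @mount so the process stays inside the sandbox`, would carry the rationale from the commit message into the template. The [Service] section begins outside the hunk, so the capability settings themselves are not visible here.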