prometheus/smartmon textfile collector: since this unit needs CAP_SYS_ADMIN we need to forbid @mount syscalls to prevent the process from escaping the sandbox

author: Christian Pointner <equinox@spreadspace.org> 2023-08-29 21:11:55 +0200
committer: Christian Pointner <equinox@spreadspace.org> 2023-08-29 21:11:55 +0200
commit: 87730adcff8b58ce55c6d3f8fe9223c7d39c69ef (patch)
tree: afe1dbef0d1b2863200d664a94842e76e331c4c3 /roles/monitoring/prometheus/exporter/node
parent: grafana: delete automatically installed dashboards that are no longer needed (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2 b/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2
index 8d91677b..71ce0492 100644
--- a/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2
+++ b/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2
@@ -26,6 +26,7 @@ RestrictNamespaces=true
 RestrictRealtime=true
 RestrictAddressFamilies=AF_UNIX
 SystemCallArchitectures=native
+SystemCallFilter=~@mount
 
 [Install]
 WantedBy=multi-user.target
author	Christian Pointner <equinox@spreadspace.org>	2023-08-29 21:11:55 +0200
committer	Christian Pointner <equinox@spreadspace.org>	2023-08-29 21:11:55 +0200
commit	87730adcff8b58ce55c6d3f8fe9223c7d39c69ef (patch)
tree	afe1dbef0d1b2863200d664a94842e76e331c4c3 /roles/monitoring/prometheus/exporter/node
parent	grafana: delete automatically installed dashboards that are no longer needed (diff)