From 87730adcff8b58ce55c6d3f8fe9223c7d39c69ef Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Tue, 29 Aug 2023 21:11:55 +0200
Subject: prometheus/smartmon textfile collector: since this unit needs
 CAP_SYS_ADMIN we need to forbid @mount syscalls to prevent the process from
 escaping the sandbox

---
 .../node/templates/textfile-collector-scripts/smartmon.service.j2        | 1 +
 1 file changed, 1 insertion(+)

(limited to 'roles/monitoring')

diff --git a/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2 b/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2
index 8d91677b..71ce0492 100644
--- a/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2
+++ b/roles/monitoring/prometheus/exporter/node/templates/textfile-collector-scripts/smartmon.service.j2
@@ -26,6 +26,7 @@ RestrictNamespaces=true
 RestrictRealtime=true
 RestrictAddressFamilies=AF_UNIX
 SystemCallArchitectures=native
+SystemCallFilter=~@mount
 
 [Install]
 WantedBy=multi-user.target
-- 
cgit v1.2.3