From 46d01fc263701bcb42d69e2f1bddf828b6dad8d7 Mon Sep 17 00:00:00 2001
From: Jonathon Anderson
Date: Wed, 29 Oct 2025 23:39:03 +0000
Subject: [PATCH] seccomp: allow perf_event_open if CAP_PERFMON

Previously perf_event_open was only allowed if both CAP_SYS_ADMIN and CAP_PERFMON were granted. CAP_SYS_ADMIN in particular is a very overloaded capability and is best avoided. This commit enables perf_event_open if either (or both) capabilities are set, in particular this enables containers with only CAP_PERFMON to profile itself. This change does not deny anything new, nor does it enable perf_event_open by default.

Signed-off-by: Jonathon Anderson
---
 common/pkg/seccomp/default_linux.go | 4 ++--
 common/pkg/seccomp/seccomp.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/common/pkg/seccomp/default_linux.go b/common/pkg/seccomp/default_linux.go
index 3013765667..33d881472c 100644
--- a/common/pkg/seccomp/default_linux.go
+++ b/common/pkg/seccomp/default_linux.go
@@ -616,6 +616,7 @@ func DefaultProfile() *Seccomp {
 Names: []string{
 "bpf",
 "lookup_dcookie",
+ "perf_event_open",
 "quotactl",
 "quotactl_fd",
 "setdomainname",
@@ -631,7 +632,6 @@ func DefaultProfile() *Seccomp {
 {
 Names: []string{
 "lookup_dcookie",
- "perf_event_open",
 "quotactl",
 "quotactl_fd",
 "setdomainname",
@@ -927,7 +927,7 @@ func DefaultProfile() *Seccomp {
 ErrnoRet: &eperm,
 Args: []*Arg{},
 Excludes: Filter{
- Caps: []string{"CAP_SYS_ADMIN", "CAP_BPF"},
+ Caps: []string{"CAP_SYS_ADMIN", "CAP_PERFMON"},
 },
 },
 {
diff --git a/common/pkg/seccomp/seccomp.json b/common/pkg/seccomp/seccomp.json
index 92d882b5cc..5d02eb50cd 100644
--- a/common/pkg/seccomp/seccomp.json
+++ b/common/pkg/seccomp/seccomp.json
@@ -693,6 +693,7 @@
 "names": [
 "bpf",
 "lookup_dcookie",
+ "perf_event_open",
 "quotactl",
 "quotactl_fd",
 "setdomainname",
@@ -712,7 +713,6 @@
 {
 "names": [
 "lookup_dcookie",
- "perf_event_open",
 "quotactl",
 "quotactl_fd",
 "setdomainname",
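Review bot: The Includes filter of the group that gains `"perf_event_open"` at -616 and of the group that loses it at -631 are both outside the hunks, so the commit message's claim that CAP_PERFMON alone now suffices cannot be confirmed from the diff; if the first group is gated on CAP_SYS_ADMIN only, an ActAllow rule gated on CAP_PERFMON alone has to exist elsewhere in DefaultProfile, otherwise a CAP_PERFMON-only container presumably falls through to the profile's default action for this syscall. A unit test in the seccomp package that builds the profile with a bounding set of just CAP_PERFMON (and another with just CAP_SYS_ADMIN) and asserts that `perf_event_open` resolves to an allow action would pin the intended behaviour and stop it regressing. The same question applies to the mirrored seccomp.json hunks at -693 and -712. DefaultProfile begins and ends outside these hunks.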
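Review bot: The Excludes change at -927 replaces CAP_BPF with CAP_PERFMON instead of adding it, and the rule's Names list lies above the hunk; if that list contains anything besides `perf_event_open` (CAP_BPF beside CAP_SYS_ADMIN reads like a rule that may once have also covered `bpf`), a container granted only CAP_BPF would now receive EPERM for those syscalls, which the commit message says does not happen. Please confirm the Names list is exactly `perf_event_open` and, if so, state the intent on the rule so the cap pair is not "fixed" again by copy-paste, e.g. `// perf_event_open: EPERM unless CAP_SYS_ADMIN or CAP_PERFMON is in the bounding set.`. The seccomp.json hunk at -1105 (`"errnoRet": 1`) carries the same replacement; if seccomp.json is generated from DefaultProfile, regenerate it rather than hand-editing so the two copies cannot drift.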
@@ -1105,7 +1105,7 @@
 "excludes": {
 "caps": [
 "CAP_SYS_ADMIN",
- "CAP_BPF"
+ "CAP_PERFMON"
 ]
 },
 "errnoRet": 1,