Open DomineCore opened 1 year ago
Hello @DomineCore, same issue here, they didn't want to open sys_admin (rightly). So we injected a custom seccomp and opened only the perf_event_open syscall, which was enough for us (raw EC2 debian + docker).
If you have the latest docker version, there is a profile for this: CAP_PERFMON (but I haven't tried it though).
@github-louis-fruleux Yeah, now I'm using this profile.
The security department within my company does not allow granting containers sys_admin permissions, because it easily introduces risk. Based on my guess and an actual test, granting the container only the perf_event_open permission can achieve the same effect. Could the documentation give other users a hint about this?
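The approach discussed in this thread (a custom seccomp profile that opens only perf_event_open instead of granting sys_admin), as an added example that is not code from any commenter or from the project. It assumes Docker's JSON seccomp profile format; the sample profile is a constructed, trimmed stand-in for a real one, and the function names and the perf-seccomp.json file name are hypothetical.

```python
import copy
import json

# Constructed, trimmed stand-in for a Docker seccomp profile (not the real default).
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["mount", "perf_event_open", "setns"],
         "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}

def allowed_unconditionally(profile, syscall):
    """True if an allow rule with no caps/arch/args condition names the syscall."""
    for rule in profile.get("syscalls", []):
        if (rule.get("action") == "SCMP_ACT_ALLOW"
                and syscall in rule.get("names", [])
                and not rule.get("includes") and not rule.get("excludes")
                and not rule.get("args")):
            return True
    return False

def allow_syscall(profile, syscall="perf_event_open"):
    """Return a copy of the profile with one extra unconditional allow rule."""
    patched = copy.deepcopy(profile)
    if not allowed_unconditionally(patched, syscall):
        patched["syscalls"].append({"names": [syscall], "action": "SCMP_ACT_ALLOW"})
    return patched

def newly_allowed(before, after):
    """Syscalls allowed without conditions after patching that were not before."""
    names = {n for r in after.get("syscalls", []) for n in r.get("names", [])}
    return sorted(n for n in names
                  if allowed_unconditionally(after, n)
                  and not allowed_unconditionally(before, n))

if __name__ == "__main__":
    patched = allow_syscall(SAMPLE_PROFILE)
    # Review the delta before shipping: it should be exactly one syscall.
    print("newly allowed:", newly_allowed(SAMPLE_PROFILE, patched))
    with open("perf-seccomp.json", "w") as fh:
        json.dump(patched, fh, indent=2)
    # Then: docker run --security-opt seccomp=perf-seccomp.json ... (no --cap-add SYS_ADMIN)
```

The `newly_allowed` check gives a security review a concrete delta to approve: everything else that the profile gates behind CAP_SYS_ADMIN, such as mount and setns in the sample, stays blocked.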