---
# SeccompProfile (security-profiles-operator CRD) for the seccomp-test
# namespace. defaultAction SCMP_ACT_ERRNO makes every syscall that is not
# listed below fail with an errno instead of executing; the single rule under
# `syscalls` then allows the named calls unconditionally (no argument filters).
#
# NOTE(review): the allow-list is much broader than a web server normally needs.
# It includes mount/namespace, identity, keyring, clock and hostname syscalls
# (flagged inline). Those calls are still subject to the kernel's capability
# checks, but this profile adds no second layer for them, so a container that
# is granted extra capabilities or runs privileged gets no protection here.
# NOTE(review): presumably this list was captured by a recorder and includes
# calls made by the container runtime during start-up - confirm which entries
# are runtime-only before trimming, and re-test the workload after any removal.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: confine-nginx-explicit-allow
  namespace: seccomp-test
spec:
  # Anything not explicitly allowed below is denied with an error return.
  defaultAction: SCMP_ACT_ERRNO
  architectures:
  - SCMP_ARCH_X86_64
  - SCMP_ARCH_X86
  - SCMP_ARCH_X32  # NOTE(review): x32 ABI is rarely used by images; confirm it is needed
  syscalls:
  # Single allow rule: every name listed is permitted with any arguments.
  - action: SCMP_ACT_ALLOW
    names:
    - accept
    - accept4
    - access
    - afs_syscall  # NOTE(review): believed unimplemented on current x86_64 kernels - verify, then drop
    - alarm
    - arch_prctl
    - bind
    - brk
    - capget
    - capset  # NOTE(review): changes the capability sets; confirm the workload needs it
    - chdir
    - chmod
    - chown
    - chroot  # NOTE(review): changes the root directory; needs CAP_SYS_CHROOT
    - clock_getres
    - clock_gettime
    - clock_nanosleep
    - clock_settime  # NOTE(review): sets the system clock; a web server should not need this
    - clone  # NOTE(review): no argument filter, so namespace-creating flags are not restricted here
    - close
    - connect
    - copy_file_range
    - creat
    - create_module  # NOTE(review): legacy kernel-module call, believed removed from current kernels - verify
    - dup
    - dup2
    - epoll_create
    - epoll_create1
    - epoll_ctl
    - epoll_ctl_old  # NOTE(review): believed unimplemented on current kernels - verify
    - epoll_pwait
    - epoll_wait
    - epoll_wait_old  # NOTE(review): believed unimplemented on current kernels - verify
    - eventfd2
    - execve
    - execveat
    - exit
    - exit_group
    - faccessat
    - fadvise64
    - fallocate
    - fchdir
    - fchmod
    - fchown
    - fcntl
    - fdatasync
    - fgetxattr
    - flistxattr
    - fremovexattr
    - fsetxattr
    - fstat
    - fstatfs
    - fsync
    - ftruncate
    - futex
    - get_kernel_syms  # NOTE(review): legacy kernel-module call, believed removed from current kernels - verify
    - getcwd
    - getdents
    - getdents64
    - getegid
    - geteuid
    - getgid
    - getgroups
    - getpgrp
    - getpid
    - getpmsg  # NOTE(review): believed unimplemented on Linux - verify
    - getppid
    - getrandom
    - getresgid
    - getresuid
    - getrlimit
    - getrusage
    - getsid
    - getsockname
    - getsockopt
    - gettid
    - gettimeofday
    - getuid
    - getxattr
    - inotify_add_watch
    - inotify_init1
    - inotify_rm_watch
    - io_destroy
    - io_getevents
    - io_setup
    - ioctl  # NOTE(review): no argument filter, so every ioctl request code is allowed
    - keyctl  # NOTE(review): kernel keyring access; confirm the workload needs it
    - kill
    - lgetxattr
    - link
    - listen
    - listxattr
    - llistxattr
    - lremovexattr
    - lseek
    - lsetxattr
    - lstat
    - madvise
    - memfd_create
    - mkdir
    - mlock
    - mlock2
    - mmap
    - mount  # NOTE(review): mounts filesystems; presumably runtime start-up only - confirm
    - mprotect
    - mremap
    - munmap
    - name_to_handle_at  # NOTE(review): file-handle lookup; confirm the workload needs it
    - nanosleep
    - newfstatat
    - nfsservctl  # NOTE(review): believed removed from current kernels - verify
    - open
    - openat
    - pipe
    - pipe2
    - pkey_alloc
    - pkey_free
    - pkey_mprotect
    - poll
    - ppoll
    - prctl  # NOTE(review): no argument filter, so every prctl option is allowed
    - pread64
    - preadv2
    - prlimit64
    - putpmsg  # NOTE(review): believed unimplemented on Linux - verify
    - pwrite64
    - pwritev
    - pwritev2
    - query_module  # NOTE(review): legacy kernel-module call, believed removed from current kernels - verify
    - read
    - readlink
    - readlinkat
    - readv
    - recvfrom
    - recvmsg
    - removexattr
    - rename
    - request_key  # NOTE(review): kernel keyring access; confirm the workload needs it
    - rmdir
    - rt_sigaction
    - rt_sigprocmask
    - rt_sigreturn
    - rt_sigsuspend
    - rt_sigtimedwait
    - sched_get_priority_max
    - sched_get_priority_min
    - sched_getaffinity
    - sched_getparam
    - sched_getscheduler
    - sched_setaffinity
    - sched_setparam
    - sched_setscheduler
    - sched_yield
    - security  # NOTE(review): believed unimplemented on current kernels - verify
    - select
    - sendfile
    - sendmsg
    - sendto
    - set_robust_list
    - set_tid_address
    - setdomainname  # NOTE(review): changes the NIS domain name; a web server should not need this
    - setgid  # presumably used when the server drops to an unprivileged worker user - confirm
    - setgroups  # presumably used when the server drops to an unprivileged worker user - confirm
    - sethostname  # NOTE(review): changes the hostname; presumably runtime start-up only - confirm
    - setitimer
    - setns  # NOTE(review): joins another namespace; presumably runtime start-up only - confirm
    - setpgid
    - setpriority
    - setresgid
    - setresuid
    - setrlimit
    - setsid
    - setsockopt
    - setuid  # presumably used when the server drops to an unprivileged worker user - confirm
    - setxattr
    - shmat
    - shmdt
    - shmget
    - shutdown
    - sigaltstack
    - signalfd
    - socket  # NOTE(review): no argument filter, so every address family and socket type is allowed
    - socketpair
    - splice
    - stat
    - statfs
    - sysinfo
    - tgkill
    - time
    - timerfd_create
    - timerfd_settime
    - times
    - tuxcall  # NOTE(review): believed unimplemented on current kernels - verify
    - umask
    - umount2  # NOTE(review): unmounts filesystems; presumably runtime start-up only - confirm
    - uname
    - unlink
    - unlinkat
    - uselib  # NOTE(review): obsolete library-loading call; confirm nothing depends on it
    - utimensat
    - utimes
    - vfork
    - vserver  # NOTE(review): believed unimplemented on current kernels - verify
    - wait4
    - waitid
    - write
    - writev