You were right to start by translating it into hex, but there’s another step needed - Notice how the operation is “SCMP_CMP_MASKED_EQ”. This is a bitmask. The argument that’s being filtered with this mask is the 0th argument to the clone syscall, which is the ‘flags’ argument. So decompose this mask into its constituent parts and dereference them using the kernel headers that define the clone flags:
According to /usr/include/linux/sched.h, the value 0x7C020000 corresponds to the combination of all of the following flags:
#define CLONE_NEWNS 0x00020000 /* New mount namespace group */
#define CLONE_NEWUTS 0x04000000 /* New utsname namespace */
#define CLONE_NEWIPC 0x08000000 /* New ipc namespace */
#define CLONE_NEWUSER 0x10000000 /* New user namespace */
#define CLONE_NEWPID 0x20000000 /* New pid namespace */
#define CLONE_NEWNET 0x40000000 /* New network namespace */
So basically this rule in seccomp.json says “Anyone can call clone(2) as long as they don’t set any of these potentially dangerous flags when doing so”.