Add umask and mremap to Auditbeat seccomp policy (#12617)

While running on CentOS 7 with the system/package dataset Auditbeat was violating its seccomp policy. This adds the syscalls that it was using to the default seccomp policy for Auditbeat. Fixes #12578
elastic · Jun 20, 2019 · 81d2b9b · 81d2b9b
1 parent 31193b8
commit 81d2b9b
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -86,6 +86,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Package dataset: Improve dpkg parsing. {pull}12325[12325]
 - System module: Start system module without host ID. {pull}12373[12373]
 - Host dataset: Fix reboot detection logic. {pull}12591[12591]
+- Add syscalls used by librpm for the system/package dataset to the default Auditbeat seccomp policy. {issue}12578[12578] {pull}12617[12617]
 
 *Filebeat*
 

diff --git a/Vagrantfile b/Vagrantfile
@@ -223,6 +223,17 @@ Vagrant.configure(2) do |config|
     end
   end
 
+  config.vm.define "centos7", primary: true do |c|
+    c.vm.box = "bento/centos-7"
+    c.vm.network :forwarded_port, guest: 22, host: 2231,  id: "ssh", auto_correct: true
+
+    c.vm.provision "shell", inline: $unixProvision, privileged: false
+    c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
+    c.vm.provision "shell", inline: "yum install -y make gcc python-pip python-virtualenv git"
+
+    c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+  end
+
 end
 
 # -*- mode: ruby -*-

diff --git a/libbeat/common/seccomp/seccomp.go b/libbeat/common/seccomp/seccomp.go
@@ -27,6 +27,14 @@ import (
 	"github.com/elastic/go-seccomp-bpf"
 )
 
+// PolicyChangeType specifies the type of change to make to a seccomp policy.
+type PolicyChangeType uint8
+
+const (
+	// AddSyscall changes a policy by adding a syscall.
+	AddSyscall PolicyChangeType = iota
+)
+
 var (
 	defaultPolicy    *seccomp.Policy
 	registeredPolicy *seccomp.Policy
@@ -134,3 +142,29 @@ func getPolicy(c *common.Config) (*seccomp.Policy, error) {
 
 	return policy, nil
 }
+
+// ModifyDefaultPolicy modifies the syscalls in the default policy. Any callers
+// of this function must first check the architecture because policies are
+// architecture specific.
+func ModifyDefaultPolicy(changeType PolicyChangeType, syscalls ...string) error {
+	if defaultPolicy == nil {
+		return errors.New("no default policy exists (check the architecture)")
+	}
+
+	switch changeType {
+	case AddSyscall:
+		list := defaultPolicy.Syscalls[0].Names
+		for _, newSyscall := range syscalls {
+			for _, existingSyscall := range list {
+				if newSyscall == existingSyscall {
+					break
+				}
+
+				list = append(list, newSyscall)
+			}
+		}
+		defaultPolicy.Syscalls[0].Names = list
+	}
+
+	return nil
+}
diff --git a/x-pack/auditbeat/seccomp_linux.go b/x-pack/auditbeat/seccomp_linux.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package main
+
+import (
+	"runtime"
+
+	"github.com/elastic/beats/libbeat/common/seccomp"
+)
+
+func init() {
+	switch runtime.GOARCH {
+	case "amd64", "386":
+		// The system/package dataset uses librpm which has additional syscall
+		// requirements beyond the default policy from libbeat so whitelist
+		// these additional syscalls.
+		if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall, "umask", "mremap"); err != nil {
+			panic(err)
+		}
+	}
+}