Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Chmod/Chown seccomp fix #20054

Merged
merged 3 commits into from
Jul 20, 2020
Merged

[Filebeat] Chmod/Chown seccomp fix #20054

merged 3 commits into from
Jul 20, 2020

Conversation

andrewstucki
Copy link
Contributor

@andrewstucki andrewstucki commented Jul 20, 2020
edited
Loading

What does this PR do?

So, to support changing the file permissions dynamically for the filebeat unix socket input under seccomp, I had previously leveraged the fact that chmod was already in our whitelist--corresponding to this call--which was initially added in this commit, and also added a whitelist entry for chown to support os.Chown.

However, interestingly enough, on Linux systems syscall.Chmod and syscall.Chown don't actually call the chown or chmod syscalls at all (good naming convention, right?). Instead they use fchownat and fchmodat--see here.

Currently filebeat is broken under seccomp without these additional entries.

Checklist

  • My code follows the style guidelines of this project
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 20, 2020
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 20, 2020
@andrewstucki andrewstucki added the Filebeat Filebeat label Jul 20, 2020
@andrewstucki andrewstucki changed the title Chmod seccomp fix [Filebeat] Chmod/Chown seccomp fix Jul 20, 2020
@andrewstucki
Copy link
Contributor Author

BTW, since the seccomp policy is in libbeat itself and technically this affects anything that could potentially use os.Chmod/os.Chown--I added the changelog entry to the section for "Affecting all Beats"--let me know if you want me to switch it to "Filebeat"--since it's the only beat that I know for sure uses those two standard library functions.

@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 20, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #20054 updated]

  • Start Time: 2020-07-20T12:57:16.761+0000

  • Duration: 89 min 28 sec

Test stats 🧪

Test Results
Failed 0
Passed 17703
Skipped 1902
Total 19605

Steps errors

Expand to view the steps failures

  • Name: Report to Codecov

    • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

    • Duration: 2 min 22 sec

    • Start Time: 2020-07-20T14:10:39.115+0000

    • log

@andrewstucki andrewstucki added the needs_backport PR is waiting to be backported to other branches. label Jul 20, 2020
@andrewstucki andrewstucki merged commit bf56f6c into elastic:master Jul 20, 2020
@andrewstucki andrewstucki mentioned this pull request Jul 20, 2020
Merged
2 tasks
@andrewstucki andrewstucki added v7.10.0 and removed needs_backport PR is waiting to be backported to other branches. labels Jul 20, 2020
andrewstucki pushed a commit to andrewstucki/beats that referenced this pull request Jul 20, 2020
[Filebeat] Chmod/Chown seccomp fix (elastic#20054)
3fa612a 
* Fix fchmod syscall seccomp policy

* Fix chown

* Add changelog entry

(cherry picked from commit bf56f6c)
@andrewstucki andrewstucki mentioned this pull request Jul 20, 2020
Merged
2 tasks
andrewstucki pushed a commit to andrewstucki/beats that referenced this pull request Jul 20, 2020
[Filebeat] Chmod/Chown seccomp fix (elastic#20054)
aa112b7 
* Fix fchmod syscall seccomp policy

* Fix chown

* Add changelog entry

(cherry picked from commit bf56f6c)
@andrewstucki andrewstucki mentioned this pull request Jul 20, 2020
Merged
2 tasks
andrewstucki pushed a commit to andrewstucki/beats that referenced this pull request Jul 20, 2020
[Filebeat] Chmod/Chown seccomp fix (elastic#20054)
40c4062 
* Fix fchmod syscall seccomp policy

* Fix chown

* Add changelog entry

(cherry picked from commit bf56f6c)
andrewstucki pushed a commit that referenced this pull request Jul 20, 2020
Cherry-pick #20054 to 7.8: [Filebeat] Chmod/Chown seccomp fix (#20062)
94f7632 
* [Filebeat] Chmod/Chown seccomp fix (#20054)

* Fix fchmod syscall seccomp policy

* Fix chown

* Add changelog entry

(cherry picked from commit bf56f6c)

* fix changelog
andrewstucki pushed a commit that referenced this pull request Jul 20, 2020
[Filebeat] Chmod/Chown seccomp fix (#20054) (#20060)
edfd0b7 
* Fix fchmod syscall seccomp policy

* Fix chown

* Add changelog entry

(cherry picked from commit bf56f6c)
andrewstucki pushed a commit that referenced this pull request Jul 22, 2020
Cherry-pick #20054 to 7.9: [Filebeat] Chmod/Chown seccomp fix (#20061)
de94cf0 
* [Filebeat] Chmod/Chown seccomp fix (#20054)

* Fix fchmod syscall seccomp policy

* Fix chown

* Add changelog entry

(cherry picked from commit bf56f6c)

* Fix changelog
@andrewstucki andrewstucki deleted the chmod-seccomp-fix branch July 29, 2020 02:30
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@melchiormoulin
[Filebeat] Chmod/Chown seccomp fix (elastic#20054)
55f9a40 
* Fix fchmod syscall seccomp policy

* Fix chown

* Add changelog entry
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
Cherry-pick elastic#20054 to 7.9: [Filebeat] Chmod/Chown seccomp fix (e…
888d4d0 
…lastic#20061)

* [Filebeat] Chmod/Chown seccomp fix (elastic#20054)

* Fix fchmod syscall seccomp policy

* Fix chown

* Add changelog entry

(cherry picked from commit f4b2c48)

* Fix changelog
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
Cherry-pick elastic#20054 to 7.8: [Filebeat] Chmod/Chown seccomp fix (e…
6873227 
…lastic#20062)

* [Filebeat] Chmod/Chown seccomp fix (elastic#20054)

* Fix fchmod syscall seccomp policy

* Fix chown

* Add changelog entry

(cherry picked from commit f4b2c48)

* fix changelog
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marc-gr marc-gr marc-gr approved these changes

@andrewkroh andrewkroh Awaiting requested review from andrewkroh

Assignees
No one assigned
Labels
bug Filebeat Filebeat v7.8.1 v7.9.0 v7.10.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewstucki @elasticmachine @marc-gr