fix(auditbeat/fim/kprobes): do add syscalls in default seccomp policy…

… for arm64
elastic · May 29, 2024 · 970055a · 970055a
1 parent de49583
commit 970055a
Showing 1 changed file with 12 additions and 18 deletions.
diff --git a/...e/file_integrity/kprobes/seccomp_linux.go → ..._integrity/kprobes/seccomp_linux_amd64.go b/...e/file_integrity/kprobes/seccomp_linux.go → ..._integrity/kprobes/seccomp_linux_amd64.go
@@ -18,27 +18,21 @@
 package kprobes
 
 import (
- "runtime"
-
  "github.com/elastic/beats/v7/libbeat/common/seccomp"
 )
 
 func init() {
- switch runtime.GOARCH {
- case "amd64", "386", "arm64":
- // The module/file_integrity with kprobes BE uses additional syscalls
- if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
- "eventfd2", // required by auditbeat/tracing
- "mount", // required by auditbeat/tracing
- "perf_event_open", // required by auditbeat/tracing
- "ppoll", // required by auditbeat/tracing
- "umount2", // required by auditbeat/tracing
- "truncate", // required during kprobes verification
- "utime", // required during kprobes verification
- "utimensat", // required during kprobes verification
- "setxattr", // required during kprobes verification
- ); err != nil {
- panic(err)
- }
+ if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
+ "eventfd2", // required by auditbeat/tracing
+ "mount", // required by auditbeat/tracing
+ "perf_event_open", // required by auditbeat/tracing
+ "ppoll", // required by auditbeat/tracing
+ "umount2", // required by auditbeat/tracing
+ "truncate", // required during kprobes verification
+ "utime", // required during kprobes verification
+ "utimensat", // required during kprobes verification
+ "setxattr", // required during kprobes verification
+ ); err != nil {
+ panic(err)
  }
 }