[auditbeat/fim/kprobes] Correct seccomp policy for arm64 (#39759)
* fix(auditbeat/fim/kprobes): do add syscalls in default seccomp policy for arm64

* doc: update CHANGELOG.next.asciidoc

(cherry picked from commit 7a561ff)
pkoutsovasilis authored and mergify[bot] committed May 29, 2024
1 parent 35eccb8 commit fadad7a
Showing 2 changed files with 13 additions and 19 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ https:/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133]
- Allow extra syscalls by auditbeat required in FIM with kprobes back-end {pull}39361[39361]
- Fix losing events in FIM for OS X by allowing always to walk an added directory to monitor {pull}39362[39362]

- Fix seccomp policy of FIM kprobes backend on arm64 {pull}39759[39759]



Original file line number Diff line number Diff line change
Expand Up @@ -18,27 +18,21 @@
package kprobes

import (
"runtime"

"github.com/elastic/beats/v7/libbeat/common/seccomp"
)

func init() {
switch runtime.GOARCH {
case "amd64", "386", "arm64":
// The module/file_integrity with kprobes BE uses additional syscalls
if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
"eventfd2", // required by auditbeat/tracing
"mount", // required by auditbeat/tracing
"perf_event_open", // required by auditbeat/tracing
"ppoll", // required by auditbeat/tracing
"umount2", // required by auditbeat/tracing
"truncate", // required during kprobes verification
"utime", // required during kprobes verification
"utimensat", // required during kprobes verification
"setxattr", // required during kprobes verification
); err != nil {
panic(err)
}
if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
"eventfd2", // required by auditbeat/tracing
"mount", // required by auditbeat/tracing
"perf_event_open", // required by auditbeat/tracing
"ppoll", // required by auditbeat/tracing
"umount2", // required by auditbeat/tracing
"truncate", // required during kprobes verification
"utime", // required during kprobes verification
"utimensat", // required during kprobes verification
"setxattr", // required during kprobes verification
); err != nil {
panic(err)
}
}
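Review bot: The syscall list passed to `seccomp.ModifyDefaultPolicy(seccomp.AddSyscall, ...)` inside `init()` is now one fixed list for every GOARCH this file builds for (the `runtime` import and the `switch runtime.GOARCH` appear only once on the page, which suggests the switch is gone on the new side), yet each name is resolved against a per-architecture syscall table, and if I recall correctly the arm64 (generic) table has no `utime` entry, only `utimensat`. Whether `ModifyDefaultPolicy` rejects an unknown name immediately, in which case the `panic(err)` aborts the process at package init before any logger exists, or the failure only surfaces when the filter is assembled and loaded, is not visible in this hunk. Worth confirming on an arm64 build and recording the invariant above the list, e.g. `// Every name below must exist in the seccomp syscall table of each GOARCH this file builds for; a name missing on one arch fails the whole policy.` If a name is genuinely absent on one architecture, keep it arch-conditional rather than dropping it for the others. The file's build constraints, which determine that set of architectures, are in the header outside this hunk.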
