From dd3f47f0fb299aa5de9c5c1468faacc1b9b3c27f Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 24 Jul 2019 00:31:22 +0200
Subject: [PATCH] Add missing syscalls to i386 seccomp policy (#13008) (#13030)
This included fstatat64 which is called by os.Stat() and used in quite a few places around Beats codebase.
Fixes #12990
(cherry picked from commit 3addc97316a2b4a4bdc9b54c11be8ffd9a9fe972)
---
 CHANGELOG.next.asciidoc | 2 +
 libbeat/common/seccomp/policy_linux_386.go | 4 ++
 libbeat/tests/system/test_seccomp.py | 44 ++++++++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 libbeat/tests/system/test_seccomp.py
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 8b8365a76a6..87f4e3d3c18 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -30,6 +30,8 @@ https://github.com/elastic/beats/compare/v7.2.0...7.2[Check the HEAD diff] *Affecting all Beats* +- Fix seccomp policy preventing some features to function properly on 32bit Linux systems. {issue}12990[12990] {pull}13008[13008] + *Auditbeat* *Filebeat*
diff --git a/libbeat/common/seccomp/policy_linux_386.go b/libbeat/common/seccomp/policy_linux_386.go
index 043ccf7d8ae..3f08248958a 100644
--- a/libbeat/common/seccomp/policy_linux_386.go
+++ b/libbeat/common/seccomp/policy_linux_386.go
@@ -50,6 +50,7 @@ func init() {
 "fdatasync",
 "flock",
 "fstat64",
+ "fstatat64",
 "fsync",
 "ftruncate64",
 "futex",
@@ -61,6 +62,7 @@ func init() {
 "getpid",
 "getppid",
 "getrandom",
+ "getrlimit",
 "getrusage",
 "gettid",
 "gettimeofday",
@@ -84,6 +86,7 @@ func init() {
 "pipe2",
 "poll",
 "pread64",
+ "prlimit64",
 "pselect6",
 "pwrite64",
 "read",
@@ -106,6 +109,7 @@ func init() {
 "setuid32",
 "sigaltstack",
 "socketcall",
+ "splice",
 "stat",
 "stat64",
 "statfs64",
diff --git a/libbeat/tests/system/test_seccomp.py b/libbeat/tests/system/test_seccomp.py
new file mode 100644
index 00000000000..b33eafa9458
--- /dev/null
+++ b/libbeat/tests/system/test_seccomp.py
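Review bot: In `policy_linux_386.go`, three of the four additions to the allow list, `getrlimit`, `prlimit64` and `splice`, carry no rationale in the hunks or the commit message, which explains only `fstatat64` (reached through `os.Stat()`). Every entry widens what a compromised Beat process may ask of the kernel, so I would add a short comment next to each new entry, for example `// required by <caller>` (placeholder), or name the callers in the commit description so a later audit can prune entries that are no longer needed. The list belongs to `init()`, which starts and ends outside these four hunks, so I cannot see whether the existing entries are annotated.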
@@ -0,0 +1,44 @@
+import platform
+import unittest
+from base import BaseTest
+
+
+def is_version_below(version, target):
+ t = map(int, target.split('.'))
+ v = map(int, version.split('.'))
+ v += [0] * (len(t) - len(v))
+ for i in range(len(t)):
+ if v[i] != t[i]:
+ return v[i] < t[i]
+ return False
+
+
+# Require Linux greater or equal than 3.17 and 386/amd64 platform
+def is_seccomp_supported():
+ p = platform.platform().split('-')
+ if p[0] != 'Linux':
+ return False
+ if is_version_below(p[1], '3.17'):
+ return False
+ return {'i386', 'i686', 'x86_64', 'amd64'}.intersection(p)
+
+
+@unittest.skipUnless(is_seccomp_supported(), "Requires Linux 3.17 or greater and i386/amd64 architecture")
+class Test(BaseTest):
+ """
+ Test Beat seccomp policy is loaded
+ """
+
+ def setUp(self):
+ super(BaseTest, self).setUp()
+
+ def test_seccomp_installed(self):
+ """
+ Test seccomp policy is installed
+ """
+ self.render_config_template(
+ )
+ proc = self.start_beat(extra_args=["-N"])
+ self.wait_until(lambda: self.log_contains("Syscall filter successfully installed"))
+
+ proc.kill_and_wait()
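Review bot: `setUp` calls `super(BaseTest, self).setUp()`, which starts the method lookup after `BaseTest` and so skips any `setUp` that `BaseTest` itself defines (that class is imported from `base` and is not shown here); it should read `super(Test, self).setUp()`, or the override can be dropped since it adds nothing else. In `is_version_below`, `len(t)` and `v += [0] * ...` need lists, so the two `map(int, ...)` calls only work where `map` returns a list (Python 2); writing `t = list(map(int, target.split('.')))` and the same for `v` keeps the skip decorator from raising at import time on Python 3. The test also only waits for the "Syscall filter successfully installed" log line, so it would not have caught the missing `fstatat64` that this commit fixes; the docstring should say that it checks filter installation only, not that the policy covers the syscalls the Beat needs.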