Add missing syscalls to i386 seccomp policy (elastic#13008) (elastic#…

…13029) This included fstatat64 which is called by os.Stat() and used in quite a few places around Beats codebase. Fixes elastic#12990 (cherry picked from commit 33d267d)
leweafan · Jul 23, 2019 · 44c1f8f · 44c1f8f
1 parent 168ff90
commit 44c1f8f
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -77,6 +77,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add additional nil pointer checks to Docker client code to deal with vSphere Integrated Containers {pull}12628[12628]
 - Fix Central Management enroll under Windows {issue}12797[12797] {pull}12799[12799]
 - Fixed a crash under Windows when fetching processes information. {pull}12833[12833]
+- Fix seccomp policy preventing some features to function properly on 32bit Linux systems. {issue}12990[12990] {pull}13008[13008]
 
 *Auditbeat*
 

diff --git a/libbeat/common/seccomp/policy_linux_386.go b/libbeat/common/seccomp/policy_linux_386.go
@@ -50,6 +50,7 @@ func init() {
 					"fdatasync",
 					"flock",
 					"fstat64",
+					"fstatat64",
 					"fsync",
 					"ftruncate64",
 					"futex",
@@ -61,6 +62,7 @@ func init() {
 					"getpid",
 					"getppid",
 					"getrandom",
+					"getrlimit",
 					"getrusage",
 					"gettid",
 					"gettimeofday",
@@ -84,6 +86,7 @@ func init() {
 					"pipe2",
 					"poll",
 					"pread64",
+					"prlimit64",
 					"pselect6",
 					"pwrite64",
 					"read",
@@ -106,6 +109,7 @@ func init() {
 					"setuid32",
 					"sigaltstack",
 					"socketcall",
+					"splice",
 					"stat",
 					"stat64",
 					"statfs64",

diff --git a/libbeat/tests/system/test_seccomp.py b/libbeat/tests/system/test_seccomp.py
@@ -0,0 +1,44 @@
+import platform
+import unittest
+from base import BaseTest
+
+
+def is_version_below(version, target):
+    t = map(int, target.split('.'))
+    v = map(int, version.split('.'))
+    v += [0] * (len(t) - len(v))
+    for i in range(len(t)):
+        if v[i] != t[i]:
+            return v[i] < t[i]
+    return False
+
+
+# Require Linux greater or equal than 3.17 and 386/amd64 platform
+def is_seccomp_supported():
+    p = platform.platform().split('-')
+    if p[0] != 'Linux':
+        return False
+    if is_version_below(p[1], '3.17'):
+        return False
+    return {'i386', 'i686', 'x86_64', 'amd64'}.intersection(p)
+
+
+@unittest.skipUnless(is_seccomp_supported(), "Requires Linux 3.17 or greater and i386/amd64 architecture")
+class Test(BaseTest):
+    """
+    Test Beat seccomp policy is loaded
+    """
+
+    def setUp(self):
+        super(BaseTest, self).setUp()
+
+    def test_seccomp_installed(self):
+        """
+        Test seccomp policy is installed
+        """
+        self.render_config_template(
+        )
+        proc = self.start_beat(extra_args=["-N"])
+        self.wait_until(lambda: self.log_contains("Syscall filter successfully installed"))
+
+        proc.kill_and_wait()