
libbeat/common/seccomp: provide default policy for linux arm64 #27955

Merged (1 commit), Sep 19, 2021

Conversation

@efd6 efd6 (Contributor) commented Sep 16, 2021

What does this PR do?

This change adds a default seccomp policy for GOOS=linux GOARCH=arm64.

Why is it important?

Arm64 is an increasingly important target, so adding seccomp protection to that arch is a valuable addition.

Checklist

- [x] My code follows the style guidelines of this project
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files
- [ ] I have added tests that prove my fix is effective or that my feature works
- [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • Ideally, this would be tested on an arm64 builder.

Note that, unlike GOARCH!=arm64, arm64 does not have fork or vfork syscalls. However, Go's fork exec does not use fork(2) from what I can see, rather using clone(2) (https://linux.die.net/man/2/clone). Perhaps clone should be added to this and the arm policy? (It's worth noting that clone is in the whitelist for amd64 and 386.)

How to test this PR locally

Standard testing.

Related issues

N/A

Use cases

N/A

Screenshots

N/A

Logs

N/A

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 16, 2021

botelastic bot commented Sep 16, 2021

This pull request doesn't have a Team:<team> label.

@efd6 efd6 force-pushed the seccomp/arm64 branch 2 times, most recently from cf100d6 to c7ea2e1 Compare September 16, 2021 00:42

elasticmachine commented Sep 16, 2021

💚 Build Succeeded

Build stats

  • Start Time: 2021-09-16T01:18:33.374+0000

  • Duration: 222 min 44 sec

  • Commit: 46b7a26

Test stats 🧪

Test Results
Failed 0
Passed 54031
Skipped 5327
Total 59358

💚 Flaky test report

Tests succeeded.

@andrewkroh andrewkroh (Member) left a comment

LGTM.

> It's worth noting that clone is in the whitelist for amd64 and 386

IIRC I think we would have allowed only certain clone flags if we had that ability in our generated seccomp filters. But we didn't have argument filtering in go-seccomp-bpf.
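
The arch point raised in the PR description (no fork/vfork numbers on arm64, Go's os/exec using clone) and the reviewer's note about clone both come down to how a name-based allowlist is turned into a per-architecture seccomp BPF filter. The program below is an added example written for this page, not code from the PR, from libbeat, or from go-seccomp-bpf. It compiles a small allowlist into classic BPF using a hand-picked subset of the amd64 and arm64 syscall tables, refuses names that have no number on the target arch (fork and vfork on arm64), and interprets the resulting program against constructed seccomp_data values. The SECCOMP_RET_*, AUDIT_ARCH_* and BPF opcode constants are taken from the Linux UAPI headers; the syscall-number subset, the interpreter and the function names are assumptions of this example, and nothing is loaded into the kernel.

```go
package main

import "fmt"

// Constants from the Linux UAPI headers (linux/audit.h, linux/seccomp.h,
// linux/filter.h). Example code; the syscall subset below is hand-picked.
const (
	auditArchX86_64  uint32 = 0xc000003e
	auditArchAARCH64 uint32 = 0xc00000b7
	retKillProcess   uint32 = 0x80000000
	retErrno         uint32 = 0x00050000 // low 16 bits carry the errno
	retAllow         uint32 = 0x7fff0000
	enosys           uint32 = 38   // Linux ENOSYS
	offNr            uint32 = 0    // offsetof(struct seccomp_data, nr)
	offArch          uint32 = 4    // offsetof(struct seccomp_data, arch)
	opLdAbsW         uint16 = 0x20 // BPF_LD | BPF_W | BPF_ABS
	opJeqK           uint16 = 0x15 // BPF_JMP | BPF_JEQ | BPF_K
	opRetK           uint16 = 0x06 // BPF_RET | BPF_K
)

// insn mirrors struct sock_filter.
type insn struct {
	code   uint16
	jt, jf uint8
	k      uint32
}

// fork and vfork have no number on arm64; Go's os/exec uses clone on both.
var syscallNumbers = map[uint32]map[string]uint32{
	auditArchX86_64:  {"read": 0, "write": 1, "clone": 56, "fork": 57, "vfork": 58, "execve": 59, "exit_group": 231},
	auditArchAARCH64: {"read": 63, "write": 64, "exit_group": 94, "clone": 220, "execve": 221},
}

// compileAllowlist emits: kill if the arch field differs from the table the
// numbers came from; allow each named syscall; otherwise return defaultRet.
// Names that do not exist on the target arch are an error, not silently dropped.
func compileAllowlist(arch uint32, names []string, defaultRet uint32) ([]insn, error) {
	table, ok := syscallNumbers[arch]
	if !ok {
		return nil, fmt.Errorf("no syscall table for arch %#x", arch)
	}
	prog := []insn{
		{code: opLdAbsW, k: offArch},
		{code: opJeqK, jt: 1, k: arch}, // arch matches: skip the kill
		{code: opRetK, k: retKillProcess},
		{code: opLdAbsW, k: offNr},
	}
	for _, name := range names {
		nr, ok := table[name]
		if !ok {
			return nil, fmt.Errorf("syscall %q does not exist on arch %#x", name, arch)
		}
		prog = append(prog,
			insn{code: opJeqK, jf: 1, k: nr}, // no match: skip the allow
			insn{code: opRetK, k: retAllow})
	}
	return append(prog, insn{code: opRetK, k: defaultRet}), nil
}

// seccompData holds the fields of struct seccomp_data the filter reads.
type seccompData struct {
	nr   int32
	arch uint32
}

// run interprets the BPF subset emitted above and returns the SECCOMP_RET_*
// value the kernel would act on at syscall entry. Only the two offsets the
// compiler emits (nr and arch) are supported by the load instruction.
func run(prog []insn, d seccompData) (uint32, error) {
	var acc uint32
	for pc := 0; pc < len(prog); {
		in := prog[pc]
		switch in.code {
		case opLdAbsW:
			acc = uint32(d.nr)
			if in.k == offArch {
				acc = d.arch
			}
			pc++
		case opJeqK:
			if acc == in.k {
				pc += 1 + int(in.jt)
			} else {
				pc += 1 + int(in.jf)
			}
		case opRetK:
			return in.k, nil
		default:
			return 0, fmt.Errorf("unsupported opcode %#x", in.code)
		}
	}
	return 0, fmt.Errorf("filter fell off the end of the program")
}

func main() {
	base := []string{"read", "write", "clone", "execve", "exit_group"}
	_, err := compileAllowlist(auditArchAARCH64, append(base, "fork"), retErrno|enosys)
	fmt.Println("arm64 policy with fork:", err)
	prog, _ := compileAllowlist(auditArchAARCH64, base, retErrno|enosys)
	ret, _ := run(prog, seccompData{nr: 220, arch: auditArchAARCH64}) // clone on arm64
	fmt.Printf("clone on arm64 -> %#x\n", ret)
}
```

The arch check at the top is what makes a per-GOARCH policy safe: the same syscall number means different things on amd64 and arm64, so a filter built from one table must kill rather than allow when the kernel reports a different AUDIT_ARCH. Restricting clone to particular flags, as the reviewer wished for, would need an extra load of the flags argument (struct seccomp_data args[0] at offset 16) and a compare on it, which the name-only compiler above does not emit.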

@efd6 efd6 merged commit 01bd66d into elastic:master Sep 19, 2021
@efd6 efd6 deleted the seccomp/arm64 branch September 19, 2021 22:25
v1v added a commit to v1v/beats that referenced this pull request Sep 20, 2021
Icedroid pushed a commit to Icedroid/beats that referenced this pull request Nov 1, 2021
@andrewkroh andrewkroh added the backport-v7.16.0 Automated backport with mergify label Nov 10, 2021
mergify bot pushed a commit that referenced this pull request Nov 10, 2021
andrewkroh pushed a commit that referenced this pull request Nov 11, 2021
… (#28922)

(cherry picked from commit 01bd66d)

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Labels: backport-v7.16.0 (Automated backport with mergify), enhancement, needs_team (Indicates that the issue/PR needs a Team:* label)
3 participants