Allow clone3 syscall in seccomp filters

[BlackYoup]

What does this PR do?

This PR allows the clone3 syscall to be used in the seccomp filters.

clone3 is a linux syscall that is now used by glibc starting version
2.34. It is used when pthread_create() gets called. Current seccomp
filters do not allow this syscall leading to crashes like
runtime/cgo: pthread_create failed: Operation not permitted

See elastic/apm-server#6238 for more details

Why is it important?

This is important because it can lead to crashes in softwares using libbeat as a dependency, as it does for apm-server. As soon as glibc 2.34 hits the mainstream distributions, this might become a more encountered problem. Usage of this syscall only requires a glibc update, meaning that binaries compiled before the glibc update will also be impacted.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• Should the syscall be allowed for ARM?

How to test this PR locally

I'm not too sure how to do that here. Any pointers would be greatly appreciated. Bare minimum is to have glibc 2.34 installed but I don't know how to trigger the bug directly from the beats project.

Related issues

• Relates runtime/cgo: pthread_create failed: Operation not permitted on glibc 2.34 apm-server#6238

Use cases

This PR allows an additional linux syscall, namely clone3, to be used to create new threads.

Screenshots

Logs

[mergify]

This pull request does not have a backport label. Could you fix it @BlackYoup? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[BlackYoup]

This pull request does not have a backport label. Could you fix it @BlackYoup? pray
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

* `backport-v./d./d./d` is the label to automatically backport to the `7./d` branch. `/d` is the digit

NOTE: backport-skip has been added to this pull request.

Sorry, I couldn't add a bug label (or didn't find how to) nor can add a label now.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-10-07T13:58:44.752+0000

• Duration: 153 min 7 sec

• Commit: 2855e04

Test stats 🧪

Test	Results
Failed	0
Passed	53657
Skipped	5346
Total	59003

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

[mergify]

This pull request does not have a backport label. Could you fix it @BlackYoup? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[andrewkroh]

LGTM. This is another case of where if go-seccomp-bpf supported argument filtering we would restrict what flags could be used with clone3 to limit the ability to start new processes.

[andrewkroh]

run tests

[simitt]

@ruflin or @andrewkroh is there anything blocking from merging this in?

[andrewkroh]

It's ready to merge from my POV.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b seccomp-clone3 upstream/seccomp-clone3
git merge upstream/master
git push upstream seccomp-clone3

[simitt]

Thank you @BlackYoup for the fix!

[rforberger]

It still happens to me on Fedora 35 with
metricbeat-7.15.2-1.x86_64
filebeat-7.15.2-1.x86_64
When is it going to be fixed there?

[der-eismann]

Can confirm that beats 7.15.2 x64 are still broken on Fedora 35, however the workaround mentioned here works fine.

//Edit: I noticed that with the workaround there is still a warning saying the following, but at least it's running

found unknown syscalls for arch x86_64: clone3

[rforberger]

Even with
metricbeat-7.16.0-1.x86_64
filebeat-7.16.0-1.x86_64
on Fedora 35 amd64 I still have the problem, that the beats won't start.
I don't want to apply the workarround, because I think it's insecure.
Can anyone fix it? :)

[andrewkroh]

In 7.16.0 the clone3 syscall is recognized by the seccomp filter config. So you could specify the exact same seccomp policy as is applied in the fixed branch via your config file.

• Config format: https://www.elastic.co/guide/en/beats/filebeat/current/linux-seccomp.html
• Fixed policy that includes clone3.

  beats/libbeat/common/seccomp/policy_linux_amd64.go

  Lines 30 to 143 in 4de6952

  	Names: []string{
  	"accept",
  	"accept4",
  	"access",
  	"arch_prctl",
  	"bind",
  	"brk",
  	"chmod",
  	"chown",
  	"clock_gettime",
  	"clone",
  	"clone3",
  	"close",
  	"connect",
  	"dup",
  	"dup2",
  	"epoll_create",
  	"epoll_create1",
  	"epoll_ctl",
  	"epoll_pwait",
  	"epoll_wait",
  	"exit",
  	"exit_group",
  	"fchdir",
  	"fchmod",
  	"fchmodat",
  	"fchown",
  	"fchownat",
  	"fcntl",
  	"fdatasync",
  	"flock",
  	"fstat",
  	"fstatfs",
  	"fsync",
  	"ftruncate",
  	"futex",
  	"getcwd",
  	"getdents",
  	"getdents64",
  	"geteuid",
  	"getgid",
  	"getpeername",
  	"getpid",
  	"getppid",
  	"getrandom",
  	"getrlimit",
  	"getrusage",
  	"getsockname",
  	"getsockopt",
  	"gettid",
  	"gettimeofday",
  	"getuid",
  	"inotify_add_watch",
  	"inotify_init1",
  	"inotify_rm_watch",
  	"ioctl",
  	"kill",
  	"listen",
  	"lseek",
  	"lstat",
  	"madvise",
  	"mincore",
  	"mkdirat",
  	"mmap",
  	"mprotect",
  	"munmap",
  	"nanosleep",
  	"newfstatat",
  	"open",
  	"openat",
  	"pipe",
  	"pipe2",
  	"poll",
  	"ppoll",
  	"pread64",
  	"pselect6",
  	"pwrite64",
  	"read",
  	"readlink",
  	"readlinkat",
  	"recvfrom",
  	"recvmmsg",
  	"recvmsg",
  	"rename",
  	"renameat",
  	"rt_sigaction",
  	"rt_sigprocmask",
  	"rt_sigreturn",
  	"sched_getaffinity",
  	"sched_yield",
  	"sendfile",
  	"sendmmsg",
  	"sendmsg",
  	"sendto",
  	"set_robust_list",
  	"setitimer",
  	"setsockopt",
  	"shutdown",
  	"sigaltstack",
  	"socket",
  	"splice",
  	"stat",
  	"statfs",
  	"sysinfo",
  	"tgkill",
  	"time",
  	"tkill",
  	"uname",
  	"unlink",
  	"unlinkat",
  	"wait4",
  	"waitid",
  	"write",
  	"writev",

  .

#28330 needs merged to get the fix into 7.16.

[rforberger]

@andrewkroh thanks, but I don't want to touch the config file.
I am waiting for the fix to come into 7.16. Thanks again.

[rforberger]

It works now again with version 7.16.2-1.