Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[7.x](backport #27878) [Heartbeat] Setuid to regular user / lower capabilities when possible #28377

Merged
merged 4 commits into from
Oct 14, 2021
Merged

[7.x](backport #27878) [Heartbeat] Setuid to regular user / lower capabilities when possible #28377

merged 4 commits into from
Oct 14, 2021

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Oct 13, 2021
edited by zube bot
Loading

This is an automatic backport of pull request #27878 done by Mergify.
Cherry-pick of a78a980 has failed:

On branch mergify/bp/7.x/pr-27878
Your branch is up to date with 'origin/7.x'.

You are currently cherry-picking commit a78a980da2.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   CHANGELOG.next.asciidoc
	modified:   dev-tools/notice/overrides.json
	modified:   dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
	modified:   dev-tools/packaging/templates/docker/Dockerfile.tmpl
	modified:   go.sum
	modified:   heartbeat/beater/heartbeat.go
	modified:   heartbeat/scripts/mage/package.go
	new file:   heartbeat/security.go
	modified:   packetbeat/scripts/mage/package.go
	modified:   x-pack/heartbeat/monitors/browser/browser.go
	modified:   x-pack/heartbeat/monitors/browser/source/local.go
	modified:   x-pack/heartbeat/monitors/browser/source/zipurl.go
	deleted:    x-pack/heartbeat/seccomp_linux.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   NOTICE.txt
	both modified:   dev-tools/packaging/packages.yml
	both modified:   go.mod

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

Mergify commands and options

More conditions and actions can be found in the documentation.

You can also trigger Mergify actions by commenting on this pull request:

  • @Mergifyio refresh will re-evaluate the rules
  • @Mergifyio rebase will rebase this PR on its base branch
  • @Mergifyio update will merge the base branch into this PR
  • @Mergifyio backport <destination> will backport this PR on <destination> branch

Additionally, on Mergify dashboard you can:

  • look at your merge queues
  • generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.io/

@andrewvc
[Heartbeat] Setuid to regular user / lower capabilities when possible (
51a7648 
…#27878)

partial fix for #27648 , this PR:

Detects if the user is running as root then:
Checks to see if an environment variable BEAT_SETUID_AS (set in our Docker.tmpl) is present
Attempts to Setuid , Setgid and Setgroups to that user / groups
Invokes setcap to drop all privileges except NET_RAW+ep
This PR also fixes the broken syscall filtering in heartbeat, some non-syscall strings were breaking that.

With the changes here elastic-agent can still run as root, but the subprocesses can lower their privileges ASAP. This should also make it possible for heartbeat to safely run ICMP pings and synthetics. Synthetics must run as non-root, but ICMP requires NET_RAW. This lets us be consistent in our docs with the recommendation that elastic-agent run as root.

(cherry picked from commit a78a980)

# Conflicts:
#	NOTICE.txt
#	dev-tools/packaging/packages.yml
#	go.mod
@mergify mergify bot requested a review from a team as a code owner October 13, 2021 00:38
@mergify mergify bot added backport conflicts There is a conflict in the backported pull request labels Oct 13, 2021
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 13, 2021
@elasticmachine
Copy link
Collaborator

elasticmachine commented Oct 13, 2021
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Duration: 177 min 40 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

@andrewvc andrewvc added the Team:obs-ds-hosted-services Label for the Observability Hosted Services team label Oct 13, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/uptime (Team:Uptime)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 13, 2021
@andrewvc
Copy link
Contributor

/package

@andrewvc
Copy link
Contributor

/test

@andrewvc andrewvc merged commit 7ac56da into 7.x Oct 14, 2021
@andrewvc andrewvc deleted the mergify/bp/7.x/pr-27878 branch October 14, 2021 01:51
@v1v v1v mentioned this pull request Oct 20, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@andrewvc andrewvc

Labels
backport conflicts There is a conflict in the backported pull request Team:obs-ds-hosted-services Label for the Observability Hosted Services team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@elasticmachine @andrewvc