Cherry-pick #20054 to 7.8: [Filebeat] Chmod/Chown seccomp fix #20062
* Fix fchmod syscall seccomp policy
* Fix chown
* Add changelog entry

(cherry picked from commit bf56f6c)
Pinging @elastic/siem (Team:SIEM)

💔 Build Failed
…lastic#20062)
* [Filebeat] Chmod/Chown seccomp fix (elastic#20054)
* Fix fchmod syscall seccomp policy
* Fix chown
* Add changelog entry

(cherry picked from commit f4b2c48)
* fix changelog
Cherry-pick of PR #20054 to 7.8 branch. Original message:
What does this PR do?
So, to support changing the file permissions dynamically for the filebeat unix socket input under seccomp, I had previously leveraged the fact that `chmod` was already in our whitelist--corresponding to this call--which was initially added in this commit, and also added a whitelist entry for `chown` to support `os.Chown`.

However, interestingly enough, on Linux systems `syscall.Chmod` and `syscall.Chown` don't actually call the `chown` or `chmod` syscalls at all (good naming convention, right?). Instead they use `fchownat` and `fchmodat`--see here.

Currently filebeat is broken under seccomp without these additional entries.
Checklist
[ ] I have commented my code, particularly in hard-to-understand areas
[ ] I have made corresponding changes to the documentation
[ ] I have made corresponding change to the default configuration files
[ ] I have added tests that prove my fix is effective or that my feature works
`CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.
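An added example, not part of the PR or of the Beats code base: a simplified Go model of an allowlist seccomp policy, showing why entries named `chmod` and `chown` do not cover `syscall.Chmod` and `syscall.Chown`. The `Group` and `Policy` types, `ActionFor`, `Blocked` and the sample policies are hypothetical; the call-to-syscall mapping is the one stated in the description above.

```go
package main

import "fmt"

// Group and Policy are a simplified, hypothetical model of an allowlist
// seccomp policy: listed syscalls get Action, all others get Default.
type Group struct{ Action string; Names []string }
type Policy struct{ Default string; Groups []Group }

// ActionFor returns the action of the first group listing sys, else Default.
func (p Policy) ActionFor(sys string) string {
	for _, g := range p.Groups {
		for _, n := range g.Names {
			if n == sys {
				return g.Action
			}
		}
	}
	return p.Default
}

// issued maps a Go call to the Linux syscall it actually makes, as stated in
// the PR description. The filter matches these, not the Go function names.
var issued = map[string]string{
	"syscall.Chmod": "fchmodat",
	"syscall.Chown": "fchownat",
}

// Blocked lists "call -> syscall" for each Go call the policy does not allow.
// Calls missing from the table are reported as blocked (fail closed).
func Blocked(p Policy, calls ...string) []string {
	var out []string
	for _, c := range calls {
		sys, ok := issued[c]
		if !ok {
			sys = "unknown"
		}
		if !ok || p.ActionFor(sys) != "allow" {
			out = append(out, c+" -> "+sys)
		}
	}
	return out
}

func main() {
	before := Policy{"errno", []Group{{"allow", []string{"chmod", "chown"}}}} // constructed sample
	after := Policy{"errno", []Group{{"allow", []string{"chmod", "chown", "fchmodat", "fchownat"}}}}
	fmt.Println("before:", Blocked(before, "syscall.Chmod", "syscall.Chown"))
	fmt.Println("after: ", Blocked(after, "syscall.Chmod", "syscall.Chown"))
}
```

Auditing a policy against the syscalls a binary really issues, rather than against the names of the library functions it calls, catches this kind of mismatch before the filter is enforced.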