[auditbeat] Allow memfd_create(2) in seccomp for add_session_metadata… #41297

haesbaert · 2024-10-17T21:07:29Z

Quark was falling back into kprobe since ebpf would fail with EPERM at memfd_create(2).

$ strace -f auditbeat ....
[pid  2917] memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC) = -1 EPERM (Operation not permitted)

With this my test case where kprobe is disabled now uses ebpf when I select backend "auto", before it was falling back to procfsprovider.

Proposed commit message

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
~~I have made corresponding changes to the documentation~~
~~I have made corresponding change to the default configuration files~~
~~I have added tests that prove my fix is effective or that my feature works~~
~~I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.~~

How to test this PR locally

Change QQ_ALL_BACKENDS to QQ_EBPF and kerneltracingprovider will fallback into procfs, with the fix it doesn't.

…@ebpf Quark was falling back into kprobe since ebpf would fail with EPERM at memfd_create(2). ``` $ strace -f auditbeat .... [pid 2917] memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC) = -1 EPERM (Operation not permitted) ``` With this my test case where kprobe is disabled now uses ebpf when I select backend "auto", before it was falling back to procfsprovider.

mergify · 2024-10-17T21:08:06Z

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @haesbaert? 🙏.
For such, you'll need to label your PR with:

The upcoming major version of the Elastic Stack
The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

mergify · 2024-10-17T21:08:06Z

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

elasticmachine · 2024-10-18T06:59:34Z

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

The whole idea of "the user should not even know which backend is being used", worked a bit too much. This was prompted by a bug in beats where seccomp was blocking a syscall needed for EBPF, and so it fell back to kprobe all the time and the user had no proper way to notice this. Related to elastic/beats#41297 Purposedly stashed this into stats to make it hard to retrieve from quark.c, if we start doing `if (qq->backend == QQ_EBPF)` we lost the war.

…@ebpf (#41297) Quark was falling back into kprobe since ebpf would fail with EPERM at memfd_create(2). ``` $ strace -f auditbeat .... [pid 2917] memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC) = -1 EPERM (Operation not permitted) ``` With this my test case where kprobe is disabled now uses ebpf when I select backend "auto", before it was falling back to procfsprovider. (cherry picked from commit 6766cfa)

…@ebpf (elastic#41297) Quark was falling back into kprobe since ebpf would fail with EPERM at memfd_create(2). ``` $ strace -f auditbeat .... [pid 2917] memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC) = -1 EPERM (Operation not permitted) ``` With this my test case where kprobe is disabled now uses ebpf when I select backend "auto", before it was falling back to procfsprovider.

The whole idea of "the user should not even know which backend is being used", worked a bit too much. This was prompted by a bug in beats where seccomp was blocking a syscall needed for EBPF, and so it fell back to kprobe all the time and the user had no proper way to notice this. Related to elastic/beats#41297 Purposedly stashed this into stats to make it hard to retrieve from quark.c, if we start doing `if (qq->backend == QQ_EBPF)` we lost the war.

…@ebpf (#41297) (#41316) Quark was falling back into kprobe since ebpf would fail with EPERM at memfd_create(2). ``` $ strace -f auditbeat .... [pid 2917] memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC) = -1 EPERM (Operation not permitted) ``` With this my test case where kprobe is disabled now uses ebpf when I select backend "auto", before it was falling back to procfsprovider. (cherry picked from commit 6766cfa) Co-authored-by: Christiano Haesbaert <[email protected]>

…@ebpf (#41297) (#41317) Quark was falling back into kprobe since ebpf would fail with EPERM at memfd_create(2). ``` $ strace -f auditbeat .... [pid 2917] memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC) = -1 EPERM (Operation not permitted) ``` With this my test case where kprobe is disabled now uses ebpf when I select backend "auto", before it was falling back to procfsprovider. (cherry picked from commit 6766cfa) Co-authored-by: Christiano Haesbaert <[email protected]>

haesbaert added the bugfix label Oct 17, 2024

haesbaert requested a review from a team as a code owner October 17, 2024 21:07

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 17, 2024

mergify bot assigned haesbaert Oct 17, 2024

mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Oct 17, 2024

haesbaert added the backport-8.16 Automated backport with mergify label Oct 17, 2024

mjwolf approved these changes Oct 17, 2024

View reviewed changes

haesbaert added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Oct 18, 2024

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 18, 2024

haesbaert mentioned this pull request Oct 18, 2024

Stash the active backend in quark_queue_stats{} elastic/quark#84

Merged

mjwolf merged commit 6766cfa into main Oct 18, 2024

mjwolf deleted the seccomp-memfd branch October 18, 2024 14:31

This was referenced Oct 18, 2024

[8.16](backport #41297) [auditbeat] Allow memfd_create(2) in seccomp for add_session_metadata… #41316

Merged

[8.x](backport #41297) [auditbeat] Allow memfd_create(2) in seccomp for add_session_metadata… #41317

Merged

khushijain21 mentioned this pull request Jun 23, 2025

test4 #44958

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[auditbeat] Allow memfd_create(2) in seccomp for add_session_metadata… #41297

[auditbeat] Allow memfd_create(2) in seccomp for add_session_metadata… #41297

Uh oh!

haesbaert commented Oct 17, 2024 •

edited

Loading

Uh oh!

mergify bot commented Oct 17, 2024

Uh oh!

mergify bot commented Oct 17, 2024

Uh oh!

elasticmachine commented Oct 18, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

[auditbeat] Allow memfd_create(2) in seccomp for add_session_metadata… #41297

[auditbeat] Allow memfd_create(2) in seccomp for add_session_metadata… #41297

Uh oh!

Conversation

haesbaert commented Oct 17, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed commit message

Checklist

How to test this PR locally

Uh oh!

mergify bot commented Oct 17, 2024

Uh oh!

mergify bot commented Oct 17, 2024

Uh oh!

elasticmachine commented Oct 18, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

haesbaert commented Oct 17, 2024 •

edited

Loading