Add syscalls required to call journalctl

This commit adds the missing syscalls to our seccomp policy so Filebeat can start the journalctl process. The syscalls were acquired by running Filebeat with the seccomp default action set to "log", and running Auditbeat to collect those logs and convert the syscall number into a name accepted by our seccomp policy.
elastic · Aug 7, 2024 · 284f7b1 · 284f7b1
1 parent 146d285
commit 284f7b1
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 6 deletions.
diff --git a/libbeat/common/seccomp/policy_linux_386.go b/libbeat/common/seccomp/policy_linux_386.go
@@ -41,14 +41,15 @@ func init() {
 					"close",
 					"dup",
 					"dup2",
+					"dup3",
 					"epoll_create",
 					"epoll_create1",
 					"epoll_ctl",
 					"epoll_wait",
-					"exec",
 					"execve",
 					"exit",
 					"exit_group",
+					"faccessat2",
 					"fchdir",
 					"fchmod",
 					"fchmodat",
@@ -58,7 +59,6 @@ func init() {
 					"fcntl64",
 					"fdatasync",
 					"flock",
-					"fork",
 					"fstat64",
 					"fstatat64",
 					"fsync",
@@ -95,6 +95,7 @@ func init() {
 					"pipe",
 					"pipe2",
 					"poll",
+					"prctl",
 					"pread64",
 					"prlimit64",
 					"pselect6",
@@ -117,6 +118,7 @@ func init() {
 					"setgid32",
 					"setgroups32",
 					"setitimer",
+					"setrlimit",
 					"setuid32",
 					"sigaltstack",
 					"socketcall",

diff --git a/libbeat/common/seccomp/policy_linux_amd64.go b/libbeat/common/seccomp/policy_linux_amd64.go
@@ -45,15 +45,16 @@ func init() {
 					"connect",
 					"dup",
 					"dup2",
+					"dup3",
 					"epoll_create",
 					"epoll_create1",
 					"epoll_ctl",
 					"epoll_pwait",
 					"epoll_wait",
-					"exec",
 					"execve",
 					"exit",
 					"exit_group",
+					"faccessat2",
 					"fchdir",
 					"fchmod",
 					"fchmodat",
@@ -62,7 +63,6 @@ func init() {
 					"fcntl",
 					"fdatasync",
 					"flock",
-					"fork",
 					"fstat",
 					"fstatfs",
 					"fsync",
@@ -106,6 +106,7 @@ func init() {
 					"pipe2",
 					"poll",
 					"ppoll",
+					"prctl",
 					"pread64",
 					"pselect6",
 					"pwrite64",
@@ -129,6 +130,7 @@ func init() {
 					"sendto",
 					"set_robust_list",
 					"setitimer",
+					"setrlimit",
 					"setsockopt",
 					"shutdown",
 					"sigaltstack",

diff --git a/libbeat/common/seccomp/seccomp-profiler-allow.txt b/libbeat/common/seccomp/seccomp-profiler-allow.txt
@@ -31,5 +31,7 @@ wait4
 execve
 
 # Jounrald input
-exec
-fork
+dup3
+faccessat2
+prctl
+setrlimit