From da6bc264d214d467e9070d38908a6d72c83bef70 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Thu, 30 May 2024 07:41:38 +0300
Subject: [PATCH] [auditbeat/fim/kprobes] Correct seccomp policy for arm64 (#39759) (#39762)
* fix(auditbeat/fim/kprobes): do add syscalls in default seccomp policy for arm64
* doc: update CHANGELOG.next.asciidoc
(cherry picked from commit 7a561ffa3329a90d9e363d3b6c30926cdc1d296e)
Co-authored-by: Panos Koutsovasilis
---
 CHANGELOG.next.asciidoc | 2 +-
 ...eccomp_linux.go => seccomp_linux_amd64.go} | 30 ++++++++-----------
 2 files changed, 13 insertions(+), 19 deletions(-)
 rename auditbeat/module/file_integrity/kprobes/{seccomp_linux.go => seccomp_linux_amd64.go} (54%)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 3c262ca54037..3ace36a91c89 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -101,7 +101,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133]
 - Allow extra syscalls by auditbeat required in FIM with kprobes back-end {pull}39361[39361]
 - Fix losing events in FIM for OS X by allowing always to walk an added directory to monitor {pull}39362[39362]
-
+- Fix seccomp policy of FIM kprobes backend on arm64 {pull}39759[39759]
diff --git a/auditbeat/module/file_integrity/kprobes/seccomp_linux.go b/auditbeat/module/file_integrity/kprobes/seccomp_linux_amd64.go
similarity index 54%
rename from auditbeat/module/file_integrity/kprobes/seccomp_linux.go
rename to auditbeat/module/file_integrity/kprobes/seccomp_linux_amd64.go
index 90336f66795c..ee281831b251 100644
--- a/auditbeat/module/file_integrity/kprobes/seccomp_linux.go
+++ b/auditbeat/module/file_integrity/kprobes/seccomp_linux_amd64.go
@@ -18,27 +18,21 @@ package kprobes
 import (
- "runtime"
-
 "github.com/elastic/beats/v7/libbeat/common/seccomp"
 )
 func init() {
- switch runtime.GOARCH {
- case "amd64", "386", "arm64":
- // The module/file_integrity with kprobes BE uses additional syscalls
- if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
- "eventfd2", // required by auditbeat/tracing
- "mount", // required by auditbeat/tracing
- "perf_event_open", // required by auditbeat/tracing
- "ppoll", // required by auditbeat/tracing
- "umount2", // required by auditbeat/tracing
- "truncate", // required during kprobes verification
- "utime", // required during kprobes verification
- "utimensat", // required during kprobes verification
- "setxattr", // required during kprobes verification
- ); err != nil {
- panic(err)
- }
+ if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
+ "eventfd2", // required by auditbeat/tracing
+ "mount", // required by auditbeat/tracing
+ "perf_event_open", // required by auditbeat/tracing
+ "ppoll", // required by auditbeat/tracing
+ "umount2", // required by auditbeat/tracing
+ "truncate", // required during kprobes verification
+ "utime", // required during kprobes verification
+ "utimensat", // required during kprobes verification
+ "setxattr", // required during kprobes verification
+ ); err != nil {
+ panic(err)
 }
 }
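Review bot: The rename to `seccomp_linux_amd64.go` together with the removal of the `switch runtime.GOARCH` block makes this `init` compile only on amd64, silently dropping the `386` and `arm64` cases the old code handled, and nothing in the new file records why. Presumably `seccomp.ModifyDefaultPolicy` fails on architectures for which libbeat ships no default policy, which is what the title's arm64 fix refers to, but that reasoning should be written down, because anyone later adding a default policy for arm64 (or an `_arm64.go` counterpart) must also allow these nine syscalls or the kprobes backend will be killed by seccomp at runtime. Suggest a comment above `func init()`, e.g. `// Build-constrained to amd64 via the file-name suffix: ModifyDefaultPolicy only extends an existing default policy and [TODO confirm] libbeat ships one for amd64 only; on arm64 the kprobes backend currently runs without this allowlist.` The diffstat lists only these two files, so the arm64 side is not covered by a new file in this commit.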