x-pack/auditbeat/module/system/process: don't try to hash files in other namespaces

CHANGELOG.next.asciidoc

@@ -144,6 +144,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Auditbeat*
 
+- system/process: Prevent hashing files in other mnt namespaces. {issue}25777[25777] {issue}29678[29678] {pull}29786[29786]
 
 *Filebeat*
 

x-pack/auditbeat/module/system/process/namepace_linux.go

@@ -0,0 +1,57 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//go:build linux
+// +build linux
+
+package process
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+
+	"github.com/pkg/errors"
+)
+
+// isNsSharedWith returns whether the process with the given pid shares the
+// namespace ns with the current process.
+func isNsSharedWith(pid int, ns string) (yes bool, err error) {
+	self, err := selfNsIno(ns)
+	if err != nil {
+		return false, err
+	}
+	other, err := nsIno(pid, ns)
+	if err != nil {
+		return false, err
+	}
+	return self == other, nil
+}
+
+// selfNsIno returns the inode number for the namespace ns for this process.
+func selfNsIno(ns string) (ino uint64, err error) {
+	fi, err := os.Stat(fmt.Sprintf("/proc/self/ns/%s", ns))
+	if err != nil {
+		return 0, err
+	}
+	sysInfo, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return 0, errors.New("not a stat_t")
+	}
+	return sysInfo.Ino, nil
+}
+
+// nsIno returns the inode number for the namespace ns for the process with
+// the given pid.
+func nsIno(pid int, ns string) (ino uint64, err error) {
+	fi, err := os.Stat(fmt.Sprintf("/proc/%d/ns/%s", pid, ns))
+	if err != nil {
+		return 0, err
+	}
+	sysInfo, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return 0, errors.New("not a stat_t")
+	}
+	return sysInfo.Ino, nil
+}

x-pack/auditbeat/module/system/process/namepace_other.go

@@ -0,0 +1,13 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//go:build !linux
+// +build !linux
+
+package process
+
+// isNsSharedWith returns true and nil.
+func isNsSharedWith(pid int, ns string) (yes bool, err error) {
+	return true, nil
+}

x-pack/auditbeat/module/system/process/process.go

@@ -319,15 +319,26 @@ func (ms *MetricSet) enrichProcess(process *Process) {
 	}
 
 	if process.Info.Exe != "" {
+		sharedMntNS, err := isNsSharedWith(process.Info.PID, "mnt")
+		if err != nil {
+			if process.Error == nil {
+				process.Error = errors.Wrapf(err, "failed to get namespaces for %v PID %v", process.Info.Exe,
+					process.Info.PID)
+			}
+			return
+		}
+		if !sharedMntNS {
+			return
+		}
 		hashes, err := ms.hasher.HashFile(process.Info.Exe)
 		if err != nil {
 			if process.Error == nil {
 				process.Error = errors.Wrapf(err, "failed to hash executable %v for PID %v", process.Info.Exe,
 					process.Info.PID)
 			}
-		} else {
-			process.Hashes = hashes
+			return
 		}
+		process.Hashes = hashes
 	}
 }