[agentbeat] Fix agentbeat capabilities (#40466)

* chore: add effective capabiltiies in agentbeat * chore: comments * fix: changelog * fix: add license * fix: lint * fix: goimports * fix: remove HasRoot for other OSes --------- Co-authored-by: Pierre HILBERT <[email protected]>
elastic · Aug 12, 2024 · 36cef2f · 36cef2f
1 parent 7b041ba
commit 36cef2f
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -13,6 +13,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Update Go version to 1.22.5. {pull}40082[40082]
 - Fix FQDN being lowercased when used as `host.hostname` {issue}39993[39993]
 - Beats won't log start up information when running under the Elastic Agent {40390}40390[40390]
+- Elevate effective capability set to match the Permitted set for agentbeat {pull}40466[40466]
 - Filebeat now needs `dup3`, `faccessat2`, `prctl` and `setrlimit` syscalls to run the journald input. If this input is not being used, the syscalls are not needed. All Beats have those syscalls allowed now because the default seccomp policy is global to all Beats. {pull}40061[40061]
 
 *Auditbeat*

diff --git a/x-pack/agentbeat/capabilities_linux.go b/x-pack/agentbeat/capabilities_linux.go
@@ -0,0 +1,96 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"kernel.org/pub/linux/libs/security/libcap/cap"
+)
+
+type capProc interface {
+	GetFlag(vec cap.Flag, val cap.Value) (bool, error)
+	SetFlag(vec cap.Flag, enable bool, val ...cap.Value) error
+	SetProc() error
+}
+
+var (
+	// for unit-testing
+	capProcFunc = func() capProc {
+		return cap.GetProc()
+	}
+)
+
+func initCapabilities() {
+	isRoot, err := hasRoot()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Warning: %v\n", err)
+	}
+	if !isRoot {
+		if err := raiseEffectiveCapabilities(); err != nil {
+			fmt.Fprintf(os.Stderr, "Warning: %v\n", err)
+		}
+	}
+}
+
+// raiseEffectiveCapabilities raises the capabilities of the Effective and Inheritable sets to match
+// the ones in the Permitted set. Note that any capabilities that are not part of the Bounding set
+// are exclude by the OS from the Permitted set.
+func raiseEffectiveCapabilities() error {
+	procCaps := capProcFunc()
+
+	setProc := false
+
+	for val := cap.Value(0); val < cap.MaxBits(); val++ {
+		permittedHasCap, err := procCaps.GetFlag(cap.Permitted, val)
+		if err != nil {
+			return fmt.Errorf("get cap from permitted failed: %w", err)
+		}
+		if !permittedHasCap {
+			continue
+		}
+
+		effectiveHasCap, err := procCaps.GetFlag(cap.Effective, val)
+		if err != nil {
+			return fmt.Errorf("get cap from effective failed: %w", err)
+		}
+		if !effectiveHasCap {
+			err = procCaps.SetFlag(cap.Effective, true, val)
+			if err != nil {
+				return fmt.Errorf("set cap to permitted failed: %w", err)
+			}
+			setProc = true
+		}
+
+		inheritableHasCap, err := procCaps.GetFlag(cap.Inheritable, val)
+		if err != nil {
+			return fmt.Errorf("get cap from effective failed: %w", err)
+		}
+		if !inheritableHasCap {
+			err = procCaps.SetFlag(cap.Inheritable, true, val)
+			if err != nil {
+				return fmt.Errorf("set cap to inheritable failed: %w", err)
+			}
+			setProc = true
+		}
+	}
+
+	if !setProc {
+		return nil
+	}
+
+	if err := procCaps.SetProc(); err != nil {
+		return fmt.Errorf("set proc failed: %w", err)
+	}
+
+	return nil
+}
+
+// hasRoot returns true if the user has root permissions.
+// Added extra `nil` value to return since the hasRoot for windows will return an error as well
+func hasRoot() (bool, error) {
+	return os.Geteuid() == 0, nil
+}
diff --git a/x-pack/agentbeat/capabilities_other.go b/x-pack/agentbeat/capabilities_other.go
@@ -0,0 +1,9 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//go:build !linux
+
+package main
+
+func initCapabilities() {}
diff --git a/x-pack/agentbeat/main.go b/x-pack/agentbeat/main.go
@@ -70,8 +70,12 @@ func prepareCommand(rootCmd *cmd.BeatsRootCmd) *cobra.Command {
 		// filename, as all the beats set this in the initialization.
 		err := cfgfile.ChangeDefaultCfgfileFlag(rootCmd.Use)
 		if err != nil {
-			panic(fmt.Errorf("failed to set default config file path: %v", err))
+			panic(fmt.Errorf("failed to set default config file path: %w", err))
 		}
+
+		// elevate Effective capabilities to match the Permitted set.
+		// required for unprivileged mode
+		initCapabilities()
 		return nil
 	}
 	return &rootCmd.Command