diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 5a27a9980ea..8a2efe16a90 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -13,6 +13,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] - Update Go version to 1.22.5. {pull}40082[40082] - Fix FQDN being lowercased when used as `host.hostname` {issue}39993[39993] - Beats won't log start up information when running under the Elastic Agent {40390}40390[40390] +- Elevate effective capability set to match the Permitted set for agentbeat {pull}40466[40466] - Filebeat now needs `dup3`, `faccessat2`, `prctl` and `setrlimit` syscalls to run the journald input. If this input is not being used, the syscalls are not needed. All Beats have those syscalls allowed now because the default seccomp policy is global to all Beats. {pull}40061[40061] *Auditbeat* diff --git a/x-pack/agentbeat/capabilities_linux.go b/x-pack/agentbeat/capabilities_linux.go new file mode 100644 index 00000000000..02fc6d78963 --- /dev/null +++ b/x-pack/agentbeat/capabilities_linux.go @@ -0,0 +1,96 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package main + +import ( + "fmt" + "os" + + "kernel.org/pub/linux/libs/security/libcap/cap" +) + +type capProc interface { + GetFlag(vec cap.Flag, val cap.Value) (bool, error) + SetFlag(vec cap.Flag, enable bool, val ...cap.Value) error + SetProc() error +} + +var ( + // for unit-testing + capProcFunc = func() capProc { + return cap.GetProc() + } +) + +func initCapabilities() { + isRoot, err := hasRoot() + if err != nil { + fmt.Fprintf(os.Stderr, "Warning: %v\n", err) + } + if !isRoot { + if err := raiseEffectiveCapabilities(); err != nil { + fmt.Fprintf(os.Stderr, "Warning: %v\n", err) + } + } +} + +// raiseEffectiveCapabilities raises the capabilities of the Effective and Inheritable sets to match +// the ones in the Permitted set. Note that any capabilities that are not part of the Bounding set +// are exclude by the OS from the Permitted set. +func raiseEffectiveCapabilities() error { + procCaps := capProcFunc() + + setProc := false + + for val := cap.Value(0); val < cap.MaxBits(); val++ { + permittedHasCap, err := procCaps.GetFlag(cap.Permitted, val) + if err != nil { + return fmt.Errorf("get cap from permitted failed: %w", err) + } + if !permittedHasCap { + continue + } + + effectiveHasCap, err := procCaps.GetFlag(cap.Effective, val) + if err != nil { + return fmt.Errorf("get cap from effective failed: %w", err) + } + if !effectiveHasCap { + err = procCaps.SetFlag(cap.Effective, true, val) + if err != nil { + return fmt.Errorf("set cap to permitted failed: %w", err) + } + setProc = true + } + + inheritableHasCap, err := procCaps.GetFlag(cap.Inheritable, val) + if err != nil { + return fmt.Errorf("get cap from effective failed: %w", err) + } + if !inheritableHasCap { + err = procCaps.SetFlag(cap.Inheritable, true, val) + if err != nil { + return fmt.Errorf("set cap to inheritable failed: %w", err) + } + setProc = true + } + } + + if !setProc { + return nil + } + + if err := procCaps.SetProc(); err != nil { + return fmt.Errorf("set proc failed: %w", err) + } + + return nil +} + +// hasRoot returns true if the user has root permissions. +// Added extra `nil` value to return since the hasRoot for windows will return an error as well +func hasRoot() (bool, error) { + return os.Geteuid() == 0, nil +} diff --git a/x-pack/agentbeat/capabilities_other.go b/x-pack/agentbeat/capabilities_other.go new file mode 100644 index 00000000000..f21e5b0d4f0 --- /dev/null +++ b/x-pack/agentbeat/capabilities_other.go @@ -0,0 +1,9 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +//go:build !linux + +package main + +func initCapabilities() {} diff --git a/x-pack/agentbeat/main.go b/x-pack/agentbeat/main.go index f7c36c2f7d3..d2de2544cae 100644 --- a/x-pack/agentbeat/main.go +++ b/x-pack/agentbeat/main.go @@ -70,8 +70,12 @@ func prepareCommand(rootCmd *cmd.BeatsRootCmd) *cobra.Command { // filename, as all the beats set this in the initialization. err := cfgfile.ChangeDefaultCfgfileFlag(rootCmd.Use) if err != nil { - panic(fmt.Errorf("failed to set default config file path: %v", err)) + panic(fmt.Errorf("failed to set default config file path: %w", err)) } + + // elevate Effective capabilities to match the Permitted set. + // required for unprivileged mode + initCapabilities() return nil } return &rootCmd.Command