[auditbeat] Allow memfd_create(2) in seccomp for add_session_metadata…

…@ebpf (#41297) Quark was falling back into kprobe since ebpf would fail with EPERM at memfd_create(2). ``` $ strace -f auditbeat .... [pid 2917] memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC) = -1 EPERM (Operation not permitted) ``` With this my test case where kprobe is disabled now uses ebpf when I select backend "auto", before it was falling back to procfsprovider.
elastic · Oct 18, 2024 · 6766cfa · 6766cfa
1 parent b493c7f
commit 6766cfa
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/x-pack/auditbeat/seccomp_linux.go b/x-pack/auditbeat/seccomp_linux.go
@@ -35,5 +35,13 @@ func init() {
 		); err != nil {
 			panic(err)
 		}
+
+		// The sessionmd processor kerneltracingprovider needs
+		// memfd_create to operate via EBPF
+		if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
+			"memfd_create",
+		); err != nil {
+			panic(err)
+		}
 	}
 }