From 6766cfaf65d12a546d5615007bb497adbea83f9e Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Fri, 18 Oct 2024 16:31:51 +0200
Subject: [PATCH] [auditbeat] Allow memfd_create(2) in seccomp for add_session_metadata@ebpf (#41297)
Quark was falling back into kprobe since ebpf would fail with EPERM at memfd_create(2).
```
$ strace -f auditbeat
....
[pid 2917] memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC) = -1 EPERM (Operation not permitted)
```
With this my test case where kprobe is disabled now uses ebpf when I select backend "auto", before it was falling back to procfsprovider.
---
x-pack/auditbeat/seccomp_linux.go | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/x-pack/auditbeat/seccomp_linux.go b/x-pack/auditbeat/seccomp_linux.go
index 709d973465d..5dd05618d31 100644
--- a/x-pack/auditbeat/seccomp_linux.go
+++ b/x-pack/auditbeat/seccomp_linux.go
@@ -35,5 +35,13 @@ func init() {
 ); err != nil {
 panic(err)
 }
+
+ // The sessionmd processor kerneltracingprovider needs
+ // memfd_create to operate via EBPF
+ if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
+ "memfd_create",
+ ); err != nil {
+ panic(err)
+ }
 }
 }
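Review bot: The added `seccomp.ModifyDefaultPolicy(seccomp.AddSyscall, "memfd_create")` call widens the seccomp allowlist for the whole auditbeat process unconditionally at init, even when the sessionmd kerneltracing backend is never configured, and the comment does not say so; memfd_create is also a well-known building block for fileless execution (an anonymous in-memory file later handed to execveat/fexecve), so the relaxation deserves an explicit justification next to it, e.g. `// The sessionmd processor's kerneltracing (eBPF) provider needs memfd_create(2) for libbpf's placeholder fd. This is a deliberate process-wide relaxation of the seccomp policy, applied regardless of which backend is selected.` Whether the existing policy already permits execveat or another exec-family syscall that would make this combination meaningful cannot be seen from this hunk and should be confirmed against the default policy. As a point of style, the first ModifyDefaultPolicy call that begins above the hunk presumably adds other syscalls the same way, and folding `"memfd_create"` into that single call would keep the allowlist in one place instead of two panicking blocks; the enclosing init() starts outside the hunk.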