[Heartbeat] Add prctl dumpable flag reset after cap drop (#38269)

Enforce dumpable attribute on heartbeat process for /proc/io to be readable by elastic-agent. --------- Co-authored-by: Vignesh Shanmugam <[email protected]>
elastic · Mar 14, 2024 · 9c9ae35 · 9c9ae35
1 parent 361a62f
commit 9c9ae35
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -107,6 +107,7 @@ fields added to events containing the Beats version. {pull}37553[37553]
 - Fix panics when parsing dereferencing invalid parsed url. {pull}34702[34702]
 - Fix setuid root when running under cgroups v2. {pull}37794[37794]
 - Adjust State loader to only retry when response code status is 5xx {pull}37981[37981]
+- Reset prctl dumpable flag after cap drop. {pull}38269[38269] 
 
 *Metricbeat*
 

diff --git a/heartbeat/security/security.go b/heartbeat/security/security.go
@@ -26,6 +26,7 @@ import (
 	"strconv"
 	"syscall"
 
+	"golang.org/x/sys/unix"
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 )
 
@@ -46,6 +47,9 @@ func init() {
 	// The beat should use `getcap` at a later point to examine available capabilities
 	// rather than relying on errors from `setcap`
 	_ = setCapabilities()
+
+	// Make heartbeat dumpable so elastic-agent can access process metrics.
+	_ = setDumpable()
 }
 
 func setNodeProcAttr(localUserName string) error {
@@ -99,3 +103,13 @@ func setCapabilities() error {
 
 	return nil
 }
+
+// Enforce PR_SET_DUMPABLE=true to allow user-level access to /proc/<pid>/io.
+func setDumpable() error {
+	_, err := cap.Prctl(unix.PR_SET_DUMPABLE, 1)
+	if err != nil {
+		return fmt.Errorf("error setting dumpable flag via prctl: %w", err)
+	}
+
+	return nil
+}