From addd465a56a8404c1ca09918f3ba9da7d438a45f Mon Sep 17 00:00:00 2001 From: Andrew Cholakian Date: Mon, 18 Oct 2021 08:05:57 -0500 Subject: [PATCH] Revert "[Heartbeat] Setuid to regular user / lower capabilities when possible (#27878)" This reverts commit a78a980da2efbff2dcb32f44ed00852bf64af1d4. --- NOTICE.txt | 812 ------------------ dev-tools/notice/overrides.json | 2 - dev-tools/packaging/packages.yml | 2 +- .../docker/Dockerfile.elastic-agent.tmpl | 12 +- .../templates/docker/Dockerfile.tmpl | 12 +- go.mod | 2 - go.sum | 4 - heartbeat/beater/heartbeat.go | 7 +- heartbeat/scripts/mage/package.go | 2 +- heartbeat/security.go | 237 ----- packetbeat/scripts/mage/package.go | 2 +- x-pack/heartbeat/monitors/browser/browser.go | 11 +- .../monitors/browser/source/local.go | 3 +- .../monitors/browser/source/zipurl.go | 7 +- x-pack/heartbeat/seccomp_linux.go | 83 ++ 15 files changed, 107 insertions(+), 1091 deletions(-) delete mode 100644 heartbeat/security.go create mode 100644 x-pack/heartbeat/seccomp_linux.go diff --git a/NOTICE.txt b/NOTICE.txt index faa87a5077c..ae81d5f1a1d 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -18948,412 +18948,6 @@ Contents of probable licence file $GOMODCACHE/k8s.io/client-go@v0.21.1/LICENSE: limitations under the License. --------------------------------------------------------------------------------- -Dependency : kernel.org/pub/linux/libs/security/libcap/cap -Version: v1.2.57 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/kernel.org/pub/linux/libs/security/libcap/cap@v1.2.57/License: - -Unless otherwise *explicitly* stated, the following text describes the -licensed conditions under which the contents of this libcap/cap release -may be used and distributed. - -The licensed conditions are one or the other of these two Licenses: - - - BSD 3-clause - - GPL v2.0 - -------------------------------------------------------------------------- -BSD 3-clause: -------------- - -Redistribution and use in source and binary forms of libcap/cap, with -or without modification, are permitted provided that the following -conditions are met: - -1. Redistributions of source code must retain any existing copyright - notice, and this entire permission notice in its entirety, - including the disclaimer of warranties. - -2. Redistributions in binary form must reproduce all prior and current - copyright notices, this list of conditions, and the following - disclaimer in the documentation and/or other materials provided - with the distribution. - -3. The name of any author may not be used to endorse or promote - products derived from this software without their specific prior - written permission. - -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS -OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR -TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH -DAMAGE. - -------------------------------------------------------------------------- -GPL v2.0: ---------- - -ALTERNATIVELY, this product may be distributed under the terms of the -GNU General Public License (v2.0 - see below), in which case the -provisions of the GNU GPL are required INSTEAD OF the above -restrictions. (This clause is necessary due to a potential conflict -between the GNU GPL and the restrictions contained in a BSD-style -copyright.) - -------------------------- -Full text of gpl-2.0.txt: -------------------------- - - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. - - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. (Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. - -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. - - ================================================================================ @@ -36326,412 +35920,6 @@ Contents of probable licence file $GOMODCACHE/k8s.io/utils@v0.0.0-20201110183641 limitations under the License. --------------------------------------------------------------------------------- -Dependency : kernel.org/pub/linux/libs/security/libcap/psx -Version: v1.2.57 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/kernel.org/pub/linux/libs/security/libcap/psx@v1.2.57/License: - -Unless otherwise *explicitly* stated, the following text describes the -licensed conditions under which the contents of this libcap/psx release -may be used and distributed. - -The licensed conditions are one or the other of these two Licenses: - - - BSD 3-clause - - GPL v2.0 - -------------------------------------------------------------------------- -BSD 3-clause: -------------- - -Redistribution and use in source and binary forms of libcap/psx, with -or without modification, are permitted provided that the following -conditions are met: - -1. Redistributions of source code must retain any existing copyright - notice, and this entire permission notice in its entirety, - including the disclaimer of warranties. - -2. Redistributions in binary form must reproduce all prior and current - copyright notices, this list of conditions, and the following - disclaimer in the documentation and/or other materials provided - with the distribution. - -3. The name of any author may not be used to endorse or promote - products derived from this software without their specific prior - written permission. - -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS -OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR -TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH -DAMAGE. - -------------------------------------------------------------------------- -GPL v2.0: ---------- - -ALTERNATIVELY, this product may be distributed under the terms of the -GNU General Public License (v2.0 - see below), in which case the -provisions of the GNU GPL are required INSTEAD OF the above -restrictions. (This clause is necessary due to a potential conflict -between the GNU GPL and the restrictions contained in a BSD-style -copyright.) - -------------------------- -Full text of gpl-2.0.txt: -------------------------- - - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. - - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. (Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. - -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. - - -------------------------------------------------------------------------------- Dependency : sigs.k8s.io/structured-merge-diff/v4 Version: v4.1.0 diff --git a/dev-tools/notice/overrides.json b/dev-tools/notice/overrides.json index 6e2e2a2f505..3d81c36d3f6 100644 --- a/dev-tools/notice/overrides.json +++ b/dev-tools/notice/overrides.json @@ -11,5 +11,3 @@ {"name": "github.com/munnerz/goautoneg", "licenceType": "BSD-3-Clause"} {"name": "github.com/pelletier/go-buffruneio", "licenceType": "MIT"} {"name": "github.com/urso/magetools", "licenceType": "Apache-2.0"} -{"name": "kernel.org/pub/linux/libs/security/libcap/cap", "licenceType": "BSD-3-Clause", "note": "dual licensed as GPL-v2 and BSD"} -{"name": "kernel.org/pub/linux/libs/security/libcap/psx", "licenceType": "BSD-3-Clause", "note": "dual licensed as GPL-v2 and BSD"} \ No newline at end of file diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index a9f5f245eba..c0dc436f034 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml @@ -432,7 +432,7 @@ shared: dockerfile: 'Dockerfile.elastic-agent.tmpl' docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl' user: '{{ .BeatName }}' - linux_capabilities: 'cap_net_raw+eip' + linux_capabilities: '' image_name: '' files: 'elastic-agent.yml': diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl index 0044852b149..bbd31850ccb 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl @@ -17,6 +17,9 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s rm {{ $beatBinary }} && \ ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \ chmod 0755 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \ +{{- if .linux_capabilities }} + setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ +{{- end }} {{- range $i, $modulesd := .ModulesDirs }} chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \ {{- end }} @@ -27,20 +30,11 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s {{- end }} true -{{- if .linux_capabilities }} -# Since the beat is stored at the other end of a symlink we must follow the symlink first -# For security reasons setcap does not support symlinks. This is smart in the general case -# but in our specific case since we're building a trusted image from trusted binaries this is -# fine. Thus, we use readlink to follow the link and setcap on the actual binary -RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }} -{{- end }} - FROM {{ .from }} # Contains the elastic agent image variant, an empty string for the standard variant # or "complete" for the bigger one. ENV ELASTIC_AGENT_IMAGE_VARIANT={{.Variant}} -ENV BEAT_SETUID_AS={{ .user }} {{- if contains .from "ubi-minimal" }} RUN for iter in {1..10}; do microdnf update -y && microdnf install -y shadow-utils jq && microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl index e9060517947..829d004b9b6 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl @@ -13,19 +13,14 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/logs && \ find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \ find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \ chmod 0755 {{ $beatBinary }} && \ +{{- if .linux_capabilities }} + setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ +{{- end }} {{- range $i, $modulesd := .ModulesDirs }} chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \ {{- end }} chmod 0775 {{ $beatHome }}/data {{ $beatHome }}/logs -{{- if .linux_capabilities }} -# Since the beat is stored at the other end of a symlink we must follow the symlink first -# For security reasons setcap does not support symlinks. This is smart in the general case -# but in our specific case since we're building a trusted image from trusted binaries this is -# fine. Thus, we use readlink to follow the link and setcap on the actual binary -RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }} -{{- end }} - FROM {{ .from }} {{- if contains .from "ubi-minimal" }} @@ -132,7 +127,6 @@ USER {{ .user }} {{- if (and (eq .BeatName "heartbeat") (not (contains .from "ubi-minimal"))) }} # Setup synthetics env vars ENV ELASTIC_SYNTHETICS_CAPABLE=true -ENV BEAT_SETUID_AS={{ .user }} ENV SUITES_DIR={{ $beatHome }}/suites ENV NODE_VERSION=14.17.5 ENV PATH="$NODE_PATH/node/bin:$PATH" diff --git a/go.mod b/go.mod index 5a4166a251c..b39d9a8ec8f 100644 --- a/go.mod +++ b/go.mod @@ -191,7 +191,6 @@ require ( k8s.io/api v0.21.1 k8s.io/apimachinery v0.21.1 k8s.io/client-go v0.21.1 - kernel.org/pub/linux/libs/security/libcap/cap v1.2.57 ) require ( @@ -283,7 +282,6 @@ require ( k8s.io/klog/v2 v2.8.0 // indirect k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 // indirect k8s.io/utils v0.0.0-20201110183641-67b214c5f920 // indirect - kernel.org/pub/linux/libs/security/libcap/psx v1.2.57 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.1.0 // indirect sigs.k8s.io/yaml v1.2.0 // indirect ) diff --git a/go.sum b/go.sum index e9f77d064c9..673a40a1002 100644 --- a/go.sum +++ b/go.sum @@ -1344,10 +1344,6 @@ k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 h1:vEx13qjvaZ4yfObSSXW7BrMc/KQBBT/Jyee8XtLf4x0= k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -kernel.org/pub/linux/libs/security/libcap/cap v1.2.57 h1:2nmqI+aw7EQZuelYktkQHBE4jESD2tOR+lOJEnv/Apo= -kernel.org/pub/linux/libs/security/libcap/cap v1.2.57/go.mod h1:uI99C3r4SXvJeuqoEtx/eWt7UbmfqqZ80H8q+9t/A7I= -kernel.org/pub/linux/libs/security/libcap/psx v1.2.57 h1:NOFATXSf5z/cMR3HIwQ3Xrd3nwnWl5xThmNr5U/F0pI= -kernel.org/pub/linux/libs/security/libcap/psx v1.2.57/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24= k8s.io/utils v0.0.0-20201110183641-67b214c5f920 h1:CbnUZsM497iRC5QMVkHwyl8s2tB3g7yaSHkYPkpgelw= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/heartbeat/beater/heartbeat.go b/heartbeat/beater/heartbeat.go index 00ad0ead3c9..c7024e8033b 100644 --- a/heartbeat/beater/heartbeat.go +++ b/heartbeat/beater/heartbeat.go @@ -20,8 +20,11 @@ package beater import ( "errors" "fmt" +<<<<<<< HEAD "sync" "syscall" +======= +>>>>>>> parent of a78a980da2... [Heartbeat] Setuid to regular user / lower capabilities when possible (#27878) "time" "github.com/elastic/beats/v7/heartbeat/config" @@ -85,9 +88,7 @@ func New(b *beat.Beat, rawConfig *common.Config) (beat.Beater, error) { // Run executes the beat. func (bt *Heartbeat) Run(b *beat.Beat) error { logp.Info("heartbeat is running! Hit CTRL-C to stop it.") - groups, _ := syscall.Getgroups() - logp.Info("Effective user/group ids: %d/%d, with groups: %v", syscall.Geteuid(), syscall.Getegid(), groups) - + if bt.config.RunOnce != nil { err := bt.runRunOnce(b) if err != nil { diff --git a/heartbeat/scripts/mage/package.go b/heartbeat/scripts/mage/package.go index 0897c897d13..0094cff2d2e 100644 --- a/heartbeat/scripts/mage/package.go +++ b/heartbeat/scripts/mage/package.go @@ -48,7 +48,7 @@ func CustomizePackaging() { pkgType := args.Types[0] switch pkgType { case devtools.Docker: - args.Spec.ExtraVar("linux_capabilities", "cap_net_raw+eip") + args.Spec.ExtraVar("linux_capabilities", "cap_net_raw=eip") args.Spec.Files[monitorsDTarget] = monitorsD case devtools.TarGz, devtools.Zip: args.Spec.Files[monitorsDTarget] = monitorsD diff --git a/heartbeat/security.go b/heartbeat/security.go deleted file mode 100644 index e8d85e0330f..00000000000 --- a/heartbeat/security.go +++ /dev/null @@ -1,237 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// TODO: Support other architectures (e.g. arm) -//go:build linux -// +build linux - -package main - -import ( - "fmt" - "os" - "os/user" - "runtime" - "strconv" - "syscall" - - "kernel.org/pub/linux/libs/security/libcap/cap" - - "github.com/elastic/beats/v7/libbeat/common/seccomp" -) - -func init() { - // Here we set a bunch of linux specific security stuff. - // In the context of a container, where users frequently run as root, we follow BEAT_SETUID_AS to setuid/gid - // and add capabilities to make this actually run as a regular user. This also helps Node.js in synthetics, which - // does not want to run as root. It's also just generally more secure. - if localUserName := os.Getenv("BEAT_SETUID_AS"); localUserName != "" && syscall.Geteuid() == 0 { - err := changeUser(localUserName) - if err != nil { - panic(err) - } - } - - // Attempt to set capabilities before we setup seccomp rules - // Note that we discard any errors because they are not actionable. - // The beat should use `getcap` at a later point to examine available capabilities - // rather than relying on errors from `setcap` - setCapabilities() - - switch runtime.GOARCH { - case "amd64", "386": - err := setSeccompRules() - if err != nil { - panic(err) - } - } -} - -func changeUser(localUserName string) error { - localUser, err := user.Lookup(localUserName) - if err != nil { - return fmt.Errorf("could not lookup '%s': %w", localUser, err) - } - localUserUid, err := strconv.Atoi(localUser.Uid) - if err != nil { - return fmt.Errorf("could not parse UID '%s' as int: %w", localUser.Uid, err) - } - localUserGid, err := strconv.Atoi(localUser.Gid) - if err != nil { - return fmt.Errorf("could not parse GID '%s' as int: %w", localUser.Uid, err) - } - // We include the root group because the docker image contains many directories (data,logs) - // that are owned by root:root with 0775 perms. The heartbeat user is in both groups - // in the container, but we need to repeat that here. - err = syscall.Setgroups([]int{localUserGid, 0}) - if err != nil { - return fmt.Errorf("could not set groups: %w", err) - } - - // Set the main group as localUserUid so new files created are owned by the user's group - err = syscall.Setgid(localUserGid) - if err != nil { - return fmt.Errorf("could not set gid to %d: %w", localUserGid, err) - } - - // Note this is not the regular SetUID! Look at the 'cap' package docs for it, it preserves - // capabilities post-SetUID, which we use to lock things down immediately - err = cap.SetUID(localUserUid) - if err != nil { - return fmt.Errorf("could not setuid to %d: %w", localUserUid, err) - } - - // This may not be necessary, but is good hygeine, we do some shelling out to node/npm etc. - // and $HOME should reflect the user's preferences - return os.Setenv("HOME", localUser.HomeDir) -} - -func setCapabilities() error { - // Start with an empty capability set - newcaps := cap.NewSet() - // Both permitted and effective are required! Permitted makes the permmission - // possible to get, effective makes it 'active' - err := newcaps.SetFlag(cap.Permitted, true, cap.NET_RAW) - if err != nil { - return fmt.Errorf("error setting permitted setcap: %w", err) - } - err = newcaps.SetFlag(cap.Effective, true, cap.NET_RAW) - if err != nil { - return fmt.Errorf("error setting effective setcap: %w", err) - } - - // We do not want these capabilities to be inherited by subprocesses - err = newcaps.SetFlag(cap.Inheritable, false, cap.NET_RAW) - if err != nil { - return fmt.Errorf("error setting inheritable setcap: %w", err) - } - - // Apply the new capabilities to the current process (incl. all threads) - err = newcaps.SetProc() - if err != nil { - return fmt.Errorf("error setting new process capabilities via setcap: %w", err) - } - - return nil -} - -func setSeccompRules() error { - // We require a number of syscalls to run. This list was generated with - // mage build && env ELASTIC_SYNTHETICS_CAPABLE=true strace -f --output=syscalls ./heartbeat --path.config sample-synthetics-config/ -e - // then grepping for 'EPERM' in the 'syscalls' file. - syscalls := []string{ - "access", - "arch_prctl", - "bind", - "brk", - "capget", - "chdir", - "chmod", - "chown", - "clone", - "close", - "connect", - "creat", - "dup2", - "epoll_ctl", - "epoll_pwait", - "eventfd2", - "execve", - "exit", - "faccessat", - "fadvise64", - "fallocate", - "fcntl", - "flock", - "fstat", - "fsync", - "futex", - "capget", - "getcwd", - "getdents64", - "getegid", - "geteuid", - "getgid", - "getpeername", - "getpgrp", - "getpid", - "getppid", - "getpriority", - "getrandom", - "getresuid", - "getresgid", - "getrusage", - "getsockname", - "gettid", - "getuid", - "ioctl", - "inotify_init", - "lchown", - "link", - "lseek", - "madvise", - "memfd_create", - "mkdir", - "mkdirat", - "mlock", - "mmap", - "mprotect", - "munmap", - "nanosleep", - "name_to_handle_at", - "newfstatat", - "openat", - "pipe", - "pipe2", - "poll", - "prctl", - "pread64", - "prlimit64", - "pwrite64", - "read", - "readlink", - "readlinkat", - "recvfrom", - "rename", - "rmdir", - "rt_sigaction", - "rt_sigprocmask", - "rt_sigreturn", - "sched_getaffinity", - "sched_getparam", - "sched_getscheduler", - "select", - "sendto", - "set_robust_list", - "set_tid_address", - "setpriority", - "setsid", - "sigaltstack", - "socket", - "socketpair", - "stat", - "statx", - "symlink", - "umask", - "uname", - "unlink", - "utimensat", - "write", - } - - return seccomp.ModifyDefaultPolicy(seccomp.AddSyscall, syscalls...) -} diff --git a/packetbeat/scripts/mage/package.go b/packetbeat/scripts/mage/package.go index fe5e55bb305..e81176615ba 100644 --- a/packetbeat/scripts/mage/package.go +++ b/packetbeat/scripts/mage/package.go @@ -60,7 +60,7 @@ func CustomizePackaging() { args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.yml", configYml) args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfigYml) case devtools.Docker: - args.Spec.ExtraVar("linux_capabilities", "cap_net_raw,cap_net_admin+eip") + args.Spec.ExtraVar("linux_capabilities", "cap_net_raw,cap_net_admin=eip") default: panic(errors.Errorf("unhandled package type: %v", pkgType)) } diff --git a/x-pack/heartbeat/monitors/browser/browser.go b/x-pack/heartbeat/monitors/browser/browser.go index ba2de896d3c..1e37961a4e8 100644 --- a/x-pack/heartbeat/monitors/browser/browser.go +++ b/x-pack/heartbeat/monitors/browser/browser.go @@ -7,8 +7,8 @@ package browser import ( "fmt" "os" + "os/user" "sync" - "syscall" "github.com/elastic/beats/v7/heartbeat/monitors/plugin" "github.com/elastic/beats/v7/libbeat/common" @@ -35,9 +35,12 @@ func create(name string, cfg *common.Config) (p plugin.Plugin, err error) { logp.Info("Synthetic browser monitor detected! Please note synthetic monitors are a beta feature!") }) - // We do not use user.Current() which does not reflect setuid changes! - if syscall.Geteuid() == 0 { - return plugin.Plugin{}, fmt.Errorf("script monitors cannot be run as root!") + curUser, err := user.Current() + if err != nil { + return plugin.Plugin{}, fmt.Errorf("could not determine current user for script monitor %w: ", err) + } + if curUser.Uid == "0" { + return plugin.Plugin{}, fmt.Errorf("script monitors cannot be run as root! Current UID is %s", curUser.Uid) } s, err := NewSuite(cfg) diff --git a/x-pack/heartbeat/monitors/browser/source/local.go b/x-pack/heartbeat/monitors/browser/source/local.go index e4a4563dc65..ea0ce32f1d6 100644 --- a/x-pack/heartbeat/monitors/browser/source/local.go +++ b/x-pack/heartbeat/monitors/browser/source/local.go @@ -11,7 +11,6 @@ import ( "os/exec" "path" "path/filepath" - "syscall" "github.com/elastic/beats/v7/libbeat/logp" @@ -143,6 +142,6 @@ func runSimpleCommand(cmd *exec.Cmd, dir string) error { cmd.Dir = dir logp.Info("Running %s in %s", cmd, dir) output, err := cmd.CombinedOutput() - logp.Info("Ran %s (%d) got '%s': (%s) as (%d/%d)", cmd, cmd.ProcessState.ExitCode(), string(output), err, syscall.Getuid(), syscall.Geteuid()) + logp.Info("Ran %s got %s", cmd, string(output)) return err } diff --git a/x-pack/heartbeat/monitors/browser/source/zipurl.go b/x-pack/heartbeat/monitors/browser/source/zipurl.go index 2f2cc0bb6ff..7c07ab83fcf 100644 --- a/x-pack/heartbeat/monitors/browser/source/zipurl.go +++ b/x-pack/heartbeat/monitors/browser/source/zipurl.go @@ -113,10 +113,8 @@ func unzip(tf *os.File, targetDir string, folder string) error { for _, f := range rdr.File { err = unzipFile(targetDir, folder, f) if err != nil { - rmErr := os.RemoveAll(targetDir) - if rmErr != nil { - return fmt.Errorf("could not remove directory after encountering error unzipping file: %w, (original unzip error: %s)", rmErr, err) - } + // TODO: err handlers + os.RemoveAll(targetDir) return err } } @@ -199,6 +197,7 @@ func retryingZipRequest(method string, z *ZipURLSource) (resp *http.Response, er } func zipRequest(method string, z *ZipURLSource) (*http.Response, error) { + req, err := http.NewRequest(method, z.URL, nil) if err != nil { return nil, fmt.Errorf("could not issue request to: %s %w", z.URL, err) diff --git a/x-pack/heartbeat/seccomp_linux.go b/x-pack/heartbeat/seccomp_linux.go new file mode 100644 index 00000000000..eee23080c82 --- /dev/null +++ b/x-pack/heartbeat/seccomp_linux.go @@ -0,0 +1,83 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package main + +import ( + "runtime" + + "github.com/elastic/beats/v7/libbeat/common/seccomp" +) + +func init() { + switch runtime.GOARCH { + case "amd64", "386": + // We require a number of syscalls to run. This list was generated with + // mage build && env ELASTIC_SYNTHETICS_CAPABLE=true strace --output=syscalls ./heartbeat --path.config sample-synthetics-config/ -e + // then filtered through: cat syscalls | cut -d '(' -f 1 | egrep '\w+' -o | sort | uniq | xargs -n1 -IFF echo \"FF\" + // We should tighten this up before GA. While it is true that there are probably duplicate + // syscalls here vs. the base, this is probably OK for now. + syscalls := []string{ + "access", + "arch_prctl", + "bind", + "brk", + "clone", + "close", + "epoll_ctl", + "epoll_pwait", + "execve", + "exited", + "fcntl", + "flock", + "fstat", + "futex", + "geteuid", + "getgid", + "getpid", + "getppid", + "getrandom", + "getsockname", + "gettid", + "getuid", + "ioctl", + "mlock", + "mmap", + "mprotect", + "munmap", + "newfstatat", + "openat", + "prctl", + "pread64", + "prlimit64", + "read", + "readlinkat", + "recvfrom", + "rt_sigaction", + "rt_sigprocmask", + "rt_sigreturn", + "sched_getaffinity", + "sendto", + "set_robust_list", + "set_tid_address", + "si_code", + "sigaltstack", + "SIGINT", + "SIGURG", + "SI_KERNEL", + "si_pid", + "si_signo", + "SI_TKILL", + "si_uid", + "socket", + "umask", + "uname", + "with", + "write"} + + if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall, syscalls...); err != nil { + panic(err) + } + } +}