[Heartbeat][Agent] Seccomp / synthetics bugfix improvements (#28514)

andrewvc · web-flow · commit 81c38fc4c009 · 2021-10-19T13:10:51.000-05:00
Fixes a variety of seccomp and synthetics execution related issues:

Adds the setcap syscall, which chrome invokes to drop all privileges. Chrome crashes w/o this.
Adds the getgroups syscall, which we use to log the active groups
Improves logging for process execution failures with more detail
diff --git a/heartbeat/beater/heartbeat.go b/heartbeat/beater/heartbeat.go
@@ -39,6 +39,7 @@ import (
 	"github.com/elastic/beats/v7/libbeat/management"
 	"github.com/elastic/beats/v7/x-pack/functionbeat/function/core"
 
+	_ "github.com/elastic/beats/v7/heartbeat/security"
 	_ "github.com/elastic/beats/v7/libbeat/processors/script"
 )
 
diff --git a/heartbeat/security/security.go b/heartbeat/security/security.go
@@ -19,7 +19,7 @@
 //go:build linux
 // +build linux
 
-package main
+package security
 
 import (
 	"fmt"
@@ -139,6 +139,7 @@ func setSeccompRules() error {
 		"bind",
 		"brk",
 		"capget",
+		"capset",
 		"chdir",
 		"chmod",
 		"chown",
@@ -165,6 +166,7 @@ func setSeccompRules() error {
 		"getdents64",
 		"getegid",
 		"geteuid",
+		"getgroups",
 		"getgid",
 		"getpeername",
 		"getpgrp",
diff --git a/heartbeat/security/security_all.go b/heartbeat/security/security_all.go
@@ -0,0 +1,22 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package security
+
+// Empty file so that non-linux platforms have *something*
+// to import, thus preventing mage from complaining
+// no files are imported from the package
diff --git a/x-pack/heartbeat/monitors/browser/synthexec/synthexec.go b/x-pack/heartbeat/monitors/browser/synthexec/synthexec.go
@@ -173,13 +173,15 @@ func runCmd(
 		wg.Done()
 	}()
 	err = cmd.Start()
+	if err != nil {
+		logp.Warn("Could not start command %s: %s", cmd, err)
+		return nil, err
+	}
 
 	// Kill the process if the context ends
 	go func() {
-		select {
-		case <-ctx.Done():
-			cmd.Process.Kill()
-		}
+		<-ctx.Done()
+		cmd.Process.Kill()
 	}()
 
 	// Close mpx after the process is done and all events have been sent / consumed
@@ -194,7 +196,7 @@ func runCmd(
 				Type:  "cmd/status",
 				Error: &SynthError{Name: "cmdexit", Message: str},
 			})
-			logp.Warn("Error executing command '%s': %s", cmd.String(), err)
+			logp.Warn("Error executing command '%s' (%d): %s", cmd.String(), cmd.ProcessState.ExitCode(), err)
 		}
 		wg.Wait()
 		mpx.Close()

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@ import (`
`39`	`39`	`"github.com/elastic/beats/v7/libbeat/management"`
`40`	`40`	`"github.com/elastic/beats/v7/x-pack/functionbeat/function/core"`
`41`	`41`
	`42`	`+ _ "github.com/elastic/beats/v7/heartbeat/security"`
`42`	`43`	`_ "github.com/elastic/beats/v7/libbeat/processors/script"`
`43`	`44`	`)`
`44`	`45`