-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[elastic-agent] apm-server permissions for forking java-attacher #95
Comments
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane) |
@stuartnelson3 from what i understand even if you set those specific permissions through Kibana it does not end up in the Agent config right? |
I'm not sure if setting these permissions is possible through kibana; i believe all services/integrations are running with a static set of allowed systemcalls. |
Revert the following PR once this issue has been resolved: elastic/kibana#122164 |
I do need @ruflin opinion here :-) |
After doing some - "fork" # apm-server
- "execve" # apm-server
- "prlimit64" # java-attacher
- "socketpair" # java-attacher
- "vfork" # java-attacher
- "getegid" # java-attacher The full policy is available here: https://gist.github.com/stuartnelson3/0fecf0f25198b3b791aa3faa59f96cae Only the commented syscalls (copied above) are not part of the default amd64 policy. For completeness, we would have to also have a list for each of the following:
|
Can you share an example on how this is exactly done? When running under Elastic Agent, what is the expected behaviour. Should the apm-server always have these permissions or only when enabled through the UI? @Mpdreamz Would be great if you could also chime in here. |
@stuartnelson3 We will discuss about it during the 8.2 release cycle. We will then get in touch with you to find a proper solution. |
Adding some more context to this. As of today, standalone beats offer a When the Elastic Agent manages processes, there is currently no way of providing a custom seccomp policy per process (beat), but seccomp is still enabled by default. This locks the permissions to the default policy and is more restrictive than it was for standalone beats.
This is currently blocking the APM team from making progress with enabling the Java Auto Attacher feature (elastic/apm-server#7023). |
Sorry, this is not intentional, to clarify even more I am still surprised seccomp was still in beta, it's been in the code for at least ~3 years, this is also something we should take care. We do not have a plan or strategy at how we would lock down elastic-agent or process, custom seccomp policies seems a good way to do it, and making it user-configurable is something we should do. AFAIK We had a discussion in elastic/beats#29809 to allow developers to a We can also discuss if we can create seccomp rules associated with a specific integration but that would require a more deeper discussion, I think we should eventually need it. I've created #90 on our side to track the work on it. |
Yeah,
The current implementation has the Beat process setting its seccomp policy early in the startup. Once it's set it cannot be changed unless the process is restarted. So if Agent wanted to modify the policy to align with the requirements of a particular integration or use-case then Agent would be required to restart the process with a different seccomp policy. I wanted to mention this because IIUC the Beat processes are not restarted when integration policies are changed. |
I have just realized that the attacher also forks itself, which might require additional permissions. Background: Question: when we allow APM Server to fork the java attacher, what are the seccomp permissions for the java attacher? Can it fork itself? To we need to add another explicit inclusion rule? |
This is what I though, I believe we could force a restart on theses options change, I believe we do it for output. IIRC. |
@felixbarny from the
I have to dig deeper but you can restrict a child more looking at https://stackoverflow.com/questions/65153051/install-seccomp-filter-in-child |
IINM, APM Server already restarts when anything in the policy changes. @axw can you confirm? |
@felixbarny no, policy changes don't restart the process. The server creates a new listening socket, new aggregation processors, etc., to which new requests are sent; and then drains the existing listening socket's requests. We could restart the process, but I think I'd rather just always allow the java-attacher program to be executed. |
Looking at the code, it appears that the root user is exempt from this check, and allowed to attach to a processor require of the user/group that started it? https://hg.openjdk.java.net/jdk/jdk/file/932418820c80/src/jdk.attach/linux/native/libattach/VirtualMachineImpl.c#l161
The attacher requires |
Great question, Stuart. The capability for a root user to attach to other users has been added via https://bugs.openjdk.java.net/browse/JDK-8197387 and is not available for all the Java versions that we support. |
Also, on Windows and macOS, the temporary directory is not shared across users. Instead, each user has their own and the name of the directory is not necessarily known to the root user. The attachment procedure involves creating a temp file and then writing to a socket that the target VM creates in the temp dir. Therefore, to my knowledge, on Windows and macOS, there's not a good alternative around self-forking/switching user/ |
@stuartnelson3 can this be closed now that we have decided to remove seccomp from APM Server (elastic/apm-server#7305)? |
yep! this is no longer needed. |
Recent
apm-server
releases now come with thejava-attacher.jar
bundled along, so that anapm-server
can fork and run a configuredjava-attacher
.In standalone mode, this requires that the user provide permissions to the
apm-server
to fork a process, otherwise the operation errors:Currently, when running
apm-server
in managed mode (under theelastic-agent
), these permissions are not set, even though the user has the ability to configure thejava-attacher
from kibana.Are there plans for how to address this?
@felixbarny @ruflin
The text was updated successfully, but these errors were encountered: