
[Heartbeat] Drop only inheritable cap set and defer setuid to node fork #33584

Merged
merged 11 commits into from
Jan 24, 2023

Conversation

emilioalvap
Collaborator

@emilioalvap emilioalvap commented Nov 4, 2022

What does this PR do?

Fixes #33292.

Only drop inheritable cap set and move setuid/setgid to node fork.

Still need to validate with inline and zip urls.

Process tree: (screenshot not included)

Caps: (screenshot not included)

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Build heartbeat locally and mount it into an elastic-agent-complete container.

@emilioalvap emilioalvap added bug Team:obs-ds-hosted-services Label for the Observability Hosted Services team labels Nov 4, 2022
@emilioalvap emilioalvap requested a review from andrewvc November 4, 2022 18:15
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Nov 4, 2022
@mergify
Contributor

mergify bot commented Nov 4, 2022

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @emilioalvap? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

@elasticmachine
Collaborator

elasticmachine commented Nov 4, 2022

💚 Build Succeeded


Build stats

  • Start Time: 2023-01-24T14:40:32.401+0000

  • Duration: 49 min 13 sec

Test stats 🧪

Test Results
Failed 0
Passed 1889
Skipped 25
Total 1914

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

//go:build linux || darwin
// +build linux darwin
//go:build linux
// +build linux
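Review bot: with darwin dropped from the build constraint, any symbol this file defines now needs a darwin counterpart or darwin builds of the package fail to compile; the later commit "Fix linter, add definition for darwin" in this PR indicates that was addressed. Narrowing the `//go:build linux` line and the legacy `// +build linux` line together is correct, since toolchains that still honour the old form require the two to agree.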
Collaborator Author

@emilioalvap emilioalvap Dec 5, 2022


Pdeathsig is Linux only, removing darwin from build tags to reflect that

@emilioalvap emilioalvap changed the title [Draft][Heartbeat] Drop only inheritable cap set and defer setuid to node fork [Heartbeat] Drop only inheritable cap set and defer setuid to node fork Dec 5, 2022
@emilioalvap emilioalvap marked this pull request as ready for review December 5, 2022 17:54
@emilioalvap emilioalvap requested a review from a team as a code owner December 5, 2022 17:54
@elasticmachine
Collaborator

Pinging @elastic/uptime (Team:Uptime)

@sonarqubecloud

sonarqubecloud bot commented Dec 5, 2022

SonarCloud Quality Gate failed.

  • Bugs: A, 0 Bugs
  • Vulnerabilities: A, 0 Vulnerabilities
  • Security Hotspots: A, 0 Security Hotspots
  • Code Smells: A, 0 Code Smells
  • Coverage: no coverage information
  • Duplication: 4.8%

@emilioalvap
Collaborator Author

/test

@emilioalvap
Collaborator Author

/test

@emilioalvap
Collaborator Author

emilioalvap commented Jan 16, 2023

Tested the following scenarios:

  • Heartbeat docker - root -> Monitors cannot be run as root err msg:
io:job could not be initialized: script monitors cannot be run as root
  • Heartbeat docker - non root -> No changes to process euid, dropping limited caps.
root@30728e612bb0:/usr/share/heartbeat# cat /proc/{8,23}/status | grep -E 'Name|Cap|Uid|Groups|Umask'
Name:   heartbeat
Uid:    1000    1000    1000    1000
Groups: 0 1000
CapInh: 0000000000000000
CapPrm: 0000000000002000
CapEff: 0000000000002000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Name:   node
Uid:    1000    1000    1000    1000
Groups: 0 1000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
  • Elastic agent docker - root -> All caps dropped, effective euid for node includes root (0):
root@dc536c6b5a5b:/usr/share/elastic-agent# cat /proc/{44,120}/status | grep -E 'Name|Cap|Uid|Groups|Umask'
Name:   heartbeat
Umask:  0007
Uid:    0       0       0       0
Groups: 0
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Name:   node
Umask:  0007
Uid:    1000    1000    1000    1000
Groups: 0
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
  • Elastic agent docker - non-root -> No changes to process euid, dropping limited caps.
root@ad2b16ed53b1:/usr/share/elastic-agent# cat /proc/{44,121}/status | grep -E 'Name|Cap|Uid|Groups|Umask'
Name:   heartbeat
Umask:  0007
Uid:    1000    1000    1000    1000
Groups: 0 1000
CapInh: 0000000000000000
CapPrm: 0000000000002080
CapEff: 0000000000002080
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Name:   node
Umask:  0007
Uid:    1000    1000    1000    1000
Groups: 0 1000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000

cc @andrewvc @v, this should be green for review.
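As an added example (my own code, not part of this PR or of Beats), the Go program below parses `/proc/<pid>/status` blocks like the ones pasted in the test runs above, expands the hex capability masks into CAP_* names, and checks the property those runs demonstrate: the heartbeat parent passes nothing through CapInh and the forked node child holds no capabilities in any set. The sample status text is constructed from the non-root agent run; the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)
// Linux capability names by bit number (CAP_CHOWN is bit 0, CAP_SETFCAP is bit 31).
var capNames = strings.Fields(`CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP
LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT
SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP`)
// Constructed sample: the heartbeat parent and its node child from the non-root agent run above.
const sampleStatus = "Name:\theartbeat\nCapInh:\t0000000000000000\nCapPrm:\t0000000000002080\n" +
	"CapEff:\t0000000000002080\nCapBnd:\t00000000a80425fb\nName:\tnode\nCapInh:\t0000000000000000\n" +
	"CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
// ParseCaps reads concatenated /proc/<pid>/status blocks and returns each process's Cap* sets as bitmasks keyed by Name.
func ParseCaps(text string) (map[string]map[string]uint64, error) {
	procs, cur := map[string]map[string]uint64{}, ""
	for _, line := range strings.Split(text, "\n") {
		key, val, _ := strings.Cut(line, ":")
		if val = strings.TrimSpace(val); key == "Name" {
			cur, procs[val] = val, map[string]uint64{}
		} else if cur != "" && strings.HasPrefix(key, "Cap") {
			mask, err := strconv.ParseUint(val, 16, 64) // a malformed hex value is an error, not skipped
			if err != nil {
				return nil, fmt.Errorf("%s: %w", key, err)
			}
			procs[cur][key] = mask
		}
	}
	return procs, nil
}
// CapList expands a bitmask into CAP_* names, e.g. 0x2080 -> [CAP_SETUID CAP_NET_RAW].
func CapList(mask uint64) (names []string) {
	for bit, n := range capNames {
		if mask&(1<<uint(bit)) != 0 {
			names = append(names, "CAP_"+n)
		}
	}
	return names
}
// CheckNodeFork is the invariant the runs show: parent passes nothing via CapInh, child holds no caps (CapBnd is the container's).
func CheckNodeFork(procs map[string]map[string]uint64, parent, child string) error {
	for _, c := range [][2]string{{parent, "CapInh"}, {child, "CapInh"}, {child, "CapPrm"}, {child, "CapEff"}, {child, "CapAmb"}} {
		if v := procs[c[0]][c[1]]; v != 0 {
			return fmt.Errorf("%s %s=%v", c[0], c[1], CapList(v))
		}
	}
	return nil
}
```

Feeding it `cat /proc/{parent,child}/status` from a real container reproduces the check; for the root-agent run above it still passes, because the parent's full Docker set never reaches the child.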

Contributor

@andrewvc andrewvc left a comment


LGTM

@emilioalvap emilioalvap added the backport-skip Skip notification from the automated backport with mergify label Jan 24, 2023
@emilioalvap emilioalvap merged commit a065bd0 into elastic:main Jan 24, 2023
chrisberkhout pushed a commit that referenced this pull request Jun 1, 2023
…rk (#33584)

* [Heartbeat] Drop only inheritable cap set and defer setuid to node fork

* Update heartbeat/security/security.go

* Fix linter

* Fix linter, add definition for darwin

* Fix linter for darwin

* Fix linter

* Fix linter

* Add changelog

Co-authored-by: Andrew Cholakian <[email protected]>
Successfully merging this pull request may close these issues.

Heartbeat on Agent failed to start due to permission denied
3 participants