Seccomp default policy is missing clock_nanosleep #33792

izaneuski · 2022-11-23T13:02:25Z

On some ubuntu hosts I'm facing high CPU consumption by auditbeat(7.16.3&8.5.1) and journalbeat(7.15.2) with default config.
During investigation with strace found out:

clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)

Fixed by adding to beat config:

seccomp:
  syscalls:
  - action: allow
    names:
    - clock_nanosleep

Version:

ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9.9) 2.31

Operating System:

cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

uname -a
Linux ip-10-224-140-239 5.15.0-1023-aws #27~20.04.1-Ubuntu SMP Wed Oct 26 20:02:26 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Discuss Forum URL:
https://discuss.elastic.co/t/seccomp-default-policy-is-missing-clock-nanosleep/319637/1

The text was updated successfully, but these errors were encountered:

elasticmachine · 2022-11-23T14:07:55Z

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

elasticmachine · 2022-11-23T20:10:47Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

Fixes elastic#33792

…3831) * Add clock_nanosleep to seccomp allowlist Fixes #33792 * Update github.com/elastic/go-seccomp-bpf to v1.3.0 It added support for Linux v6.0 syscall names.

…3831) * Add clock_nanosleep to seccomp allowlist Fixes #33792 * Update github.com/elastic/go-seccomp-bpf to v1.3.0 It added support for Linux v6.0 syscall names. (cherry picked from commit 141ad33)

…3831) (#33869) * Add clock_nanosleep to seccomp allowlist Fixes #33792 * Update github.com/elastic/go-seccomp-bpf to v1.3.0 It added support for Linux v6.0 syscall names. (cherry picked from commit 141ad33) Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>

…3831) * Add clock_nanosleep to seccomp allowlist Fixes #33792 * Update github.com/elastic/go-seccomp-bpf to v1.3.0 It added support for Linux v6.0 syscall names.

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 23, 2022

belimawr added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Nov 23, 2022

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Nov 23, 2022

cmacknz added the Team:Security-External Integrations label Nov 23, 2022

cmacknz added the bug label Nov 23, 2022

andrewkroh mentioned this issue Nov 27, 2022

[libbeat] Allow clock_nanosleep in the default seccomp profiles #33831

Merged

6 tasks

andrewkroh added a commit to andrewkroh/beats that referenced this issue Nov 28, 2022

Add clock_nanosleep to seccomp allowlist

4dac32e

Fixes elastic#33792

andrewkroh closed this as completed in #33831 Nov 29, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Seccomp default policy is missing clock_nanosleep #33792

Seccomp default policy is missing clock_nanosleep #33792

izaneuski commented Nov 23, 2022

elasticmachine commented Nov 23, 2022

elasticmachine commented Nov 23, 2022

Seccomp default policy is missing clock_nanosleep #33792

Seccomp default policy is missing clock_nanosleep #33792

Comments

izaneuski commented Nov 23, 2022

elasticmachine commented Nov 23, 2022

elasticmachine commented Nov 23, 2022