From 970055a72e1702bca4f098213ea8e1b5f7d55bdf Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Wed, 29 May 2024 18:24:18 +0300
Subject: [PATCH] fix(auditbeat/fim/kprobes): do add syscalls in default seccomp policy for arm64
---
 ...eccomp_linux.go => seccomp_linux_amd64.go} | 30 ++++++++-----------
 1 file changed, 12 insertions(+), 18 deletions(-)
 rename auditbeat/module/file_integrity/kprobes/{seccomp_linux.go => seccomp_linux_amd64.go} (54%)
diff --git a/auditbeat/module/file_integrity/kprobes/seccomp_linux.go b/auditbeat/module/file_integrity/kprobes/seccomp_linux_amd64.go
similarity index 54%
rename from auditbeat/module/file_integrity/kprobes/seccomp_linux.go
rename to auditbeat/module/file_integrity/kprobes/seccomp_linux_amd64.go
index 90336f66795..ee281831b25 100644
--- a/auditbeat/module/file_integrity/kprobes/seccomp_linux.go
+++ b/auditbeat/module/file_integrity/kprobes/seccomp_linux_amd64.go
@@ -18,27 +18,21 @@
 package kprobes

 import (
- "runtime"
-
 "github.com/elastic/beats/v7/libbeat/common/seccomp"
 )

 func init() {
- switch runtime.GOARCH {
- case "amd64", "386", "arm64":
- // The module/file_integrity with kprobes BE uses additional syscalls
- if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
- "eventfd2", // required by auditbeat/tracing
- "mount", // required by auditbeat/tracing
- "perf_event_open", // required by auditbeat/tracing
- "ppoll", // required by auditbeat/tracing
- "umount2", // required by auditbeat/tracing
- "truncate", // required during kprobes verification
- "utime", // required during kprobes verification
- "utimensat", // required during kprobes verification
- "setxattr", // required during kprobes verification
- ); err != nil {
- panic(err)
- }
+ if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
+ "eventfd2", // required by auditbeat/tracing
+ "mount", // required by auditbeat/tracing
+ "perf_event_open", // required by auditbeat/tracing
+ "ppoll", // required by auditbeat/tracing
+ "umount2", // required by auditbeat/tracing
+ "truncate", // required during kprobes verification
+ "utime", // required during kprobes verification
+ "utimensat", // required during kprobes verification
+ "setxattr", // required during kprobes verification
+ ); err != nil {
+ panic(err)
 }
 }
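Review bot: Renaming the file to `seccomp_linux_amd64.go` drops 386 as well as arm64 from the set the old `runtime.GOARCH` switch covered, while the commit subject mentions only arm64. If the kprobes backend can still be built and run on 386 under the default seccomp policy, `perf_event_open`, `mount` and the other listed calls would presumably be denied there, so that case should be confirmed or given its own `_386.go` file. The architecture restriction is now carried only by the filename suffix, so I would add a comment above `init`, e.g. `// Built only for linux/amd64 (filename suffix); other architectures keep the unmodified default seccomp policy.`. Separately, `init` still widens the process-wide allowlist with `mount`, `umount2` and `perf_event_open` whenever this package is linked in, apparently regardless of whether the kprobes backend is selected; that is worth stating in the same comment so the broader policy reads as a documented decision rather than a side effect of an import.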