Move ebpf watcher to libbeat

elastic · Jan 30, 2024 · 9c59a7b · 9c59a7b
1 parent 7fe0ba4
commit 9c59a7b
Show file tree

Hide file tree

Showing 12 changed files with 137 additions and 72 deletions.
diff --git a/NOTICE.txt b/NOTICE.txt
@@ -12257,11 +12257,11 @@ SOFTWARE.
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/ebpfevents
-Version: v0.3.1
+Version: v0.3.2
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/[email protected].1/LICENSE.txt:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/[email protected].2/LICENSE.txt:
 
 The https://github.com/elastic/ebpfevents repository contains source code under
 various licenses:

diff --git a/go.mod b/go.mod
@@ -200,7 +200,7 @@ require (
 	github.com/aws/smithy-go v1.13.5
 	github.com/awslabs/kinesis-aggregation/go/v2 v2.0.0-20220623125934-28468a6701b5
 	github.com/elastic/bayeux v1.0.5
-	github.com/elastic/ebpfevents v0.3.1
+	github.com/elastic/ebpfevents v0.3.2
 	github.com/elastic/elastic-agent-autodiscover v0.6.7
 	github.com/elastic/elastic-agent-libs v0.7.5
 	github.com/elastic/elastic-agent-shipper-client v0.5.1-0.20230228231646-f04347b666f3

diff --git a/go.sum b/go.sum
@@ -660,8 +660,8 @@ github.com/elastic/bayeux v1.0.5 h1:UceFq01ipmT3S8DzFK+uVAkbCdiPR0Bqei8qIGmUeY0=
 github.com/elastic/bayeux v1.0.5/go.mod h1:CSI4iP7qeo5MMlkznGvYKftp8M7qqP/3nzmVZoXHY68=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY=
-github.com/elastic/ebpfevents v0.3.1 h1:cUP3QXx6MhRGVXWZSgNalY8y5Vd1dgC56DMfeejnXFU=
-github.com/elastic/ebpfevents v0.3.1/go.mod h1:o21z5xup/9dK8u0Hg9bZRflSqqj1Zu5h2dg2hSTcUPQ=
+github.com/elastic/ebpfevents v0.3.2 h1:UJ8kW5jw2TpUR5MEMaZ1O62sK9JQ+5xTlj+YpQC6BXc=
+github.com/elastic/ebpfevents v0.3.2/go.mod h1:o21z5xup/9dK8u0Hg9bZRflSqqj1Zu5h2dg2hSTcUPQ=
 github.com/elastic/elastic-agent-autodiscover v0.6.7 h1:+KVjltN0rPsBrU8b156gV4lOTBgG/vt0efFCFARrf3g=
 github.com/elastic/elastic-agent-autodiscover v0.6.7/go.mod h1:hFeFqneS2r4jD0/QzGkrNk0YVdN0JGh7lCWdsH7zcI4=
 github.com/elastic/elastic-agent-client/v7 v7.6.0 h1:FEn6FjzynW4TIQo5G096Tr7xYK/P5LY9cSS6wRbXZTc=

diff --git a/libbeat/ebpf/seccomp_linux.go b/libbeat/ebpf/seccomp_linux.go
@@ -0,0 +1,42 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build linux
+
+package ebpf
+
+import (
+	"runtime"
+
+	"github.com/elastic/beats/v7/libbeat/common/seccomp"
+)
+
+func init() {
+	switch runtime.GOARCH {
+	case "amd64", "arm64":
+		syscalls := []string{
+			"bpf",
+			"eventfd2",        // needed by ringbuf
+			"perf_event_open", // needed by tracepoints
+			"openat",          // needed to create map
+			"newfstatat",      // needed for BTF
+		}
+		if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall, syscalls...); err != nil {
+			panic(err)
+		}
+	}
+}
diff --git a/libbeat/ebpf/types.go b/libbeat/ebpf/types.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package ebpf
+
+import (
+	"github.com/elastic/ebpfevents"
+)
+
+type EventMask uint64
+
+type Watcher interface {
+	Subscribe(string, EventMask) <-chan ebpfevents.Record
+	Unsubscribe(string)
+}
diff --git a/.../auditbeat/internal/ebpf/watcher_linux.go → libbeat/ebpf/watcher_linux.go b/.../auditbeat/internal/ebpf/watcher_linux.go → libbeat/ebpf/watcher_linux.go
@@ -1,6 +1,19 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
 
 //go:build linux
 

diff --git a/libbeat/ebpf/watcher_other.go b/libbeat/ebpf/watcher_other.go
@@ -0,0 +1,28 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !linux
+
+package ebpf
+
+import "errors"
+
+var ErrNotSupported = errors.New("not supported")
+
+func NewWatcher() (Watcher, error) {
+	return nil, ErrNotSupported
+}
diff --git a/...k/auditbeat/internal/ebpf/watcher_test.go → libbeat/ebpf/watcher_test.go b/...k/auditbeat/internal/ebpf/watcher_test.go → libbeat/ebpf/watcher_test.go
@@ -1,6 +1,19 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
 
 //go:build linux
 

diff --git a/x-pack/auditbeat/internal/ebpf/seccomp_linux.go b/x-pack/auditbeat/internal/ebpf/seccomp_linux.go
diff --git a/x-pack/auditbeat/internal/ebpf/types.go b/x-pack/auditbeat/internal/ebpf/types.go
diff --git a/x-pack/auditbeat/internal/ebpf/watcher_other.go b/x-pack/auditbeat/internal/ebpf/watcher_other.go
diff --git a/x-pack/auditbeat/processors/add_session_metadata/provider/ebpf_provider/ebpf_provider.go b/x-pack/auditbeat/processors/add_session_metadata/provider/ebpf_provider/ebpf_provider.go
@@ -13,7 +13,7 @@ import (
 	"github.com/mohae/deepcopy"
 
 	"github.com/elastic/beats/v7/libbeat/beat"
-	"github.com/elastic/beats/v7/x-pack/auditbeat/internal/ebpf"
+	"github.com/elastic/beats/v7/libbeat/ebpf"
 	"github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/processdb"
 	"github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/provider"
 	"github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/types"