Wednesday, June 15, 2016

Adding seccomp support to Elasticsearch on ARM

Linux kernel supports seccomp since 2.6.12.  The ARM support was added in 2012.

However, the current Elasticsearch source only supports seccomp on x86 and amd84 platforms.  When starting Elasticsearch on an ARM platform, you will see bootstrap failed to install seccomp filters:

[2016-06-15 22:11:00,078][WARN ][bootstrap                ] unable to install syscall filter: seccomp unavailable: 'arm' architecture unsupported

To add support for ARM platforms, it is just a matter of finding the correct audit code of ARM architecture and the appropriate syscall number of blocked functions.

Here is the code change required:

diff --git a/core/src/main/java/org/elasticsearch/bootstrap/ b/core/src/main/java/org/elasticsearch/bootstrap/
index 46908e6..d94c848 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/
+++ b/core/src/main/java/org/elasticsearch/bootstrap/
@@ -243,6 +243,9 @@ final class Seccomp {
         Map<String,Arch> m = new HashMap<>();
         m.put("amd64", new Arch(0xC000003E, 0x3FFFFFFF, 57, 58, 59, 322, 317));
         m.put("i386",  new Arch(0x40000003, 0xFFFFFFFF, 2, 190, 11, 358, 354));
+        // ARM syscall number ref based on kernel 4.6
+        //
+        m.put("arm", new Arch(0x40000028, 0xFFFFFFFF, 2, 190, 11, 387, 383));
         ARCHITECTURES = Collections.unmodifiableMap(m);

Also forked the Elasticsearch github source for that.


Louis Erickson said...

Thanks for sharing the patch and the branch. Any idea if they would take or have taken a pull request to put this straightforward improvement into their main line?

Anonymous said...

Could you please help me know how the value0xFFFFFFFF for syscall limit was obtained using the reference link mentioned by you?

Clarence said...

The 0xffffffff is the system call number limit. The .S source file mentioned in the comment is for looking up the sys call number of sys_fork, sys_vfork etc.

Anonymous said...

Thanks. I wanted to know how the value of system call number limit(0xffffffff) was calculated. Does it depend on NR_syscalls value? Is there any algorithm to be used to obtain the value 0xffffffff ?

Clarence said...

You can refer to the definition of the internal static class Arch

and it says the parameter is "syscall limit (necessary for blacklisting on amd64, to ban 32-bit syscalls)".

Also, you can refer to the man page

and see the values used for 32-bit vs 64-bit systems