Wednesday, June 15, 2016

Adding seccomp support to Elasticsearch on ARM

The Linux kernel has supported seccomp since 2.6.12; ARM support was added in 2012.

However, the current Elasticsearch source only supports seccomp on x86 and amd64 platforms. When starting Elasticsearch on an ARM platform, bootstrap fails to install the seccomp filter and logs the following warning:

[2016-06-15 22:11:00,078][WARN ][bootstrap                ] unable to install syscall filter: seccomp unavailable: 'arm' architecture unsupported


To add support for ARM platforms, it is just a matter of finding the correct audit architecture code for ARM and the syscall numbers of the functions to be blocked.

Here is the code change required:


diff --git a/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java b/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
index 46908e6..d94c848 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
@@ -243,6 +243,9 @@ final class Seccomp {
         Map<String,Arch> m = new HashMap<>();
         m.put("amd64", new Arch(0xC000003E, 0x3FFFFFFF, 57, 58, 59, 322, 317));
         m.put("i386",  new Arch(0x40000003, 0xFFFFFFFF, 2, 190, 11, 358, 354));
+        // ARM syscall number ref based on kernel 4.6
+        // https://github.com/torvalds/linux/blob/v4.6/arch/arm/kernel/calls.S
+        m.put("arm", new Arch(0x40000028, 0xFFFFFFFF, 2, 190, 11, 387, 383));
         ARCHITECTURES = Collections.unmodifiableMap(m);
     }
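Review bot: the new `arm` entry should state which ARM ABI its syscall numbers assume. The values 2/190/11/387/383 taken from `calls.S` are the EABI numbers; the legacy OABI numbers them differently, and 64-bit ARM (which the JVM reports under a different `os.arch` value than `arm`) has its own audit architecture code and syscall numbers, so it stays unsupported after this hunk. Suggest extending the comment along the lines of `// ARM EABI syscall numbers, ref kernel 4.6; aarch64 needs its own entry`, and noting that the `0xFFFFFFFF` limit disables the upper-bound check exactly as the `i386` entry does, since there is no secondary 32-bit ABI to ban as on amd64.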


I have also forked the Elasticsearch GitHub source with this change.
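To show how the fields of a table entry fit together, here is an added C example (not Elasticsearch code) that derives the three audit architecture codes from the kernel's ELF machine ids and models the allow/deny decision of the filter over the same Arch fields. The decision logic is my assumed model of the filter, and the kernel constants are redefined locally so the program builds without kernel headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Kernel constants (uapi linux/audit.h and linux/elf-em.h), redefined here so
 * the example builds without kernel headers. */
#define EM_386            3u
#define EM_ARM           40u
#define EM_X86_64        62u
#define AUDIT_ARCH_64BIT 0x80000000u
#define AUDIT_ARCH_LE    0x40000000u
#define X32_SYSCALL_BIT  0x40000000u /* amd64: nr above 0x3FFFFFFF is an x32 call */

/* Same field order as the Java Arch(audit, limit, fork, vfork, execve, execveat, seccomp). */
typedef struct {
    const char *name;
    uint32_t audit, limit, fork, vfork, execve, execveat, seccomp;
} Arch;

/* The three table entries from the patch above. */
static const Arch ARCHES[] = {
    {"amd64", 0xC000003E, 0x3FFFFFFF, 57,  58, 59, 322, 317},
    {"i386",  0x40000003, 0xFFFFFFFF,  2, 190, 11, 358, 354},
    {"arm",   0x40000028, 0xFFFFFFFF,  2, 190, 11, 387, 383},
};

/* AUDIT_ARCH_* is the ELF machine id OR'ed with the 64-bit and little-endian flags. */
uint32_t audit_arch(uint32_t em, int is64, int le) {
    return em | (is64 ? AUDIT_ARCH_64BIT : 0) | (le ? AUDIT_ARCH_LE : 0);
}

/* Assumed model of the installed filter's decision: 1 = deny, 0 = allow.
 * Wrong audit arch -> deny; nr above limit -> deny (bans x32 calls on amd64);
 * fork/vfork/execve/execveat -> deny; anything else -> allow.
 * The seccomp field is only the number used to install the filter, not a rule. */
int seccomp_decision(const Arch *a, uint32_t arch, uint32_t nr) {
    if (arch != a->audit) return 1;
    if (nr > a->limit) return 1;
    if (nr == a->fork || nr == a->vfork || nr == a->execve || nr == a->execveat) return 1;
    return 0;
}

int main(void) {
    const Arch *amd64 = &ARCHES[0], *arm = &ARCHES[2];
    printf("derived AUDIT_ARCH_ARM = 0x%08X (table: 0x%08X)\n",
           (unsigned)audit_arch(EM_ARM, 0, 1), (unsigned)arm->audit);
    printf("arm execve (11): %s\n", seccomp_decision(arm, arm->audit, 11) ? "deny" : "allow");
    printf("arm read (3): %s\n", seccomp_decision(arm, arm->audit, 3) ? "deny" : "allow");
    printf("amd64 x32 execve: %s\n",
           seccomp_decision(amd64, amd64->audit, X32_SYSCALL_BIT | 59) ? "deny" : "allow");
    return 0;
}
```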

5 comments:

  1. Thanks for sharing the patch and the branch. Any idea if they would take or have taken a pull request to put this straightforward improvement into their main line?

  2. Could you please help me know how the value 0xFFFFFFFF for syscall limit was obtained using the reference link mentioned by you?

  3. The 0xffffffff is the system call number limit. The .S source file mentioned in the comment is for looking up the syscall number of sys_fork, sys_vfork etc.

  4. Thanks. I wanted to know how the value of system call number limit (0xffffffff) was calculated. Does it depend on NR_syscalls value? Is there any algorithm to be used to obtain the value 0xffffffff?

  5. You can refer to the definition of the internal static class Arch
    https://github.com/kitsook/elasticsearch/blob/seccomp-ARM-support/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java

    and it says the parameter is "syscall limit (necessary for blacklisting on amd64, to ban 32-bit syscalls)".

    Also, you can refer to the man page
    http://man7.org/linux/man-pages/man2/seccomp.2.html

    and see the values used for 32-bit vs 64-bit systems
