Overview
Request 1130993 accepted
Repair startup failure from prohibited system calls.
```
type=SECCOMP msg=audit(1701717734.613:2217): auid=4294967295 uid=472 gid=468 ses=4294967295 subj=mtail (enforce) pid=26617 comm="mtail" exe="/usr/sbin/mtail" sig=31 arch=c000003e syscall=160 compat=0 ip=0x564d954b636e code=0x80000000
```
Adjusting the deny list was attempted, but not successful.
Instead, replace the deny- with an allow-list.
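As an added example (not code from this request or from the mtail package), the following shell script decodes the SECCOMP audit record quoted above and prints the kind of allow-list drop-in the request switches to. It relies on these facts: `arch=c000003e` is AUDIT_ARCH_X86_64, syscall 160 on x86_64 is `setrlimit`, `sig=31` is SIGSYS, and `code=0x80000000` is SECCOMP_RET_KILL_PROCESS. The syscall table is a deliberately small hand-written subset, and the drop-in path, the unit name and the commented-out deny-list line are assumptions for illustration, not the package's actual previous configuration.

```shell
#!/bin/sh
# Added example: decode a SECCOMP audit record and emit an allow-list drop-in.
# This is not code from the OBS request or the mtail package. Assumptions:
# x86_64 only, a deliberately partial hand-written syscall table, and an
# illustrative drop-in path and unit name.

# Constructed sample: the record quoted in the request description.
SAMPLE='type=SECCOMP msg=audit(1701717734.613:2217): auid=4294967295 uid=472 gid=468 ses=4294967295 subj=mtail (enforce) pid=26617 comm="mtail" exe="/usr/sbin/mtail" sig=31 arch=c000003e syscall=160 compat=0 ip=0x564d954b636e code=0x80000000'

# Extract the value of one key=value field from an audit record.
audit_field() {  # $1 = record, $2 = key
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# x86_64 syscall numbers (partial table, an assumption of this example; on a
# real host use `ausyscall x86_64 N` or `scmp_sys_resolver -a x86_64 N`).
syscall_name_x86_64() {
    case "$1" in
        41)  echo socket ;;
        59)  echo execve ;;
        97)  echo getrlimit ;;
        101) echo ptrace ;;
        160) echo setrlimit ;;
        302) echo prlimit64 ;;
        *)   echo "unknown($1)" ;;
    esac
}

# Print "<arch> <syscall>(<nr>) <signal> <seccomp action>" for one record.
seccomp_decode() {
    rec=$1
    arch=$(audit_field "$rec" arch)
    nr=$(audit_field "$rec" syscall)
    sig=$(audit_field "$rec" sig)
    code=$(audit_field "$rec" code)
    case "$arch" in
        c000003e) archname=x86_64; name=$(syscall_name_x86_64 "$nr") ;;  # AUDIT_ARCH_X86_64
        40000003) archname=i386;   name="unknown($nr)" ;;                 # AUDIT_ARCH_I386, no table here
        *)        archname="arch($arch)"; name="unknown($nr)" ;;
    esac
    case "$code" in
        0x80000000)     action=kill_process ;;  # SECCOMP_RET_KILL_PROCESS
        0x0|0x00000000) action=kill_thread ;;   # SECCOMP_RET_KILL_THREAD
        *)              action="ret($code)" ;;
    esac
    if [ "$sig" = 31 ]; then signame=SIGSYS; else signame="sig($sig)"; fi
    printf '%s %s(%s) %s %s\n' "$archname" "$name" "$nr" "$signame" "$action"
}

# The allow-list drop-in the request moves to. @system-service is systemd's
# allow-list group for ordinary daemons and contains @resources, the group
# setrlimit belongs to, so the record above would not recur under it.
allowlist_dropin() {
    cat <<'EOF'
# /etc/systemd/system/mtail.service.d/syscalls.conf (illustrative path)
[Service]
# Deny-list form (illustrative, not the package's previous setting): every
# group not listed stays reachable, while a listed group the daemon needs
# (here @resources, which holds setrlimit) kills it with SIGSYS:
#SystemCallFilter=~@privileged @resources
# Allow-list form: only @system-service is reachable, everything else is denied.
SystemCallFilter=@system-service
SystemCallArchitectures=native
EOF
}

seccomp_decode "$SAMPLE"
allowlist_dropin
```

On a real host, `ausyscall x86_64 160` (audit package) or `scmp_sys_resolver -a x86_64 160` (libseccomp tools) resolve the number without a table, and `systemd-analyze syscall-filter @system-service` lists exactly which calls the allow-list admits, which is the check to run before shipping the drop-in.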
Request History
crameleon created request
witekbedyk accepted request
I think the service needs more permissions. Starting the service on Leap 15.5 results in:
```
tail.go:380] open /var/log/messages: permission denied
```
Thanks for the input! I did not realize this as I was feeding mtail from a named pipe and not from a file. Will check again.
Upon checking, I found your issue to not be related to this patch. The systemd hardening options do not prohibit reading /var/log/messages. You need to give the application access to the files it should read, either by adding the mtail user to the respective group or, probably better, by using ACLs.
I successfully used the following together with `-logs /var/log/messages`:

I'm not sure there's a good way to include this with the package, or whether it should be a default in the first place.

But I also agree that a packaged service should be able to start up out of the box. Unfortunately `-logs` is a mandatory argument, hence it needs some file to read in order to start up. We could add a `setacl` command in the `%post` section. I would use the `mtail` group instead of the user, though. As it is not directly related to systemd hardening, it could be done in a follow-up change.

I'm not sure we should assume people want to have mtail read /var/log/messages. It just so happens to be the default `-logs` argument someone defined in the sysconfig file we ship. But yes, let's treat it separately.
The Debian package includes even more files by default:
https://salsa.debian.org/go-team/packages/mtail/-/blob/debian/sid/debian/default#L2
I think the package should provide a sensible running configuration. But that's out of scope for this change.