elastic / beats-docker

Official Beats Docker images

Add custom seccomp policy to journalbeat #67

Closed kvch closed 5 years ago

kvch commented 5 years ago

A new call sd_journal_wait was added to Journalbeat in https://github.com/elastic/beats/pull/9994. To perform this call, Journalbeat needs a custom seccomp profile.

I have added configuration to the template. However, I am not sure where to put the new file which stores the seccomp profile. Maybe @jarpy could you point me to the right folder to put it under?

andrewkroh commented 5 years ago

What syscall(s) does this profile whitelist that are not whitelisted by the default seccomp profile used by Docker? Or asked another way, what syscall does sd_journal_wait use that is being denied by Docker's default whitelist policy?

kvch commented 5 years ago

The tool you have referred to in the README of seccomp added three additional syscalls: getrlimit, splice and wait4.

andrewkroh commented 5 years ago

The policy provided here is more restrictive than the default Docker policy. I diff'ed the two policies and, from what I see, no new syscalls are white-listed, therefore it's probably not worth the effort of adding a custom policy to Docker since Journalbeat will be applying a policy when it starts up.

The only reason I would add a custom policy to Docker would be if we needed to allow syscalls that are restricted by default by Docker.

The tool you have referred to in the README of seccomp added three additional syscalls: getrlimit, splice and wait4.

Did you already white-list those syscalls in Journalbeat's internal seccomp policy for amd64?

kvch commented 5 years ago

Yes, I did. So I guess this is unnecessary.
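The check discussed in this thread, whether the beat's own seccomp policy needs any syscall that Docker's default profile denies, as an added example that is not code from beats-docker or libbeat. Both profile excerpts are constructed: the Docker one uses the Docker seccomp JSON layout, the Beats one uses the libbeat `seccomp:` config layout written as JSON (valid YAML, so no YAML parser is needed).

```python
"""Compare a Beats seccomp policy against Docker's default profile."""
import json

# Constructed excerpt in Docker's seccomp profile format (default-deny
# allow-list; the real file lists hundreds of names).
DOCKER_DEFAULT_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "futex", "getrlimit", "splice", "wait4"],
     "action": "SCMP_ACT_ALLOW"}
  ]
}
"""

# Constructed excerpt in the libbeat seccomp config layout; the second rule
# holds the three names the thread says sd_journal_wait needed.
BEATS_POLICY_JSON = """
{
  "seccomp": {
    "default_action": "errno",
    "syscalls": [
      {"action": "allow", "names": ["read", "write", "futex"]},
      {"action": "allow", "names": ["getrlimit", "splice", "wait4"]}
    ]
  }
}
"""

def docker_allowed(profile_json):
    """Syscall names allowed by a Docker profile (allow rules only)."""
    prof = json.loads(profile_json)
    return {n for rule in prof["syscalls"]
            if rule["action"] == "SCMP_ACT_ALLOW" for n in rule["names"]}

def beats_allowed(policy_json):
    """Syscall names allowed by a Beats seccomp policy."""
    pol = json.loads(policy_json)["seccomp"]
    return {n for rule in pol["syscalls"]
            if rule["action"] == "allow" for n in rule["names"]}

def compare(beats_json, docker_json):
    """Return (needed_but_denied_by_docker, effective_allow_list).

    Both filters apply inside the container, so the effective allow-list is
    the intersection; a custom Docker profile only pays off when the first
    list is non-empty."""
    b, d = beats_allowed(beats_json), docker_allowed(docker_json)
    return sorted(b - d), sorted(b & d)

if __name__ == "__main__":
    missing, effective = compare(BEATS_POLICY_JSON, DOCKER_DEFAULT_JSON)
    print("needed but denied by Docker:", missing or "none")
```

With these excerpts the first list is empty, which is the situation the thread concludes makes a custom Docker profile unnecessary.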