[8.18](backport #46372) libbeat: add 'eventfd2' to default seccomp policy (#46447)

* libbeat: add 'eventfd2' to default seccomp policy (#46372)

Since Go introduced https://go.dev/cl/560615 it uses `eventfd2`, which was not part of our default seccomp policy. Due to the `google.golang.org/protobuf` dependency `eventfd2` during its initialisation, before our seccomp policy be applied, thus it worked.
However once filebeat is reexeced, for example, due to a CA change, the seccomp policy would be in place and prevent `eventfd2` call, crashing filebeat.

This change adds `eventfd2` to the default seccomp policy

This also adjusts Beat.doReexec to use os.Executable isntead of manually building the binary path.

(cherry picked from commit 7162773)

# Conflicts:
#	libbeat/tests/integration/elasticsearch_test.go

---------

Co-authored-by: Anderson Queiroz <[email protected]>

Author: mergify[bot]

CHANGELOG.next.asciidoc

@@ -80,6 +80,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Lower logging level to debug when attempting to configure beats with unknown fields from autodiscovered events/environments {pull}[37816][37816]
 - Set timeout of 1 minute for FQDN requests {pull}37756[37756]
 - 'add_cloud_metadata' processor - improve AWS provider HTTP client overriding to support custom certificate bundle handling {pull}44189[44189]
+- Fixed a panic when the beat restarts itself by adding 'eventfd2' to default seccomp policy {issue}46372[46372]
 - Update Go version to 1.24.7 {pull}46070[46070].
 
 *Auditbeat*

libbeat/cmd/instance/beat_reexec_unix.go

@@ -22,18 +22,16 @@ package instance
 import (
 	"fmt"
 	"os"
-	"path/filepath"
 
 	"golang.org/x/sys/unix"
 )
 
 func (b *Beat) doReexec() error {
-	pwd, err := os.Getwd()
+	binary, err := os.Executable()
 	if err != nil {
 		return fmt.Errorf("could not get working directory: %w", err)
 	}
 
-	binary := filepath.Join(pwd, os.Args[0])
 	if err := unix.Exec(binary, os.Args, os.Environ()); err != nil {
 		return fmt.Errorf("could not exec '%s', err: %w", binary, err)
 	}

libbeat/common/seccomp/policy_linux_386.go

@@ -46,6 +46,7 @@ func init() {
 					"epoll_create1",
 					"epoll_ctl",
 					"epoll_wait",
+					"eventfd2",
 					"execve",
 					"exit",
 					"exit_group",

libbeat/common/seccomp/policy_linux_amd64.go

@@ -51,6 +51,7 @@ func init() {
 					"epoll_ctl",
 					"epoll_pwait",
 					"epoll_wait",
+					"eventfd2",
 					"execve",
 					"exit",
 					"exit_group",

libbeat/tests/integration/elasticsearch_test.go

@@ -21,15 +21,19 @@ package integration
 
 import (
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
 	"github.com/gofrs/uuid/v5"
 	"github.com/rcrowley/go-metrics"
 	"github.com/stretchr/testify/require"
 
+	"github.com/elastic/elastic-agent-libs/testing/certutil"
 	"github.com/elastic/mock-es/pkg/api"
 )
 
@@ -94,6 +98,61 @@ func TestESOutputRecoversFromNetworkError(t *testing.T) {
 	s.Close()
 }
 
+func TestReloadCA(t *testing.T) {
+	mockbeat := NewBeat(t, "mockbeat", "../../libbeat.test")
+
+	esAddr := "localhost:4242"
+	s, _ := startMockES(t, esAddr)
+	defer s.Close()
+
+	_, _, pair, err := certutil.NewRootCA()
+	require.NoError(t, err, "could not generate root CA")
+	caPath := filepath.Join(os.TempDir(), "ca.pem")
+	err = os.WriteFile(caPath, pair.Cert, 0644)
+	require.NoError(t, err, "could not write CA")
+
+	mockbeat.WriteConfigFile(fmt.Sprintf(`
+output.elasticsearch:
+  allow_older_versions: true
+  hosts: ["%s"]
+  ssl:
+    certificate_authorities: "%s"
+    restart_on_cert_change.enabled: true
+    restart_on_cert_change.period: 1s
+logging.level: debug
+`, esAddr, caPath))
+
+	mockbeat.Start()
+
+	// 1. wait mockbeat to start
+	mockbeat.WaitForLogs(
+		fmt.Sprint("mockbeat start running"),
+		10*time.Second,
+		"did not find 'mockbeat start running' log")
+
+	// 2. "rotate" the CA. Just write it again
+	err = os.WriteFile(caPath, pair.Cert, 0644)
+	require.NoError(t, err, "could not rotate CA")
+
+	// 3. Wait for cert change detection logs
+	mockbeat.WaitForLogs(
+		fmt.Sprintf("some of the following files have been modified: [%s]", caPath),
+		10*time.Second,
+		"did not detect CA rotation")
+
+	// 4. Wait for CA load log
+	mockbeat.WaitForLogs(
+		fmt.Sprintf("Successfully loaded CA certificate: %s", caPath),
+		10*time.Second,
+		"did not find 'Successfully loaded CA' log")
+
+	// 5. wait mockbeat to start again
+	mockbeat.WaitForLogs(
+		fmt.Sprint("mockbeat start running"),
+		10*time.Second,
+		"did not find 'mockbeat start running' log again")
+}
+
 func startMockES(t *testing.T, addr string) (*http.Server, metrics.Registry) {
 	uid := uuid.Must(uuid.NewV4())
 	mr := metrics.NewRegistry()
@@ -107,9 +166,9 @@ func startMockES(t *testing.T, addr string) (*http.Server, metrics.Registry) {
 	}()
 
 	require.Eventually(t, func() bool {
-		resp, err := http.Get("http://" + addr) //nolint: noctx // It's just a test
+		resp, err := http.Get("http://" + addr) //nolint:noctx // It's just a test
 		if err != nil {
-			//nolint: errcheck // We're just draining the body, we can ignore the error
+			//nolint:errcheck // We're just draining the body, we can ignore the error
 			io.Copy(io.Discard, resp.Body)
 			resp.Body.Close()
 			return false