fluent-bit: Systemd input doesn't work properly with SELinux policy deny_execmem
Bug Report
When first enabling the deny_execmem SELinux policy (a policy which will deny mapped memory to be both executable and writable at the same time) and then running fluent-bit with the systemd input, it will get denied by this policy and just hang there forever doing nothing. I ran into this when upgrading from fluent-bit 1.9.6 to 2.0.4 (and I confirmed this is still the case with 2.0.6).
To Reproduce
[root@localhost ~]# /opt/fluent-bit/bin/fluent-bit -i systemd -o stdout > /dev/null
Fluent Bit v2.0.6
* Copyright (C) 2015-2022 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io
[2022/12/02 09:55:20] [ info] [fluent bit] version=2.0.6, commit=, pid=36650
[2022/12/02 09:55:20] [ info] [storage] ver=1.3.0, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2022/12/02 09:55:20] [ info] [cmetrics] version=0.5.7
[2022/12/02 09:55:20] [ info] [ctraces ] version=0.2.5
[2022/12/02 09:55:20] [ info] [input:systemd:systemd.0] initializing
[2022/12/02 09:55:20] [ info] [input:systemd:systemd.0] storage_strategy='memory' (memory only)
[2022/12/02 09:55:20] [ info] [sp] stream processor started
[2022/12/02 09:55:20] [ info] [output:stdout:stdout.0] worker #0 started
^C[2022/12/02 09:55:21] [engine] caught signal (SIGINT)
[2022/12/02 09:55:21] [ warn] [engine] service will shutdown in max 5 seconds
[2022/12/02 09:55:21] [ info] [input] pausing systemd.0
[2022/12/02 09:55:22] [ info] [engine] service has stopped (0 pending tasks)
[2022/12/02 09:55:22] [ info] [input] pausing systemd.0
[2022/12/02 09:55:22] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2022/12/02 09:55:22] [ info] [output:stdout:stdout.0] thread worker #0 stopped
[root@localhost ~]# setsebool -P deny_execmem on
[root@localhost ~]# /opt/fluent-bit/bin/fluent-bit -i systemd -o stdout
Fluent Bit v2.0.6
* Copyright (C) 2015-2022 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io
It will hang like this forever and it doesn't respond to SIGTERM either; it has to be killed from another session. I also added some additional logs from /var/log/audit/audit.log:
[root@localhost log]# cat /var/log/audit/audit.log | grep -i fluent
type=AVC msg=audit(1669972062.414:96): avc: denied { execmem } for pid=1817 comm="fluent-bit" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1669972062.414:96): arch=c000003e syscall=10 success=no exit=-13 a0=7f5ec3aab000 a1=800000 a2=7 a3=ffffffffffffffc0 items=0 ppid=1692 pid=1817 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="fluent-bit" exe="/opt/fluent-bit/bin/fluent-bit" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Steps to reproduce the problem:
- Install a SELinux distro. I initially ran into it on Fedora CoreOS with the docker images, but I confirmed this behavior on CentOS 9 as well.
- Install fluent-bit. I followed the instructions on the website https://docs.fluentbit.io/manual/installation/linux/redhat-centos#install-on-redhat-centos
- Enable the deny_execmem flag using: setsebool -P deny_execmem on
- Run fluent-bit with the systemd input enabled, for example: /opt/fluent-bit/bin/fluent-bit -i systemd -o stdout
Expected behavior
I would expect fluent-bit to run as normal.
Your Environment
- Version used: 2.0.6
- Configuration: None, I narrowed it down enough that it can run from the command line right away: fluent-bit -i systemd -o stdout
- Environment name and version (e.g. Kubernetes? What version?):
- Server type and version:
- Operating System and version: CentOS 9
- Filters and plugins: systemd
Additional context
I ran into this while upgrading fluent-bit on a hardened server, where we set a lot of extra SELinux policies. And it basically stopped working completely with our existing configuration.
About this issue
- State: closed
- Created 2 years ago
- Reactions: 3
- Comments: 16 (5 by maintainers)
https://github.com/fluent/fluent-bit/blob/v2.0.6/lib/wasm-micro-runtime-fast-jit-06-29-2022/CMakeLists.txt#L114-L120 I think these lines relate to this issue.
I enabled these lines, but the file was not used to build fluent-bit.
@cosmo0920 Any ideas?
Note: When FLB_WASM is enabled, hello_world doesn't work because of "permission denied". The following command also fails with the same error.
hello_world also doesn't use the wasm plugin… The workaround is to disable FLB_WASM. Some wasm sources try to call mprotect and it fails. Cc @cosmo0920