Merge branch 'main' into dependabot/github_actions/actions/setup-node…

…-4.1.0

.github/CODEOWNERS

@@ -148,7 +148,6 @@
 /.gitlab/powershell_script_deploy                    @DataDog/agent-delivery @DataDog/windows-agent
 
 /.gitlab/choco_build/choco_build.yml                 @DataDog/agent-delivery @DataDog/windows-agent
-/.gitlab/choco_deploy/choco_deploy.yml               @DataDog/agent-delivery @DataDog/windows-agent
 
 /.gitlab/integration_test/windows.yml                @DataDog/agent-devx-infra @DataDog/windows-agent
 

.gitlab-ci.yml

@@ -6,7 +6,6 @@ include:
   - .gitlab/check_deploy/check_deploy.yml
   - .gitlab/check_merge/do_not_merge.yml
   - .gitlab/choco_build/choco_build.yml
-  - .gitlab/choco_deploy/choco_deploy.yml
   - .gitlab/powershell_script_signing/powershell_script_signing.yml
   - .gitlab/powershell_script_deploy/powershell_script_deploy.yml
   - .gitlab/common/shared.yml
@@ -86,7 +85,7 @@ stages:
   - deploy_dca
   - choco_and_install_script_build
   - trigger_release
-  - choco_and_install_script_deploy
+  - install_script_deploy
   - internal_image_deploy
   - e2e_deploy
   - install_script_testing

.gitlab/.ci-linters.yml

@@ -83,7 +83,6 @@ job-owners:
     - new-e2e-unit-tests
     - ot_agent_deb-arm64-a7
     - ot_agent_deb-x64-a7
-    - publish_choco_7_x64
     - publish_fakeintake
     - publish_fakeintake_latest
     - rc_kubernetes_deploy

.gitlab/choco_build/choco_build.yml

@@ -2,34 +2,8 @@
 # choco_build stage
 # Contains jobs which build the chocolatey Agent package.
 
-# Not currently used in the pipeline.
-windows_choco_offline_7_x64:
-  rules:
-    !reference [.manual]
-  stage: choco_and_install_script_build
-  tags: ["runner:windows-docker", "windowsversion:1809"]
-  needs: ["windows_msi_and_bosh_zip_x64-a7"]
-  variables:
-    ARCH: "x64"
-  script:
-    - $ErrorActionPreference = "Stop"
-    - Get-ChildItem omnibus\pkg
-    - copy omnibus\pkg\*.msi .\chocolatey\datadog-agent\offline\tools\
-    - >
-      docker run --rm
-      -v "$(Get-Location):c:\mnt"
-      -e AWS_NETWORKING=true
-      registry.ddbuild.io/ci/datadog-agent-buildimages/windows_1809_${ARCH}${Env:DATADOG_AGENT_WINBUILDIMAGES_SUFFIX}:${Env:DATADOG_AGENT_WINBUILDIMAGES}
-      powershell.exe -C "C:\mnt\tasks\winbuildscripts\Generate-Chocolatey-Package.ps1 -InstallMethod offline -Flavor $FLAVOR -InstallDeps 1"
-    - If ($lastExitCode -ne "0") { throw "Previous command returned $lastExitCode" }
-    - copy build-out\*.nupkg omnibus\pkg
-  artifacts:
-    expire_in: 2 weeks
-    paths:
-      - omnibus/pkg
-
-# The online version of the choco job gets the msi package through the gitlab artifacts
-.windows_choco_online_7_x64:
+# The choco job gets the msi package through the gitlab artifacts
+.windows_choco_7_x64:
   rules:
     !reference [.on_deploy_stable_or_beta_repo_branch]
   stage: choco_and_install_script_build
@@ -39,11 +13,7 @@ windows_choco_offline_7_x64:
   script:
     - '$_instance_id = (iwr  -UseBasicParsing http://169.254.169.254/latest/meta-data/instance-id).content ; Write-Host "Running on instance $($_instance_id)"'
     - $ErrorActionPreference = "Stop"
-    - mkdir temp\
-    - copy omnibus\pkg\*.msi temp\
-    - if (Test-Path omnibus) { remove-item -recurse -force omnibus }
     - if (Test-Path build-out) { remove-item -recurse -force build-out }
-    - mkdir omnibus\pkg
     - >
       docker run --rm
       -v "$(Get-Location):c:\mnt"
@@ -52,10 +22,8 @@ windows_choco_offline_7_x64:
       -e BUCKET_BRANCH="$BUCKET_BRANCH"
       -e AWS_NETWORKING=true
       registry.ddbuild.io/ci/datadog-agent-buildimages/windows_1809_${ARCH}${Env:DATADOG_AGENT_WINBUILDIMAGES_SUFFIX}:${Env:DATADOG_AGENT_WINBUILDIMAGES}
-      powershell.exe -C "C:\mnt\tasks\winbuildscripts\Generate-Chocolatey-Package.ps1 -InstallMethod online -MSIDirectory c:\mnt\temp -Flavor $FLAVOR -InstallDeps 1"
+      powershell.exe -C "C:\mnt\tasks\winbuildscripts\Generate-Chocolatey-Package.ps1 -MSIDirectory c:\mnt\omnibus\pkg -Flavor $FLAVOR -InstallDeps 1"
     - If ($lastExitCode -ne "0") { throw "Previous command returned $lastExitCode" }
-    - Remove-Item -Path "temp\" -Recurse -Force
-    - copy build-out\*.nupkg omnibus\pkg
     - $CopyNupkgToS3 = "$S3_CP_CMD --recursive --exclude '*' --include '*.nupkg' build-out $S3_RELEASE_ARTIFACTS_URI/choco/nupkg"
     - Invoke-Expression $CopyNupkgToS3
   artifacts:
@@ -65,8 +33,8 @@ windows_choco_offline_7_x64:
   # Sometimes Chocolatey is flakey
   retry: 2
 
-windows_choco_online_7_x64:
-  extends: .windows_choco_online_7_x64
+windows_choco_7_x64:
+  extends: .windows_choco_7_x64
   # On dev/PR branches:
   #   - if the job is run manually it will create a package, but before the
   #     package can be installed, the deploy_windows_testing-a7 job must
@@ -75,8 +43,8 @@ windows_choco_online_7_x64:
   variables:
     FLAVOR: "datadog-agent"
 
-windows_choco_online_7_x64-fips:
-  extends: .windows_choco_online_7_x64
+windows_choco_7_x64-fips:
+  extends: .windows_choco_7_x64
   # On dev/PR branches:
   #   - if the job is run manually it will create a package, but before the
   #     package can be installed, the deploy_windows_testing-a7-fips job must

.gitlab/kernel_matrix_testing/security_agent.yml

@@ -216,26 +216,6 @@ kmt_run_secagent_tests_x64_ebpfless:
     - !reference [.collect_outcomes_kmt]
     - !reference [.upload_junit_kmt]
 
-kmt_run_secagent_tests_x64_fentry:
-  extends:
-    - .kmt_run_secagent_tests
-  image: registry.ddbuild.io/ci/datadog-agent-buildimages/system-probe_x64$DATADOG_AGENT_SYSPROBE_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_SYSPROBE_BUILDIMAGES
-  tags: ["arch:amd64"]
-  needs:
-    - kmt_setup_env_secagent_x64
-    - upload_dependencies_secagent_x64
-    - upload_secagent_tests_x64
-  variables:
-    ARCH: "x86_64"
-  parallel:
-    matrix:
-      - TAG:
-          - "amazon_2023"
-        TEST_SET: [cws_fentry]
-  after_script:
-    - !reference [.collect_outcomes_kmt]
-    - !reference [.upload_junit_kmt]
-
 kmt_run_secagent_tests_x64_docker:
   extends:
     - .kmt_run_secagent_tests
@@ -350,26 +330,6 @@ kmt_run_secagent_tests_arm64_ebpfless:
     - !reference [.collect_outcomes_kmt]
     - !reference [.upload_junit_kmt]
 
-kmt_run_secagent_tests_arm64_fentry:
-  extends:
-    - .kmt_run_secagent_tests
-  image: registry.ddbuild.io/ci/datadog-agent-buildimages/system-probe_arm64$DATADOG_AGENT_SYSPROBE_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_SYSPROBE_BUILDIMAGES
-  tags: ["arch:arm64"]
-  needs:
-    - kmt_setup_env_secagent_arm64
-    - upload_dependencies_secagent_arm64
-    - upload_secagent_tests_arm64
-  variables:
-    ARCH: "arm64"
-  parallel:
-    matrix:
-      - TAG:
-          - "ubuntu_24.04"
-        TEST_SET: [cws_fentry]
-  after_script:
-    - !reference [.collect_outcomes_kmt]
-    - !reference [.upload_junit_kmt]
-
 kmt_run_secagent_tests_arm64_docker:
   extends:
     - .kmt_run_secagent_tests
@@ -426,7 +386,6 @@ kmt_secagent_tests_join_arm64:
     - kmt_run_secagent_tests_arm64
     - kmt_run_secagent_tests_arm64_ad
     - kmt_run_secagent_tests_arm64_ebpfless
-    - kmt_run_secagent_tests_arm64_fentry
     - kmt_run_secagent_tests_arm64_docker
 
 kmt_secagent_cleanup_arm64:
@@ -449,7 +408,6 @@ kmt_secagent_tests_join_x64:
     - kmt_run_secagent_tests_x64_required
     - kmt_run_secagent_tests_x64_ad
     - kmt_run_secagent_tests_x64_ebpfless
-    - kmt_run_secagent_tests_x64_fentry
     - kmt_run_secagent_tests_x64_docker
 
 kmt_secagent_cleanup_x64:

.gitlab/powershell_script_deploy/powershell_script_deploy.yml

@@ -5,7 +5,7 @@
 powershell_script_deploy:
   image: registry.ddbuild.io/ci/datadog-agent-buildimages/gitlab_agent_deploy$DATADOG_AGENT_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_BUILDIMAGES
   tags: ["arch:amd64"]
-  stage: choco_and_install_script_deploy
+  stage: install_script_deploy
   rules:
     !reference [.manual]
   needs: ["powershell_script_signing"]
@@ -19,7 +19,7 @@ powershell_script_deploy:
 windows_bootstrapper_deploy:
   image: registry.ddbuild.io/ci/datadog-agent-buildimages/gitlab_agent_deploy$DATADOG_AGENT_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_BUILDIMAGES
   tags: ["arch:amd64"]
-  stage: choco_and_install_script_deploy
+  stage: install_script_deploy
   rules:
     !reference [.manual]
   needs: ["windows-installer-amd64"]

chocolatey/datadog-agent/online/datadog-agent-online.nuspec → chocolatey/datadog-agent/datadog-agent.nuspec

@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>datadog-agent</id>

cmd/system-probe/api/debug/handlers_linux.go

@@ -17,19 +17,18 @@ import (
 	"time"
 )
 
-// HandleSelinuxSestatus reports the output of sestatus as an http result
-func HandleSelinuxSestatus(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
-	defer cancel()
-
-	cmd := exec.CommandContext(ctx, "sestatus")
+// handleCommand runs commandName with the provided arguments and writes it to the HTTP response.
+// If the command exits with a failure or doesn't exist in the PATH, it will still 200 but report the failure.
+// Any other kind of error will 500.
+func handleCommand(ctx context.Context, w http.ResponseWriter, commandName string, args ...string) {
+	cmd := exec.CommandContext(ctx, commandName, args...)
 	output, err := cmd.CombinedOutput()
 
 	var execError *exec.Error
 	var exitErr *exec.ExitError
 
 	if err != nil {
-		// don't 500 for ExitErrors etc, to report "normal" failures to the selinux_sestatus.log file
+		// don't 500 for ExitErrors etc, to report "normal" failures to the flare log file
 		if !errors.As(err, &execError) && !errors.As(err, &exitErr) {
 			w.WriteHeader(500)
 		}
@@ -39,3 +38,19 @@ func HandleSelinuxSestatus(w http.ResponseWriter, r *http.Request) {
 
 	w.Write(output)
 }
+
+// HandleSelinuxSestatus reports the output of sestatus as an http result
+func HandleSelinuxSestatus(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	handleCommand(ctx, w, "sestatus")
+}
+
+// HandleSelinuxSemoduleList reports the output of semodule -l as an http result
+func HandleSelinuxSemoduleList(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	handleCommand(ctx, w, "semodule", "-l")
+}

cmd/system-probe/api/debug/handlers_nolinux.go

@@ -18,3 +18,9 @@ func HandleSelinuxSestatus(w http.ResponseWriter, _ *http.Request) {
 	w.WriteHeader(500)
 	io.WriteString(w, "HandleSelinuxSestatus is not supported on this platform")
 }
+
+// HandleSelinuxSemoduleList is not supported
+func HandleSelinuxSemoduleList(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(500)
+	io.WriteString(w, "HandleSelinuxSemoduleList is not supported on this platform")
+}

cmd/system-probe/api/server.go

@@ -60,6 +60,7 @@ func StartServer(cfg *sysconfigtypes.Config, telemetry telemetry.Component, wmet
 	if runtime.GOOS == "linux" {
 		mux.HandleFunc("/debug/ebpf_btf_loader_info", ebpf.HandleBTFLoaderInfo)
 		mux.HandleFunc("/debug/selinux_sestatus", debug.HandleSelinuxSestatus)
+		mux.HandleFunc("/debug/selinux_semodule_list", debug.HandleSelinuxSemoduleList)
 	}
 
 	go func() {

pkg/config/setup/system_probe.go

@@ -371,9 +371,9 @@ func InitSystemProbeConfig(cfg pkgconfigmodel.Config) {
 	eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.classifier_handle"), 0)
 	eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.raw_classifier_handle"), 0)
 	eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_ring_buffer"), true)
-	eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_fentry"), false)
-	eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_fentry_amd64"), false)
-	eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_fentry_arm64"), false)
+	eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_fentry"), true)
+	eventMonitorBindEnv(cfg, join(evNS, "event_stream.use_fentry_amd64"))
+	eventMonitorBindEnv(cfg, join(evNS, "event_stream.use_fentry_arm64"))
 	eventMonitorBindEnv(cfg, join(evNS, "event_stream.buffer_size"))
 	eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "envs_with_value"), []string{"LD_PRELOAD", "LD_LIBRARY_PATH", "PATH", "HISTSIZE", "HISTFILESIZE", "GLIBC_TUNABLES"})
 	eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "runtime_compilation.enabled"), false)