[NPM-3662] Add sestatus to agent flare (#32068)

DataDog · Dec 13, 2024 · 37fbbc8 · 37fbbc8
1 parent e87eaec
commit 37fbbc8
Show file tree

Hide file tree

Showing 6 changed files with 83 additions and 3 deletions.
diff --git a/cmd/system-probe/api/debug/handlers_linux.go b/cmd/system-probe/api/debug/handlers_linux.go
@@ -0,0 +1,41 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024-present Datadog, Inc.
+
+//go:build linux
+
+// Package debug contains handlers for debug information global to all of system-probe
+package debug
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"os/exec"
+	"time"
+)
+
+// HandleSelinuxSestatus reports the output of sestatus as an http result
+func HandleSelinuxSestatus(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "sestatus")
+	output, err := cmd.CombinedOutput()
+
+	var execError *exec.Error
+	var exitErr *exec.ExitError
+
+	if err != nil {
+		// don't 500 for ExitErrors etc, to report "normal" failures to the selinux_sestatus.log file
+		if !errors.As(err, &execError) && !errors.As(err, &exitErr) {
+			w.WriteHeader(500)
+		}
+		fmt.Fprintf(w, "command failed: %s\n%s", err, output)
+		return
+	}
+
+	w.Write(output)
+}
diff --git a/cmd/system-probe/api/debug/handlers_nolinux.go b/cmd/system-probe/api/debug/handlers_nolinux.go
@@ -0,0 +1,20 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024-present Datadog, Inc.
+
+//go:build !linux
+
+// Package debug contains handlers for debug information global to all of system-probe
+package debug
+
+import (
+	"io"
+	"net/http"
+)
+
+// HandleSelinuxSestatus is not supported
+func HandleSelinuxSestatus(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(500)
+	io.WriteString(w, "HandleSelinuxSestatus is not supported on this platform")
+}
diff --git a/cmd/system-probe/api/server.go b/cmd/system-probe/api/server.go
@@ -15,6 +15,7 @@ import (
 
 	gorilla "github.com/gorilla/mux"
 
+	"github.com/DataDog/datadog-agent/cmd/system-probe/api/debug"
 	"github.com/DataDog/datadog-agent/cmd/system-probe/api/module"
 	"github.com/DataDog/datadog-agent/cmd/system-probe/api/server"
 	sysconfigtypes "github.com/DataDog/datadog-agent/cmd/system-probe/config/types"
@@ -58,6 +59,7 @@ func StartServer(cfg *sysconfigtypes.Config, telemetry telemetry.Component, wmet
 
 	if runtime.GOOS == "linux" {
 		mux.HandleFunc("/debug/ebpf_btf_loader_info", ebpf.HandleBTFLoaderInfo)
+		mux.HandleFunc("/debug/selinux_sestatus", debug.HandleSelinuxSestatus)
 	}
 
 	go func() {

diff --git a/pkg/ebpf/debug_handlers.go b/pkg/ebpf/debug_handlers.go
@@ -6,18 +6,17 @@
 package ebpf
 
 import (
+	"fmt"
 	"io"
 	"net/http"
-
-	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
 
 // HandleBTFLoaderInfo responds with where the system-probe found BTF data (and
 // if it was in a pre-bundled tarball, where within that tarball it came from)
 func HandleBTFLoaderInfo(w http.ResponseWriter, _ *http.Request) {
 	info, err := GetBTFLoaderInfo()
 	if err != nil {
-		log.Errorf("unable to get ebpf_btf_loader info: %s", err)
+		fmt.Fprintf(w, "unable to get ebpf_btf_loader info: %s", err)
 		w.WriteHeader(500)
 		return
 	}

diff --git a/pkg/flare/archive_linux.go b/pkg/flare/archive_linux.go
@@ -38,6 +38,7 @@ func addSystemProbePlatformSpecificEntries(fb flaretypes.FlareBuilder) {
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "conntrack_cached.log"), getSystemProbeConntrackCached)
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "conntrack_host.log"), getSystemProbeConntrackHost)
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "ebpf_btf_loader.log"), getSystemProbeBTFLoaderInfo)
+		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "selinux_sestatus.log"), getSystemProbeSelinuxSestatus)
 	}
 }
 
@@ -148,3 +149,9 @@ func getSystemProbeBTFLoaderInfo() ([]byte, error) {
 	url := sysprobeclient.DebugURL("/ebpf_btf_loader_info")
 	return getHTTPData(sysProbeClient, url)
 }
+
+func getSystemProbeSelinuxSestatus() ([]byte, error) {
+	sysProbeClient := sysprobeclient.Get(getSystemProbeSocketPath())
+	url := sysprobeclient.DebugURL("/selinux_sestatus")
+	return getHTTPData(sysProbeClient, url)
+}
diff --git a/releasenotes/notes/agent-flare-sestatus-5820cfc79ec91d1f.yaml b/releasenotes/notes/agent-flare-sestatus-5820cfc79ec91d1f.yaml
@@ -0,0 +1,11 @@
+# Each section from every release note are combined when the
+# CHANGELOG.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+enhancements:
+  - |
+    Added the output of ``sestatus`` into the Agent flare. This information will appear in ``system-probe/selinux_sestatus.log``.