From 37fbbc826dfb608e5b4f6fb7d9058bae8d27ce22 Mon Sep 17 00:00:00 2001
From: Stuart Geipel
Date: Fri, 13 Dec 2024 16:59:46 -0500
Subject: [PATCH] [NPM-3662] Add sestatus to agent flare (#32068)

---
 cmd/system-probe/api/debug/handlers_linux.go | 41 +++++++++++++++++++
 .../api/debug/handlers_nolinux.go | 20 +++++++++
 cmd/system-probe/api/server.go | 2 +
 pkg/ebpf/debug_handlers.go | 5 +--
 pkg/flare/archive_linux.go | 7 ++++
 ...agent-flare-sestatus-5820cfc79ec91d1f.yaml | 11 +++++
 6 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 cmd/system-probe/api/debug/handlers_linux.go
 create mode 100644 cmd/system-probe/api/debug/handlers_nolinux.go
 create mode 100644 releasenotes/notes/agent-flare-sestatus-5820cfc79ec91d1f.yaml

diff --git a/cmd/system-probe/api/debug/handlers_linux.go b/cmd/system-probe/api/debug/handlers_linux.go
new file mode 100644
index 0000000000000..d2bd7dfbd5f48
--- /dev/null
+++ b/cmd/system-probe/api/debug/handlers_linux.go
@@ -0,0 +1,41 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024-present Datadog, Inc.
+
+//go:build linux
+
+// Package debug contains handlers for debug information global to all of system-probe
+package debug
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"os/exec"
+	"time"
+)
+
+// HandleSelinuxSestatus reports the output of sestatus as an http result
+func HandleSelinuxSestatus(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "sestatus")
+	output, err := cmd.CombinedOutput()
+
+	var execError *exec.Error
+	var exitErr *exec.ExitError
+
+	if err != nil {
+		// don't 500 for ExitErrors etc, to report "normal" failures to the selinux_sestatus.log file
+		if !errors.As(err, &execError) && !errors.As(err, &exitErr) {
+			w.WriteHeader(500)
+		}
+		fmt.Fprintf(w, "command failed: %s\n%s", err, output)
+		return
+	}
+
+	w.Write(output)
+}
diff --git a/cmd/system-probe/api/debug/handlers_nolinux.go b/cmd/system-probe/api/debug/handlers_nolinux.go
new file mode 100644
index 0000000000000..1475d821c1e6e
--- /dev/null
+++ b/cmd/system-probe/api/debug/handlers_nolinux.go
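Review bot: `exec.CommandContext(ctx, "sestatus")` resolves the binary through whatever PATH system-probe inherited, so a privileged daemon runs the first `sestatus` it finds; either pin an absolute path or state the PATH dependency in the handler comment, e.g. `// HandleSelinuxSestatus runs sestatus (resolved via the process PATH) with a 5s timeout and reports its combined output`. As far as I can tell a timeout also surfaces as an `*exec.ExitError` (the killed child exits unsuccessfully), so it is classified as a "normal" failure and written with status 200; checking `ctx.Err() != nil` before the errors.As branch would let the flare file say the command timed out rather than showing a bare signal message. The result of `w.Write(output)` is unchecked, which matches the surrounding handlers but deserves an explicit `_ =`. The literal `500` here, in handlers_nolinux.go and in pkg/ebpf/debug_handlers.go reads better as `http.StatusInternalServerError`.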
@@ -0,0 +1,20 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024-present Datadog, Inc.
+
+//go:build !linux
+
+// Package debug contains handlers for debug information global to all of system-probe
+package debug
+
+import (
+	"io"
+	"net/http"
+)
+
+// HandleSelinuxSestatus is not supported
+func HandleSelinuxSestatus(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(500)
+	io.WriteString(w, "HandleSelinuxSestatus is not supported on this platform")
+}
diff --git a/cmd/system-probe/api/server.go b/cmd/system-probe/api/server.go
index 3e4a71056f143..d81007a0c8f0d 100644
--- a/cmd/system-probe/api/server.go
+++ b/cmd/system-probe/api/server.go
@@ -15,6 +15,7 @@ import (
 
 	gorilla "github.com/gorilla/mux"
 
+	"github.com/DataDog/datadog-agent/cmd/system-probe/api/debug"
 	"github.com/DataDog/datadog-agent/cmd/system-probe/api/module"
 	"github.com/DataDog/datadog-agent/cmd/system-probe/api/server"
 	sysconfigtypes "github.com/DataDog/datadog-agent/cmd/system-probe/config/types"
@@ -58,6 +59,7 @@ func StartServer(cfg *sysconfigtypes.Config, telemetry telemetry.Component, wmet
 
 	if runtime.GOOS == "linux" {
 		mux.HandleFunc("/debug/ebpf_btf_loader_info", ebpf.HandleBTFLoaderInfo)
+		mux.HandleFunc("/debug/selinux_sestatus", debug.HandleSelinuxSestatus)
 	}
 
 	go func() {
diff --git a/pkg/ebpf/debug_handlers.go b/pkg/ebpf/debug_handlers.go
index ea10d22a844c2..04cba9faed556 100644
--- a/pkg/ebpf/debug_handlers.go
+++ b/pkg/ebpf/debug_handlers.go
@@ -6,10 +6,9 @@
 package ebpf
 
 import (
+	"fmt"
 	"io"
 	"net/http"
-
-	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
 
 // HandleBTFLoaderInfo responds with where the system-probe found BTF data (and
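Review bot: The stub hand-rolls what `http.Error` already does and drops the `io.WriteString` result; `http.Error(w, "HandleSelinuxSestatus is not supported on this platform", http.StatusInternalServerError)` sets the status and a text/plain content type in one call and would let the `io` import go. Since server.go registers the route only under `runtime.GOOS == "linux"`, this function appears to exist solely so the reference compiles elsewhere, which the doc comment should say: `// HandleSelinuxSestatus is a compile-time stub; server.go never registers this route on non-Linux platforms.`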
@@ -17,7 +16,7 @@ import (
 func HandleBTFLoaderInfo(w http.ResponseWriter, _ *http.Request) {
 	info, err := GetBTFLoaderInfo()
 	if err != nil {
-		log.Errorf("unable to get ebpf_btf_loader info: %s", err)
+		fmt.Fprintf(w, "unable to get ebpf_btf_loader info: %s", err)
 		w.WriteHeader(500)
 		return
 	}
diff --git a/pkg/flare/archive_linux.go b/pkg/flare/archive_linux.go
index 1c9b5d7a4ad48..dafe8bd41d1bc 100644
--- a/pkg/flare/archive_linux.go
+++ b/pkg/flare/archive_linux.go
@@ -38,6 +38,7 @@ func addSystemProbePlatformSpecificEntries(fb flaretypes.FlareBuilder) {
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "conntrack_cached.log"), getSystemProbeConntrackCached)
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "conntrack_host.log"), getSystemProbeConntrackHost)
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "ebpf_btf_loader.log"), getSystemProbeBTFLoaderInfo)
+		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "selinux_sestatus.log"), getSystemProbeSelinuxSestatus)
 	}
 }
 
@@ -148,3 +149,9 @@ func getSystemProbeBTFLoaderInfo() ([]byte, error) {
 	url := sysprobeclient.DebugURL("/ebpf_btf_loader_info")
 	return getHTTPData(sysProbeClient, url)
 }
+
+func getSystemProbeSelinuxSestatus() ([]byte, error) {
+	sysProbeClient := sysprobeclient.Get(getSystemProbeSocketPath())
+	url := sysprobeclient.DebugURL("/selinux_sestatus")
+	return getHTTPData(sysProbeClient, url)
+}
diff --git a/releasenotes/notes/agent-flare-sestatus-5820cfc79ec91d1f.yaml b/releasenotes/notes/agent-flare-sestatus-5820cfc79ec91d1f.yaml
new file mode 100644
index 0000000000000..e7bac3330c728
--- /dev/null
+++ b/releasenotes/notes/agent-flare-sestatus-5820cfc79ec91d1f.yaml
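Review bot: `fmt.Fprintf(w, …)` now runs before `w.WriteHeader(500)`, and the first write to a ResponseWriter implicitly commits a 200 status, so the following WriteHeader is a no-op (net/http logs a "superfluous response.WriteHeader call") and the client receives a 200 whose body is an error message. Swap the two lines, `w.WriteHeader(500)` then `fmt.Fprintf(w, "unable to get ebpf_btf_loader info: %s", err)`, or replace both with `http.Error(w, fmt.Sprintf("unable to get ebpf_btf_loader info: %s", err), http.StatusInternalServerError)`. The edit also removes the only server-side record of the failure, so it is now visible solely to whoever fetched the endpoint; if operators relied on that log line, keep the `log.Errorf` alongside the response (its import was dropped in the previous hunk). HandleBTFLoaderInfo continues past the end of the hunk.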
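Review bot: `getSystemProbeSelinuxSestatus` in the archive_linux.go hunk has no doc comment, and it is a verbatim copy of the three-line fetch pattern visible in the neighbouring `getSystemProbeBTFLoaderInfo` (client from socket path, DebugURL, getHTTPData). A one-liner such as `// getSystemProbeSelinuxSestatus returns the body of system-probe's /debug/selinux_sestatus endpoint for the flare's selinux_sestatus.log.` would do. If the other getSystemProbe* helpers really share this shape, a single `getSystemProbeDebug(path string) ([]byte, error)` taking the endpoint path would remove the duplication, though that refactor is beyond this change.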
@@ -0,0 +1,11 @@
+# Each section from every release note are combined when the
+# CHANGELOG.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+enhancements:
+  - |
+    Added the output of ``sestatus`` into the Agent flare. This information will appear in ``system-probe/selinux_sestatus.log``.