[NPM-3662] Add sestatus to agent flare

cmd/system-probe/api/debug/handlers_linux.go

@@ -0,0 +1,29 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024-present Datadog, Inc.
+
+//go:build linux
+
+// Package debug contains handlers for debug information global to all of system-probe
+package debug
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"os/exec"
+)
+
+// HandleSelinuxSestatus reports the output of sestatus as an http result
+func HandleSelinuxSestatus(w http.ResponseWriter, _ *http.Request) {
+	cmd := exec.Command("sestatus")
+	output, err := cmd.CombinedOutput()
+	// don't report ExitErrors since we are using the combined output which will already include stderr
+	if err != nil && !errors.Is(err, &exec.ExitError{}) {
+		fmt.Fprintf(w, "sestatus command failed: %s", err)
+		return
+	}
+
+	w.Write(output)
+}

cmd/system-probe/api/debug/handlers_nolinux.go

@@ -0,0 +1,21 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024-present Datadog, Inc.
+
+//go:build !linux
+
+// Package debug contains handlers for debug information global to all of system-probe
+package debug
+
+import (
+	"io"
+	"net/http"
+)
+
+// HandleSelinuxSestatus is not supported
+func HandleSelinuxSestatus(w http.ResponseWriter, _ *http.Request) {
+	io.WriteString(w, "HandleSelinuxSestatus is not supported on this platform")
+	w.WriteHeader(500)
+	return
+}

cmd/system-probe/api/server.go

@@ -15,6 +15,7 @@ import (
 
 	gorilla "github.com/gorilla/mux"
 
+	"github.com/DataDog/datadog-agent/cmd/system-probe/api/debug"
 	"github.com/DataDog/datadog-agent/cmd/system-probe/api/module"
 	"github.com/DataDog/datadog-agent/cmd/system-probe/api/server"
 	sysconfigtypes "github.com/DataDog/datadog-agent/cmd/system-probe/config/types"
@@ -57,6 +58,7 @@ func StartServer(cfg *sysconfigtypes.Config, telemetry telemetry.Component, wmet
 
 	if runtime.GOOS == "linux" {
 		mux.HandleFunc("/debug/ebpf_btf_loader_info", ebpf.HandleBTFLoaderInfo)
+		mux.HandleFunc("/debug/selinux_sestatus", debug.HandleSelinuxSestatus)
 	}
 
 	go func() {

pkg/ebpf/debug_handlers.go

@@ -6,18 +6,17 @@
 package ebpf
 
 import (
+	"fmt"
 	"io"
 	"net/http"
-
-	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
 
 // HandleBTFLoaderInfo responds with where the system-probe found BTF data (and
 // if it was in a pre-bundled tarball, where within that tarball it came from)
 func HandleBTFLoaderInfo(w http.ResponseWriter, _ *http.Request) {
 	info, err := GetBTFLoaderInfo()
 	if err != nil {
-		log.Errorf("unable to get ebpf_btf_loader info: %s", err)
+		fmt.Fprintf(w, "unable to get ebpf_btf_loader info: %s", err)
 		w.WriteHeader(500)
 		return
 	}

pkg/flare/archive_linux.go

@@ -33,6 +33,7 @@ func addSystemProbePlatformSpecificEntries(fb flaretypes.FlareBuilder) {
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "conntrack_cached.log"), getSystemProbeConntrackCached)
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "conntrack_host.log"), getSystemProbeConntrackHost)
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "ebpf_btf_loader.log"), getSystemProbeBTFLoaderInfo)
+		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "selinux_sestatus.log"), getSystemProbeSelinuxSestatus)
 	}
 }
 
@@ -143,3 +144,9 @@ func getSystemProbeBTFLoaderInfo() ([]byte, error) {
 	url := sysprobeclient.DebugURL("/ebpf_btf_loader_info")
 	return getHTTPData(sysProbeClient, url)
 }
+
+func getSystemProbeSelinuxSestatus() ([]byte, error) {
+	sysProbeClient := sysprobeclient.Get(getSystemProbeSocketPath())
+	url := sysprobeclient.DebugURL("/debug/selinux_sestatus")
+	return getHTTPData(sysProbeClient, url)
+}