[NPM-3665] Include semodule -l in agent flare (#32189)

Co-authored-by: DeForest Richards <[email protected]>
DataDog · Dec 18, 2024 · f51b26c · f51b26c
1 parent f4ae8f0
commit f51b26c
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 7 deletions.
diff --git a/cmd/system-probe/api/debug/handlers_linux.go b/cmd/system-probe/api/debug/handlers_linux.go
@@ -17,19 +17,18 @@ import (
 	"time"
 )
 
-// HandleSelinuxSestatus reports the output of sestatus as an http result
-func HandleSelinuxSestatus(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
-	defer cancel()
-
-	cmd := exec.CommandContext(ctx, "sestatus")
+// handleCommand runs commandName with the provided arguments and writes it to the HTTP response.
+// If the command exits with a failure or doesn't exist in the PATH, it will still 200 but report the failure.
+// Any other kind of error will 500.
+func handleCommand(ctx context.Context, w http.ResponseWriter, commandName string, args ...string) {
+	cmd := exec.CommandContext(ctx, commandName, args...)
 	output, err := cmd.CombinedOutput()
 
 	var execError *exec.Error
 	var exitErr *exec.ExitError
 
 	if err != nil {
-		// don't 500 for ExitErrors etc, to report "normal" failures to the selinux_sestatus.log file
+		// don't 500 for ExitErrors etc, to report "normal" failures to the flare log file
 		if !errors.As(err, &execError) && !errors.As(err, &exitErr) {
 			w.WriteHeader(500)
 		}
@@ -39,3 +38,19 @@ func HandleSelinuxSestatus(w http.ResponseWriter, r *http.Request) {
 
 	w.Write(output)
 }
+
+// HandleSelinuxSestatus reports the output of sestatus as an http result
+func HandleSelinuxSestatus(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	handleCommand(ctx, w, "sestatus")
+}
+
+// HandleSelinuxSemoduleList reports the output of semodule -l as an http result
+func HandleSelinuxSemoduleList(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	handleCommand(ctx, w, "semodule", "-l")
+}
diff --git a/cmd/system-probe/api/debug/handlers_nolinux.go b/cmd/system-probe/api/debug/handlers_nolinux.go
@@ -18,3 +18,9 @@ func HandleSelinuxSestatus(w http.ResponseWriter, _ *http.Request) {
 	w.WriteHeader(500)
 	io.WriteString(w, "HandleSelinuxSestatus is not supported on this platform")
 }
+
+// HandleSelinuxSemoduleList is not supported
+func HandleSelinuxSemoduleList(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(500)
+	io.WriteString(w, "HandleSelinuxSemoduleList is not supported on this platform")
+}
diff --git a/cmd/system-probe/api/server.go b/cmd/system-probe/api/server.go
@@ -60,6 +60,7 @@ func StartServer(cfg *sysconfigtypes.Config, telemetry telemetry.Component, wmet
 	if runtime.GOOS == "linux" {
 		mux.HandleFunc("/debug/ebpf_btf_loader_info", ebpf.HandleBTFLoaderInfo)
 		mux.HandleFunc("/debug/selinux_sestatus", debug.HandleSelinuxSestatus)
+		mux.HandleFunc("/debug/selinux_semodule_list", debug.HandleSelinuxSemoduleList)
 	}
 
 	go func() {

diff --git a/pkg/flare/archive_linux.go b/pkg/flare/archive_linux.go
@@ -39,6 +39,7 @@ func addSystemProbePlatformSpecificEntries(fb flaretypes.FlareBuilder) {
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "conntrack_host.log"), getSystemProbeConntrackHost)
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "ebpf_btf_loader.log"), getSystemProbeBTFLoaderInfo)
 		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "selinux_sestatus.log"), getSystemProbeSelinuxSestatus)
+		_ = fb.AddFileFromFunc(filepath.Join("system-probe", "selinux_semodule_list.log"), getSystemProbeSelinuxSemoduleList)
 	}
 }
 
@@ -155,3 +156,9 @@ func getSystemProbeSelinuxSestatus() ([]byte, error) {
 	url := sysprobeclient.DebugURL("/selinux_sestatus")
 	return getHTTPData(sysProbeClient, url)
 }
+
+func getSystemProbeSelinuxSemoduleList() ([]byte, error) {
+	sysProbeClient := sysprobeclient.Get(getSystemProbeSocketPath())
+	url := sysprobeclient.DebugURL("/selinux_semodule_list")
+	return getHTTPData(sysProbeClient, url)
+}
diff --git a/releasenotes/notes/flare-semodule-list-883aecc886cd62ac.yaml b/releasenotes/notes/flare-semodule-list-883aecc886cd62ac.yaml
@@ -0,0 +1,11 @@
+# Each section from every release note are combined when the
+# CHANGELOG.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+enhancements:
+  - |
+    Added the output of ``semodule -l`` to the Agent flare; this information appears in ``system-probe/selinux_semodule_list.log``.