Skip to content

Commit

Permalink
[CWS] No warning log when a persisted profile already exists (DataDog…
Browse files Browse the repository at this point in the history
  • Loading branch information
YoannGh authored Nov 27, 2024
1 parent c5298c3 commit fd5358b
Showing 1 changed file with 22 additions and 11 deletions.
33 changes: 22 additions & 11 deletions pkg/security/security_profile/profile/profile_dir.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,11 @@ type profileFSEntry struct {
selector cgroupModel.WorkloadSelector
}

type existingProfileInfo struct {
path string
selector string
}

// DirectoryProvider is a ProfileProvider that fetches Security Profiles from the filesystem
type DirectoryProvider struct {
sync.Mutex
Expand Down Expand Up @@ -213,24 +218,24 @@ func (dp *DirectoryProvider) listProfiles() ([]string, error) {
return output, nil
}

func (dp *DirectoryProvider) loadProfile(profilePath string) error {
func (dp *DirectoryProvider) loadProfile(profilePath string) (*existingProfileInfo, error) {
profile, err := LoadProtoFromFile(profilePath)
if err != nil {
return fmt.Errorf("couldn't load profile %s: %w", profilePath, err)
return nil, fmt.Errorf("couldn't load profile %s: %w", profilePath, err)
}

if len(profile.ProfileContexts) == 0 {
return fmt.Errorf("couldn't load profile %s: it did not contains any version", profilePath)
return nil, fmt.Errorf("couldn't load profile %s: it did not contains any version", profilePath)
}

imageName, imageTag := profile.Selector.GetImageName(), profile.Selector.GetImageTag()
if imageTag == "" || imageName == "" {
return fmt.Errorf("couldn't load profile %s: it did not contains any valid image_name (%s) or image_tag (%s)", profilePath, imageName, imageTag)
return nil, fmt.Errorf("couldn't load profile %s: it did not contains any valid image_name (%s) or image_tag (%s)", profilePath, imageName, imageTag)
}

workloadSelector, err := cgroupModel.NewWorkloadSelector(imageName, imageTag)
if err != nil {
return err
return nil, err
}
profileManagerSelector := workloadSelector
profileManagerSelector.Tag = "*"
Expand All @@ -241,7 +246,7 @@ func (dp *DirectoryProvider) loadProfile(profilePath string) error {
// prioritize a persited profile over activity dumps
if _, ok := dp.profileMapping[profileManagerSelector]; ok {
dp.Unlock()
return fmt.Errorf("ignoring %s: a persisted profile already exists for workload %s", profilePath, profileManagerSelector.String())
return &existingProfileInfo{path: profilePath, selector: profileManagerSelector.String()}, nil
}

// update profile mapping
Expand All @@ -260,7 +265,7 @@ func (dp *DirectoryProvider) loadProfile(profilePath string) error {
seclog.Debugf("security profile %s loaded from file system", workloadSelector)

if propagateCb == nil {
return nil
return nil, nil
}

// check if this profile matches a workload selector
Expand All @@ -269,7 +274,7 @@ func (dp *DirectoryProvider) loadProfile(profilePath string) error {
propagateCb(workloadSelector, profile)
}
}
return nil
return nil, nil
}

func (dp *DirectoryProvider) loadProfiles() error {
Expand All @@ -279,8 +284,11 @@ func (dp *DirectoryProvider) loadProfiles() error {
}

for _, profilePath := range files {
if err = dp.loadProfile(profilePath); err != nil {
existingProfile, err := dp.loadProfile(profilePath)
if err != nil {
seclog.Errorf("couldn't load profile: %v", err)
} else if existingProfile != nil {
seclog.Debugf("ignoring %s: a persisted profile already exists for workload %s", existingProfile.path, existingProfile.selector)
}
}
return nil
Expand Down Expand Up @@ -340,13 +348,16 @@ func (dp *DirectoryProvider) onHandleFilesFromWatcher() {

var filesToCleanup []string
for file := range dp.newFiles {
if err := dp.loadProfile(file); err != nil {
existingProfile, err := dp.loadProfile(file)
if err != nil {
if errors.Is(err, cgroupModel.ErrNoImageProvided) {
seclog.Debugf("couldn't load new profile %s: %v", file, err)
} else {
seclog.Warnf("couldn't load new profile %s: %v", file, err)
}

filesToCleanup = append(filesToCleanup, file)
} else if existingProfile != nil {
seclog.Debugf("ignoring %s: a persisted profile already exists for workload %s", existingProfile.path, existingProfile.selector)
filesToCleanup = append(filesToCleanup, file)
}
}
Expand Down

0 comments on commit fd5358b

Please sign in to comment.