Backport #48127 and #48236 #48484
Add restricted shell allowed path config
The rshell runner currently hardcodes allowed paths (`/var/log`) in code, which makes policy changes require code changes and deploys. This change moves path policy into configuration so operators can manage rshell filesystem access through `datadog.yaml` and environment variables.
- `go test ./pkg/privateactionrunner/bundles/remoteaction/rshell`
- `go test -tags test ./pkg/config/setup -run 'TestPrivateActionRunner|TestRestrictedShell'`
- `go test -tags test ./pkg/privateactionrunner/adapters/config -run 'TestFromDDConfig|TestFromDDConfigRestrictedShellAllowedPaths'`
- `Format` tool run (goimports/gofmt on changed Go files)
- `Lint` tool run (golangci-lint execution attempted, but failed due to local toolchain mismatch: golangci-lint built with go1.24 while repo targets go1.25.7)
This preserves existing rshell default behavior by defaulting `restricted_shell.allowed_paths` to `/var/log`.
---
PR by Bits - [View session in Datadog](https://app.datadoghq.com/code/e1770736-c3aa-4752-a8c6-77212765f0c7)
Co-authored-by: datadog-datadog-prod-us1[bot] <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
Co-authored-by: alexandre.yang <alexandre.yang@datadoghq.com>
…efixing (#48236)

## Summary

- Add `/proc` and `/etc/os-release` to the default allowed paths for the PAR restricted shell
- Automatically prepend `/host` to all default paths when running in a containerized environment (detected via `env.IsContainerized()`)
- Paths remain user-overridable via config or `DD_PRIVATE_ACTION_RUNNER_RESTRICTED_SHELL_ALLOWED_PATHS`

## Test plan

- [ ] Verify default paths are `/var/log`, `/proc`, `/etc/os-release` on bare metal
- [ ] Verify default paths are `/host/var/log`, `/host/proc`, `/host/etc/os-release` in a containerized environment
- [ ] Verify env var override still works as expected

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: matthew.deguzman <matthew.deguzman@datadoghq.com>
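The PR description and the backported commit message together describe a small policy: a default allow-list of `/var/log`, `/proc` and `/etc/os-release`, a `/host` prefix added to each default when the runner is containerized, and an operator override through config or `DD_PRIVATE_ACTION_RUNNER_RESTRICTED_SHELL_ALLOWED_PATHS`. The Go program below is an added illustration of that policy plus the check a runner has to make against it; it is not the agent's own code, and the function names, the comma-separated override format and the `/host` constant are assumptions made for the example. The check cleans the requested path lexically before comparing, so `..` segments cannot walk out of an allowed root, and compares on path-component boundaries, so `/var/logs` is not accepted because it happens to share a prefix with `/var/log`.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// hostPrefix is the mount point under which the host filesystem is exposed
// inside the agent container. Assumption for this example, mirroring the
// "/host" prefix the commit message describes.
const hostPrefix = "/host"

// DefaultAllowedPaths returns the default allow-list from the commit message:
// /var/log, /proc and /etc/os-release, each prefixed with hostPrefix when the
// runner is containerized. The function name is hypothetical.
func DefaultAllowedPaths(containerized bool) []string {
	defaults := []string{"/var/log", "/proc", "/etc/os-release"}
	if !containerized {
		return defaults
	}
	out := make([]string, 0, len(defaults))
	for _, p := range defaults {
		out = append(out, path.Join(hostPrefix, p)) // "/host" + "/var/log" -> "/host/var/log"
	}
	return out
}

// ParseAllowedPathsOverride splits an operator override such as the value of
// DD_PRIVATE_ACTION_RUNNER_RESTRICTED_SHELL_ALLOWED_PATHS. The comma-separated
// format is an assumption for this example. Entries are trimmed and cleaned,
// and relative entries (including "" and ".") are dropped so a stray token in
// the variable cannot silently widen the policy.
func ParseAllowedPathsOverride(value string) []string {
	var out []string
	for _, raw := range strings.Split(value, ",") {
		p := strings.TrimSpace(raw)
		if p == "" || !path.IsAbs(p) {
			continue
		}
		out = append(out, path.Clean(p))
	}
	return out
}

// ResolveAllowedPaths applies the precedence the PR describes: a non-empty
// override replaces the defaults, otherwise the container-aware defaults apply.
func ResolveAllowedPaths(override string, containerized bool) []string {
	if paths := ParseAllowedPathsOverride(override); len(paths) > 0 {
		return paths
	}
	return DefaultAllowedPaths(containerized)
}

// IsPathAllowed reports whether requested equals one of the allowed roots or
// lies beneath one. The request is lexically cleaned first so ".." segments
// resolve before the comparison, and the prefix check includes the trailing
// separator so "/var/logs" does not match a root of "/var/log".
func IsPathAllowed(requested string, allowed []string) bool {
	if !path.IsAbs(requested) {
		return false // relative requests are ambiguous; refuse them outright
	}
	clean := path.Clean(requested)
	for _, root := range allowed {
		root = path.Clean(root)
		if clean == root || strings.HasPrefix(clean, strings.TrimSuffix(root, "/")+"/") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample requests evaluated against the containerized defaults.
	allowed := ResolveAllowedPaths("", true)
	for _, req := range []string{
		"/host/var/log/syslog",
		"/host/var/log/../../etc/shadow", // cleans to /host/etc/shadow, outside every root
		"/host/var/logs/app.log",         // prefix collision, not under /host/var/log
	} {
		fmt.Printf("%-34s allowed=%v\n", req, IsPathAllowed(req, allowed))
	}
}
```

The check is purely lexical: it says nothing about where a symlink inside `/var/log` points. A runner that opens files on behalf of a caller would additionally resolve the real path (for example with `filepath.EvalSymlinks`) and re-run the same comparison on the result before reading.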
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d3757cabb7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // NewRshellBundle creates the rshell bundle with its registered actions. | ||
| func NewRshellBundle() types.Bundle { | ||
| func NewRshellBundle(allowedPaths []string) types.Bundle { |
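Review bot: adding the `allowedPaths []string` parameter changes an exported signature, so every existing `NewRshellBundle()` call site has to be updated in the same change; the thread already identifies `pkg/privateactionrunner/bundles/registry.go`, which is compiled on the `!kubeapiserver` path and still passes no argument, so the package should be built with and without the `kubeapiserver` tag before merge. The doc comment above the declaration still says only that the bundle is created "with its registered actions"; extending it to state that `allowedPaths` is the filesystem allow-list the shell actions are confined to would tell callers what an empty or nil slice means.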
Update non-kubeapiserver registry for new rshell signature
Changing NewRshellBundle to require allowedPaths breaks the !kubeapiserver registry path because pkg/privateactionrunner/bundles/registry.go still calls NewRshellBundle() with no arguments. This backport updates only registry_kubeapiserver.go, so builds that compile the non-kubeapiserver registry will fail until that call site also passes configuration.RShellAllowedPaths (or another explicit argument).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
I think you need to update registry.go as well with the new allowed paths
@merchristK you mean this? 4ae288b
just made the fix
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4ae288b8e2
Files inventory check summary: file checks results against ancestor 183e910c. Results for datadog-agent_7.78.0~rc.3.git.11.4ae288b.pipeline.104740304-1_amd64.deb: No change detected.
Backport:
#48127
#48462
Motivation:
Need to start pentest for the Restricted Shell feature.
The backport is low risk since those PAR actions are behind a FF.