Skip to content

Backport #48127 and #48236#48488

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into7.78.xfrom
alex/backport-48462-to-7.78.x-v3
Mar 27, 2026
Merged

Backport #48127 and #48236#48488
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into7.78.xfrom
alex/backport-48462-to-7.78.x-v3

Conversation

@AlexandreYang
Copy link
Copy Markdown
Member

@AlexandreYang AlexandreYang commented Mar 27, 2026

Backport:

#48127
#48462

Motivation:

Need to start pentest for the Restricted Shell feature.

The backport is low risk since those PAR action are behind FF.

AlexandreYang and others added 2 commits March 27, 2026 13:26
@AlexandreYang @datadog-datadog-prod-us1
Add restricted_shell allowed_paths for rshell (#48127)
5597cca 
<!-- dd-meta {"pullId":"c2960337-1304-4d38-b522-5285faa7a280","source":"chat","resourceId":"e1770736-c3aa-4752-a8c6-77212765f0c7","workflowId":"a58e22a0-26bb-4586-bcd6-bd4c67edd5e1","codeChangeId":"a58e22a0-26bb-4586-bcd6-bd4c67edd5e1","sourceType":"slack"} -->

Add restricted shell allowed path config

The rshell runner currently hardcodes allowed paths (`/var/log`) in code, which makes policy changes require code changes and deploys. This change moves path policy into configuration so operators can manage rshell filesystem access through `datadog.yaml` and environment variables.

- `go test ./pkg/privateactionrunner/bundles/remoteaction/rshell`
- `go test -tags test ./pkg/config/setup -run 'TestPrivateActionRunner|TestRestrictedShell'`
- `go test -tags test ./pkg/privateactionrunner/adapters/config -run 'TestFromDDConfig|TestFromDDConfigRestrictedShellAllowedPaths'`
- `Format` tool run (goimports/gofmt on changed Go files)
- `Lint` tool run (golangci-lint execution attempted, but failed due to local toolchain mismatch: golangci-lint built with go1.24 while repo targets go1.25.7)

This preserves existing rshell default behavior by defaulting `restricted_shell.allowed_paths` to `/var/log`.

---

PR by Bits - [View session in Datadog](https://app.datadoghq.com/code/e1770736-c3aa-4752-a8c6-77212765f0c7)

Comment @DataDog to request changes

Co-authored-by: datadog-datadog-prod-us1[bot] <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
Co-authored-by: alexandre.yang <alexandre.yang@datadoghq.com>
@AlexandreYang
Revert "Revert "feat(par): add default restricted shell paths with co…
38eac76 
…ntainer-aware prefixing"" (#48462)

Reverts #48460

Revert + this test fix:

All tests pass. Here's a summary of the fix:

  Root cause: Both filepath.Join calls used OS path separators. On Windows, filepath.Join("/host", "/var/log") produces \host\var\log, breaking tests that expected Linux-style paths. Similarly,
  filepath.Join("/host", "/proc") produced \host\proc which didn't match the mock key /host/proc, causing resolveProcPath to fall back to /proc.

  Fix: Replaced filepath.Join with path.Join (POSIX package) in three files:
  - pkg/config/setup/privateactionrunner.go — container path prefix joining
  - pkg/config/setup/privateactionrunner_test.go — test assertion using same join
  - pkg/privateactionrunner/bundles/remoteaction/rshell/run_command.go — resolveProcPath

  These are Linux container paths (/host/...) that must always use forward slashes regardless of the host OS.

Co-authored-by: alexandre.yang <alexandre.yang@datadoghq.com>
@dd-octo-sts dd-octo-sts Bot added internal Identify a non-fork PR team/action-platform labels Mar 27, 2026
@github-actions github-actions Bot added the medium review PR review might take time label Mar 27, 2026
@AlexandreYang AlexandreYang marked this pull request as ready for review March 27, 2026 12:30
@AlexandreYang AlexandreYang requested a review from a team as a code owner March 27, 2026 12:30
@AlexandreYang AlexandreYang requested review from merchristK and removed request for a team March 27, 2026 12:30
@AlexandreYang AlexandreYang added the changelog/no-changelog No changelog entry needed label Mar 27, 2026
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 38eac76b86

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread pkg/config/setup/privateactionrunner.go
Comment on lines +86 to +89
if env.IsContainerized() {
for i, v := range defaultPaths {
hostPath := path.Join(containerizedPathPrefix, v)
defaultPaths[i] = hostPath
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Preserve /var/log fallback when /host mount is absent

This unconditionally rewrites the default restricted-shell allowlist to /host/var/log in containerized mode, even when that host mount is not present. In those environments (for example Fargate or sidecars without host-volume mounts), runCommand now passes a non-existent directory to interp.AllowedPaths, and runner construction fails with failed to create runner, so every rshell command is rejected. We should gate the /host rewrite on path existence (or fall back to /var/log) the same way proc-path resolution already does.

Useful? React with 👍 / 👎.

@agent-platform-auto-pr
Copy link
Copy Markdown
Contributor

agent-platform-auto-pr Bot commented Mar 27, 2026
edited
Loading

Files inventory check summary

File checks results against ancestor 183e910c:

Results for datadog-agent_7.78.0~rc.3.git.10.38eac76.pipeline.104743243-1_amd64.deb:

No change detected

@agent-platform-auto-pr
Copy link
Copy Markdown
Contributor

agent-platform-auto-pr Bot commented Mar 27, 2026
edited
Loading

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 183e910
📊 Static Quality Gates Dashboard
🔗 SQG Job

Successful checks

Info

Quality gate Change Size (prev → curr → max)
agent_deb_amd64 +23.99 KiB (0.00% increase) 751.536 → 751.559 → 753.380
agent_deb_amd64_fips +4.02 KiB (0.00% increase) 708.499 → 708.503 → 713.900
agent_msi +10.52 KiB (0.00% increase) 604.613 → 604.623 → 1062.520
agent_rpm_amd64 +23.99 KiB (0.00% increase) 751.519 → 751.543 → 753.350
agent_rpm_amd64_fips +4.02 KiB (0.00% increase) 708.482 → 708.486 → 713.880
agent_rpm_arm64 +15.99 KiB (0.00% increase) 729.867 → 729.882 → 735.290
agent_rpm_arm64_fips +12.02 KiB (0.00% increase) 689.843 → 689.855 → 696.840
agent_suse_amd64 +23.99 KiB (0.00% increase) 751.519 → 751.543 → 753.350
agent_suse_amd64_fips +4.02 KiB (0.00% increase) 708.482 → 708.486 → 713.880
agent_suse_arm64 +15.99 KiB (0.00% increase) 729.867 → 729.882 → 735.290
agent_suse_arm64_fips +12.02 KiB (0.00% increase) 689.843 → 689.855 → 696.840
docker_agent_amd64 +19.99 KiB (0.00% increase) 811.846 → 811.866 → 815.700
docker_agent_arm64 +15.99 KiB (0.00% increase) 814.956 → 814.972 → 821.970
docker_agent_jmx_amd64 +19.99 KiB (0.00% increase) 1002.762 → 1002.781 → 1006.580
docker_agent_jmx_arm64 +15.98 KiB (0.00% increase) 994.650 → 994.666 → 1001.570
dogstatsd_deb_amd64 +4.01 KiB (0.01% increase) 29.870 → 29.874 → 30.610
dogstatsd_deb_arm64 +4.01 KiB (0.01% increase) 28.023 → 28.027 → 29.110
dogstatsd_rpm_amd64 +4.01 KiB (0.01% increase) 29.870 → 29.874 → 30.610
dogstatsd_suse_amd64 +4.01 KiB (0.01% increase) 29.870 → 29.874 → 30.610
12 successful checks with minimal change (< 2 KiB)
Quality gate Current Size
agent_heroku_amd64 313.134 MiB
docker_cluster_agent_amd64 205.324 MiB
docker_cluster_agent_arm64 219.677 MiB
docker_cws_instrumentation_amd64 7.142 MiB
docker_cws_instrumentation_arm64 6.689 MiB
docker_dogstatsd_amd64 39.230 MiB
docker_dogstatsd_arm64 37.445 MiB
iot_agent_deb_amd64 43.257 MiB
iot_agent_deb_arm64 40.304 MiB
iot_agent_deb_armhf 41.052 MiB
iot_agent_rpm_amd64 43.258 MiB
iot_agent_suse_amd64 43.258 MiB
On-wire sizes (compressed)
Quality gate Change Size (prev → curr → max)
agent_deb_amd64 +92.18 KiB (0.05% increase) 174.750 → 174.840 → 178.360
agent_deb_amd64_fips +15.06 KiB (0.01% increase) 165.386 → 165.400 → 172.790
agent_heroku_amd64 +3.0 KiB (0.00% increase) 74.974 → 74.977 → 79.970
agent_msi -16.0 KiB (0.01% reduction) 138.320 → 138.305 → 146.220
agent_rpm_amd64 -8.25 KiB (0.00% reduction) 177.615 → 177.607 → 181.830
agent_rpm_amd64_fips +20.05 KiB (0.01% increase) 167.597 → 167.616 → 173.370
agent_rpm_arm64 +62.34 KiB (0.04% increase) 159.512 → 159.573 → 163.060
agent_rpm_arm64_fips +29.23 KiB (0.02% increase) 151.404 → 151.433 → 156.170
agent_suse_amd64 -8.25 KiB (0.00% reduction) 177.615 → 177.607 → 181.830
agent_suse_amd64_fips +20.05 KiB (0.01% increase) 167.597 → 167.616 → 173.370
agent_suse_arm64 +62.34 KiB (0.04% increase) 159.512 → 159.573 → 163.060
agent_suse_arm64_fips +29.23 KiB (0.02% increase) 151.404 → 151.433 → 156.170
docker_agent_amd64 neutral 268.105 MiB → 272.480
docker_agent_arm64 +4.11 KiB (0.00% increase) 255.326 → 255.330 → 261.060
docker_agent_jmx_amd64 -4.51 KiB (0.00% reduction) 336.758 → 336.754 → 341.100
docker_agent_jmx_arm64 +3.18 KiB (0.00% increase) 319.964 → 319.967 → 325.620
docker_cluster_agent_amd64 +12.6 KiB (0.02% increase) 71.931 → 71.943 → 72.920
docker_cluster_agent_arm64 -10.18 KiB (0.01% reduction) 67.529 → 67.519 → 68.220
docker_cws_instrumentation_amd64 neutral 2.999 MiB → 3.330
docker_cws_instrumentation_arm64 neutral 2.729 MiB → 3.090
docker_dogstatsd_amd64 neutral 15.171 MiB → 15.820
docker_dogstatsd_arm64 neutral 14.485 MiB → 14.830
dogstatsd_deb_amd64 neutral 7.890 MiB → 8.790
dogstatsd_deb_arm64 neutral 6.775 MiB → 7.710
dogstatsd_rpm_amd64 neutral 7.901 MiB → 8.800
dogstatsd_suse_amd64 neutral 7.901 MiB → 8.800
iot_agent_deb_amd64 +2.99 KiB (0.03% increase) 11.393 → 11.396 → 12.040
iot_agent_deb_arm64 neutral 9.699 MiB → 10.450
iot_agent_deb_armhf neutral 9.938 MiB → 10.620
iot_agent_rpm_amd64 +2.1 KiB (0.02% increase) 11.410 → 11.412 → 12.060
iot_agent_suse_amd64 +2.1 KiB (0.02% increase) 11.410 → 11.412 → 12.060

@cit-pr-commenter-54b7da
Copy link
Copy Markdown

cit-pr-commenter-54b7da Bot commented Mar 27, 2026
edited
Loading

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 5dea40b1-ef60-4460-ba64-21f672377a2a

Baseline: 183e910
Comparison: 38eac76
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf experiment goal Δ mean % Δ mean % CI trials links
docker_containers_cpu % cpu utilization +0.49 [-2.57, +3.55] 1 Logs

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI trials links
quality_gate_logs % cpu utilization +1.71 [+0.10, +3.32] 1 Logs bounds checks dashboard
docker_containers_cpu % cpu utilization +0.49 [-2.57, +3.55] 1 Logs
ddot_metrics_sum_cumulativetodelta_exporter memory utilization +0.37 [+0.14, +0.59] 1 Logs
otlp_ingest_logs memory utilization +0.30 [+0.20, +0.40] 1 Logs
file_tree memory utilization +0.23 [+0.18, +0.29] 1 Logs
file_to_blackhole_500ms_latency egress throughput +0.06 [-0.33, +0.46] 1 Logs
ddot_logs memory utilization +0.05 [-0.00, +0.11] 1 Logs
file_to_blackhole_1000ms_latency egress throughput +0.04 [-0.39, +0.47] 1 Logs
otlp_ingest_metrics memory utilization +0.04 [-0.12, +0.20] 1 Logs
uds_dogstatsd_to_api ingress throughput +0.03 [-0.19, +0.26] 1 Logs
uds_dogstatsd_to_api_v3 ingress throughput +0.00 [-0.20, +0.21] 1 Logs
ddot_metrics_sum_cumulative memory utilization +0.00 [-0.14, +0.15] 1 Logs
tcp_dd_logs_filter_exclude ingress throughput -0.00 [-0.11, +0.11] 1 Logs
ddot_metrics memory utilization -0.02 [-0.21, +0.17] 1 Logs
quality_gate_idle_all_features memory utilization -0.03 [-0.07, +0.00] 1 Logs bounds checks dashboard
file_to_blackhole_0ms_latency egress throughput -0.04 [-0.52, +0.45] 1 Logs
file_to_blackhole_100ms_latency egress throughput -0.04 [-0.14, +0.05] 1 Logs
docker_containers_memory memory utilization -0.08 [-0.15, -0.00] 1 Logs
quality_gate_metrics_logs memory utilization -0.09 [-0.32, +0.15] 1 Logs bounds checks dashboard
ddot_metrics_sum_delta memory utilization -0.13 [-0.29, +0.04] 1 Logs
quality_gate_idle memory utilization -0.16 [-0.21, -0.11] 1 Logs bounds checks dashboard
uds_dogstatsd_20mb_12k_contexts_20_senders memory utilization -0.28 [-0.34, -0.22] 1 Logs
tcp_syslog_to_blackhole ingress throughput -0.70 [-0.84, -0.57] 1 Logs

Bounds Checks: ✅ Passed

perf experiment bounds_check_name replicates_passed observed_value links
docker_containers_cpu simple_check_run 10/10 726 ≥ 26
docker_containers_memory memory_usage 10/10 277.44MiB ≤ 370MiB
docker_containers_memory simple_check_run 10/10 702 ≥ 26
file_to_blackhole_0ms_latency memory_usage 10/10 0.19GiB ≤ 1.20GiB
file_to_blackhole_0ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_1000ms_latency memory_usage 10/10 0.23GiB ≤ 1.20GiB
file_to_blackhole_1000ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_100ms_latency memory_usage 10/10 0.20GiB ≤ 1.20GiB
file_to_blackhole_100ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_500ms_latency memory_usage 10/10 0.21GiB ≤ 1.20GiB
file_to_blackhole_500ms_latency missed_bytes 10/10 0B = 0B
quality_gate_idle intake_connections 10/10 3 = 3 bounds checks dashboard
quality_gate_idle memory_usage 10/10 174.82MiB ≤ 175MiB bounds checks dashboard
quality_gate_idle_all_features intake_connections 10/10 2 ≤ 3 bounds checks dashboard
quality_gate_idle_all_features memory_usage 10/10 492.27MiB ≤ 550MiB bounds checks dashboard
quality_gate_logs intake_connections 10/10 3 ≤ 6 bounds checks dashboard
quality_gate_logs memory_usage 10/10 212.22MiB ≤ 220MiB bounds checks dashboard
quality_gate_logs missed_bytes 10/10 0B = 0B bounds checks dashboard
quality_gate_metrics_logs cpu_usage 10/10 369.91 ≤ 2000 bounds checks dashboard
quality_gate_metrics_logs intake_connections 10/10 4 ≤ 6 bounds checks dashboard
quality_gate_metrics_logs memory_usage 10/10 419.55MiB ≤ 475MiB bounds checks dashboard
quality_gate_metrics_logs missed_bytes 10/10 0B = 0B bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

Passed. All Quality Gates passed.

  • quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 89c54a2 into 7.78.x Mar 27, 2026
287 of 293 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the alex/backport-48462-to-7.78.x-v3 branch March 27, 2026 13:35
@github-actions github-actions Bot added this to the 7.78.0 milestone Mar 27, 2026
@AlexandreYang AlexandreYang added the qa/done QA done before merge and regressions are covered by tests label Mar 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@merchristK merchristK merchristK approved these changes

Assignees

No one assigned

Labels

changelog/no-changelog No changelog entry needed internal Identify a non-fork PR medium review PR review might take time qa/done QA done before merge and regressions are covered by tests team/action-platform

Projects

None yet

Milestone

7.78.0

Development

Successfully merging this pull request may close these issues.

2 participants

@AlexandreYang @merchristK