[Backport 7.79.x] [ACTP] PAR: intersect rshell allow-lists with datadog.yaml

[dd-octo-sts]

Backport 3b6248b from #49536.

---

Summary

Adds an optional operator-side allowlist for both rshell commands and filesystem paths, layered on top of the backend-injected lists. The effective list passed to rshell is the intersection of the two.

Also nests the existing config keys under a common restricted_shell object:

Before	After
private_action_runner.restricted_shell_allowed_paths	private_action_runner.restricted_shell.allowed_paths
— (new)	private_action_runner.restricted_shell.allowed_commands

Paired with dd-source PR that injects allowedPaths into every runCommand task.

The allow-list resolution

For each axis (allowedCommands, allowedPaths), the handler computes an effective list that rshell actually sees. It's the intersection of two sources:

1. The backend-injected list — carried in the task envelope (inputs.allowedCommands, inputs.allowedPaths) and sourced from Balto by wf-actions-server. Customers cannot override this.
2. The operator list — from datadog.yaml (or the matching DD_PRIVATE_ACTION_RUNNER_RESTRICTED_SHELL_ALLOWED_* env var).

Rules

• If the backend provides nothing (field absent / JSON null) or an empty list → rshell is given an empty list → nothing is allowed on that axis. The operator cannot grant what the backend withheld.
• If datadog.yaml does not configure the key (default behavior) → the operator does not restrict → the backend list passes through unchanged (everything the backend allowed is allowed).
• If datadog.yaml sets an explicit empty list [] → the operator explicitly blocks everything on that axis → intersection is empty.
• Both sides non-empty → intersection.
  • Commands: exact match on the bare name (operator may write cat or rshell:cat).
  • Paths: sub-path-aware narrowing. If the backend allows /var/log and the operator allows /var/log/nginx, the effective list is /var/log/nginx (the narrower of the two wins). Prefix siblings like /var/logger do not count as under /var/log.

Truth table

backend list	datadog.yaml	effective
nil / []	any	empty → nothing allowed
non-empty	key unset	backend list, as-is
non-empty	[]	empty → nothing allowed
non-empty	non-empty	intersection

This makes the backend the authoritative gate and the operator config a pure tightening layer — symmetric across both axes.

Test plan

• Unit tests cover: pass-through (operator unset), intersection (both set), explicit empty (either side), disjoint (dropped), path prefix-sibling not matching, path normalization & dedupe, end-to-end cat blocked outside the intersection.
• go test -tags test ./pkg/config/setup/... ./pkg/privateactionrunner/adapters/config/... ./pkg/privateactionrunner/bundles/remoteaction/rshell/... — green locally.
• Waiting on CI.

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9e791505f6

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve legacy restricted shell paths config key

This commit switches the configured key to private_action_runner.restricted_shell.allowed_paths but does not keep a compatibility alias for the previously supported private_action_runner.restricted_shell_allowed_paths; on upgrade, existing datadog.yaml files using the old key will no longer be recognized, so operator path filtering is silently disabled (IsConfigured stays false and the backend list passes through). In a security-sensitive allow-list feature, this backward-incompatible rename can unexpectedly widen access.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Normalize rshell command names before intersecting

The intersection uses exact string matching against backend command entries, but operator config values are treated as bare command names (for example cat), while rshell tasks in this codebase use namespaced values like rshell:cat; when restricted_shell.allowed_commands is set with bare names, the lookup never matches and all commands are denied. Normalize either side (e.g., strip or add the rshell: prefix) before matching to avoid false-empty intersections.

Useful? React with 👍 / 👎.

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor 9198f7b4:

Results for datadog-agent_7.79.0~rc.2.git.3.9e79150.pipeline.109034550-1_amd64.deb:

No change detected

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 36333d89-c590-4400-87b7-034c9abe5ff6

Baseline: 9198f7b
Comparison: 9e79150
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	-0.43	[-3.48, +2.61]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_metrics_logs	memory utilization	+0.91	[+0.68, +1.15]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	+0.85	[+0.67, +1.02]	1	Logs
➖	otlp_ingest_metrics	memory utilization	+0.51	[+0.35, +0.67]	1	Logs
➖	ddot_logs	memory utilization	+0.48	[+0.41, +0.55]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	+0.45	[+0.42, +0.49]	1	Logs bounds checks dashboard
➖	ddot_metrics	memory utilization	+0.24	[+0.05, +0.43]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.04	[-0.49, +0.58]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.03	[-0.19, +0.26]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.01	[-0.39, +0.41]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.01	[-0.20, +0.21]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	+0.00	[-0.18, +0.18]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.10, +0.09]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.01	[-0.21, +0.20]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.03	[-0.15, +0.08]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.05	[-0.48, +0.38]	1	Logs
➖	otlp_ingest_logs	memory utilization	-0.08	[-0.17, +0.02]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	-0.34	[-0.40, -0.28]	1	Logs
➖	file_tree	memory utilization	-0.37	[-0.43, -0.32]	1	Logs
➖	docker_containers_cpu	% cpu utilization	-0.43	[-3.48, +2.61]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	-0.49	[-0.64, -0.33]	1	Logs
➖	quality_gate_idle	memory utilization	-0.49	[-0.55, -0.44]	1	Logs bounds checks dashboard
➖	docker_containers_memory	memory utilization	-0.64	[-0.72, -0.56]	1	Logs
➖	quality_gate_logs	% cpu utilization	-1.37	[-2.98, +0.24]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	698 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	273.61MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	683 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.19GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.24GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.22GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	4 = 4	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	175.13MiB ≤ 181MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	4 = 4	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	504.85MiB ≤ 550MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	208.24MiB ≤ 220MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	362.75 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	416.66MiB ≤ 475MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.