Skip to content

feat(par): add default restricted shell paths with container-aware prefixing#48236

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 18 commits intomainfrom
matt-dz/par-restricted-shell-container-paths
Mar 26, 2026
Merged

feat(par): add default restricted shell paths with container-aware prefixing#48236
gh-worker-dd-mergequeue-cf854d[bot] merged 18 commits intomainfrom
matt-dz/par-restricted-shell-container-paths

Conversation

@matt-dz
Copy link
Copy Markdown
Contributor

@matt-dz matt-dz commented Mar 23, 2026

Summary

  • Add /proc and /etc/os-release to the default allowed paths for the PAR restricted shell
  • Automatically prepend /host to all default paths when running in a containerized environment (detected via env.IsContainerized())
  • Paths remain user-overridable via config or DD_PRIVATE_ACTION_RUNNER_RESTRICTED_SHELL_ALLOWED_PATHS

Test plan

  • Verify default paths are /var/log, /proc, /etc/os-release on bare metal
  • Verify default paths are /host/var/log, /host/proc, /host/etc/os-release in a containerized environment
  • Verify env var override still works as expected

🤖 Generated with Claude Code

@dd-octo-sts dd-octo-sts bot added internal Identify a non-fork PR team/action-platform labels Mar 23, 2026
@github-actions github-actions bot added the short review PR is simple enough to be reviewed quickly label Mar 23, 2026
@agent-platform-auto-pr
Copy link
Copy Markdown
Contributor

agent-platform-auto-pr bot commented Mar 23, 2026

Files inventory check summary

File checks results against ancestor 1548dc21:

Results for datadog-agent_7.79.0~devel.git.206.acdc417.pipeline.104533204-1_amd64.deb:

No change detected

@agent-platform-auto-pr
Copy link
Copy Markdown
Contributor

agent-platform-auto-pr bot commented Mar 23, 2026

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 1548dc2
📊 Static Quality Gates Dashboard
🔗 SQG Job

Successful checks

Info

Quality gate Change Size (prev → curr → max)
agent_deb_amd64 +4.12 KiB (0.00% increase) 752.541 → 752.545 → 753.380
agent_deb_amd64_fips +4.12 KiB (0.00% increase) 709.559 → 709.563 → 713.900
agent_rpm_amd64 +4.12 KiB (0.00% increase) 752.525 → 752.529 → 753.350
agent_rpm_amd64_fips +4.12 KiB (0.00% increase) 709.543 → 709.547 → 713.880
agent_suse_amd64 +4.12 KiB (0.00% increase) 752.525 → 752.529 → 753.350
agent_suse_amd64_fips +4.12 KiB (0.00% increase) 709.543 → 709.547 → 713.880
docker_agent_amd64 +4.12 KiB (0.00% increase) 812.844 → 812.848 → 815.700
docker_agent_jmx_amd64 +4.12 KiB (0.00% increase) 1003.759 → 1003.763 → 1006.580
22 successful checks with minimal change (< 2 KiB)
Quality gate Current Size
agent_heroku_amd64 313.293 MiB
agent_rpm_arm64 730.964 MiB
agent_rpm_arm64_fips 690.995 MiB
agent_suse_arm64 730.964 MiB
agent_suse_arm64_fips 690.995 MiB
docker_agent_arm64 816.053 MiB
docker_agent_jmx_arm64 995.747 MiB
docker_cluster_agent_amd64 203.938 MiB
docker_cluster_agent_arm64 218.420 MiB
docker_cws_instrumentation_amd64 7.142 MiB
docker_cws_instrumentation_arm64 6.689 MiB
docker_dogstatsd_amd64 39.238 MiB
docker_dogstatsd_arm64 37.445 MiB
dogstatsd_deb_amd64 29.881 MiB
dogstatsd_deb_arm64 28.030 MiB
dogstatsd_rpm_amd64 29.881 MiB
dogstatsd_suse_amd64 29.881 MiB
iot_agent_deb_amd64 43.270 MiB
iot_agent_deb_arm64 40.320 MiB
iot_agent_deb_armhf 41.068 MiB
iot_agent_rpm_amd64 43.270 MiB
iot_agent_suse_amd64 43.270 MiB
On-wire sizes (compressed)
Quality gate Change Size (prev → curr → max)
agent_deb_amd64 +30.56 KiB (0.02% increase) 174.728 → 174.758 → 178.360
agent_deb_amd64_fips -21.68 KiB (0.01% reduction) 165.332 → 165.311 → 172.790
agent_heroku_amd64 +6.02 KiB (0.01% increase) 75.000 → 75.005 → 79.970
agent_rpm_amd64 +30.02 KiB (0.02% increase) 177.525 → 177.554 → 181.830
agent_rpm_amd64_fips -9.71 KiB (0.01% reduction) 167.609 → 167.600 → 173.370
agent_rpm_arm64 +22.28 KiB (0.01% increase) 159.465 → 159.487 → 163.060
agent_rpm_arm64_fips -47.84 KiB (0.03% reduction) 151.394 → 151.347 → 156.170
agent_suse_amd64 +30.02 KiB (0.02% increase) 177.525 → 177.554 → 181.830
agent_suse_amd64_fips -9.71 KiB (0.01% reduction) 167.609 → 167.600 → 173.370
agent_suse_arm64 +22.28 KiB (0.01% increase) 159.465 → 159.487 → 163.060
agent_suse_arm64_fips -47.84 KiB (0.03% reduction) 151.394 → 151.347 → 156.170
docker_agent_amd64 +5.94 KiB (0.00% increase) 268.096 → 268.102 → 272.480
docker_agent_arm64 +20.08 KiB (0.01% increase) 255.289 → 255.309 → 261.060
docker_agent_jmx_amd64 +8.58 KiB (0.00% increase) 336.740 → 336.748 → 341.100
docker_agent_jmx_arm64 +11.85 KiB (0.00% increase) 319.921 → 319.932 → 325.620
docker_cluster_agent_amd64 +4.95 KiB (0.01% increase) 71.367 → 71.372 → 72.920
docker_cluster_agent_arm64 -3.17 KiB (0.00% reduction) 67.014 → 67.011 → 68.220
docker_cws_instrumentation_amd64 neutral 2.999 MiB → 3.330
docker_cws_instrumentation_arm64 neutral 2.729 MiB → 3.090
docker_dogstatsd_amd64 neutral 15.173 MiB → 15.820
docker_dogstatsd_arm64 neutral 14.487 MiB → 14.830
dogstatsd_deb_amd64 neutral 7.892 MiB → 8.790
dogstatsd_deb_arm64 neutral 6.777 MiB → 7.710
dogstatsd_rpm_amd64 neutral 7.903 MiB → 8.800
dogstatsd_suse_amd64 neutral 7.903 MiB → 8.800
iot_agent_deb_amd64 +2.42 KiB (0.02% increase) 11.399 → 11.402 → 12.040
iot_agent_deb_arm64 neutral 9.701 MiB → 10.450
iot_agent_deb_armhf neutral 9.939 MiB → 10.620
iot_agent_rpm_amd64 neutral 11.418 MiB → 12.060
iot_agent_suse_amd64 neutral 11.418 MiB → 12.060

@cit-pr-commenter-54b7da
Copy link
Copy Markdown

cit-pr-commenter-54b7da bot commented Mar 23, 2026

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 0c9c5ad5-158f-4a23-a4ad-ebb9db62f6a4

Baseline: 712311d
Comparison: 273e223
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf experiment goal Δ mean % Δ mean % CI trials links
docker_containers_cpu % cpu utilization -0.16 [-3.11, +2.79] 1 Logs

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI trials links
quality_gate_logs % cpu utilization +2.81 [+1.15, +4.48] 1 Logs bounds checks dashboard
quality_gate_metrics_logs memory utilization +1.45 [+1.21, +1.70] 1 Logs bounds checks dashboard
tcp_syslog_to_blackhole ingress throughput +1.24 [+1.08, +1.39] 1 Logs
otlp_ingest_logs memory utilization +0.62 [+0.51, +0.72] 1 Logs
ddot_metrics memory utilization +0.38 [+0.20, +0.55] 1 Logs
quality_gate_idle_all_features memory utilization +0.35 [+0.31, +0.38] 1 Logs bounds checks dashboard
file_to_blackhole_100ms_latency egress throughput +0.03 [-0.05, +0.10] 1 Logs
ddot_metrics_sum_delta memory utilization +0.02 [-0.14, +0.19] 1 Logs
uds_dogstatsd_to_api ingress throughput +0.02 [-0.17, +0.20] 1 Logs
uds_dogstatsd_to_api_v3 ingress throughput +0.02 [-0.18, +0.21] 1 Logs
file_to_blackhole_1000ms_latency egress throughput +0.01 [-0.41, +0.44] 1 Logs
file_to_blackhole_0ms_latency egress throughput +0.00 [-0.52, +0.53] 1 Logs
file_to_blackhole_500ms_latency egress throughput +0.00 [-0.39, +0.39] 1 Logs
tcp_dd_logs_filter_exclude ingress throughput -0.00 [-0.11, +0.11] 1 Logs
quality_gate_idle memory utilization -0.03 [-0.08, +0.01] 1 Logs bounds checks dashboard
ddot_metrics_sum_cumulativetodelta_exporter memory utilization -0.04 [-0.26, +0.18] 1 Logs
docker_containers_cpu % cpu utilization -0.16 [-3.11, +2.79] 1 Logs
docker_containers_memory memory utilization -0.23 [-0.30, -0.16] 1 Logs
file_tree memory utilization -0.24 [-0.30, -0.18] 1 Logs
ddot_metrics_sum_cumulative memory utilization -0.29 [-0.43, -0.15] 1 Logs
uds_dogstatsd_20mb_12k_contexts_20_senders memory utilization -0.38 [-0.44, -0.33] 1 Logs
otlp_ingest_metrics memory utilization -0.44 [-0.60, -0.27] 1 Logs
ddot_logs memory utilization -0.62 [-0.69, -0.55] 1 Logs

Bounds Checks: ❌ Failed

perf experiment bounds_check_name replicates_passed observed_value links
docker_containers_cpu simple_check_run 10/10 720 ≥ 26
docker_containers_memory memory_usage 10/10 269.54MiB ≤ 370MiB
docker_containers_memory simple_check_run 10/10 708 ≥ 26
file_to_blackhole_0ms_latency memory_usage 10/10 0.19GiB ≤ 1.20GiB
file_to_blackhole_0ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_1000ms_latency memory_usage 10/10 0.23GiB ≤ 1.20GiB
file_to_blackhole_1000ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_100ms_latency memory_usage 10/10 0.20GiB ≤ 1.20GiB
file_to_blackhole_100ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_500ms_latency memory_usage 10/10 0.21GiB ≤ 1.20GiB
file_to_blackhole_500ms_latency missed_bytes 10/10 0B = 0B
quality_gate_idle intake_connections 10/10 3 = 3 bounds checks dashboard
quality_gate_idle memory_usage 9/10 175.05MiB > 175MiB bounds checks dashboard
quality_gate_idle_all_features intake_connections 10/10 3 = 3 bounds checks dashboard
quality_gate_idle_all_features memory_usage 10/10 502.75MiB ≤ 550MiB bounds checks dashboard
quality_gate_logs intake_connections 10/10 4 ≤ 6 bounds checks dashboard
quality_gate_logs memory_usage 10/10 208.50MiB ≤ 220MiB bounds checks dashboard
quality_gate_logs missed_bytes 10/10 0B = 0B bounds checks dashboard
quality_gate_metrics_logs cpu_usage 10/10 355.55 ≤ 2000 bounds checks dashboard
quality_gate_metrics_logs intake_connections 10/10 4 ≤ 6 bounds checks dashboard
quality_gate_metrics_logs memory_usage 10/10 414.55MiB ≤ 475MiB bounds checks dashboard
quality_gate_metrics_logs missed_bytes 10/10 0B = 0B bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

Failed. Some Quality Gates were violated.

  • quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check memory_usage: 9/10 replicas passed. Failed 1 which is > 0. Gate FAILED.
  • quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.

Comment thread pkg/config/setup/privateactionrunner.go Outdated
@github-actions github-actions bot added medium review PR review might take time and removed short review PR is simple enough to be reviewed quickly labels Mar 23, 2026
Comment thread pkg/config/setup/privateactionrunner.go Outdated
@matt-dz matt-dz marked this pull request as ready for review March 24, 2026 13:29
@matt-dz matt-dz requested a review from a team as a code owner March 24, 2026 13:29
@matt-dz matt-dz requested a review from chrisnad March 24, 2026 13:29
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c57c57d1b2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread pkg/config/setup/privateactionrunner.go
Comment thread pkg/privateactionrunner/bundles/remoteaction/rshell/run_command.go Outdated
@matt-dz
Copy link
Copy Markdown
Contributor Author

matt-dz commented Mar 24, 2026

@codex conduct a comprehensive security and code review

Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 595028d70b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread pkg/config/setup/privateactionrunner.go Outdated
@matt-dz
Copy link
Copy Markdown
Contributor Author

matt-dz commented Mar 24, 2026

@codex conduct a comprehensive security and code review. keep in mind that interp.AllowedPaths will allow for filepaths to be passed in so do not concern yourself with that.

Comment thread pkg/config/setup/privateactionrunner.go Outdated
Comment thread pkg/config/setup/privateactionrunner.go
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 595028d70b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread pkg/config/setup/privateactionrunner.go Outdated
Comment thread pkg/config/setup/privateactionrunner.go Outdated
Comment thread pkg/privateactionrunner/bundles/remoteaction/rshell/run_command.go
Comment on lines +133 to +135
if _, err := os.Stat(hostProc); err == nil {
return hostProc
}
Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be better to be more deterministic?

Suggested change
if _, err := os.Stat(hostProc); err == nil {
return hostProc
}
return hostProc

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/host/proc will likely exist in k8s environments with the changes we're making to the helm charts and datadog operator. however, in docker environments the same may not be true.

always returning /host/proc in a containerized environment would make it easier to test and behavior more predictable but i don't think we can always guarantee it to be there

@github-actions github-actions bot added long review PR is complex, plan time to review it and removed medium review PR review might take time labels Mar 24, 2026
@matt-dz matt-dz requested a review from AlexandreYang March 25, 2026 13:15
matt-dz and others added 3 commits March 26, 2026 09:29
…efixing

Add /proc and /etc/os-release to the default allowed paths for the
restricted shell, and automatically prepend /host when running in a
containerized environment.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
matt-dz and others added 10 commits March 26, 2026 09:36
Serverless-containerized environments (e.g. Fargate) cannot mount host
volumes, so unconditionally prefixing with /host produces unusable
defaults. Check each path with pathExists() before prefixing, falling
back to container-local paths when mounts are absent.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The validation filter was checking IsDir(), silently dropping file paths
like /etc/os-release from the allowed paths list. Change to only check
existence so both files and directories are preserved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove the PARRestrictedShellProcPath config option and its plumbing
through the config adapter, transform, registries, and entrypoint.
The proc path is always /proc or /host/proc based on the environment,
so determine it at runtime in run_command.go using IsContainerized()
gated on path existence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Test that restricted shell allowed paths and proc path are correctly
computed based on whether the agent is containerized and whether host
mounts exist.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Change containerizedPathPrefix from const to var so tests can override
it to point at temp directories. Tests now create simulated host mount
structures and assert exact paths instead of conditionally checking
based on the test runner's filesystem.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Revert containerizedPathPrefix to a const. Introduce injectable statFn
and parPathExists vars that default to os.Stat/pathExists and can be
swapped in tests to simulate host mount presence without touching the
filesystem.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…st mounts

Always use /host-prefixed paths when containerized instead of silently
falling back to container-local paths. Log a warning when the host mount
doesn't exist and let rshell handle the missing path at runtime.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@matt-dz matt-dz force-pushed the matt-dz/par-restricted-shell-container-paths branch from c6c86bd to ec9e614 Compare March 26, 2026 13:37
@matt-dz matt-dz added changelog/no-changelog No changelog entry needed qa/done QA done before merge and regressions are covered by tests labels Mar 26, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot merged commit 273e223 into main Mar 26, 2026
250 of 253 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot deleted the matt-dz/par-restricted-shell-container-paths branch March 26, 2026 15:26
@github-actions github-actions bot added this to the 7.79.0 milestone Mar 26, 2026
@aiuto
Copy link
Copy Markdown
Contributor

aiuto commented Mar 27, 2026

This seems to be breaking many windows tests.

Failed tests:
- TestMetricsFollowSpec from package pkg/collector/corechecks/gpu (in [tests_linux-x64-py3](https://gitlab.ddbuild.io/DataDog/datadog-agent/-/jobs/1544075068), [tests_nodetreemodel](https://gitlab.ddbuild.io/DataDog/datadog-agent/-/jobs/1544075330))
- TestPrivateActionRunnerAllowedPathsContainerizedWithHostMounts from package pkg/config/setup
- TestResolveProcPathContainerizedWithHostMount from package pkg/privateactionrunner/bundles/remoteaction/rshell

The conversation in slack #windows-products is inconclusive about roll back or fix forward.

So, I'm preparing a rollback

chouetz pushed a commit that referenced this pull request Mar 27, 2026
…aware prefixing" (#48460)

Reverts #48236

The original PR is causing several windows tests to fail.
AlexandreYang pushed a commit that referenced this pull request Mar 27, 2026
…efixing (#48236)

## Summary
- Add `/proc` and `/etc/os-release` to the default allowed paths for the PAR restricted shell
- Automatically prepend `/host` to all default paths when running in a containerized environment (detected via `env.IsContainerized()`)
- Paths remain user-overridable via config or `DD_PRIVATE_ACTION_RUNNER_RESTRICTED_SHELL_ALLOWED_PATHS`

## Test plan
- [ ] Verify default paths are `/var/log`, `/proc`, `/etc/os-release` on bare metal
- [ ] Verify default paths are `/host/var/log`, `/host/proc`, `/host/etc/os-release` in a containerized environment
- [ ] Verify env var override still works as expected

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: matthew.deguzman <matthew.deguzman@datadoghq.com>
gh-worker-dd-mergequeue-cf854d bot pushed a commit that referenced this pull request Mar 27, 2026
## Backport:

#48127
#48462

## Motivation:

Need to start pentest for the Restricted Shell feature.

The backport is low risk since those PAR action are behind FF.

Co-authored-by: ali.benabdallah <ali.benabdallah@datadoghq.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

changelog/no-changelog No changelog entry needed internal Identify a non-fork PR long review PR is complex, plan time to review it qa/done QA done before merge and regressions are covered by tests team/action-platform

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants