133 changes: 111 additions & 22 deletions docs/cloud-workload-security/backend_linux.md
Expand Up @@ -1481,11 +1481,8 @@ Workload Protection events for Linux systems have the following JSON schema:
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"description": "Tags from an APM tracer instrumentation"
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
},
"variables": {
"$ref": "#/$defs/Variables",
Expand Down Expand Up @@ -1662,11 +1659,8 @@ Workload Protection events for Linux systems have the following JSON schema:
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"description": "Tags from an APM tracer instrumentation"
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
},
"variables": {
"$ref": "#/$defs/Variables",
Expand Down Expand Up @@ -2238,6 +2232,51 @@ Workload Protection events for Linux systems have the following JSON schema:
"type": "object",
"description": "TLSContextSerializer defines a tls context serializer"
},
"TracerMetadata": {
"properties": {
"schema_version": {
"type": "integer"
},
"runtime_id": {
"type": "string"
},
"tracer_language": {
"type": "string"
},
"tracer_version": {
"type": "string"
},
"hostname": {
"type": "string"
},
"service_name": {
"type": "string"
},
"service_env": {
"type": "string"
},
"service_version": {
"type": "string"
},
"process_tags": {
"type": "string"
},
"container_id": {
"type": "string"
},
"logs_collected": {
"type": "boolean"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"schema_version",
"tracer_language",
"tracer_version",
"hostname"
]
},
"UserContext": {
"properties": {
"id": {
Expand Down Expand Up @@ -4637,11 +4676,8 @@ Workload Protection events for Linux systems have the following JSON schema:
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"description": "Tags from an APM tracer instrumentation"
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
},
"variables": {
"$ref": "#/$defs/Variables",
Expand Down Expand Up @@ -4697,7 +4733,7 @@ Workload Protection events for Linux systems have the following JSON schema:
| `source` | Process source |
| `syscalls` | List of syscalls captured to generate the event |
| `aws_security_credentials` | List of AWS Security Credentials that the process had access to |
| `tracer` | Tags from an APM tracer instrumentation |
| `tracer` | Metadata from APM tracer instrumentation |
| `variables` | Variable values |

| References |
Expand All @@ -4708,6 +4744,7 @@ Workload Protection events for Linux systems have the following JSON schema:
| [CGroupContext](#cgroupcontext) |
| [ContainerContext](#containercontext) |
| [SyscallsEvent](#syscallsevent) |
| [TracerMetadata](#tracermetadata) |
| [Variables](#variables) |

## `ProcessContext`
Expand Down Expand Up @@ -4875,11 +4912,8 @@ Workload Protection events for Linux systems have the following JSON schema:
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"description": "Tags from an APM tracer instrumentation"
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
},
"variables": {
"$ref": "#/$defs/Variables",
Expand Down Expand Up @@ -4950,7 +4984,7 @@ Workload Protection events for Linux systems have the following JSON schema:
| `source` | Process source |
| `syscalls` | List of syscalls captured to generate the event |
| `aws_security_credentials` | List of AWS Security Credentials that the process had access to |
| `tracer` | Tags from an APM tracer instrumentation |
| `tracer` | Metadata from APM tracer instrumentation |
| `variables` | Variable values |
| `parent` | Parent process |
| `ancestors` | Ancestor processes |
Expand All @@ -4964,6 +4998,7 @@ Workload Protection events for Linux systems have the following JSON schema:
| [CGroupContext](#cgroupcontext) |
| [ContainerContext](#containercontext) |
| [SyscallsEvent](#syscallsevent) |
| [TracerMetadata](#tracermetadata) |
| [Variables](#variables) |
| [Process](#process) |

Expand Down Expand Up @@ -5790,6 +5825,60 @@ Workload Protection events for Linux systems have the following JSON schema:



## `TracerMetadata`


{{< code-block lang="json" collapsible="true" >}}
{
"properties": {
"schema_version": {
"type": "integer"
},
"runtime_id": {
"type": "string"
},
"tracer_language": {
"type": "string"
},
"tracer_version": {
"type": "string"
},
"hostname": {
"type": "string"
},
"service_name": {
"type": "string"
},
"service_env": {
"type": "string"
},
"service_version": {
"type": "string"
},
"process_tags": {
"type": "string"
},
"container_id": {
"type": "string"
},
"logs_collected": {
"type": "boolean"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"schema_version",
"tracer_language",
"tracer_version",
"hostname"
]
}

{{< /code-block >}}



## `UserContext`


59 changes: 49 additions & 10 deletions docs/cloud-workload-security/backend_linux.schema.json
Expand Up @@ -1470,11 +1470,8 @@
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"description": "Tags from an APM tracer instrumentation"
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
},
"variables": {
"$ref": "#/$defs/Variables",
Expand Down Expand Up @@ -1651,11 +1648,8 @@
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"description": "Tags from an APM tracer instrumentation"
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
},
"variables": {
"$ref": "#/$defs/Variables",
Expand Down Expand Up @@ -2227,6 +2221,51 @@
"type": "object",
"description": "TLSContextSerializer defines a tls context serializer"
},
"TracerMetadata": {
"properties": {
"schema_version": {
"type": "integer"
},
"runtime_id": {
"type": "string"
},
"tracer_language": {
"type": "string"
},
"tracer_version": {
"type": "string"
},
"hostname": {
"type": "string"
},
"service_name": {
"type": "string"
},
"service_env": {
"type": "string"
},
"service_version": {
"type": "string"
},
"process_tags": {
"type": "string"
},
"container_id": {
"type": "string"
},
"logs_collected": {
"type": "boolean"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"schema_version",
"tracer_language",
"tracer_version",
"hostname"
]
},
"UserContext": {
"properties": {
"id": {
17 changes: 9 additions & 8 deletions pkg/network/events/monitor.go
Expand Up @@ -156,15 +156,16 @@ func (h *eventConsumerWrapper) Copy(ev *model.Event) any {
}
}

tracerTags := ev.GetProcessTracerTags()
for _, tag := range tracerTags {
if tracermetadata.ShouldSkipServiceTag(tag,
tagsFound["DD_SERVICE"],
tagsFound["DD_ENV"],
tagsFound["DD_VERSION"]) {
continue
if tmeta := ev.GetProcessTracerMetadata(); (tmeta != tracermetadata.TracerMetadata{}) {
for key, value := range tmeta.Tags() {
if tracermetadata.ShouldSkipServiceTagKV(key, value,
tagsFound["DD_SERVICE"],
tagsFound["DD_ENV"],
tagsFound["DD_VERSION"]) {
continue
}
p.Tags = append(p.Tags, intern.GetByString(key+":"+value))
}
p.Tags = append(p.Tags, intern.GetByString(tag))
}

if cid := ev.GetContainerID(); cid != "" {
Expand Down
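Review bot: The zero-value guard `(tmeta != tracermetadata.TracerMetadata{})` ties this call site to TracerMetadata staying a comparable struct; the first time a slice or map field is added to it (the published schema currently lists only strings, an integer and a boolean, so it compiles today) this line stops compiling, and the intent is also less obvious than a method would make it. I would move the check onto the type, e.g. `if tmeta := ev.GetProcessTracerMetadata(); !tmeta.IsZero() {`, or simply range over `tmeta.Tags()` unconditionally if it returns nothing for the zero value. If `Tags()` returns a map, iteration order is random, so `p.Tags` ends up in a nondeterministic order between two otherwise identical events; if callers or tests ever compare the slice, have `Tags()` return a sorted slice of key/value pairs instead. The enclosing `Copy` method starts before the hunk and continues after it.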
61 changes: 49 additions & 12 deletions pkg/network/events/monitor_test.go
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/stretchr/testify/require"
"go4.org/intern"

tracermetadata "github.com/DataDog/datadog-agent/pkg/discovery/tracermetadata/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
)

Expand Down Expand Up @@ -259,15 +260,11 @@ func TestEventHandleTracerTags(t *testing.T) {
"DD_ENV=env-from-envp",
"DD_VERSION=version-from-envp",
},
TracerTags: []string{
"tracer_service_name:my-service",
"tracer_service_env:my-env",
"tracer_service_version:my-version",
"entrypoint.name:my-entrypoint",
// Should be skipped because it matches the UST tags
"tracer_service_name:service-from-envp",
"tracer_service_env:env-from-envp",
"tracer_service_version:version-from-envp",
TracerMetadata: tracermetadata.TracerMetadata{
ServiceName: "my-service",
ServiceEnv: "my-env",
ServiceVersion: "my-version",
ProcessTags: "entrypoint.name:my-entrypoint",
},
},
},
Expand All @@ -286,9 +283,49 @@ func TestEventHandleTracerTags(t *testing.T) {
assert.Contains(t, receivedProc.Tags, intern.GetByString("tracer_service_name:my-service"))
assert.Contains(t, receivedProc.Tags, intern.GetByString("tracer_service_env:my-env"))
assert.Contains(t, receivedProc.Tags, intern.GetByString("tracer_service_version:my-version"))
assert.NotContains(t, receivedProc.Tags, intern.GetByString("tracer_service_name:service-from-envp"))
assert.NotContains(t, receivedProc.Tags, intern.GetByString("tracer_service_env:env-from-envp"))
assert.NotContains(t, receivedProc.Tags, intern.GetByString("tracer_service_version:version-from-envp"))
assert.Contains(t, receivedProc.Tags, intern.GetByString("entrypoint.name:my-entrypoint"))
})

t.Run("process event with tracer tags matching UST env vars", func(t *testing.T) {
handler.events = nil // reset

now := time.Now()
ev := &model.Event{
BaseEvent: model.BaseEvent{
Type: uint32(model.ExecEventType),
ProcessContext: &model.ProcessContext{
Process: model.Process{
PIDContext: model.PIDContext{
Pid: 1234,
},
ExecTime: now,
Envp: []string{
"DD_SERVICE=my-service",
"DD_ENV=my-env",
"DD_VERSION=my-version",
},
TracerMetadata: tracermetadata.TracerMetadata{
ServiceName: "my-service",
ServiceEnv: "my-env",
ServiceVersion: "my-version",
ProcessTags: "entrypoint.name:my-entrypoint",
},
},
},
FieldHandlers: &model.FakeFieldHandlers{},
},
}

p := evHandler.Copy(ev).(*Process)
evHandler.HandleEvent(p)

require.Len(t, handler.events, 1, "should have received 1 process event")
receivedProc := handler.events[0]
// tracer_service_* tags should be skipped because they match DD_* env vars
assert.NotContains(t, receivedProc.Tags, intern.GetByString("tracer_service_name:my-service"))
assert.NotContains(t, receivedProc.Tags, intern.GetByString("tracer_service_env:my-env"))
assert.NotContains(t, receivedProc.Tags, intern.GetByString("tracer_service_version:my-version"))
// non-service tags should still be present
assert.Contains(t, receivedProc.Tags, intern.GetByString("entrypoint.name:my-entrypoint"))
})

Expand Down
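Review bot: The new subtest builds the same `model.Event` literal as the one above it with only `Envp` and the expected assertions differing, which makes the two cases drift apart easily; a small helper such as `newExecEventWithTracer(envp []string, meta tracermetadata.TracerMetadata) *model.Event` (or a table-driven loop over the two inputs) would keep the fixture in one place. The path that `monitor.go` now guards — an event whose `TracerMetadata` is the zero value — has no subtest at all, so a regression that emits empty `tracer_service_*:` tags for uninstrumented processes would go unnoticed; a third case with a zero `TracerMetadata` asserting that no `tracer_` tag is present would cover it. `TestEventHandleTracerTags` starts before the hunk and continues after it.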