[CWS] Allow dumping process cache in raw JSON (#30522)

DataDog · Oct 28, 2024 · 8ecc141 · 8ecc141
1 parent 5172b01
commit 8ecc141
Show file tree

Hide file tree

Showing 10 changed files with 608 additions and 506 deletions.
diff --git a/cmd/security-agent/subcommands/runtime/command.go b/cmd/security-agent/subcommands/runtime/command.go
@@ -223,6 +223,7 @@ type processCacheDumpCliParams struct {
 	*command.GlobalParams
 
 	withArgs bool
+	format   string
 }
 
 //nolint:unused // TODO(SEC) Fix unused linter
@@ -246,6 +247,7 @@ func processCacheCommands(globalParams *command.GlobalParams) []*cobra.Command {
 		},
 	}
 	processCacheDumpCmd.Flags().BoolVar(&cliParams.withArgs, "with-args", false, "add process arguments to the dump")
+	processCacheDumpCmd.Flags().StringVar(&cliParams.format, "format", "dot", "process cache dump format")
 
 	processCacheCmd := &cobra.Command{
 		Use:   "process-cache",
@@ -328,7 +330,7 @@ func dumpProcessCache(_ log.Component, _ config.Component, _ secrets.Component,
 	}
 	defer client.Close()
 
-	filename, err := client.DumpProcessCache(processCacheDumpArgs.withArgs)
+	filename, err := client.DumpProcessCache(processCacheDumpArgs.withArgs, processCacheDumpArgs.format)
 	if err != nil {
 		return fmt.Errorf("unable to get a process cache dump: %w", err)
 	}

diff --git a/cmd/system-probe/subcommands/runtime/command.go b/cmd/system-probe/subcommands/runtime/command.go
@@ -217,6 +217,7 @@ type processCacheDumpCliParams struct {
 	*command.GlobalParams
 
 	withArgs bool
+	format   string
 }
 
 //nolint:unused // TODO(SEC) Fix unused linter
@@ -240,6 +241,7 @@ func processCacheCommands(globalParams *command.GlobalParams) []*cobra.Command {
 		},
 	}
 	processCacheDumpCmd.Flags().BoolVar(&cliParams.withArgs, "with-args", false, "add process arguments to the dump")
+	processCacheDumpCmd.Flags().StringVar(&cliParams.format, "format", "dot", "process cache dump format")
 
 	processCacheCmd := &cobra.Command{
 		Use:   "process-cache",
@@ -322,7 +324,7 @@ func dumpProcessCache(_ log.Component, _ config.Component, _ secrets.Component,
 	}
 	defer client.Close()
 
-	filename, err := client.DumpProcessCache(processCacheDumpArgs.withArgs)
+	filename, err := client.DumpProcessCache(processCacheDumpArgs.withArgs, processCacheDumpArgs.format)
 	if err != nil {
 		return fmt.Errorf("unable to get a process cache dump: %w", err)
 	}

diff --git a/pkg/security/agent/client.go b/pkg/security/agent/client.go
@@ -32,7 +32,7 @@ type RuntimeSecurityClient struct {
 // SecurityModuleClientWrapper represents a security module client
 type SecurityModuleClientWrapper interface {
 	DumpDiscarders() (string, error)
-	DumpProcessCache(withArgs bool) (string, error)
+	DumpProcessCache(withArgs bool, format string) (string, error)
 	GenerateActivityDump(request *api.ActivityDumpParams) (*api.ActivityDumpMessage, error)
 	ListActivityDumps() (*api.ActivityDumpListMessage, error)
 	StopActivityDump(name, containerid string) (*api.ActivityDumpStopMessage, error)
@@ -61,8 +61,8 @@ func (c *RuntimeSecurityClient) DumpDiscarders() (string, error) {
 }
 
 // DumpProcessCache sends a process cache dump request
-func (c *RuntimeSecurityClient) DumpProcessCache(withArgs bool) (string, error) {
-	response, err := c.apiClient.DumpProcessCache(context.Background(), &api.DumpProcessCacheParams{WithArgs: withArgs})
+func (c *RuntimeSecurityClient) DumpProcessCache(withArgs bool, format string) (string, error) {
+	response, err := c.apiClient.DumpProcessCache(context.Background(), &api.DumpProcessCacheParams{WithArgs: withArgs, Format: format})
 	if err != nil {
 		return "", err
 	}

diff --git a/pkg/security/agent/mocks/security_module_client_wrapper.go b/pkg/security/agent/mocks/security_module_client_wrapper.go
diff --git a/pkg/security/module/server_linux.go b/pkg/security/module/server_linux.go
@@ -11,6 +11,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 
 	"github.com/DataDog/datadog-agent/pkg/security/probe"
 	"github.com/DataDog/datadog-agent/pkg/security/proto/api"
@@ -36,9 +37,39 @@ func (a *APIServer) DumpProcessCache(_ context.Context, params *api.DumpProcessC
 		return nil, fmt.Errorf("not supported")
 	}
 
-	filename, err := p.Resolvers.ProcessResolver.ToDot(params.WithArgs)
-	if err != nil {
-		return nil, err
+	var (
+		filename string
+		err      error
+	)
+
+	switch params.Format {
+	case "json":
+		jsonContent, err := p.Resolvers.ProcessResolver.ToJSON(true)
+		if err != nil {
+			return nil, err
+		}
+
+		dump, err := os.CreateTemp("/tmp", "process-cache-dump-*.json")
+		if err != nil {
+			return nil, err
+		}
+
+		defer dump.Close()
+
+		filename = dump.Name()
+		if err := os.Chmod(dump.Name(), 0400); err != nil {
+			return nil, err
+		}
+
+		if _, err := dump.Write(jsonContent); err != nil {
+			return nil, err
+		}
+
+	case "dot", "":
+		filename, err = p.Resolvers.ProcessResolver.ToDot(params.WithArgs)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	return &api.SecurityDumpProcessCacheMessage{

diff --git a/pkg/security/probe/coredump.go b/pkg/security/probe/coredump.go
@@ -50,7 +50,7 @@ func (cd *CoreDump) ToJSON() ([]byte, error) {
 	}
 
 	if cd.definition.Process {
-		data, _ := cd.resolvers.ProcessResolver.ToJSON()
+		data, _ := cd.resolvers.ProcessResolver.ToJSON(false)
 		content.Process = data
 	}