[CWS] Embed multiple default policies on windows #35343

Merged: dd-mergequeue[bot] merged 5 commits into main from momar/support-embedded-multi-policies-windows on Mar 25, 2025

@mftoure mftoure commented Mar 21, 2025

What does this PR do?

This PR enables embedding multiple default policies on Windows, not just the default.policy file.

Motivation

Describe how you validated your changes

Possible Drawbacks / Trade-offs

Additional Notes

@mftoure mftoure added changelog/no-changelog team/agent-security qa/done QA done before merge and regressions are covered by tests labels Mar 21, 2025
@mftoure mftoure added this to the 7.66.0 milestone Mar 21, 2025
@github-actions github-actions bot added the medium review PR review might take time label Mar 21, 2025
@mftoure mftoure marked this pull request as ready for review March 24, 2025 09:37
@mftoure mftoure requested review from a team as code owners March 24, 2025 09:37
if ENV['WINDOWS_DDPROCMON_DRIVER'] and not ENV['WINDOWS_DDPROCMON_DRIVER'].empty? and not windows_arch_i386?
move "#{install_dir}/etc/datadog-agent/security-agent.yaml.example", conf_dir_root, :force=>true
move "#{install_dir}/etc/datadog-agent/runtime-security.d", conf_dir_root, :force=>true
move "#{conf_dir_root}/runtime-security.d/default.policy", "#{conf_dir_root}/runtime-security.d/default.policy.example", :force=>true

Contributor

Don't we risk overriding customers' default.policy file if it contains modifications?

I'm not familiar at all with these files, so please forgive the question if it's silly

Contributor Author

Customers are expected to create additional policy files if they want to create their rules.
This behaviour (risk of overriding the default.policy) was the same before this PR.

Contributor

Previously the MSI custom action would only copy default.policy.example to default.policy if it does not already exist.

Contributor Author

If it copied only if default.policy did not exist, it would not be possible to update the policy. So I think it was a mistake.

@chouquette chouquette left a comment

LGTM for agent-delivery file

mftoure commented Mar 25, 2025

/merge

dd-devflow bot commented Mar 25, 2025

View all feedbacks in Devflow UI.
2025-03-25 09:14:56 UTC ℹ️ Start processing command /merge


2025-03-25 09:15:01 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 2h (p90).


2025-03-25 09:45:15 UTC ℹ️ MergeQueue: This merge request was merged

@dd-mergequeue dd-mergequeue bot merged commit 67cc200 into main Mar 25, 2025
327 checks passed
@dd-mergequeue dd-mergequeue bot deleted the momar/support-embedded-multi-policies-windows branch March 25, 2025 09:45