From fd5bfec3c20bb459bab4b4c4c8af40ffe1137fdc Mon Sep 17 00:00:00 2001 From: Ofek Lev Date: Wed, 23 Sep 2020 15:37:59 -0400 Subject: [PATCH] Ignore `/proc/sys/fs/binfmt_misc` by default --- disk/assets/configuration/spec.yaml | 3 ++- disk/datadog_checks/disk/data/conf.yaml.default | 3 ++- disk/datadog_checks/disk/disk.py | 6 +++++- disk/tests/test_filter.py | 6 +++--- disk/tests/test_unit.py | 2 +- 5 files changed, 13 insertions(+), 7 deletions(-) diff --git a/disk/assets/configuration/spec.yaml b/disk/assets/configuration/spec.yaml index 57b7fbf64c11b5..fc45efb1edbc12 100644 --- a/disk/assets/configuration/spec.yaml +++ b/disk/assets/configuration/spec.yaml @@ -26,7 +26,8 @@ files: description: | Instruct the check to always add these patterns to `mount_point_blacklist`. value: - example: [] + example: + - /proc/sys/fs/binfmt_misc$ type: array items: type: string diff --git a/disk/datadog_checks/disk/data/conf.yaml.default b/disk/datadog_checks/disk/data/conf.yaml.default index f336395f479a7b..285c610ddc3f4b 100644 --- a/disk/datadog_checks/disk/data/conf.yaml.default +++ b/disk/datadog_checks/disk/data/conf.yaml.default @@ -16,7 +16,8 @@ init_config: ## @param mount_point_global_blacklist - list of strings - optional ## Instruct the check to always add these patterns to `mount_point_blacklist`. # - # mount_point_global_blacklist: [] + # mount_point_global_blacklist: + # - /proc/sys/fs/binfmt_misc$ ## Every instance is scheduled independent of the others. # diff --git a/disk/datadog_checks/disk/disk.py b/disk/datadog_checks/disk/disk.py index 7f1f9a370aff33..c7eaa840c3d494 100644 --- a/disk/datadog_checks/disk/disk.py +++ b/disk/datadog_checks/disk/disk.py @@ -438,4 +438,8 @@ def get_default_device_blacklist(): @staticmethod def get_default_mount_mount_blacklist(): - return [] + return [ + # https://github.com/DataDog/datadog-agent/issues/1961 + # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1049 + '/proc/sys/fs/binfmt_misc$' + ] 
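Review bot: The two comment lines above `'/proc/sys/fs/binfmt_misc$'` in `get_default_mount_mount_blacklist()` are bare links and do not say why the path is excluded; a short reason such as `# systemd automount point: accessing it can block the calling process (CVE-2018-1049)` would keep the default from later being removed as noise. The pattern is anchored only at the end, so whether it also covers a host `/proc` mounted under a prefix inside a container depends on whether the matcher uses `search` or `match`, which is outside this hunk and worth pinning with a test. It is also not visible here whether a user-supplied `mount_point_global_blacklist` replaces this default or extends it. If it replaces it, the commented example in `conf.yaml.default` should say that dropping the entry removes the protection.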
diff --git a/disk/tests/test_filter.py b/disk/tests/test_filter.py index 705b18c4fd0880..2642a4df407cc3 100644 --- a/disk/tests/test_filter.py +++ b/disk/tests/test_filter.py @@ -39,7 +39,7 @@ def test_bad_config_string_regex(): assert_regex_equal(c._device_whitelist, re.compile('test', IGNORE_CASE)) assert_regex_equal(c._device_blacklist, re.compile('test', IGNORE_CASE)) assert_regex_equal(c._mount_point_whitelist, re.compile('test', IGNORE_CASE)) - assert_regex_equal(c._mount_point_blacklist, re.compile('test', IGNORE_CASE)) + assert_regex_equal(c._mount_point_blacklist, re.compile('test|/proc/sys/fs/binfmt_misc$', IGNORE_CASE)) def test_ignore_empty_regex(): @@ -58,7 +58,7 @@ def test_ignore_empty_regex(): assert_regex_equal(c._device_whitelist, re.compile('test', IGNORE_CASE)) assert_regex_equal(c._device_blacklist, re.compile('test', IGNORE_CASE)) assert_regex_equal(c._mount_point_whitelist, re.compile('test', IGNORE_CASE)) - assert_regex_equal(c._mount_point_blacklist, re.compile('test', IGNORE_CASE)) + assert_regex_equal(c._mount_point_blacklist, re.compile('test|/proc/sys/fs/binfmt_misc$', IGNORE_CASE)) def test_exclude_bad_devices(): @@ -191,7 +191,7 @@ def test_legacy_config(): assert_regex_equal(c._file_system_blacklist, re.compile('iso9660$|test$', re.I)) assert_regex_equal(c._device_blacklist, re.compile('test1$|test2', IGNORE_CASE)) - assert_regex_equal(c._mount_point_blacklist, re.compile('test', IGNORE_CASE)) + assert_regex_equal(c._mount_point_blacklist, re.compile('/proc/sys/fs/binfmt_misc$|test', IGNORE_CASE)) def test_legacy_exclude_disk(): diff --git a/disk/tests/test_unit.py b/disk/tests/test_unit.py index 7f569fb44316d9..9df3cd5dc0cc29 100644 --- a/disk/tests/test_unit.py +++ b/disk/tests/test_unit.py 
@@ -26,7 +26,7 @@ def test_default_options():
 assert check._device_whitelist is None
 assert check._device_blacklist is None
 assert check._mount_point_whitelist is None
- assert check._mount_point_blacklist is None
+ assert check._mount_point_blacklist == re.compile('/proc/sys/fs/binfmt_misc$', re.I)
 assert check._tag_by_filesystem is False
 assert check._device_tag_re == []
 assert check._service_check_rw is False
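Review bot: The new assertion compares compiled patterns with `==` and `re.I`, while the same expectation in `disk/tests/test_filter.py` goes through `assert_regex_equal(..., IGNORE_CASE)`. Using the helper here, `assert_regex_equal(check._mount_point_blacklist, re.compile('/proc/sys/fs/binfmt_misc$', IGNORE_CASE))`, would keep the two test files consistent and avoid depending on how the interpreter compares pattern objects. The diffstat shows only this one-line change in `test_unit.py`, so `re` (and the helper, if adopted) must already be imported at the top of the file, which is outside the hunk. `test_default_options` begins before the hunk and may continue after it.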