diff --git a/receiver/awscontainerinsightreceiver/internal/efa/efaSysfs.go b/receiver/awscontainerinsightreceiver/internal/efa/efaSysfs.go
index bf9b85aa888d..f6c13bce8a7a 100644
--- a/receiver/awscontainerinsightreceiver/internal/efa/efaSysfs.go
+++ b/receiver/awscontainerinsightreceiver/internal/efa/efaSysfs.go
@@ -11,7 +11,6 @@ import (
 "path/filepath"
 "strconv"
 "strings"
- "syscall"
 "time"
 
 "go.opentelemetry.io/collector/pdata/pmetric"
@@ -343,19 +342,9 @@ func (r *sysfsReaderImpl) EfaDataExists() (bool, error) {
 return false, err
 }
 
- stat, ok := info.Sys().(*syscall.Stat_t)
- if !ok {
- r.logger.Warn("Couldn't read permissions of EFA directory, not reading from it", zap.String("path", efaPath))
- return false, nil
- }
-
- if stat.Uid != 0 {
- r.logger.Warn("EFA directory exists but is not owned by root, not reading from it", zap.String("path", efaPath), zap.Uint32("owner uid", stat.Uid))
- return false, nil
- }
- perms := info.Mode().Perm()
- if perms&0002 != 0 {
- r.logger.Warn("EFA directory exists but is writeable by anyone, not reading from it", zap.String("path", efaPath), zap.String("permissions", perms.String()))
+ valid, err := checkPermissions(info)
+ if !valid {
+ r.logger.Warn("not reading from EFA directory", zap.String("path", efaPath), zap.Error(err))
 return false, nil
 }
 
diff --git a/receiver/awscontainerinsightreceiver/internal/efa/permissionscheck_linux.go b/receiver/awscontainerinsightreceiver/internal/efa/permissionscheck_linux.go
new file mode 100644
index 000000000000..96980d32a572
--- /dev/null
+++ b/receiver/awscontainerinsightreceiver/internal/efa/permissionscheck_linux.go
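Review bot: The `valid` flag returned by checkPermissions duplicates `err != nil`, and the kubeletutil sibling `checkPodResourcesSocketPermissions` introduced in this same commit returns only an `error`; making the efa helper return `error` as well would keep the two consistent and let this call site read `if err := checkPermissions(info); err != nil {`. On Windows the stub always fails, so every EfaDataExists call will emit this warning with "not implemented on Windows"; if the check is polled, consider logging that once or returning `false, nil` without a warning on that platform. Returning `false, nil` when ownership or mode cannot be verified keeps the fail-closed behaviour of the old code, which is the right default. EfaDataExists begins and ends outside the hunk.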
@@ -0,0 +1,31 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !windows
+// +build !windows
+
+package efa
+
+import (
+ "errors"
+ "fmt"
+ "os"
+ "syscall"
+)
+
+func checkPermissions(info os.FileInfo) (bool, error) {
+ stat, ok := info.Sys().(*syscall.Stat_t)
+ if !ok {
+ return false, errors.New("couldn't read permissions")
+ }
+
+ if stat.Uid != 0 {
+ return false, fmt.Errorf("not owned by root, owned by uid %d", stat.Uid)
+ }
+ perms := info.Mode().Perm()
+ if perms&0002 != 0 {
+ return false, fmt.Errorf("writeable by anyone, permissions: %s", perms.String())
+ }
+
+ return true, nil
+}
diff --git a/receiver/awscontainerinsightreceiver/internal/efa/permissionscheck_windows.go b/receiver/awscontainerinsightreceiver/internal/efa/permissionscheck_windows.go
new file mode 100644
index 000000000000..84a86d42efca
--- /dev/null
+++ b/receiver/awscontainerinsightreceiver/internal/efa/permissionscheck_windows.go
@@ -0,0 +1,11 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build windows
+// +build windows
+
+package efa
+
+func checkPermissions(info os.FileInfo) (bool, error) {
+ return false, errors.New("not implemented on Windows")
+}
diff --git a/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclient.go b/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclient.go
index f2a6c4c27948..08fcf137dcb1 100644
--- a/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclient.go
+++ b/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclient.go
@@ -8,7 +8,6 @@ import (
 "fmt"
 "net"
 "os"
- "syscall"
 "time"
 
 "google.golang.org/grpc"
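Review bot: The `_linux.go` filename suffix is itself a build constraint (GOOS=linux only), so the `//go:build !windows` tag in this file is narrowed to linux and `checkPermissions` has no definition on darwin, freebsd or any other non-Windows GOOS, where the `_windows.go` stub is not compiled either; `podresourcesclientpermissionscheck_linux.go` in this commit has the same problem. Either rename the two files so the suffix is not a GOOS name (for example `permissionscheck_unix.go` with the existing `!windows` tag), or change the tag to `//go:build linux` and give the stub `//go:build !linux`, so that every GOOS gets exactly one definition. A doc comment would also make the contract explicit, e.g. `// checkPermissions reports whether info describes a path owned by uid 0 and not world-writable; the error says why a path was rejected.`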
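Review bot: This stub references `os.FileInfo` and `errors.New` but declares no imports, so the efa package does not compile with GOOS=windows; `podresourcesclientpermissionscheck_windows.go` in this commit has the same gap (it imports `os` but not `errors`). Add an import block with `"errors"` and `"os"` to both stubs. That neither was caught suggests a Windows build is not part of CI for this component, in which case a `GOOS=windows go vet ./...` step would be worth adding. Since the parameter is deliberately unused here, `func checkPermissions(_ os.FileInfo) (bool, error) {` makes that intent visible.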
@@ -75,20 +74,9 @@ func validateSocket(socket string) error {
 return fmt.Errorf("failed to check socket path: %w", err)
 }
 
- stat, ok := info.Sys().(*syscall.Stat_t)
- if !ok {
- return nil
- }
-
- if stat.Uid != 0 {
- return fmt.Errorf("socket path %s is owned by %d, not root", socket, stat.Uid)
- }
- perms := info.Mode().Perm()
- if perms&0002 != 0 {
- return fmt.Errorf("socket path %s is writeable by anyone - permissions: %s", socket, perms)
- }
- if info.Mode()&os.ModeSocket == 0 {
- return fmt.Errorf("socket path %s is not a socket - mode: %s", socket, info.Mode())
+ err = checkPodResourcesSocketPermissions(info)
+ if err != nil {
+ return fmt.Errorf("socket path %s is not valid: %w", socket, err)
 }
 
 return nil
diff --git a/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclientpermissionscheck_linux.go b/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclientpermissionscheck_linux.go
new file mode 100644
index 000000000000..0cca378bd9a0
--- /dev/null
+++ b/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclientpermissionscheck_linux.go
@@ -0,0 +1,33 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !windows
+// +build !windows
+
+package kubeletutil
+
+import (
+ "fmt"
+ "os"
+ "syscall"
+)
+
+func checkPodResourcesSocketPermissions(info os.FileInfo) error {
+ stat, ok := info.Sys().(*syscall.Stat_t)
+ if !ok {
+ return fmt.Errorf("couldn't check permissions")
+ }
+
+ if stat.Uid != 0 {
+ return fmt.Errorf("owned by %d, not root", stat.Uid)
+ }
+ perms := info.Mode().Perm()
+ if perms&0002 != 0 {
+ return fmt.Errorf("writeable by anyone - permissions: %s", perms)
+ }
+ if info.Mode()&os.ModeSocket == 0 {
+ return fmt.Errorf("not a socket - mode: %s", info.Mode())
+ }
+
+ return nil
+}
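Review bot: Behaviour changes silently at this call: the removed code returned nil when `info.Sys()` was not a `*syscall.Stat_t`, whereas `checkPodResourcesSocketPermissions` now returns an error for that case, so validateSocket fails closed wherever ownership cannot be read. That is the safer direction for a path the receiver is about to connect to, but it deserves a comment so nobody "fixes" it back, e.g. `// Fail closed: ownership and mode must be verifiable, and the path must be a root-owned, non-world-writable unix socket.` The assignment can also be scoped to the condition: `if err := checkPodResourcesSocketPermissions(info); err != nil {`. validateSocket starts outside the hunk.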
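Review bot: `fmt.Errorf("couldn't check permissions")` has no format verbs and should be `errors.New("couldn't check permissions")` (staticcheck and perfsprint both flag this), which also matches the efa helper in this commit; `fmt` stays for the other three calls, so only `"errors"` needs adding to the import block. The helper enforces three distinct properties (uid 0 owner, no world-write bit, socket mode) and a doc comment should name all of them, e.g. `// checkPodResourcesSocketPermissions returns nil only if info is a unix socket owned by uid 0 that is not world-writable; the error names the first property that failed.`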
diff --git a/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclientpermissionscheck_windows.go b/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclientpermissionscheck_windows.go
new file mode 100644
index 000000000000..95a7dbae9336
--- /dev/null
+++ b/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil/podresourcesclientpermissionscheck_windows.go
@@ -0,0 +1,15 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build windows
+// +build windows
+
+package kubeletutil
+
+import (
+ "os"
+)
+
+func checkPodResourcesSocketPermissions(info os.FileInfo) error {
+ return errors.New("not implemented on Windows")
+}