[WP] Implementation of Otel 4947 thread context: dd-trace-go test

Gui774ume · Gui774ume · commit 2ac91efb2dee · 2026-04-10T19:52:28.000+02:00
diff --git a/pkg/security/tests/span_test.go b/pkg/security/tests/span_test.go
@@ -307,3 +307,65 @@ func TestGoSpan(t *testing.T) {
 		})
 	})
 }
+
+// TestDDTraceGoSpan tests the full dd-trace-go integration: dd-trace-go creates
+// a real span which internally sets pprof labels ("span id", "local root span id"),
+// and the eBPF Go labels reader extracts them from the goroutine's label storage.
+func TestDDTraceGoSpan(t *testing.T) {
+	SkipIfNotAvailable(t)
+
+	ruleDefs := []*rules.RuleDefinition{
+		{
+			ID:         "test_ddtrace_span_rule_open",
+			Expression: `open.file.path == "{{.Root}}/test-ddtrace-span"`,
+		},
+	}
+
+	test, err := newTestModule(t, nil, ruleDefs)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer test.Close()
+
+	goSyscallTester, err := loadSyscallTester(t, test, "syscall_go_tester")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Run("ddtrace_span", func(t *testing.T) {
+		test.RunMultiMode(t, "open", func(t *testing.T, _ wrapperType, cmdFunc func(cmd string, args []string, envs []string) *exec.Cmd) {
+			testFile, _, err := test.Path("test-ddtrace-span")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.Remove(testFile)
+
+			args := []string{
+				"-ddtrace-span-test",
+				"-ddtrace-span-file-path", testFile,
+			}
+			envs := []string{}
+
+			test.WaitSignalFromRule(t, func() error {
+				cmd := cmdFunc(goSyscallTester, args, envs)
+				out, err := cmd.CombinedOutput()
+
+				if err != nil {
+					return fmt.Errorf("%s: %w", out, err)
+				}
+
+				return nil
+			}, func(event *model.Event, rule *rules.Rule) {
+				assertTriggeredRule(t, rule, "test_ddtrace_span_rule_open")
+
+				// dd-trace-go generates span IDs at runtime, so we can't predict
+				// the exact values. We just verify they're non-zero, which proves
+				// the full pipeline works: dd-trace-go → pprof labels → eBPF reader.
+				assert.NotEqual(t, uint64(0), event.SpanContext.SpanID,
+					"span ID should be non-zero (set by dd-trace-go via pprof labels)")
+				assert.NotEqual(t, uint64(0), event.SpanContext.TraceID.Lo,
+					"trace ID lo should be non-zero (local root span ID from dd-trace-go)")
+			}, "test_ddtrace_span_rule_open")
+		})
+	})
+}
diff --git a/pkg/security/tests/syscall_tester/go/syscall_go_tester.go b/pkg/security/tests/syscall_tester/go/syscall_go_tester.go
@@ -17,12 +17,14 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
+	"runtime"
 	"runtime/pprof"
 	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
 
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
 	manager "github.com/DataDog/ebpf-manager"
 	"github.com/syndtr/gocapability/capability"
 	"github.com/vishvananda/netlink"
@@ -55,6 +57,8 @@ var (
 	goSpanSpanID          string
 	goSpanLocalRootSpanID string
 	goSpanFilePath        string
+	ddtraceSpanTest       bool
+	ddtraceSpanFilePath   string
 )
 
 //go:embed ebpf_probe.o
@@ -340,6 +344,96 @@ func RunGoSpanTest(spanID, localRootSpanID, filePath string) error {
 	return nil
 }
 
+// RunDDTraceSpanTest uses dd-trace-go to create a real span, which sets pprof
+// labels automatically via the profiler code hotspots integration. This tests
+// the full dd-trace-go → pprof labels → eBPF Go labels reader pipeline.
+func RunDDTraceSpanTest(filePath string) error {
+	// Create and seal a tracer-info memfd with tracer_language="go".
+	type TracerMeta struct {
+		SchemaVersion  uint8  `msgpack:"schema_version"`
+		TracerLanguage string `msgpack:"tracer_language"`
+		TracerVersion  string `msgpack:"tracer_version"`
+		Hostname       string `msgpack:"hostname"`
+		ServiceName    string `msgpack:"service_name"`
+	}
+	meta := TracerMeta{
+		SchemaVersion:  2,
+		TracerLanguage: "go",
+		TracerVersion:  "0.0.1-test",
+		Hostname:       "test",
+		ServiceName:    "ddtrace-test",
+	}
+	data, err := msgpack.Marshal(&meta)
+	if err != nil {
+		return fmt.Errorf("msgpack marshal: %w", err)
+	}
+
+	fd, err := unix.MemfdCreate("datadog-tracer-info-ddtrace0", unix.MFD_ALLOW_SEALING)
+	if err != nil {
+		return fmt.Errorf("memfd_create: %w", err)
+	}
+	defer unix.Close(fd)
+
+	if _, err := unix.Write(fd, data); err != nil {
+		return fmt.Errorf("memfd write: %w", err)
+	}
+	const fAddSeals = 1033
+	const fSealWrite = 0x0008
+	const fSealShrink = 0x0002
+	const fSealGrow = 0x0004
+	if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), fAddSeals, fSealWrite|fSealShrink|fSealGrow); errno != 0 {
+		return fmt.Errorf("memfd seal: %w", errno)
+	}
+
+	// Wait for the agent to process the memfd seal event and populate the BPF map.
+	time.Sleep(500 * time.Millisecond)
+
+	// Start dd-trace-go with:
+	// - WithTestDefaults: uses a dummy transport (no real agent needed)
+	// - WithProfilerCodeHotspots: enables "span id" and "local root span id" pprof labels
+	// - WithService: set a service name
+	tracer.Start(
+		tracer.WithTestDefaults(nil),
+		tracer.WithProfilerCodeHotspots(true),
+		tracer.WithService("ddtrace-test"),
+		tracer.WithLogStartup(false),
+	)
+	defer tracer.Stop()
+
+	// Create a span. dd-trace-go will automatically set pprof labels
+	// "span id" and "local root span id" on the current goroutine.
+	span, ctx := tracer.StartSpanFromContext(context.Background(), "test.operation")
+
+	// The span ID and local root span ID should now be set as pprof labels.
+	// Print them so the test can verify the values.
+	spanID := span.Context().SpanID()
+	// For a root span, local root span ID == span ID.
+	fmt.Printf("ddtrace_span_id=%d\n", spanID)
+
+	// Activate the labels on this goroutine by using the context.
+	_ = ctx
+	// dd-trace-go sets labels in StartSpanFromContext, but we need to ensure
+	// the goroutine labels are active. Use pprof.SetGoroutineLabels with
+	// the span's context to make sure.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	// Give a moment for the labels to be set
+	time.Sleep(10 * time.Millisecond)
+
+	// Trigger the file open that the CWS rule is watching.
+	f, err := os.Create(filePath)
+	if err != nil {
+		span.Finish()
+		return fmt.Errorf("create file: %w", err)
+	}
+	f.Close()
+	os.Remove(filePath)
+
+	span.Finish()
+	return nil
+}
+
 func main() {
 	flag.BoolVar(&bpfLoad, "load-bpf", false, "load the eBPF programs")
 	flag.BoolVar(&bpfClone, "clone-bpf", false, "clone maps")
@@ -360,6 +454,8 @@ func main() {
 	flag.StringVar(&goSpanSpanID, "go-span-span-id", "", "span ID for the Go span test (decimal string)")
 	flag.StringVar(&goSpanLocalRootSpanID, "go-span-local-root-span-id", "", "local root span ID for the Go span test (decimal string)")
 	flag.StringVar(&goSpanFilePath, "go-span-file-path", "", "file path to open for the Go span test")
+	flag.BoolVar(&ddtraceSpanTest, "ddtrace-span-test", false, "when set, runs the dd-trace-go span test")
+	flag.StringVar(&ddtraceSpanFilePath, "ddtrace-span-file-path", "", "file path to open for the dd-trace-go span test")
 
 	flag.Parse()
 
@@ -426,4 +522,10 @@ func main() {
 			panic(err)
 		}
 	}
+
+	if ddtraceSpanTest {
+		if err := RunDDTraceSpanTest(ddtraceSpanFilePath); err != nil {
+			panic(err)
+		}
+	}
 }
