[CLS-84749] charts: s1-agent: add fargate_ptrace_allow injection toggle #328
Open
DorEdelman wants to merge 2 commits into
MosheFriedland approved these changes May 17, 2026
New value configuration.env.injection.fargate_ptrace_allow (default true) that flows to the helper as S1_FARGATE_PTRACE_ALLOW. When set to false, the helper webhook skips injecting s1-fargate-init / libptrace_allow.so into Fargate pods and leaves their container CMD unchanged.

Add LD_PRELOAD env to helper's agent container to load libptrace_allow.so when ptrace injection is enabled.

Co-Authored-By: Moshe Friedland <moshe.friedland@sentinelone.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add S1_FARGATE_PTRACE_ALLOW to the env of the agent container that the helper webhook injects into Fargate pods, sharing the existing fargate_ptrace_allow gate next to LD_PRELOAD. The agent's cws_deployment startup reads this env var and translates it to the daemon_executor_ptrace_allow_enabled config key. When set, the agent's shell_spawner opts its remote-shell child (orphaned to pid 1 by daemon_executor's double-fork) into prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) so the agent's subsequent PTRACE_ATTACH succeeds under YAMA mode 1. The same toggle now drives all three Fargate ptrace fixes: workload LD_PRELOAD libptrace_allow.so, workload CMD wrap with s1-fargate-init, and the agent's own remote-shell PR_SET_PTRACER opt-in.
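The Yama behaviour that commit message relies on, as an added example that is not code from this PR or from the agent: a model of the extra PTRACE_ATTACH check in each ptrace_scope mode, next to the real prctl opt-in. The function names are hypothetical, and the mode semantics are taken from the kernel's Yama documentation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Yama ptrace_scope modes as documented in the kernel's Yama admin guide. */
enum { YAMA_CLASSIC = 0, YAMA_RESTRICTED = 1, YAMA_ADMIN_ONLY = 2, YAMA_NO_ATTACH = 3 };

/* Model of the check Yama adds after the classic ptrace checks pass (hypothetical helper). */
bool yama_permits_attach(int scope, bool tracee_is_descendant,
                         bool tracee_declared_tracer, bool tracer_has_cap_sys_ptrace)
{
    switch (scope) {
    case YAMA_CLASSIC:
        return true;
    case YAMA_RESTRICTED:
        return tracee_is_descendant || tracee_declared_tracer || tracer_has_cap_sys_ptrace;
    case YAMA_ADMIN_ONLY:
        return tracer_has_cap_sys_ptrace;
    default:
        return false;              /* mode 3: no attach at all */
    }
}

/* Read the live mode from procfs; returns -1 when Yama is absent or unreadable. */
int read_yama_scope(const char *path)
{
    int scope = -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Opt-in made by the process to be traced; ANY admits every tracer passing the classic checks. */
int allow_any_ptracer(void)
{
    return prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
}

int main(void)
{
    printf("ptrace_scope=%d\n", read_yama_scope("/proc/sys/kernel/yama/ptrace_scope"));
    /* Remote-shell child reparented to pid 1: no longer the agent's descendant. */
    printf("mode 1, no opt-in: %d\n", yama_permits_attach(YAMA_RESTRICTED, false, false, false));
    printf("mode 1, opted in (prctl rc=%d): %d\n", allow_any_ptracer(),
           yama_permits_attach(YAMA_RESTRICTED, false, true, false));
    return 0;
}
```

In modes 2 and 3 the opt-in changes nothing, so the declaration only affects hosts running mode 1.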
Summary
Adds configuration.env.injection.fargate_ptrace_allow (default true) — a toggle to control whether the agent injects ptrace-allow support into Fargate pods during webhook injection. Set to false to skip the injection for environments where it is not needed.