[WP] Fix IMDS credentials serialization

[Gui774ume]

What does this PR do?

Fixes the serialization of AWS security credentials captured from IMDS traffic so that they are only reported on the process that actually made the IMDS request, instead of being duplicated onto every ancestor of that process.

Concretely:

• FetchAWSSecurityCredentials now takes the *model.Process being serialized and returns (and prunes) that process's own credentials, instead of always looking up the credentials of the event's triggering PID (e.ProcessContext.Pid).
• ResolveAWSSecurityCredentials (the ExtraFieldHandlers interface and its EBPF, EBPFLess, and Fake implementations) now forwards the process being serialized.
• The serializer (newProcessSerializer) passes the process it is currently serializing (ps) to the resolver, so each process and each ancestor reports only its own credentials.

Motivation

AWS security credentials parsed from an IMDS v2 response are attributed, by design, only to the process cache entry of the process that made the request — UpdateAWSSecurityCredentials appends them to a single entry, and Fork() does not copy them to children.

However, the serializer mis-attributed them. newProcessSerializer(ps, e) is invoked once for the triggering process and once per ancestor, but the credential lookup ignored the ps argument and re-resolved from the event:

awsSecurityCredentials := e.FieldHandlers.ResolveAWSSecurityCredentials(e)

That resolver was hard-keyed to e.ProcessContext.Pid, so every ancestor serialization re-fetched the triggering process's credentials and attached them to that ancestor. In production this surfaced as the same aws_security_credentials block (access key ID + metadata) appearing on the requesting process and on all of its ancestors (e.g. entrypoint.sh, runc, containerd-shim, systemd).

Describe how you validated your changes

• Added a regression test TestAWSSecurityCredentialsScopedToProcess that builds a parent -> child lineage, has the child receive IMDS credentials, and asserts the credentials are returned for the child but not for the ancestor — even though the event's process context still points to the child (the exact condition that previously leaked them).
• Added TestAWSSecurityCredentialsExpiration to confirm expired credentials are still pruned on fetch, now per-process.
• dda inv test --targets=./pkg/security/resolvers/process — pass.
• dda inv test --targets=./pkg/security/serializers — pass.
• dda inv test --targets=./pkg/security/secl/model — pass.

Additional Notes

• This is Linux-only: the credential serialization path lives in serializers_linux.go and the ResolveAWSSecurityCredentials field handler is declared in the Unix-only ExtraFieldHandlers interface. The seclwin model carries the AWSSecurityCredentials struct but no Windows serialization path uses it, so there is no Windows impact.
• Per-process expiry pruning is preserved: FetchAWSSecurityCredentials now prunes the slice on the process it is handed (still under the resolver lock) rather than on the triggering PID's entry.

[datadog-datadog-prod-us1-2]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/datadog-agent | new-e2e-cws: [--run TestAgentSuiteEC2]     

See error

2 failed tests in TestAgentSuiteEC2: condition never satisfied and no log found for ruleset_loaded event.

ℹ️ Info

🎯 Code Coverage (details)
• Patch Coverage: 88.89%
• Overall Coverage: 50.43% (-0.00%)

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 7b76512 | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor f053e31a:

Results for datadog-agent_7.81.0~devel.git.313.7b76512.pipeline.115938193-1_amd64.deb:

No change detected

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor f053e31
📊 Static Quality Gates Dashboard
🔗 SQG Job

Error

	Quality gate	Change	Size (prev → curr → max)
⚠️	docker_agent_amd64 (on disk)	neutral	806.345 MiB → 806.340

Gate failure full details

Quality gate	Error type	Error message
docker_agent_amd64	AbsoluteLimitExceeded (non-blocking: size unchanged from ancestor)	static_quality_gate_docker_agent_amd64 failed! Disk size 806.3 MB exceeds limit of 806.3 MB by 5.3 KB

Note: Some gates exceeded limits but are non-blocking because the size hasn't increased from the ancestor commit.

31 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64	746.193 MiB
✅	agent_deb_amd64_fips	703.959 MiB
✅	agent_heroku_amd64	310.715 MiB
✅	agent_rpm_amd64	746.177 MiB
✅	agent_rpm_amd64_fips	703.943 MiB
✅	agent_rpm_arm64	723.743 MiB
✅	agent_rpm_arm64_fips	684.667 MiB
✅	agent_suse_amd64	746.177 MiB
✅	agent_suse_amd64_fips	703.943 MiB
✅	agent_suse_arm64	723.743 MiB
✅	agent_suse_arm64_fips	684.667 MiB
✅	docker_agent_arm64	808.721 MiB
✅	docker_agent_jmx_amd64	997.265 MiB
✅	docker_agent_jmx_arm64	988.419 MiB
✅	docker_cluster_agent_amd64	207.101 MiB
✅	docker_cluster_agent_arm64	221.078 MiB
✅	docker_cws_instrumentation_amd64	7.154 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	39.511 MiB
✅	docker_dogstatsd_arm64	37.690 MiB
✅	docker_host_profiler_amd64	302.122 MiB
✅	docker_host_profiler_arm64	313.591 MiB
✅	dogstatsd_deb_amd64	30.166 MiB
✅	dogstatsd_deb_arm64	28.292 MiB
✅	dogstatsd_rpm_amd64	30.166 MiB
✅	dogstatsd_suse_amd64	30.166 MiB
✅	iot_agent_deb_amd64	44.460 MiB
✅	iot_agent_deb_arm64	41.429 MiB
✅	iot_agent_deb_armhf	42.146 MiB
✅	iot_agent_rpm_amd64	44.461 MiB
✅	iot_agent_suse_amd64	44.461 MiB

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: d1dcc9bc-10f4-45b1-a7a9-7e84a70252a0

Baseline: f053e31
Comparison: 7b76512
Diff

❌ Experiments with retried target crashes

This is a critical error. One or more replicates failed with a non-zero exit code. These replicates may have been retried. See Replicate Execution Details for more information.

• quality_gate_idle_all_features

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	-0.82	[-3.75, +2.11]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	tcp_syslog_to_blackhole	ingress throughput	+0.59	[+0.40, +0.77]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	+0.35	[+0.20, +0.51]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	+0.31	[+0.27, +0.35]	1	Logs bounds checks dashboard
➖	quality_gate_idle	memory utilization	+0.15	[+0.10, +0.20]	1	Logs bounds checks dashboard
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.12	[+0.07, +0.16]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.04	[-0.10, +0.18]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.03	[-0.39, +0.45]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.02	[-0.48, +0.51]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.01	[-0.19, +0.21]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.10, +0.10]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.00	[-0.44, +0.44]	1	Logs
➖	file_tree	memory utilization	-0.02	[-0.06, +0.02]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.03	[-0.23, +0.17]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	-0.05	[-0.29, +0.19]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	-0.09	[-0.26, +0.07]	1	Logs
➖	ddot_metrics	memory utilization	-0.17	[-0.36, +0.03]	1	Logs
➖	otlp_ingest_logs	memory utilization	-0.20	[-0.28, -0.11]	1	Logs
➖	otlp_ingest_metrics	memory utilization	-0.27	[-0.43, -0.10]	1	Logs
➖	ddot_logs	memory utilization	-0.30	[-0.36, -0.24]	1	Logs
➖	docker_containers_memory	memory utilization	-0.50	[-0.61, -0.40]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	-0.53	[-0.77, -0.28]	1	Logs bounds checks dashboard
➖	docker_containers_cpu	% cpu utilization	-0.82	[-3.75, +2.11]	1	Logs
➖	quality_gate_logs	% cpu utilization	-1.17	[-2.18, -0.15]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	714 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	247.34MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	692 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.16GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.17GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.19GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	142.81MiB ≤ 147MiB	bounds checks dashboard
✅	quality_gate_idle	total_bytes_received	10/10	738.51KiB ≤ 819.20KiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	476.31MiB ≤ 495MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	total_bytes_received	10/10	1.13MiB ≤ 1.25MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	173.48MiB ≤ 195MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_logs	total_bytes_received	10/10	264.36MiB ≤ 292MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	351.20 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	391.47MiB ≤ 430MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	total_bytes_received	10/10	0.95GiB ≤ 1.04GiB	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

Replicate Execution Details

We run multiple replicates for each experiment/variant. However, we allow replicates to be automatically retried if there are any failures, up to 8 times, at which point the replicate is marked dead and we are unable to run analysis for the entire experiment. We call each of these attempts at running replicates a replicate execution. This section lists all replicate executions that failed due to the target crashing or being oom killed.

Note: In the below tables we bucket failures by experiment, variant, and failure type. For each of these buckets we list out the replicate indexes that failed with an annotation signifying how many times said replicate failed with the given failure mode. In the below example the baseline variant of the experiment named experiment_with_failures had two replicates that failed by oom kills. Replicate 0, which failed 8 executions, and replicate 1 which failed 6 executions, all with the same failure mode.

Experiment	Variant	Replicates	Failure	Logs	Debug Dashboard
experiment_with_failures	baseline	0 (x8) 1 (x6)	Oom killed		Debug Dashboard

The debug dashboard links will take you to a debugging dashboard specifically designed to investigate replicate execution failures.

❌ Retried Normal Replicate Execution Failures (non-profiling)

Experiment	Variant	Replicates	Failure	Debug Dashboard
quality_gate_idle_all_features	comparison	3	Oom killed	Debug Dashboard

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.