fix(observability): verify root-owned SigNoz bundle

This commit is contained in:
ogt
2026-07-15 16:58:03 +08:00
parent a5ae8f9969
commit 7d6db4f2b7
5 changed files with 17 additions and 6 deletions

View File

@@ -166,7 +166,11 @@ emit ai_decision pass "candidate_additive_immutable_inactive_source_deploy"
emit risk_policy_decision pass "medium_no_active_pointer_no_secret_no_raw_sqlite"
remote_check() {
bounded_ssh "${SSH_OPTIONS[@]}" "${TARGET_HOST}" bash -s -- \
# The immutable root is deliberately 0700/root-owned. Run this bounded
# verifier as root so it can distinguish exact from absent without relaxing
# directory permissions. REMOTE_CHECK contains only stat/hash/process/API
# reads and performs no writes.
bounded_ssh "${SSH_OPTIONS[@]}" "${TARGET_HOST}" sudo -n bash -s -- \
"${REMOTE_ROOT}" "${BUNDLE_ID}" "${REMOTE_TIMEOUT_SECONDS}" \
"${KILL_AFTER_SECONDS}" "${SOURCE_HASHES[@]}" <<'REMOTE_CHECK'
set -euo pipefail

View File

@@ -174,6 +174,13 @@ def test_shared_operation_lock_is_existing_read_only_and_fail_closed() -> None:
assert "exec 8>>/tmp/awoooi-signoz-backup-operation.lock" not in source
def test_remote_check_uses_privileged_read_only_visibility() -> None:
source = DEPLOYER.read_text(encoding="utf-8")
remote_check = source.split("remote_check() {", 1)[1].split("\n}", 1)[0]
assert '"${TARGET_HOST}" sudo -n bash -s --' in remote_check
assert "REMOTE_CHECK contains only stat/hash/process/API" in remote_check
def test_exact_five_file_supply_chain_and_modes_are_fixed() -> None:
source = DEPLOYER.read_text(encoding="utf-8")
for path in (