Ignore /proc/sys/fs/binfmt_misc by default (#7650)

* Ignore `/proc/sys/fs/binfmt_misc` by default

* address

* add warning

Author: ofek

disk/assets/configuration/spec.yaml

@@ -8,6 +8,9 @@ files:
           - name: file_system_global_blacklist
             description: |
               Instruct the check to always add these patterns to `file_system_blacklist`.
+
+              WARNING: Overriding these defaults could negatively impact your system or
+              the performance of the check.
             value:
               example:
                 - iso9660$
@@ -17,6 +20,9 @@ files:
           - name: device_global_blacklist
             description: |
               Instruct the check to always add these patterns to `device_blacklist`.
+
+              WARNING: Overriding these defaults could negatively impact your system or
+              the performance of the check.
             value:
               example: []
               type: array
@@ -25,8 +31,12 @@ files:
           - name: mount_point_global_blacklist
             description: |
               Instruct the check to always add these patterns to `mount_point_blacklist`.
+
+              WARNING: Overriding these defaults could negatively impact your system or
+              the performance of the check.
             value:
-              example: []
+              example:
+                - (/host)?/proc/sys/fs/binfmt_misc$
               type: array
               items:
                 type: string

disk/datadog_checks/disk/data/conf.yaml.default

@@ -4,19 +4,29 @@ init_config:
 
     ## @param file_system_global_blacklist - list of strings - optional
     ## Instruct the check to always add these patterns to `file_system_blacklist`.
+    ##
+    ## WARNING: Overriding these defaults could negatively impact your system or
+    ## the performance of the check.
     #
     # file_system_global_blacklist:
     #   - iso9660$
 
     ## @param device_global_blacklist - list of strings - optional
     ## Instruct the check to always add these patterns to `device_blacklist`.
+    ##
+    ## WARNING: Overriding these defaults could negatively impact your system or
+    ## the performance of the check.
     #
     # device_global_blacklist: []
 
     ## @param mount_point_global_blacklist - list of strings - optional
     ## Instruct the check to always add these patterns to `mount_point_blacklist`.
+    ##
+    ## WARNING: Overriding these defaults could negatively impact your system or
+    ## the performance of the check.
     #
-    # mount_point_global_blacklist: []
+    # mount_point_global_blacklist:
+    #   - (/host)?/proc/sys/fs/binfmt_misc$
 
 ## Every instance is scheduled independent of the others.
 #

disk/datadog_checks/disk/disk.py

@@ -438,4 +438,8 @@ def get_default_device_blacklist():
 
     @staticmethod
     def get_default_mount_mount_blacklist():
-        return []
+        return [
+            # https://github.com/DataDog/datadog-agent/issues/1961
+            # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1049
+            '(/host)?/proc/sys/fs/binfmt_misc$'
+        ]

disk/tests/test_filter.py

@@ -39,7 +39,7 @@ def test_bad_config_string_regex():
     assert_regex_equal(c._device_whitelist, re.compile('test', IGNORE_CASE))
     assert_regex_equal(c._device_blacklist, re.compile('test', IGNORE_CASE))
     assert_regex_equal(c._mount_point_whitelist, re.compile('test', IGNORE_CASE))
-    assert_regex_equal(c._mount_point_blacklist, re.compile('test', IGNORE_CASE))
+    assert_regex_equal(c._mount_point_blacklist, re.compile('test|(/host)?/proc/sys/fs/binfmt_misc$', IGNORE_CASE))
 
 
 def test_ignore_empty_regex():
@@ -58,7 +58,7 @@ def test_ignore_empty_regex():
     assert_regex_equal(c._device_whitelist, re.compile('test', IGNORE_CASE))
     assert_regex_equal(c._device_blacklist, re.compile('test', IGNORE_CASE))
     assert_regex_equal(c._mount_point_whitelist, re.compile('test', IGNORE_CASE))
-    assert_regex_equal(c._mount_point_blacklist, re.compile('test', IGNORE_CASE))
+    assert_regex_equal(c._mount_point_blacklist, re.compile('test|(/host)?/proc/sys/fs/binfmt_misc$', IGNORE_CASE))
 
 
 def test_exclude_bad_devices():
@@ -191,7 +191,7 @@ def test_legacy_config():
 
     assert_regex_equal(c._file_system_blacklist, re.compile('iso9660$|test$', re.I))
     assert_regex_equal(c._device_blacklist, re.compile('test1$|test2', IGNORE_CASE))
-    assert_regex_equal(c._mount_point_blacklist, re.compile('test', IGNORE_CASE))
+    assert_regex_equal(c._mount_point_blacklist, re.compile('(/host)?/proc/sys/fs/binfmt_misc$|test', IGNORE_CASE))
 
 
 def test_legacy_exclude_disk():

disk/tests/test_unit.py

@@ -11,6 +11,7 @@
 from datadog_checks.base.utils.platform import Platform
 from datadog_checks.base.utils.timeout import TimeoutException
 from datadog_checks.disk import Disk
+from datadog_checks.disk.disk import IGNORE_CASE
 
 from .common import DEFAULT_DEVICE_BASE_NAME, DEFAULT_DEVICE_NAME, DEFAULT_FILE_SYSTEM, DEFAULT_MOUNT_POINT
 from .mocks import MockDiskMetrics, MockPart, mock_blkid_output
@@ -26,7 +27,7 @@ def test_default_options():
     assert check._device_whitelist is None
     assert check._device_blacklist is None
     assert check._mount_point_whitelist is None
-    assert check._mount_point_blacklist is None
+    assert check._mount_point_blacklist == re.compile('(/host)?/proc/sys/fs/binfmt_misc$', IGNORE_CASE)
     assert check._tag_by_filesystem is False
     assert check._device_tag_re == []
     assert check._service_check_rw is False