[FA] - Fix apm_inject test verifySharedLib fail

[Hitsuji-M]

What does this PR do?

Fixes APM inject tests flaking on Debian 12 and Ubuntu 24.04 by making verifySharedLib only block installation on fatal crash signals, and removes the now-unnecessary flake marks.

Motivation

The new datadog-apm-inject release (538720e) introduced telemetry code (9c23a97c) that, when the C library is loaded during the pre-write sanity check (verifySharedLib), attempts network/procfs operations that AppArmor blocks on Ubuntu 24.04 and Debian 12. This caused echo 1 to exit with a non-zero code, which the sanity check incorrectly treated the same as a fatal crash — aborting the install entirely.

The original check blocked the install on any non-zero exit from echo 1. But the purpose of verifySharedLib is narrower: prevent a library that sends fatal crash signals (SIGSEGV, SIGABRT) from being written to /etc/ld.so.preload, where it would kill every process on the system. A library that exits non-zero due to a blocked AppArmor syscall does not crash host processes at runtime — it fails gracefully and injection simply doesn't happen.

The TestAppArmor assertion was already fixed separately in #50400. The flake marks added in #50387 can now be removed.

Describe how you validated your changes

• VerifySharedLib unit tests (TestVerifySharedLib_BuggyLibrary, TestInstrumentLDPreload_BuggyLibrary) updated and passing: a library that sends SIGSEGV still blocks the install; a library that exits non-zero does not.
• TestAppArmor assertion widened to "not injecting" which matches both the old Go subprocess message and the new C library message.

Additional Notes

The root cause of the non-zero exit belongs in the auto_inject repo (a crashtracker fix ebbfe1b4 exists there but is not yet in a pinned release). This PR makes the agent-side sanity check correctly tolerant of graceful failures while preserving protection against libraries that actually crash host processes.

[datadog-datadog-prod-us1-2]

🎯 Code Coverage (details)
• Patch Coverage: 66.67%
• Overall Coverage: 50.26% (+0.00%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 9f1e9e7 | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor b182c4f5:

Results for datadog-agent_7.80.0~devel.git.507.9f1e9e7.pipeline.111712319-1_amd64.deb:

No change detected

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor b182c4f
📊 Static Quality Gates Dashboard
🔗 SQG Job

32 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64	742.198 MiB
✅	agent_deb_amd64_fips	700.273 MiB
✅	agent_heroku_amd64	309.139 MiB
✅	agent_rpm_amd64	742.182 MiB
✅	agent_rpm_amd64_fips	700.256 MiB
✅	agent_rpm_arm64	720.116 MiB
✅	agent_rpm_arm64_fips	681.286 MiB
✅	agent_suse_amd64	742.182 MiB
✅	agent_suse_amd64_fips	700.256 MiB
✅	agent_suse_arm64	720.116 MiB
✅	agent_suse_arm64_fips	681.286 MiB
✅	docker_agent_amd64	802.440 MiB
✅	docker_agent_arm64	805.215 MiB
✅	docker_agent_jmx_amd64	993.360 MiB
✅	docker_agent_jmx_arm64	984.914 MiB
✅	docker_cluster_agent_amd64	206.607 MiB
✅	docker_cluster_agent_arm64	220.634 MiB
✅	docker_cws_instrumentation_amd64	7.142 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_host_profiler_amd64	301.108 MiB
✅	docker_host_profiler_arm64	312.624 MiB
✅	docker_dogstatsd_amd64	39.492 MiB
✅	docker_dogstatsd_arm64	37.690 MiB
✅	dogstatsd_deb_amd64	30.149 MiB
✅	dogstatsd_deb_arm64	28.279 MiB
✅	dogstatsd_rpm_amd64	30.149 MiB
✅	dogstatsd_suse_amd64	30.149 MiB
✅	iot_agent_deb_amd64	44.462 MiB
✅	iot_agent_deb_arm64	41.442 MiB
✅	iot_agent_deb_armhf	42.183 MiB
✅	iot_agent_rpm_amd64	44.462 MiB
✅	iot_agent_suse_amd64	44.462 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	-33.18 KiB (0.02% reduction)	175.736 → 175.704 → 179.160
✅	agent_deb_amd64_fips	-12.1 KiB (0.01% reduction)	167.421 → 167.409 → 174.440
✅	agent_heroku_amd64	neutral	74.981 MiB → 80.310
✅	agent_rpm_amd64	+4.51 KiB (0.00% increase)	177.738 → 177.742 → 182.080
✅	agent_rpm_amd64_fips	-20.7 KiB (0.01% reduction)	168.742 → 168.722 → 174.140
✅	agent_rpm_arm64	+10.32 KiB (0.01% increase)	159.813 → 159.823 → 163.610
✅	agent_rpm_arm64_fips	-5.23 KiB (0.00% reduction)	152.138 → 152.133 → 156.850
✅	agent_suse_amd64	+4.51 KiB (0.00% increase)	177.738 → 177.742 → 182.080
✅	agent_suse_amd64_fips	-20.7 KiB (0.01% reduction)	168.742 → 168.722 → 174.140
✅	agent_suse_arm64	+10.32 KiB (0.01% increase)	159.813 → 159.823 → 163.610
✅	agent_suse_arm64_fips	-5.23 KiB (0.00% reduction)	152.138 → 152.133 → 156.850
✅	docker_agent_amd64	neutral	268.252 MiB → 272.990
✅	docker_agent_arm64	neutral	255.246 MiB → 261.470
✅	docker_agent_jmx_amd64	neutral	336.901 MiB → 341.610
✅	docker_agent_jmx_arm64	-4.71 KiB (0.00% reduction)	319.882 → 319.878 → 326.050
✅	docker_cluster_agent_amd64	neutral	72.426 MiB → 73.460
✅	docker_cluster_agent_arm64	neutral	67.892 MiB → 68.680
✅	docker_cws_instrumentation_amd64	neutral	2.999 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.729 MiB → 3.090
✅	docker_host_profiler_amd64	neutral	110.751 MiB → 125.600
✅	docker_host_profiler_arm64	neutral	105.084 MiB → 120.000
✅	docker_dogstatsd_amd64	neutral	15.287 MiB → 15.870
✅	docker_dogstatsd_arm64	neutral	14.598 MiB → 14.890
✅	dogstatsd_deb_amd64	neutral	7.978 MiB → 8.830
✅	dogstatsd_deb_arm64	neutral	6.857 MiB → 7.750
✅	dogstatsd_rpm_amd64	neutral	7.987 MiB → 8.840
✅	dogstatsd_suse_amd64	neutral	7.987 MiB → 8.840
✅	iot_agent_deb_amd64	neutral	11.701 MiB → 13.210
✅	iot_agent_deb_arm64	neutral	9.997 MiB → 11.620
✅	iot_agent_deb_armhf	neutral	10.209 MiB → 11.780
✅	iot_agent_rpm_amd64	neutral	11.721 MiB → 13.230
✅	iot_agent_suse_amd64	neutral	11.721 MiB → 13.230

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 72859063-8a91-48cd-8087-cb1cf8ad7107

Baseline: b182c4f
Comparison: 9f1e9e7
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	-0.05	[-2.95, +2.84]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	otlp_ingest_logs	memory utilization	+0.90	[+0.80, +1.00]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	+0.63	[+0.39, +0.87]	1	Logs bounds checks dashboard
➖	quality_gate_idle	memory utilization	+0.45	[+0.40, +0.49]	1	Logs bounds checks dashboard
➖	ddot_metrics_sum_delta	memory utilization	+0.44	[+0.24, +0.63]	1	Logs
➖	ddot_metrics	memory utilization	+0.29	[+0.08, +0.49]	1	Logs
➖	docker_containers_memory	memory utilization	+0.27	[+0.15, +0.38]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.04	[-0.37, +0.44]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	+0.03	[-0.19, +0.25]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	+0.02	[-0.43, +0.47]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.00	[-0.19, +0.20]	1	Logs
➖	ddot_logs	memory utilization	+0.00	[-0.07, +0.07]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.00	[-0.56, +0.55]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.00	[-0.15, +0.14]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.02	[-0.15, +0.12]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	-0.02	[-0.26, +0.22]	1	Logs
➖	docker_containers_cpu	% cpu utilization	-0.05	[-2.95, +2.84]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.09	[-0.14, -0.05]	1	Logs bounds checks dashboard
➖	otlp_ingest_metrics	memory utilization	-0.13	[-0.29, +0.03]	1	Logs
➖	file_tree	memory utilization	-0.15	[-0.20, -0.10]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	-0.18	[-0.39, +0.03]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	-0.18	[-0.34, -0.02]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	-0.20	[-0.24, -0.15]	1	Logs
➖	quality_gate_logs	% cpu utilization	-0.97	[-1.93, -0.01]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	659 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	248.32MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	698 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.16GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.17GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.19GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	141.90MiB ≤ 147MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	479.44MiB ≤ 495MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	177.70MiB ≤ 195MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	358.82 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	382.64MiB ≤ 430MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.

[maattdd]

I'm not sure about this.

It seems our injector code is actually being blocked by AppArmor (because of telemetry?) so it will make AppArmor block all apps on the system (better than crashing but still unusable).

[Hitsuji-M]

I'm not sure too, that's why I'm keeping it as a draft to take the time to find a proper fix.