Commit 2acc8b9

fix(uwsgi): add to ssi denylist [backport 3.3] (#12942)
Backport 327a1e6 from #12891 to 3.3.

According to our [docs](https://docs.datadoghq.com/tracing/trace_collection/library_injection_local/?tab=kubernetes#requirements) SSI does not support UWSGI. To make SSI+ddtrace-py more resilient we should add `/usr/bin/uwsgi` to the denylist. This is not a perfect solution since the uwsgi command can be stored elsewhere on a host and this could make it more challenging to add uwsgi support in the future (SSI will fail and it will be hard to know this change is why).

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Munir Abdinur <[email protected]>
1 parent 5a61bcf commit 2acc8b9

2 files changed, +6 -0 lines changed

lib-injection/sources/denied_executables.txt

Lines changed: 2 additions & 0 deletions
@@ -1201,3 +1201,5 @@ usr/libexec/grepconf.sh
12011201
/usr/bin/sepolgen-ifgen
12021202
/usr/bin/sepolicy
12031203
/usr/bin/sesearch
1204+
# Python tools
1205+
uwsgi
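
Review bot: The entry added on new line 1205 is the bare name uwsgi, while the commit message says /usr/bin/uwsgi should be added and the neighbouring entries (/usr/bin/sepolicy, /usr/bin/sesearch) are absolute paths. If the injector compares the full executable path against this file, a bare uwsgi never matches and SSI still injects into uWSGI processes; if it compares the basename, the entry works and also covers installs outside /usr/bin, but then the commit message should say that. Please confirm which form the matcher expects and either change the entry to /usr/bin/uwsgi or correct the description. Also confirm that the loader skips the "# Python tools" line on 1204, since no other comment line is visible in this hunk, and note that neither of the two changed files is a test showing that uwsgi is actually denied.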
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
other:
3+
- |
4+
library: Ensure that the SSI is not used for uWSGI applications. For enablement instructions, refer to the following our `advanced_usage docs https://ddtrace.readthedocs.io/en/stable/advanced_usage.html#uwsgi`_ .
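
Review bot: The link on new line 4 is not valid reStructuredText, because the URL is not wrapped in angle brackets; as written, the whole backquoted string is read as a reference to an undefined target name instead of a link to the uWSGI section. Put the URL in angle brackets inside the backquotes, after the link text "advanced_usage docs", and drop the space before the final period. The sentence also reads "refer to the following our", where "the following" should be removed, and "Ensure that the SSI is not used for uWSGI applications" reads as an instruction to the user; state what the library now does (uwsgi is on the SSI denylist, so injection is skipped for it). Since the commit is titled fix(uwsgi), consider whether this belongs under fixes: instead of other:.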
