Skip to content

v0.11.0 — SecurityAction: privesc / injection / open-port#3

Merged
ZhiXiao-Lin merged 1 commit into
mainfrom
feat/observer-security-action
Jun 24, 2026
Merged

v0.11.0 — SecurityAction: privesc / injection / open-port#3
ZhiXiao-Lin merged 1 commit into
mainfrom
feat/observer-security-action

Conversation

@ZhiXiao-Lin

Copy link
Copy Markdown
Contributor

Adds AgentEvent::SecurityAction { pid, kind, detail } — one rare-and-loud, in-kernel-filtered event for the security-sensitive syscalls an agent rarely makes but that matter when it does.

Kinds (one SEC_EVENTS ring):

  • setuid-root — setuid/setresuid/setreuid → (e)uid 0 from a non-root caller (privesc, incl. the EPERM-bound attempt). Thread-group-leader gated so glibc's NPTL setxid broadcast doesn't fan out one escalation into N duplicate events.
  • ptrace — ptrace(ATTACH|SEIZE) of another process (detail = target pid): injection.
  • bind — bind() to a fixed non-loopback port (detail = port): an off-host-reachable listener.

Validation: live on Linux 6.8 — all three fire with correct detail, verifier loads clean, a 16-thread setuid(0) deduped to one event. Built via an 8-dim enrichment roadmap + a 4-lens adversarial verify fan-out before ship; the verify's two medium findings (setreuid coverage gap, per-thread duplication) are fixed in this PR.

Scope: setgid group escalation and loopback-only binds intentionally excluded.

Unified rare-and-loud, in-kernel-filtered security event on one ring:
- setuid-root: setuid/setresuid/setreuid -> (e)uid 0 from non-root (privesc,
  incl. EPERM-bound attempt). Thread-group-leader gated so glibc NPTL setxid
  broadcast doesn't fan out one escalation into N events.
- ptrace: ptrace(ATTACH|SEIZE) of another process (detail = target pid).
- bind: bind() to a fixed non-loopback port (detail = port).

Live-validated on Linux 6.8 (all three fire with correct detail, verifier
loads clean, 16-thread setuid deduped to one event). Adversarial verify
fan-out (4 lenses) before ship; its two medium findings (setreuid gap,
per-thread dup) fixed here.
@ZhiXiao-Lin ZhiXiao-Lin merged commit e79e604 into main Jun 24, 2026
1 check passed
@ZhiXiao-Lin ZhiXiao-Lin deleted the feat/observer-security-action branch June 24, 2026 09:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant