fix(agent): deduplicate exec audit events

Author: kylewanginchina

agent/crates/enterprise-utils/src/lib.rs

@@ -548,6 +548,14 @@ pub mod ai_agent_enforcement {
         pub rule_index: u32,
         pub rule_id: String,
         pub mode: EnforcementMode,
+        pub kernel_event_source: KernelEventSource,
+    }
+
+    #[derive(Clone, Copy, Debug, PartialEq, Eq)]
+    pub enum KernelEventSource {
+        None,
+        Lsm,
+        KprobeOverride,
     }
 
     #[derive(Clone, Debug, PartialEq, Eq)]

agent/src/config/handler.rs

@@ -6196,7 +6196,7 @@ mod tests {
         );
         assert_eq!(
             config.ai_agent_enforcement.allowed_mechanisms,
-            vec!["lsm", "kprobe_override", "sigkill", "seccomp"]
+            vec!["lsm", "kprobe_override"]
         );
         assert!(config.ai_agent_enforcement.rules.is_empty());
     }

agent/src/ebpf/test/test_ai_agent_source_contracts.py

@@ -402,8 +402,8 @@ def read_source(path: Path) -> str:
         "standalone exec override wrapper must define shared map symbols and include only exec override kprobes",
     )
     require(
-        "buf->arg.bytes,\n\t\t\t\t       AI_AGENT_EXEC_OVERRIDE_ARG_LEN" in exec_override_text,
-        "AI Agent exec override must emit argv cmdline with the 64-byte argv buffer size, not the 256-byte path size",
+        "buf->path,\n\t\t\t\t       AI_AGENT_EXEC_PATTERN_LEN" in exec_override_text,
+        "AI Agent exec override must report exec_path as cmdline placeholder instead of a partial argv slot",
     )
     syscall_override_bpf = ENTERPRISE_BPF / "ai_agent_syscall_override.bpf.c"
     require(

agent/src/ebpf_dispatcher.rs

@@ -192,7 +192,7 @@ fn fill_ai_agent_root_pid(event: &mut BoxedProcEvents) {
 #[cfg(feature = "enterprise")]
 #[allow(static_mut_refs)]
 fn emit_ai_agent_enforcement_audit_event(event: &BoxedProcEvents) {
-    use enterprise_utils::ai_agent_enforcement::EnforcementMode;
+    use enterprise_utils::ai_agent_enforcement::{EnforcementMode, KernelEventSource};
 
     if event.0.ai_agent_root_pid == 0 {
         return;
@@ -214,6 +214,17 @@ fn emit_ai_agent_enforcement_audit_event(event: &BoxedProcEvents) {
     if hit.mode != EnforcementMode::AuditOnly {
         return;
     }
+    match hit.kernel_event_source {
+        KernelEventSource::Lsm if AI_AGENT_EXEC_LSM_EVENTS_ACTIVE.load(Ordering::Relaxed) => {
+            return;
+        }
+        KernelEventSource::KprobeOverride
+            if AI_AGENT_EXEC_KPROBE_EVENTS_ACTIVE.load(Ordering::Relaxed) =>
+        {
+            return;
+        }
+        _ => {}
+    }
     let Some(audit_event) = event
         .0
         .new_proc_block_event_for_audit(&hit.rule_id, policy.epoch)
@@ -690,6 +701,10 @@ static AI_AGENT_SYSCALL_RULES_MAP_FD: AtomicI32 = AtomicI32::new(-1);
 #[cfg(feature = "enterprise")]
 static AI_AGENT_POLICY_EPOCH_MAP_FD: AtomicI32 = AtomicI32::new(-1);
 #[cfg(feature = "enterprise")]
+static AI_AGENT_EXEC_LSM_EVENTS_ACTIVE: AtomicBool = AtomicBool::new(false);
+#[cfg(feature = "enterprise")]
+static AI_AGENT_EXEC_KPROBE_EVENTS_ACTIVE: AtomicBool = AtomicBool::new(false);
+#[cfg(feature = "enterprise")]
 const AI_AGENT_EXEC_RULES_BPF_MAX: usize = 256;
 #[cfg(feature = "enterprise")]
 const AI_AGENT_SYSCALL_RULES_BPF_MAX: usize = 32;
@@ -1716,6 +1731,8 @@ impl EbpfCollector {
         let max_syscall_records = config.max_rules.min(AI_AGENT_SYSCALL_RULES_BPF_MAX);
         if !config.enabled {
             set_global_exec_policy(None);
+            AI_AGENT_EXEC_LSM_EVENTS_ACTIVE.store(false, Ordering::Relaxed);
+            AI_AGENT_EXEC_KPROBE_EVENTS_ACTIVE.store(false, Ordering::Relaxed);
             Self::clear_ai_agent_exec_enforcement_bpf_maps(max_exec_records);
             Self::clear_ai_agent_syscall_enforcement_bpf_maps(max_syscall_records);
             return;
@@ -1750,6 +1767,8 @@ impl EbpfCollector {
             Err(e) => {
                 warn!("AI Agent enforcement: failed to compile policy: {}", e);
                 set_global_exec_policy(None);
+                AI_AGENT_EXEC_LSM_EVENTS_ACTIVE.store(false, Ordering::Relaxed);
+                AI_AGENT_EXEC_KPROBE_EVENTS_ACTIVE.store(false, Ordering::Relaxed);
                 Self::clear_ai_agent_exec_enforcement_bpf_maps(max_exec_records);
                 return;
             }
@@ -1775,10 +1794,16 @@ impl EbpfCollector {
                         set_global_exec_policy(None);
                     }
                 }
+                AI_AGENT_EXEC_LSM_EVENTS_ACTIVE.store(false, Ordering::Relaxed);
+                AI_AGENT_EXEC_KPROBE_EVENTS_ACTIVE.store(false, Ordering::Relaxed);
                 Self::clear_ai_agent_exec_enforcement_bpf_maps(max_exec_records);
                 return;
             }
+            AI_AGENT_EXEC_LSM_EVENTS_ACTIVE.store(lsm_allowed, Ordering::Relaxed);
+            AI_AGENT_EXEC_KPROBE_EVENTS_ACTIVE.store(kprobe_override_allowed, Ordering::Relaxed);
         } else {
+            AI_AGENT_EXEC_LSM_EVENTS_ACTIVE.store(false, Ordering::Relaxed);
+            AI_AGENT_EXEC_KPROBE_EVENTS_ACTIVE.store(false, Ordering::Relaxed);
             Self::clear_ai_agent_exec_enforcement_bpf_maps(max_exec_records);
         }