fix(ebpf): harden ai agent exec lsm enforcement

kylewanginchina · kylewanginchina · commit e7422861bb48 · 2026-05-13T14:05:42.000+08:00
diff --git a/agent/src/common/kernel_capability.rs b/agent/src/common/kernel_capability.rs
@@ -1,7 +1,7 @@
 use std::{
-    fs,
+    env, fs,
     io::{Cursor, Read},
-    path::Path,
+    path::{Path, PathBuf},
 };
 
 use flate2::read::GzDecoder;
@@ -17,18 +17,28 @@ pub struct KernelCapability {
 
 impl KernelCapability {
     pub fn detect() -> Self {
-        let lsm_text = fs::read_to_string("/sys/kernel/security/lsm").unwrap_or_default();
-        let config_text = read_kernel_config().unwrap_or_default();
+        let proc_root = path_from_env("PROCFS_ROOT", "/proc");
+        let sys_root = path_from_env("SYSFS_ROOT", "/sys");
+        let boot_root =
+            host_sibling_root(&proc_root, "boot").unwrap_or_else(|| PathBuf::from("/boot"));
+
+        Self::detect_from_roots(&proc_root, &sys_root, &boot_root)
+    }
+
+    pub fn detect_from_roots(proc_root: &Path, sys_root: &Path, boot_root: &Path) -> Self {
+        let lsm_text = fs::read_to_string(sys_root.join("kernel/security/lsm")).unwrap_or_default();
+        let config_text = read_kernel_config_from_roots(proc_root, boot_root).unwrap_or_default();
+        let bpf_lsm_active = lsm_has_bpf(&lsm_text);
 
         Self {
-            bpf_lsm_configured: config_enabled(&config_text, "CONFIG_BPF_LSM"),
-            bpf_lsm_active: lsm_has_bpf(&lsm_text),
+            bpf_lsm_configured: config_enabled(&config_text, "CONFIG_BPF_LSM") || bpf_lsm_active,
+            bpf_lsm_active,
             bpf_kprobe_override_configured: config_enabled(
                 &config_text,
                 "CONFIG_BPF_KPROBE_OVERRIDE",
             ),
             seccomp_filter_configured: config_enabled(&config_text, "CONFIG_SECCOMP_FILTER"),
-            btf_vmlinux_available: Path::new("/sys/kernel/btf/vmlinux").exists(),
+            btf_vmlinux_available: sys_root.join("kernel/btf/vmlinux").exists(),
         }
     }
 
@@ -37,6 +47,18 @@ impl KernelCapability {
     }
 }
 
+fn path_from_env(name: &str, default: &str) -> PathBuf {
+    env::var_os(name)
+        .filter(|value| !value.is_empty())
+        .map(PathBuf::from)
+        .unwrap_or_else(|| PathBuf::from(default))
+}
+
+fn host_sibling_root(proc_root: &Path, sibling: &str) -> Option<PathBuf> {
+    let parent = proc_root.parent()?;
+    Some(parent.join(sibling))
+}
+
 fn lsm_has_bpf(lsm_text: &str) -> bool {
     lsm_text
         .trim()
@@ -54,20 +76,24 @@ fn config_enabled(config_text: &str, option: &str) -> bool {
 }
 
 fn read_kernel_config() -> Option<String> {
-    if let Some(config) = read_boot_kernel_config() {
+    read_kernel_config_from_roots(Path::new("/proc"), Path::new("/boot"))
+}
+
+fn read_kernel_config_from_roots(proc_root: &Path, boot_root: &Path) -> Option<String> {
+    if let Some(config) = read_boot_kernel_config(proc_root, boot_root) {
         return Some(config);
     }
-    read_proc_kernel_config()
+    read_proc_kernel_config(proc_root)
 }
 
-fn read_boot_kernel_config() -> Option<String> {
-    let release = fs::read_to_string("/proc/sys/kernel/osrelease").ok()?;
-    let path = format!("/boot/config-{}", release.trim());
+fn read_boot_kernel_config(proc_root: &Path, boot_root: &Path) -> Option<String> {
+    let release = fs::read_to_string(proc_root.join("sys/kernel/osrelease")).ok()?;
+    let path = boot_root.join(format!("config-{}", release.trim()));
     fs::read_to_string(path).ok()
 }
 
-fn read_proc_kernel_config() -> Option<String> {
-    let compressed = fs::read("/proc/config.gz").ok()?;
+fn read_proc_kernel_config(proc_root: &Path) -> Option<String> {
+    let compressed = fs::read(proc_root.join("config.gz")).ok()?;
     decode_gzip(&compressed).ok()
 }
 
@@ -113,4 +139,40 @@ mod tests {
         }
         .supports_exec_lsm_enforcement());
     }
+
+    #[test]
+    fn detect_from_roots_reads_host_sysfs_lsm_in_container() {
+        let root = make_temp_root("host-sysfs-lsm");
+        let proc_root = root.join("host-proc");
+        let sys_root = root.join("host-sys");
+        let boot_root = root.join("boot");
+        fs::create_dir_all(sys_root.join("kernel/security")).unwrap();
+        fs::create_dir_all(sys_root.join("kernel/btf")).unwrap();
+        fs::create_dir_all(proc_root.join("sys/kernel")).unwrap();
+        fs::write(
+            sys_root.join("kernel/security/lsm"),
+            "capability,yama,selinux,bpf",
+        )
+        .unwrap();
+        fs::write(sys_root.join("kernel/btf/vmlinux"), b"btf").unwrap();
+        fs::write(proc_root.join("sys/kernel/osrelease"), "4.18.0-test\n").unwrap();
+
+        let capability = KernelCapability::detect_from_roots(&proc_root, &sys_root, &boot_root);
+
+        assert!(capability.bpf_lsm_active);
+        assert!(capability.bpf_lsm_configured);
+        assert!(capability.btf_vmlinux_available);
+
+        let _ = fs::remove_dir_all(root);
+    }
+
+    fn make_temp_root(name: &str) -> std::path::PathBuf {
+        let root = std::env::temp_dir().join(format!(
+            "deepflow-kernel-capability-{name}-{}",
+            std::process::id()
+        ));
+        let _ = fs::remove_dir_all(&root);
+        fs::create_dir_all(&root).unwrap();
+        root
+    }
 }
diff --git a/agent/src/ebpf/test/test_ai_agent_exec_enforcement.sh b/agent/src/ebpf/test/test_ai_agent_exec_enforcement.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Lightweight manual harness for AI Agent exec enforcement verification.
+# It intentionally does not start or reconfigure deepflow-agent; effective policy
+# must be delivered by DeepFlow server/controller agent-group configuration.
+
+SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
+LSM_FILE="${SYSFS_ROOT%/}/kernel/security/lsm"
+BLOCKED_CMD="${BLOCKED_CMD:-/usr/bin/uname}"
+SERVER_NODE="${SERVER_NODE:-10.50.120.81}"
+AGENT_NODE="${AGENT_NODE:-10.50.120.21}"
+NAMESPACE="${NAMESPACE:-deepflow}"
+AGENT_DS="${AGENT_DS:-deepflow-agent-r4-dcn-ctrl}"
+
+if [[ ! -r "$LSM_FILE" ]]; then
+	echo "SKIP: cannot read $LSM_FILE"
+	exit 0
+fi
+
+if ! tr ',' '\n' <"$LSM_FILE" | grep -qx bpf; then
+	echo "SKIP: BPF LSM is not active in $LSM_FILE"
+	exit 0
+fi
+
+if [[ ! -x "$BLOCKED_CMD" ]]; then
+	echo "SKIP: blocked command $BLOCKED_CMD is not executable on this host"
+	exit 0
+fi
+
+echo "OK: BPF LSM active and $BLOCKED_CMD exists."
+cat <<EOF
+
+Manual K8s verification checklist:
+
+1. Configure the rule through DeepFlow server/controller agent-group config,
+   not only through the Kubernetes ConfigMap:
+     inputs.proc.ai_agent.enforcement.enabled: true
+     inputs.proc.ai_agent.enforcement.mode: block
+     exact rule path: $BLOCKED_CMD
+
+2. Refresh controller vtap cache, then check the target DaemonSet:
+     ssh root@$SERVER_NODE 'kubectl -n $NAMESPACE get ds $AGENT_DS -o wide'
+
+3. Confirm agent logs show both capability and LSM attach success:
+     ssh root@$AGENT_NODE \\
+       'sudo crictl ps --name deepflow-agent && sudo crictl logs <container-id> 2>&1 | grep -Ei "KernelCapability|bpf_lsm|attach lsm" | tail -50'
+
+4. Trigger an AI endpoint hit from the same process that later executes
+   $BLOCKED_CMD. Expected result in block mode:
+     PermissionError errno=1
+
+5. If event persistence is being validated, deploy a server/schema version that
+   contains event.proc_block_event before querying ClickHouse.
+EOF
diff --git a/agent/src/ebpf/test/test_ai_agent_source_contracts.py b/agent/src/ebpf/test/test_ai_agent_source_contracts.py
@@ -137,6 +137,12 @@ def read_source(path: Path) -> str:
     "BPF_PROG_TYPE_LSM" in load_text,
     "load.c must map lsm/ programs to BPF_PROG_TYPE_LSM",
 )
+require(
+    "prog_load_name" in load_text
+    and "prog->type == BPF_PROG_TYPE_LSM" in load_text
+    and '"lsm__%s"' in load_text,
+    "load.c must pass lsm__<hook> to BCC so it sets BPF_LSM_MAC and lets libbpf find bpf_lsm_<hook>",
+)
 require(
     "program__attach_lsm" in probe_text,
     "probe.c must provide an LSM attach helper",
@@ -145,6 +151,10 @@ def read_source(path: Path) -> str:
     "bpf_raw_tracepoint_open" in probe_text,
     "LSM attach helper must use the raw tracepoint attach syscall path",
 )
+require(
+    "bpf_raw_tracepoint_open(NULL, ebpf_prog->prog_fd)" in probe_text,
+    "LSM attach helper must attach by loaded attach_btf_id, not by raw tracepoint hook name",
+)
 require(
     "struct lsm_prog" in tracer_h_text and "lsms_count" in tracer_h_text,
     "tracer.h must keep LSM program attach state",
@@ -177,6 +187,10 @@ def read_source(path: Path) -> str:
         'SEC("lsm/bprm_check_security")' in exec_enforce_text,
         "AI Agent exec enforcement must attach to lsm/bprm_check_security",
     )
+    require(
+        "BPF_PROG(bpf_lsm_bprm_check_security," in exec_enforce_text,
+        "AI Agent exec enforcement BPF function name must match the bpf_lsm_<hook> BTF name for BCC/libbpf lookup",
+    )
     require(
         "is_ai_agent_process" in exec_enforce_text
         or "ai_agent_pids" in exec_enforce_text,
@@ -186,6 +200,23 @@ def read_source(path: Path) -> str:
         "DATA_SOURCE_PROC_BLOCK_EVENT" in exec_enforce_text,
         "AI Agent exec enforcement must emit proc block events",
     )
+    require(
+        "#define AI_AGENT_EXEC_MAX_RULES      8" in exec_enforce_text,
+        "AI Agent exec enforcement must cap BPF-side rule scan to 8 records to stay under old verifier complexity limits",
+    )
+    require(
+        "ai_agent_match_contains" not in exec_enforce_text
+        and "AI_AGENT_EXEC_MATCH_ARGV_CONTAINS" not in exec_enforce_text,
+        "AI Agent exec enforcement BPF must not include argv_contains nested scans on old verifier kernels",
+    )
+    require(
+        "pattern_hash" in exec_enforce_text
+        and "ai_agent_hash_exec_path" in exec_enforce_text
+        and "ai_agent_match_exact" not in exec_enforce_text
+        and "ai_agent_match_prefix" not in exec_enforce_text
+        and "ai_agent_match_suffix" not in exec_enforce_text,
+        "AI Agent exec enforcement BPF must use precomputed exact path hashes instead of verifier-expensive string scans",
+    )
     require(
         "ai_agent_submit_event" in exec_enforce_text,
         "AI Agent exec enforcement must submit events through the AI Agent pipeline",
diff --git a/agent/src/ebpf/user/load.c b/agent/src/ebpf/user/load.c
@@ -74,6 +74,23 @@ extern int btf__set_pointer_size(struct btf *btf, size_t ptr_sz);
 
 static int probe_read_kernel_feat;
 
+static const char *prog_load_name(const struct ebpf_prog *prog, char *buf,
+				  size_t buf_len)
+{
+	if (prog->type == BPF_PROG_TYPE_LSM && prog->sec_name != NULL &&
+	    !strncmp(prog->sec_name, "lsm/", 4) && prog->sec_name[4] != '\0') {
+		/*
+		 * BCC uses the lsm__ prefix to set expected_attach_type to
+		 * BPF_LSM_MAC. libbpf then adds the kernel BTF bpf_lsm_
+		 * prefix while resolving attach_btf_id.
+		 */
+		snprintf(buf, buf_len, "lsm__%s", prog->sec_name + 4);
+		return buf;
+	}
+
+	return prog->name;
+}
+
 int suspend_stderr()
 {
 	fflush(stderr);
@@ -261,7 +278,10 @@ static void log_verifier_tail(const char *buf, size_t len)
 
 int load_ebpf_prog(struct ebpf_prog *prog)
 {
-	return bcc_prog_load(prog->type, prog->name,
+	char name_buf[128];
+	const char *name = prog_load_name(prog, name_buf, sizeof(name_buf));
+
+	return bcc_prog_load(prog->type, name,
 			     prog->insns, prog->insns_size, prog->obj->license,
 			     prog->obj->kern_version, 0, NULL,
 			     0 /*EBPF_LOG_LEVEL, log_buf, LOG_BUF_SZ */ );
@@ -776,12 +796,15 @@ static int load_obj__progs(struct ebpf_object *obj)
 		// Modify eBPF instructions based on BTF relocation information.
 		obj_relocate_core(new_prog);
 
+		char name_buf[128];
+		const char *name =
+		    prog_load_name(new_prog, name_buf, sizeof(name_buf));
 		int stderr_fd = suspend_stderr();
 		if (stderr_fd < 0) {
 			ebpf_warning("Failed to suspend stderr\n");
 		}
 		new_prog->prog_fd =
-		    bcc_prog_load(new_prog->type, new_prog->name,
+		    bcc_prog_load(new_prog->type, name,
 				  new_prog->insns, new_prog->insns_size,
 				  obj->license, obj->kern_version, 0, NULL,
 				  0 /*EBPF_LOG_LEVEL, log_buf, LOG_BUF_SZ */ );
@@ -792,7 +815,7 @@ static int load_obj__progs(struct ebpf_object *obj)
 			bool save_full_log = env_flag_enabled(VERIFIER_LOG_ENV);
 			ebpf_warning
 			    ("bcc_prog_load() failed. name: %s, %s errno: %d\n",
-			     new_prog->name, strerror(errno), errno);
+			     name, strerror(errno), errno);
 			char log_path[] = "/tmp/df_verifier_XXXXXX.log";
 			int tmp_fd = -1;
 			char tail_buf[VERIFIER_LOG_TAIL_BYTES + 1] = { 0 };
@@ -858,7 +881,7 @@ static int load_obj__progs(struct ebpf_object *obj)
 					log_pipe[1] = -1;
 
 					fd2 = bcc_prog_load(new_prog->type,
-							    new_prog->name,
+							    name,
 							    new_prog->insns,
 							    new_prog->insns_size,
 							    obj->license,
@@ -912,7 +935,7 @@ static int load_obj__progs(struct ebpf_object *obj)
 				}
 
 				fd2 = bcc_prog_load(new_prog->type,
-						    new_prog->name,
+						    name,
 						    new_prog->insns,
 						    new_prog->insns_size,
 						    obj->license,
@@ -936,7 +959,7 @@ static int load_obj__progs(struct ebpf_object *obj)
 
 			if (!load_attempted) {
 				fd2 = bcc_prog_load(new_prog->type,
-						    new_prog->name,
+						    name,
 						    new_prog->insns,
 						    new_prog->insns_size,
 						    obj->license,
@@ -972,7 +995,7 @@ static int load_obj__progs(struct ebpf_object *obj)
 				// Preserve errno from the latest attempt for better diagnostics.
 				ebpf_warning
 				    ("bcc_prog_load() still failed. name: %s, errno after retry: %d (orig %d)\n",
-				     new_prog->name, retry_errno, saved_errno);
+				     name, retry_errno, saved_errno);
 				errno = retry_errno;
 			}
 
diff --git a/agent/src/ebpf/user/probe.c b/agent/src/ebpf/user/probe.c
@@ -511,7 +511,11 @@ struct ebpf_link *program__attach_lsm(void *prog)
 		return NULL;
 	}
 
-	pfd = bpf_raw_tracepoint_open(hook, ebpf_prog->prog_fd);
+	/*
+	 * BPF LSM programs are loaded with attach_btf_id. The raw tracepoint
+	 * attach syscall should use a NULL name and attach by that BTF id.
+	 */
+	pfd = bpf_raw_tracepoint_open(NULL, ebpf_prog->prog_fd);
 	if (pfd < 0) {
 		if (errno == EOPNOTSUPP || errno == EINVAL) {
 			ebpf_warning("BPF LSM attach unsupported for %s: %s(%d)\n",
diff --git a/agent/src/ebpf_dispatcher.rs b/agent/src/ebpf_dispatcher.rs
@@ -43,7 +43,9 @@ pub mod memory_profile;
 use std::ffi::{CStr, CString};
 use std::ptr::{self, null_mut};
 use std::slice;
-use std::sync::atomic::{AtomicBool, AtomicI32, AtomicI64, AtomicU64, Ordering};
+#[cfg(feature = "enterprise")]
+use std::sync::atomic::AtomicI32;
+use std::sync::atomic::{AtomicBool, AtomicI64, AtomicU64, Ordering};
 use std::sync::Arc;
 use std::thread::{self, JoinHandle};
 use std::time::Duration;
@@ -684,7 +686,7 @@ static AI_AGENT_EXEC_RULES_MAP_FD: AtomicI32 = AtomicI32::new(-1);
 #[cfg(feature = "enterprise")]
 static AI_AGENT_POLICY_EPOCH_MAP_FD: AtomicI32 = AtomicI32::new(-1);
 #[cfg(feature = "enterprise")]
-const AI_AGENT_EXEC_RULES_BPF_MAX: usize = 256;
+const AI_AGENT_EXEC_RULES_BPF_MAX: usize = 8;
 
 #[cfg(feature = "enterprise")]
 fn ai_agent_enforcement_mode_eq(value: &str, expected: &str) -> bool {
