Feat/sec core/update rpm#6
Open
yangdao479 wants to merge 238 commits into
Open
Conversation
The BPF verifier rejects trace_write_enter because it cannot prove payload_len (R2) is non-negative after 64→32 bit truncation. Add a bitmask `& (MAX_STDOUT_PAYLOAD - 1)` before bpf_probe_read_user to satisfy the verifier's range check. Signed-off-by: chengshuyi <chengshuyi@linux.alibaba.com>
Signed-off-by: yizheng <YiZheng.Yang@linux.alibaba.com>
Signed-off-by: yizheng <YiZheng.Yang@linux.alibaba.com>
Signed-off-by: yizheng <YiZheng.Yang@linux.alibaba.com>
- add run_id field to HookInput interface (optional, backward-compat) - add setCurrentRunId/getCurrentRunId accessors to Config - set currentRunId from prompt_id in GeminiClient.sendMessageStream() - reset currentRunId on session init in Config - populate run_id in HookEventHandler.createBaseInput() - add runId field to ChatRecord in chatRecordingService - update hook reference and writing-hooks docs - add unit tests for config, client, and hookEventHandler
- Add 'skill_view' to SKILL_FUNCTION_NAMES for Hermes skill load detection
- Support Hermes argument format {"name": "skill-name"} in extract_skill_name_from_args
- Add plain-text fallback regex for Hermes <available_skills> format (- skill-name: desc)
- XML format takes priority; plain-text fallback only when XML yields no results
Closes alibaba#504
…n compatibility Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Signed-off-by: chengshuyi <chengshuyi@linux.alibaba.com>
… support Replace hardcoded agent registry (Hermes/Cosh/OpenClaw) with JSON config-driven cmdline and domain rules. Add TLS SNI probe for domain-based SSL attachment. Expand FFI API and config module to support dynamic rule configuration. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…very Replace the tcp_sendmsg-based TLS SNI probe (hot path) with a udp_sendmsg-based DNS query probe that only captures port 53 traffic. This significantly reduces overhead since DNS queries are far less frequent than TCP sends, and the port filter eliminates 99%+ of UDP traffic in the first instruction. Key changes: - New udpdns.bpf.c: hooks udp_sendmsg, filters port 53, parses DNS QNAME labels to dotted notation, deduplicates via LRU hash - Skips already-traced processes via traced_processes map lookup - Maintains identical domain-based discovery semantics (domain_rules glob match + deny check -> attach SSL probe) 🤖 Generated with [Qoder][https://qoder.com]
…roll in udpdns.bpf.c
…lve -E2BIG BPF kernel side now only does port 53 filtering + DNS header validation + raw payload copy. All complex QNAME label parsing and domain assembly is done in Rust userspace (src/probes/udpdns.rs::parse_dns_qname). This eliminates nested loops in BPF entirely, making the program trivially pass the verifier on all kernel versions >= 5.3.
… and integration test
… env-check bugs - Merge 8 independent tool categories into 4 (Shell/WebFetch/Read/Write) that map to real AI agent tool names; Docker/Uv/Cargo/Git become Shell recommended deps - Add alias reverse-lookup for cross-framework tool name mapping (exec→Shell, read_file→Read, etc.) - Remove runtime state checks (docker_socket, https_outbound) — tool-ready scope is installation readiness only - Fix env-fix.sh: detect system package manager (dnf/yum/apt/apk), stale log skip when binary missing, 3-stage pip retry, hash -r after installs - Remove unsupported before_tool_register hook from openclaw plugin (openclaw only supports before_tool_call/after_tool_call/ tool_result_persist) - Update cosh hook: sequential tool-ready, 10s timeout, Shell alias regex matcher - Rewrite integration tests for 4-category model + alias lookup - Bump anolis_release to 2, rust BuildRequires to >=1.88 Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…all/uninstall - Replace manual cp/esbuild/jq with openclaw CLI commands: install → `openclaw plugins install --force --dangerously-force-unsafe-install`, uninstall → `openclaw plugins uninstall --force` - Add openclaw.extensions to package.json; compile index.ts→index.js in RPM %build so JS entry point is packaged directly - RPM postinstall: no auto plugin setup — only env-check config and legacy hook cleanup; openclaw requires manual `install.sh --openclaw` - RPM preuninstall: check if openclaw plugin dir exists before cleanup; add PATH for minimal scriptlet environment - cosh auto-discovers from /usr/share/anolisa/extensions/, no setup needed Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…olumns Old databases (pre v0.3.0) lack before_output and after_output columns, causing stats list to fail with "no such column". ALTER TABLE ADD COLUMN is now run on init for missing columns, with duplicate-column-name errors ignored (column already exists). Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…ssions - CompressToon: pass display (actual output) to record_compression_stats instead of raw toon output, fixing misleading stats on empty output - Rename estimate_tokens_from_chars → estimate_tokens_from_bytes to reflect that callers pass byte lengths (.len()), not char counts - Parameterize SQL LIMIT query instead of format! string interpolation - Unify home dir resolution using dirs::home_dir() with env fallback in main.rs and env_check.rs (replacing inconsistent std::env::var) - Fix file_read permission check to verify actual file read capability (read /etc/hostname) instead of merely stat-ing / Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
The docs drifted behind the 7 merged probes and 6 Event variants: - AGENTS.md: Event enum listed 4 of 6 variants and the probe table 4 of 7 probes; add FileWrite/UdpDns + filewrite/udpdns/tcpsniff. - integration-tests/README.md: pointed at nonexistent test_sni.md / test_hermes_sni.md and omitted the real test_dns/test_hermes_dns/test_http/ test_connection_scanner/test_ffi_integration entries. - docs/design-docs/ebpf-probes.md: said "4 probes"; document all 7 (diagram, detail sections, and the ring-buffer source-value table). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- append chalk.inverse cursor to active OpenAIKeyPrompt fields
- append chalk.inverse cursor to AliyunAuthPrompt AK/SK/model
- add cursor visibility tests for both prompts
C3: install_via_cargo_build uses bash array instead of unquoted string expansion for cargo_args; removed 2>/dev/null to surface build errors; added manifest path validation. H2: jq filter uses --arg for safe variable interpolation instead of direct string splicing into JSON path expression. M6: PATH append dedup uses grep -Fq for literal match instead of regex grep -q, preventing false positives from metacharacters. M9: world-writable check uses (( other_perms & 2 )) to test the write bit directly instead of >= 6 which missed perms 2 and 3. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…ook utilities H3: compress_schema_hook checks proc.returncode before reading stdout, aligning with compress_response_hook pattern. H5: bare except Exception:pass replaced with warn() for error observability in compress_response_hook, compress_toon_hook, and rewrite_hook. Non-fatal exceptions still proceed but now emit diagnostics to stderr. L6+L7: compress_toon_hook adds returncode != 0 check after subprocess; compress_response_hook exit_code check broadened from in (1,2) to != 0 (excluding None). M1: shared functions (_write_context, _run, _parse_version, SKIP_TOOLS) moved to hook_utils.py; hermes/__init__.py imports from hook_utils instead of duplicating; SKIP_TOOLS unified to cover both PascalCase and snake_case tool names. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…alidation C2: resolveBinaryPath uses spawnSync with positional arguments (command -v "$1" + -- separator) instead of execSync with string interpolation, eliminating shell injection surface. M2: binary availability cache adds TTL (5 min) for negative results; stale false cache is refreshed on re-check, allowing auto-fix installs to be detected without manual restart. M3: global process.env mutations replaced with in-memory envContext object; all execFileSync calls now receive per-call env via buildEnv() to avoid multi-session race conditions. L8: compression effectiveness check uses length comparison instead of exact string match, avoiding JSON serialization order false negatives. L9: repeated JSON.stringify(event.message) calls consolidated into single beforeJson variable reuse across savings calculation. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
… poison clear L2: tokenizer.rs gains 7 unit tests covering empty string, ASCII, CJK, emoji, mixed text, and byte-vs-char estimate consistency. L5: chrono workspace dependency uses default-features = false with only serde + clock features, avoiding the deprecated oldtime feature. L10: all 5 clear_poison() calls in recorder.rs now emit eprintln warnings before clearing, making mutex poisoning observable instead of silently suppressed. M5: config.rs config_path() fallback chain aligned with main.rs get_home_dir() — now tries dirs::home_dir() then $HOME env var before falling back to current directory. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
M7: test-toon.sh replaces hardcoded /tmp/toon_decode_test.json
with mktemp and trap EXIT cleanup, preventing symlink attacks
and concurrent test conflicts.
M8: test-toon-full.sh uses os.path.expanduser("~") in Python
instead of shell $HOME interpolation, avoiding single-quote
injection risk.
Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…rflow Add max_depth (default 32) to compress_json_schema so pathological or attacker-crafted deeply-nested JSON schemas cannot exhaust the stack. ResponseCompressor already has the same guard (max_depth=8). Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…rning stdout auto_fix() previously discarded the child's exit status, so a failed fix-script run would surface its stderr/exit-1 as if it were a successful output. Check status.success() and return an Err carrying stderr + stdout so callers report the real failure. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…idate binaries $HOME is attacker-controllable: the previous get_home_dir() flowed straight through dirs::home_dir() / $HOME / "." CWD fallback, so a spoofed HOME let an attacker steer the binary search list (~/.local/bin/...) to a malicious target that env_check would later exec. * get_home_dir() now consults getpwuid_r first and only falls back to dirs::home_dir() when the syscall produces no entry; the unsafe "." CWD fallback is removed. * check_dep() runs every candidate path through is_trusted_path() so even a successful spoofed-HOME hop has to clear the uid + non-world- writable check before we accept it. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
… divert stderr to log - Add is_trusted_source_path helper: accept system anolisa dirs unconditionally, but require uid ownership match (current user or root) for paths under $HOME, since $HOME is env-controllable and could be redirected to attacker-owned dirs. - install_via_cargo_build: reject untrusted manifests before invoking cargo build, preventing arbitrary code execution via attacker-supplied build.rs. - install_via_symlink: replace inline path whitelist with is_trusted_source_path, closing the $HOME spoof gap. - install_via_system / install_via_pip: redirect stderr to $FIX_LOG (instead of /dev/null) so a fully-failed install chain leaves a diagnosable trail rather than a silent NOT_READY. - Eagerly mkdir $FIX_LOG_DIR at script init so the redirects do not silently drop stderr when the directory has not been created yet. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
… of failing Previously every recorder method observed a poisoned mutex by calling clear_poison() and then immediately returning a synthetic SQLITE_BUSY error. The poison would clear, but the in-flight call still failed and the caller had to retry — and because record() is invoked fail-silent from the CLI, the panic effectively turned into permanent stats loss. Replace the per-method boilerplate with a lock_conn() helper that unwraps PoisonError::into_inner() to recover the still-valid guard after clearing the poison. Our workload is single-statement (no multi-step transactions), so the SQLite Connection itself remains safe to reuse after a panic in another thread. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Add MAX_INPUT_BYTES (64 MiB) guard in read_input() to prevent OOM on accidental large-file stdin. Validate TOKENLESS_STATS_DB env var path against the real home directory; reject paths that resolve outside it. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
When a truncation marker (… (truncated)) is appended, reserve its character length by subtracting it from the target truncation position. This keeps the final output within the configured truncate_strings_at limit instead of exceeding it by ~14 characters. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
- Remove redundant parse+serialize round-trip in CompressSchema; use the original Value for compact serialization directly. - Switch permission check read target from /etc/hostname to /proc/self/status (always present on Linux). - Add cross-reference comments between Rust is_trusted_path and shell is_trusted_file implementations. Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…to tokenless Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
…rgets Add full-wildcard TCP target support so agentsight captures all plain-HTTP traffic when neither IP nor port is known. Changes: - BPF: add 4th lookup branch (ip=0, port=0) in is_target_conn() - config: TcpTarget::FromStr accepts "*", "*:*", ":*", "ip:*", "*:port" - tcpsniff: emit log::warn when full-wildcard target is configured - tests: 5 new unit tests covering all wildcard parse paths
When full-wildcard target is configured, filter non-HTTP traffic directly in the BPF layer to avoid flooding the ring buffer with TLS/Redis/MySQL etc. Changes: - Add tcp_http_conns LRU map (4096 entries) for per-connection protocol cache - Add is_http_payload() inline to detect HTTP methods and response prefix - Apply filter in both emit_tcp_event_buf (UBUF) and sendmsg (writev) paths - Once a connection is confirmed HTTP, subsequent data passes through (SSE/chunked) - Replace ringbuf submit with discard on probe_read_user failure
Signed-off-by: Xingdong Li <XingDong.Li@linux.alibaba.com>
This reverts commit 6e57f5d.
github-actions
Bot
added
component:sec-core
scope:ci
scope:documentation
scope:scripts
labels
Signed-off-by: yizheng <YiZheng.Yang@linux.alibaba.com>
yangdao479
force-pushed
the
feat/sec-core/update_rpm
branch
2 times, most recently
from
89cf5b5 to
4d1eb84
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
15 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Related Issue
closes #
Type of Change
Scope
cosh(copilot-shell)sec-core(agent-sec-core)skill(os-skills)sight(agentsight)tokenless(tokenless)Checklist
cosh: Lint passes, type check passes, and tests passsec-core(Rust):cargo clippy -- -D warningsandcargo fmt --checkpasssec-core(Python): Ruff format and pytest passskill: Skill directory structure is valid and shell scripts pass syntax checksight:cargo clippy -- -D warningsandcargo fmt --checkpasstokenless:cargo clippy -- -D warningsandcargo fmt --checkpasspackage-lock.json/Cargo.lock)Testing
Additional Notes