
cellos_telemetry/probes/
capability.rs

//! `capability.denied` probe — stub.
//!
//! Linux-only. The kernel surfaces capability denials through the audit
//! subsystem (`AUDIT_CAPSET`, `AUDIT_AVC`-adjacent records) and through
//! `kprobe`-instrumented `ns_capable()` paths. Both options need a syscall
//! surface this skeleton does not yet wire — Path C / post-1.0 territory
//! (ADR-0006 "What is explicitly POST-1.0").
//!
//! NOTE(review): `AUDIT_CAPSET` records `capset(2)` calls rather than failed
//! capability checks — confirm which record types the wired probe will consume.
//!
//! For Phase F3a this probe emits no events, so a stream without
//! `capability.denied` frames says nothing about whether denials occurred.
//! Once wired up, the frame the agent sends will use
//! [`probe_source::CAPABILITY_DENIED`].
11
12#![cfg(target_os = "linux")]
13
14use crate::ProbeEvent;
15
/// Placeholder probe for capability denials.
///
/// No event source is attached yet: `poll` returns an empty vector on every
/// call, so an empty result carries no information about whether any
/// capability check was refused. Consumers should treat this probe as a
/// known coverage gap rather than as a negative signal.
///
/// Planned back ends, one of which is to be wired under the Path C deferral
/// (TODO syscall surface):
///   1. a netlink audit socket (NETLINK_AUDIT) with a per-cell filter, or
///   2. a `/sys/kernel/debug/tracing/events/capable/` pipe (debugfs is
///      post-1.0 per ADR-0006 §5.8).
#[derive(Default, Debug)]
pub struct CapabilityProbe;
28
impl CapabilityProbe {
    /// Build the stub probe; the value carries no state.
    pub fn new() -> Self {
        CapabilityProbe
    }

    /// Poll for capability denials.
    ///
    /// The stub has no event source, so the returned vector is always empty;
    /// an empty result here does not mean that no capability check was denied.
    pub fn poll(&mut self) -> Vec<ProbeEvent> {
        // TODO syscall surface — see module doc.
        vec![]
    }
}
41
#[cfg(test)]
mod tests {
    use super::*;

    /// Pins the stub contract: polling a freshly built probe yields no events.
    #[test]
    fn stub_returns_empty() {
        let mut probe = CapabilityProbe::new();
        let events = probe.poll();
        assert!(events.is_empty());
    }
}