cellos_telemetry/probes/

net_connect.rs

//! `net.connect_attempted` probe — stub.
//!
//! Linux-only. Pre-syscall observation of `connect(2)` requires either
//! seccomp-notify, eBPF tracepoints (`tracepoint:syscalls:sys_enter_connect`),
//! or `/proc/[pid]/net/tcp{,6}` polling. The first two need a syscall surface
//! and a debugfs / BPF-mounted /sys this skeleton does not assume; the third
//! gives only post-facto state, not "attempted". Path C / post-1.0
//! territory (ADR-0006).
//!
//! For Phase F3a we emit no events. Frames the agent sends when wired up
//! will use [`probe_source::NET_CONNECT_ATTEMPTED`].

#![cfg(target_os = "linux")]

use crate::ProbeEvent;

/// Stub network connect-attempt probe.
///
/// TODO syscall surface — choose one of:
///   1. seccomp-notify with the listener fd held by `cellos-init` parent
///      (kernel-version gated; needs Linux ≥ 5.0 and BPF-friendly seccomp),
///   2. BPF tracepoint on `sys_enter_connect` (BPF mount + CAP_BPF needed),
///   3. polling `/proc/net/tcp{,6}` for `SYN_SENT` rows (cheap; loses
///      already-completed connects between polls — false negatives the
///      `cell.observability.guest.declaration_unwitnessed` check on the
///      host will surface anyway).
#[derive(Debug, Default)]
pub struct NetConnectProbe;

impl NetConnectProbe {
    /// Construct the stub probe.
    pub fn new() -> Self {
        Self
    }

    /// Poll for connect attempts. Currently a no-op.
    pub fn poll(&mut self) -> Vec<ProbeEvent> {
        // TODO syscall surface — see module doc.
        Vec::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn stub_returns_empty() {
        let mut p = NetConnectProbe::new();
        assert!(p.poll().is_empty());
    }
}