cellos-telemetry 0.5.0

In-guest telemetry agent for CellOS — runs as PID 2 inside Firecracker microVMs, emits CBOR-over-vsock observations. No signing key by design (ADR-0006).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

//! `capability.denied` probe — stub.
//!
//! Linux-only. The kernel surfaces capability denials through the audit
//! subsystem (`AUDIT_CAPSET`, `AUDIT_AVC`-adjacent records) and through
//! `kprobe`-instrumented `ns_capable()` paths. Both options need a syscall
//! surface this skeleton does not yet wire — Path C / post-1.0 territory
//! (ADR-0006 "What is explicitly POST-1.0").
//!
//! For Phase F3a we emit no events from this probe. The frame the agent
//! sends when wired up will use [`probe_source::CAPABILITY_DENIED`].

#![cfg(target_os = "linux")]

use crate::ProbeEvent;

/// Stub capability-denial probe.
///
/// `poll` always returns an empty vector. The real implementation will
/// either:
///   1. open a netlink audit socket (NETLINK_AUDIT) with a per-cell filter,
///      OR
///   2. read from a `/sys/kernel/debug/tracing/events/capable/` pipe
///      (debugfs is post-1.0 per ADR-0006 §5.8).
///
/// TODO syscall surface — wire one of (1) or (2) under the Path C deferral.
#[derive(Debug, Default)]
pub struct CapabilityProbe;

impl CapabilityProbe {
    /// Construct the stub probe.
    pub fn new() -> Self {
        Self
    }

    /// Poll for capability denials. Currently a no-op.
    pub fn poll(&mut self) -> Vec<ProbeEvent> {
        // TODO syscall surface — see module doc.
        Vec::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn stub_returns_empty() {
        let mut p = CapabilityProbe::new();
        assert!(p.poll().is_empty());
    }
}