Skip to content

feat(audit): network.loopback DENY audit channel#231

Merged
luca-iachini merged 2 commits into
mainfrom
fir-383-run-audit
Jul 7, 2026
Merged

feat(audit): network.loopback DENY audit channel#231
luca-iachini merged 2 commits into
mainfrom
fir-383-run-audit

Conversation

@luca-iachini

Copy link
Copy Markdown
Contributor

What

Adds the firma run audit channel: an out-of-band control socket (FIRMA_RUN_AUDIT_SOCK) carrying newline-delimited firma_core::RunAuditMessage. The Sidecar owns the mapping from each RunAuditEvent variant to (action_class, decision, deny_reason, resource) and signs the result.

RunAuditEvent::LoopbackBlocked is the first variant, mapping to the audit-only network.loopback action class (not in ActionClassRegistry::v0_1, never Cedar-evaluated). The channel is reusable by future out-of-band producers rather than adding new sockets.

Why

Foundation for the loopback egress guard (Linux) and future out-of-band enforcement facts to reach signed audit without touching the request pipeline.

Stack

Base of the fir-383 split. Replaces #216.

  • this -> #(linux) -> stacked
  • this -> #(docs) -> stacked

Cross-platform run-audit channel: firma-core RunAuditEvent/RunAuditMessage,
sidecar out-of-band ingest listener, and CLI wiring that binds the control
socket when firma run provisions one. Also migrate two Windows-only
allow(unsafe_code)/expect_used lints to expect(...) with reasons.
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 83.17757% with 36 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
crates/firma-sidecar/src/run_audit.rs 89.09% 15 Missing and 3 partials ⚠️
crates/firma/src/services/sidecar.rs 28.00% 16 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

@luca-iachini luca-iachini merged commit 3dc000d into main Jul 7, 2026
15 checks passed
@luca-iachini luca-iachini deleted the fir-383-run-audit branch July 7, 2026 12:05
luca-iachini added a commit that referenced this pull request Jul 7, 2026
## What

Linux `bwrap` seccomp `user-notify` filter that traps the agent's
`connect(2)` and **blocks** direct connections to any loopback address
(`127.0.0.0/8`, `::1`, IPv4-mapped) except the proxy bridge and DNS stub
ports, returning `EACCES`. Catches direct sockets that bypass
`HTTP_PROXY`.

Each block is reported to the Sidecar over the audit channel (PR #231)
and recorded as a signed `DENY` / `network.loopback` / `loopback
blocked` event, visible in `firma monitor`. Deny path is race-free;
allow path uses `SECCOMP_USER_NOTIF_FLAG_CONTINUE`. Fails open with a
warning if user-notify is unavailable — the private netns already
isolates the agent, so the guard is defense-in-depth plus a
direct-socket audit trail.

## Stack

Based on #231 (audit channel). Part of the fir-383 split replacing #216.
luca-iachini added a commit that referenced this pull request Jul 8, 2026
## What

Documents the loopback egress enforcement model across backends:

- `docs-site/src/content/docs/concepts/sandbox.md` — new **Loopback
blocking** section (Linux seccomp guard, macOS sandbox-exec port-scope,
proxy-only backends), updated network-boundary / proxy-bridge prose, and
structural/invariant tables.
- `crates/firma-run/src/backend/windows_wsl2.rs` — comment documenting
the WSL2/Windows gap: the seccomp guard is Linux-host-only and not wired
across the Windows->guest boundary; WSL2 stays proxy-only.

`llms.txt` audit-channel + `network.loopback` action-class registry
entries land in the branches that own them (#231 base; #232 linux; #233
macOS).

## Stack

Based on #231 (audit channel, for the `network.loopback` model). Part of
the fir-383 split replacing #216.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants