seccomp-BPF

seccomp-BPF (Secure Computing Mode with Berkeley Packet Filter) is applied per-agent to enforce a syscall allowlist. If an agent's process makes a syscall that is not in its allowlist, the kernel kills the whole process and the parent sees it terminated by SIGSYS; the agent gets no chance to catch the signal or retry.

How It Works

At spawn time, agentd generates a BPF filter for the agent based on its trust level and declared capabilities. The filter is installed in the agent process with seccomp(SECCOMP_SET_MODE_FILTER, ...) before the agent binary starts executing. Two kernel rules shape this step: an unprivileged process may only install a filter after prctl(PR_SET_NO_NEW_PRIVS, 1), which also prevents a later execve of a setuid or file-capability binary from regaining privilege; and once installed, a filter survives execve and can never be removed, only stacked with further filters that narrow it. Because the filter is installed in the pre-exec child, it must still permit the execve that starts the agent binary and the dynamic loader's early startup syscalls (mmap, mprotect, brk and friends); a tier whose allowlist omits exec depends on the spawn path arranging this, so check that the spawn path does.

The filter is a small classic-BPF program that the kernel runs on every syscall entry of the filtered process. It reads the syscall number, the architecture and the raw arguments (the struct seccomp_data) and returns an action such as allow or kill; agentd is not involved per syscall, so the check costs a few instructions and cannot be raced.

Syscall Allowlists by Trust Level

Trust Level   Allowed Syscalls
untrusted     Minimal: read, write, exit, exit_group, sigreturn, brk, mmap (no exec, no network)
sandboxed     Standard: adds open, close, stat, fstat, lstat, poll, lseek, mprotect, etc. Network syscalls blocked unless network.policy != none
trusted       Expanded: adds socket, connect, sendto, recvfrom, etc. for network access
privileged    Near-full: most syscalls allowed except dangerous kernel-modification calls

The exact allowlist is derived by profile_gen.rs and varies with the agent's capabilities. For example, an agent with the sandbox.exec capability gets clone, execve, and waitpid added so it can spawn sandboxed children. Note that the names in these lists are kernel syscall names, not libc function names: modern glibc implements open() with openat, waitpid() with wait4, and the stat family with newfstatat or statx, and sigreturn on x86_64 is rt_sigreturn. When an agent dies with SIGSYS on a call that looks allowed, run it under strace to see which syscall number it actually issued and compare that against the generated profile.
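To make the mechanism concrete, here is an added example, written for this page and not taken from agentd or profile_gen.rs, of what a generated filter looks like and how the kernel evaluates it. build_filter emits the classic-BPF program for an allowlist (architecture check first, then one jump per allowed syscall number, then the deny action), evaluate is a minimal cBPF interpreter that mirrors the kernel's evaluation over a struct seccomp_data, and install shows the PR_SET_NO_NEW_PRIVS plus seccomp(2) sequence on Linux. The syscall numbers are x86_64 values for the untrusted tier listed above; the function names, the 250-entry limit and the deny-action parameter are this example's own choices.

```rust
// Added example: build, evaluate and (on Linux) install a seccomp-BPF
// allowlist. Illustrative code, not agentd's profile_gen.rs.
use std::convert::TryInto;

// Return actions from linux/seccomp.h.
pub const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
pub const SECCOMP_RET_ERRNO: u32 = 0x0005_0000; // low 16 bits carry the errno
pub const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
// Architecture identifiers from linux/audit.h.
pub const AUDIT_ARCH_X86_64: u32 = 0xC000_003E;
pub const AUDIT_ARCH_AARCH64: u32 = 0xC000_00B7;
// Classic-BPF opcodes from linux/filter.h.
const LD_W_ABS: u16 = 0x20; // BPF_LD | BPF_W | BPF_ABS
const JEQ_K: u16 = 0x15;    // BPF_JMP | BPF_JEQ | BPF_K
const RET_K: u16 = 0x06;    // BPF_RET | BPF_K
// Offsets into struct seccomp_data.
const OFF_NR: u32 = 0;
const OFF_ARCH: u32 = 4;

/// x86_64 numbers for the untrusted tier: read, write, exit, exit_group,
/// rt_sigreturn (the syscall behind "sigreturn"), brk, mmap.
pub const UNTRUSTED_X86_64: &[u32] = &[0, 1, 60, 231, 15, 12, 9];

#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct SockFilter { pub code: u16, pub jt: u8, pub jf: u8, pub k: u32 }

fn stmt(code: u16, k: u32) -> SockFilter { SockFilter { code, jt: 0, jf: 0, k } }
fn jump(k: u32, jt: u8, jf: u8) -> SockFilter { SockFilter { code: JEQ_K, jt, jf, k } }

/// Filter that allows exactly `allowed` on `arch` and returns `deny` for
/// everything else, including syscalls made under a foreign architecture.
pub fn build_filter(arch: u32, allowed: &[u32], deny: u32) -> Result<Vec<SockFilter>, String> {
    let n = allowed.len();
    if n > 250 {
        return Err("allowlist too long for 8-bit jump offsets; split or use a tree".into());
    }
    let mut prog = Vec::with_capacity(n + 6);
    prog.push(stmt(LD_W_ABS, OFF_ARCH)); // acc = arch
    prog.push(jump(arch, 1, 0));         // matching arch skips the deny
    prog.push(stmt(RET_K, deny));
    prog.push(stmt(LD_W_ABS, OFF_NR));   // acc = syscall number
    for (i, &nr) in allowed.iter().enumerate() {
        // Distance from the following instruction to the final RET ALLOW.
        prog.push(jump(nr, (n - i) as u8, 0));
    }
    prog.push(stmt(RET_K, deny));
    prog.push(stmt(RET_K, SECCOMP_RET_ALLOW));
    Ok(prog)
}

/// Mirror of struct seccomp_data as the kernel hands it to the filter.
#[repr(C)]
pub struct SeccompData { pub nr: i32, pub arch: u32, pub instruction_pointer: u64, pub args: [u64; 6] }

impl SeccompData {
    fn load_u32(&self, off: u32) -> u32 {
        let mut bytes = Vec::with_capacity(64);
        bytes.extend_from_slice(&self.nr.to_ne_bytes());
        bytes.extend_from_slice(&self.arch.to_ne_bytes());
        bytes.extend_from_slice(&self.instruction_pointer.to_ne_bytes());
        for a in &self.args { bytes.extend_from_slice(&a.to_ne_bytes()); }
        let off = off as usize;
        u32::from_ne_bytes(bytes[off..off + 4].try_into().unwrap())
    }
}

/// Interpret the subset of cBPF that build_filter emits, as the kernel would.
pub fn evaluate(prog: &[SockFilter], data: &SeccompData) -> u32 {
    let (mut acc, mut pc) = (0u32, 0usize);
    loop {
        let insn = prog[pc];
        pc += 1;
        match insn.code {
            LD_W_ABS => acc = data.load_u32(insn.k),
            JEQ_K => pc += if acc == insn.k { insn.jt as usize } else { insn.jf as usize },
            RET_K => return insn.k,
            other => panic!("unsupported cBPF opcode {:#x}", other),
        }
    }
}

/// Install `prog` in the calling process. No-new-privs first, then seccomp(2);
/// after this returns the filter is permanent for this process and its children.
#[cfg(all(target_os = "linux", any(target_arch = "x86_64", target_arch = "aarch64")))]
pub fn install(prog: &[SockFilter]) -> std::io::Result<()> {
    use std::os::raw::{c_int, c_long};
    #[repr(C)] struct SockFprog { len: u16, filter: *const SockFilter }
    extern "C" { fn prctl(option: c_int, ...) -> c_int; fn syscall(num: c_long, ...) -> c_long; }
    const PR_SET_NO_NEW_PRIVS: c_int = 38;
    const SECCOMP_SET_MODE_FILTER: c_long = 1;
    #[cfg(target_arch = "x86_64")] const SYS_SECCOMP: c_long = 317;
    #[cfg(target_arch = "aarch64")] const SYS_SECCOMP: c_long = 277;
    let fprog = SockFprog { len: prog.len() as u16, filter: prog.as_ptr() };
    unsafe {
        if prctl(PR_SET_NO_NEW_PRIVS, 1 as c_long, 0 as c_long, 0 as c_long, 0 as c_long) != 0 {
            return Err(std::io::Error::last_os_error());
        }
        if syscall(SYS_SECCOMP, SECCOMP_SET_MODE_FILTER, 0 as c_long, &fprog as *const SockFprog) != 0 {
            return Err(std::io::Error::last_os_error());
        }
    }
    Ok(())
}

fn main() {
    let prog = build_filter(AUDIT_ARCH_X86_64, UNTRUSTED_X86_64, SECCOMP_RET_KILL_PROCESS).unwrap();
    for (i, insn) in prog.iter().enumerate() {
        println!("{:3}: code={:#04x} jt={} jf={} k={:#x}", i, insn.code, insn.jt, insn.jf, insn.k);
    }
    for &(name, nr) in &[("read", 0u32), ("execve", 59), ("socket", 41)] {
        let data = SeccompData { nr: nr as i32, arch: AUDIT_ARCH_X86_64, instruction_pointer: 0, args: [0; 6] };
        println!("{:7} -> {:#x}", name, evaluate(&prog, &data));
    }
}
```

Passing SECCOMP_RET_ERRNO | EPERM as the deny action instead of SECCOMP_RET_KILL_PROCESS turns a kill into a failed syscall, which is convenient while working out which calls a binary needs; production profiles should keep the kill action, since an agent that survives a denied call can probe for alternatives. The architecture check is not optional: on x86_64 a process can issue 32-bit syscalls through the int 0x80 path, where the same number means a different call, and a filter that only matches numbers would allow them.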

Validation

# Run seccomp enforcement tests (requires root)
sudo cargo test seccomp

The tests verify that a sandboxed process cannot make disallowed syscalls by attempting them from a child process and expecting that child to be terminated by SIGSYS; they cannot run in the test process itself, because an installed filter is permanent for that process. To confirm that a running agent actually has a filter in place, the Seccomp field of its /proc/<pid>/status should read 2 (filter mode); 0 there means the filter was never installed.

Profile Location

Generated seccomp profiles can be inspected in the daemon's debug output:

RUST_LOG=debug agentd 2>&1 | grep seccomp

Interaction with Namespaces

The seccomp filter is applied inside the new namespaces (PID, NET, MNT), after they have been set up, so the namespace setup itself does not need to be allowlisted. The unshare syscall is allowed only for agents with capabilities that require it (e.g., sandbox.exec). Filters are inherited across fork, clone and execve, so a child spawned by a sandbox.exec agent starts with its parent's filter and any filter it adds can only narrow that set further. One caveat when clone is allowed: clone with CLONE_NEW* flags creates namespaces just as unshare does, so either the filter must inspect the flags argument of clone or the profile must treat clone and unshare as equally sensitive.