Aegis-BPF

Changelog

All notable changes to AegisBPF will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Added

• Result error handling throughout the codebase
• Structured logging with text and JSON output formats
• --log-level and --log-format CLI options
• --seccomp flag for runtime syscall filtering
• Thread-safe caching for cgroup and path resolution
• RAII wrappers for popen (PipeGuard) and ring_buffer (RingBufferGuard)
• Input validation for CLI path arguments
• Google Test unit tests for core components
• Google Benchmark performance tests
• Sanitizer builds (ASAN, UBSAN, TSAN)
• Code coverage reporting with gcovr and Codecov
• Comprehensive CI pipeline with test, sanitizer, and coverage jobs
• AppArmor profile for runtime confinement
• SELinux policy module
• Sigstore/Cosign code signing for releases
• SBOM generation (SPDX and CycloneDX)
• Prometheus alert rules
• Grafana dashboard
• JSON Schema for event validation
• Event schema validation tests and sample payloads
• SIEM integration documentation
• Dockerfile for containerized deployment
• Helm chart for Kubernetes deployment
• Architecture documentation
• Troubleshooting guide
• Man page
• Dev check and environment verification scripts
• Enforce-mode smoke test script
• Nightly fuzz workflow, perf regression workflow, and kernel matrix workflow

Changed

• All functions now return Result instead of int/bool
• Replaced std::cerr/std::cout with structured logging
• Improved error messages with context
• Event schema aligned with emitted JSON fields
• README/architecture diagrams updated to file-open enforcement

Fixed

• popen() file descriptor leak in kernel config check
• Race conditions in cgroup path cache
• Race conditions in CWD resolution cache
• Thread-safety issue in journal error reporting

Security

• Added seccomp-bpf syscall filter
• Added AppArmor and SELinux policies
• Added input validation for all user-provided paths

0.1.0 - 2024-01-01

Added

• Initial release
• BPF LSM-based execution blocking
• Tracepoint-based audit mode (fallback)
• Policy file support with deny_path, deny_inode, allow_cgroup sections
• SHA256 hash-based blocking
• Prometheus metrics endpoint
• Journald integration
• CLI commands: run, block, allow, policy, stats, metrics, health

This site is open source. Improve this page.