From 6e6d0abf48cb403a993b60a7309459fe75427182 Mon Sep 17 00:00:00 2001
From: Akshu121796
Date: Wed, 27 May 2026 23:27:56 +0530
Subject: [PATCH 1/2] feat: add structured target context metadata for runtime events
---
 telos_core/loader/main.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/telos_core/loader/main.go b/telos_core/loader/main.go
index 2d8dc52..e96f5ad 100644
--- a/telos_core/loader/main.go
+++ b/telos_core/loader/main.go
@@ -974,6 +974,15 @@ func (d *TelosDaemon) readEvents() {
 actionStr = "DENY"
 severityStr = "WARNING"
 }
+ targetContext := ""
+
+ if event.DescStr == "connect_denied" || event.DescStr == "exfil_blocked" {
+ ip := make(net.IP, 4)
+ binary.BigEndian.PutUint32(ip, uint32(event.ContextVal))
+ targetContext = ip.String()
+ } else if event.DescStr == "open_inode" || event.DescStr == "mirage_trap" {
+ targetContext = fmt.Sprintf("inode:%d", event.ContextVal)
+ }

 d.EmitAudit(SentinelAuditEvent{
 Component: "LSM",
@@ -985,6 +994,7 @@ func (d *TelosDaemon) readEvents() {
 "comm": event.CommStr,
 "description": event.DescStr,
 "taint_level": event.TaintLevel,
+ "target_context": targetContext,
 },
 })

From 952db3107840bb13af1fb1dfc0631025c5a1bca3 Mon Sep 17 00:00:00 2001
From: Akshu121796
Date: Thu, 28 May 2026 14:55:54 +0530
Subject: [PATCH 2/2] fix: correct IP parsing and add ptrace context support
---
 telos_core/loader/main.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/telos_core/loader/main.go b/telos_core/loader/main.go
index e96f5ad..8e71c19 100644
--- a/telos_core/loader/main.go
+++ b/telos_core/loader/main.go
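Review bot: The address branch in the first hunk of PATCH 1/2 (`@@ -974,6 +974,15 @@`) writes a bare dotted quad into `target_context`, while the inode branch writes a typed `inode:` value, so anything consuming the audit stream has to guess the kind of value from its shape. Prefixing it the same way, `targetContext = "ip:" + ip.String()`, keeps the field parseable by a single rule. Every event whose description matches neither branch is still emitted with an empty `target_context`, because the second hunk adds the key unconditionally; setting the key only when the value is non-empty would let a detection distinguish "no target" from "target not decoded". `readEvents` starts and ends outside both hunks, so the declared type of `event.ContextVal` is not visible here.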
@@ -978,10 +978,12 @@ func (d *TelosDaemon) readEvents() {

 if event.DescStr == "connect_denied" || event.DescStr == "exfil_blocked" {
 ip := make(net.IP, 4)
- binary.BigEndian.PutUint32(ip, uint32(event.ContextVal))
+ binary.LittleEndian.PutUint32(ip, uint32(event.ContextVal))
 targetContext = ip.String()
 } else if event.DescStr == "open_inode" || event.DescStr == "mirage_trap" {
 targetContext = fmt.Sprintf("inode:%d", event.ContextVal)
+ } else if event.DescStr == "ptrace_denied" {
+ targetContext = fmt.Sprintf("pid:%d", event.ContextVal)
 }

 d.EmitAudit(SentinelAuditEvent{
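Review bot: `binary.LittleEndian.PutUint32` in the `connect_denied`/`exfil_blocked` branch gives the right address only when the loader runs on a little-endian host. Presumably the kernel side stores the IPv4 address in network byte order and the daemon reads it back as a host-order integer, in which case the bytes have to be written back in host order. If the module targets Go 1.21 or later, `binary.NativeEndian.PutUint32(ip, uint32(event.ContextVal))` says that directly, and a short comment on that line recording the byte order the probe uses (once confirmed) would stop the call from being flipped a third time. The `uint32(...)` conversion also discards any upper bits of `ContextVal`, so a non-IPv4 destination, if the probe ever reports one, would be logged as a wrong IPv4 address instead of being flagged; worth confirming the probe is IPv4-only. `readEvents` begins and ends outside this hunk.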