Most eBPF-based runtime security systems observe events (tracepoints/kprobes) and alert asynchronously. Aegis attaches to Linux Security Module (LSM) hooks such as:
file_open
inode_permission
bprm_check_security
socket_connect / socket_bind
Because LSM hooks run inside the syscall path and a non-zero return from the hook (typically -EPERM) aborts the operation, this allows operations to be denied synchronously, before the syscall completes, rather than alerted on after the fact.
Core ideas:
Inode-first file enforcement (stable across renames)
Dual-stack IPv4/IPv6 network deny rules enforced in-kernel
Explicit enforce vs audit posture contract
Capability-aware fail-closed mode
Structured state transitions (ENFORCE / AUDIT_FALLBACK / DEGRADED)
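The following is an added example, not code from Aegis or its author: a small userspace C model of the decision logic the post describes, written to show how inode-keyed file rules, dual-stack network rules and the ENFORCE / AUDIT_FALLBACK / DEGRADED posture contract fit together. The real checks would live in BPF LSM programs attached to file_open and socket_connect and return -EPERM from inside the kernel; here the hook bodies are plain functions, the deny "maps" are fixed arrays, and every function and field name (resolve_posture, must_abort, file_open_hook, socket_connect_hook, the inode_key / net_key structs) is an assumption made for illustration.

```c
/* Added example: userspace model of an inode-first, posture-aware deny
 * decision. Not Aegis code; names and the posture rules are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum posture { ENFORCE, AUDIT_FALLBACK, DEGRADED };

/* Inode-first key: (device, inode) instead of a path, so renaming the
 * file does not change the decision. Stands in for a BPF hash-map key. */
struct inode_key { uint64_t dev; uint64_t ino; };

/* Dual-stack key: addresses are always 16 bytes; IPv4 is stored in the
 * IPv4-mapped form ::ffff:a.b.c.d so one rule covers AF_INET and AF_INET6. */
struct net_key { uint8_t addr[16]; uint16_t port; };

#define MAX_RULES 32
static struct inode_key file_deny[MAX_RULES]; static int n_file;
static struct net_key   net_deny[MAX_RULES];  static int n_net;
static unsigned audit_events;   /* would-have-denied events in audit postures */

int add_file_deny(uint64_t dev, uint64_t ino) {
    if (n_file == MAX_RULES) return -ENOSPC;
    file_deny[n_file++] = (struct inode_key){ dev, ino };
    return 0;
}

/* Convert a host-order IPv4 address into its IPv4-mapped IPv6 form. */
void ipv4_to_mapped(uint32_t v4, uint8_t out[16]) {
    memset(out, 0, 16);
    out[10] = 0xff; out[11] = 0xff;
    out[12] = (uint8_t)(v4 >> 24); out[13] = (uint8_t)(v4 >> 16);
    out[14] = (uint8_t)(v4 >> 8);  out[15] = (uint8_t)v4;
}

int add_net_deny_v4(uint32_t v4, uint16_t port) {
    if (n_net == MAX_RULES) return -ENOSPC;
    ipv4_to_mapped(v4, net_deny[n_net].addr);
    net_deny[n_net++].port = port;
    return 0;
}

/* Posture contract (assumed rules): the operator requests enforce; whether
 * it can be honoured depends on privileges and on the hooks attaching. */
enum posture resolve_posture(bool enforce_requested, bool has_caps, bool hooks_attached) {
    if (!enforce_requested) return AUDIT_FALLBACK;        /* operator chose audit */
    if (has_caps && hooks_attached) return ENFORCE;
    if (has_caps) return AUDIT_FALLBACK;                  /* e.g. kernel without BPF LSM */
    return DEGRADED;                                      /* cannot load programs at all */
}

/* Fail-closed: refuse to run if enforce was requested but could not be met. */
bool must_abort(enum posture p, bool enforce_requested, bool fail_closed) {
    return fail_closed && enforce_requested && p != ENFORCE;
}

/* Model of the file_open hook: 0 allows, -EPERM denies. Only ENFORCE denies;
 * audit postures record the event and let the open proceed. */
int file_open_hook(enum posture p, uint64_t dev, uint64_t ino) {
    for (int i = 0; i < n_file; i++)
        if (file_deny[i].dev == dev && file_deny[i].ino == ino) {
            if (p == ENFORCE) return -EPERM;
            audit_events++;
            return 0;
        }
    return 0;
}

/* Model of the socket_connect hook with the same posture semantics. */
int socket_connect_hook(enum posture p, const uint8_t addr[16], uint16_t port) {
    for (int i = 0; i < n_net; i++)
        if (net_deny[i].port == port && memcmp(net_deny[i].addr, addr, 16) == 0) {
            if (p == ENFORCE) return -EPERM;
            audit_events++;
            return 0;
        }
    return 0;
}

unsigned audit_event_count(void) { return audit_events; }

int main(void) {
    /* Constructed sample rules: one inode, one IPv4 destination. */
    add_file_deny(0x801, 1234);
    add_net_deny_v4(0x0A000001u, 443);           /* 10.0.0.1:443 */
    enum posture p = resolve_posture(true, true, true);
    printf("open(dev=0x801,ino=1234) -> %d\n", file_open_hook(p, 0x801, 1234));
    uint8_t dst[16]; ipv4_to_mapped(0x0A000001u, dst);
    printf("connect(10.0.0.1:443) -> %d\n", socket_connect_hook(p, dst, 443));
    return 0;
}
```

The point worth noticing is what the file hook never looks at: a path. Two opens of the same inode under different names resolve to the same key, which is why the post calls the approach stable across renames, and why a rename cannot be used to slip past a path-based rule. Likewise, a connect issued over an AF_INET6 socket to ::ffff:10.0.0.1 matches the same rule as an AF_INET connect to 10.0.0.1.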
Performance (example baseline, 200k ops):
~2–3% p95 overhead on open
~0.5–1% overhead on connect
O(1) map lookups regardless of rule count
The project includes:
Signed policy bundles (Ed25519)
Capability/posture reporting
Kernel compatibility matrix CI
Documented threat model and TOCTOU analysis
I wrote two technical deep dives explaining the design rationale:
Part 1 – Synchronous Kernel-Level Denial via eBPF-LSM https://medium.com/@erenari27/part-1-synchronous-kernel-leve...
Part 2 – Deterministic Enforcement Contracts & Posture Semantics https://medium.com/@erenari27/part-2-deterministic-enforceme...
Happy to discuss hook selection tradeoffs, verifier constraints, seccomp vs LSM, Landlock comparisons, or enforcement failure modes.