cloudtaser's eBPF agent now enforces via BPF LSM hooks as the synchronous deny path for the five highest-risk kernel entry points:
ptrace_access_check,
file_open (covering
/proc/pid/environ and
/proc/pid/mem),
bpf (unauthorised program loads),
socket_sendmsg (secret-buffer exfiltration), and
kernel_load_data. By LSM design, the hook fires synchronously before the kernel action completes. BPF LSM is the default enforcement mode (
REQUIRE_LSM_OR_FAIL defaults to
true).
Update, July 2026: current releases fail closed by default when BPF-LSM is unavailable; kprobe-only mode is now an explicit operator opt-in rather than an automatic fallback. The LSM code merged across cloudtaser-ebpf
#183,
#185,
#190,
#193 and shipped in a tagged release; per-kernel runtime confirmation lands once
cloudtaser-pipeline#227 unblocks full-matrix BPF verifier validation.