{"version": 2, "width": 118, "height": 34, "timestamp": 1782810190, "idle_time_limit": 2.0, "env": {"SHELL": "/bin/bash", "TERM": "xterm-256color"}, "title": "InnerWarden spec-084 - multi-tenant AI-agent protection (Azure k7.0)"}
[0.292786, "o", "\u001b[H\u001b[2J\u001b[3J"]
[0.294627, "o", "InnerWarden  ·  spec-084  ·  multi-tenant AI-agent protection\r\n# detect  ->  attribute (tenant + pod)  ->  contain (per-pod, in-kernel)\r\n\r\n▶  The node: real Azure cloud kernel, a shared multi-tenant agent fleet\r\n"]
[1.298043, "o", "$ uname -r\r\n"]
[1.302614, "o", "7.0.0-1007-azure\r\n"]
[2.306677, "o", "$ nproc\r\n"]
[2.309214, "o", "2\r\n"]
[3.314021, "o", "# Two tenants, Claude-Code-style agent pods on ONE node (one is rogue):\r\n$ k3s kubectl get pods -A | grep -E 'NAMESPACE|cc-'\r\n"]
[3.404934, "o", "NAMESPACE       NAME                                      READY   STATUS      RESTARTS       AGE\r\ntenant-acme     cc-benign-7c65794d4f-g2p4x                1/1     Running     1 (118m ago)   14h\r\n"]
[3.405117, "o", "tenant-globex   cc-benign-6fb6d6ccd8-btbwz                1/1     Running     1 (118m ago)   14h\r\n"]
[3.405388, "o", "tenant-globex   cc-rogue                                  1/1     Running     1 (118m ago)   14h\r\n"]
[6.41648, "o", "\r\n"]
[6.416544, "o", "▶  1) One rogue agent pod attacks (cred theft, IMDS SSRF, C2 egress, miner)\r\n"]
[7.42017, "o", "$ k3s kubectl exec -n tenant-globex cc-rogue -- bash /agenthome/rogue.sh 2>&1 | sed 's/^/   /'\r\n"]
[7.540733, "o", "   [rogue cc-rogue] cgroup:\r\n"]
[7.543711, "o", "   0::/\r\n"]
[7.544338, "o", "   [rogue] 1/5 credential access (/etc/shadow, /etc/passwd)\r\n"]
[7.552786, "o", "   [rogue] 2/5 IMDS SSRF — cloud metadata credential theft (169.254.169.254)\r\n"]
[7.657151, "o", "     imds-reached\r\n   [rogue] 3/5 C2 egress to external ip:4444\r\n"]
[7.863841, "o", "     c2-refused\r\n   [rogue] 4/5 crypto-miner-named process\r\n"]
[7.865331, "o", "     xmrig pid=429\r\n"]
[7.867354, "o", "   [rogue] 5/5 container-escape probes\r\n"]
[7.880246, "o", "   total 64\r\n   drwxr-xr-x   1 root root   4096 Jun 30 07:04 .\r\n"]
[7.89335, "o", "   ls: cannot access '/run/containerd': No such file or directory\r\n"]
[7.896506, "o", "   [rogue cc-rogue] done\r\n"]
[7.903834, "o", "   coreutils: unknown program 'xmrig'\r\n"]
[8.916916, "o", "# InnerWarden processes it in the agent loop ...\r\n."]
[13.920726, "o", "."]
[18.923644, "o", "."]
[23.926881, "o", "."]
[28.930426, "o", "."]
[33.934263, "o", "."]
[38.937519, "o", "\r\n"]
[38.938838, "o", "\r\n▶  2) InnerWarden NAMES the exact tenant + pod  (non-forgeable, read from the kernel cgroup)\r\n"]
[39.941939, "o", "# Per-incident attribution log (greppable under any log format):\r\n$ journalctl -u innerwarden-agent --since '2 min ago' -o cat | grep 'attributed to tenant' | tail -3 | sed 's/^/   /'\r\n"]
[39.951995, "o", "   tenancy: incident reverse_shell:bash_dev_tcp:20184:2026-06-30T09:03Z attributed to tenant globex-inc (namespace tenant-globex, pod cc-rogue)\r\n   tenancy: incident reverse_shell:bash_dev_tcp:20185:2026-06-30T09:03Z attributed to tenant globex-inc (namespace tenant-globex, pod cc-rogue)\r\n   tenancy: incident reverse_shell:bash_dev_tcp:20189:2026-06-30T09:03Z attributed to tenant globex-inc (namespace tenant-globex, pod cc-rogue)\r\n"]
[40.955282, "o", "# Live Prometheus metric on /metrics (a SOC scrapes this). Rogue counted; benign tenant ABSENT:\r\n$ curl -sk https://127.0.0.1:8787/metrics | grep 'incidents_by_tenant{tenant'\r\n"]
[41.005238, "o", "innerwarden_incidents_by_tenant{tenant=\"globex-inc\"} 24\r\ninnerwarden_incidents_by_tenant{tenant=\"kube-system\"} 1\r\n"]
[44.013636, "o", "\r\n▶  3) CONTAIN only the rogue pod — Execution Gate, OBSERVE first (logs, never blocks)\r\n"]
[45.017139, "o", "# Arm the in-kernel LSM gate, scoped to ONLY the rogue pod's cgroup (id 9772):\r\n"]
[45.02919, "o", "$ bpftool map update pinned /sys/fs/bpf/innerwarden/exec_gate_scope key 0x2c 0x26 0x00 0x00 0x00 0x00 0x00 0x00 value 0x01 any   # scope = rogue pod\r\n"]
[46.033661, "o", "$ bpftool map update pinned /sys/fs/bpf/innerwarden/lsm_policy key 0x04 0x00 0x00 0x00 value 0x01 0x00 0x00 0x00 any   # key4 = scoped\r\n"]
[47.040089, "o", "$ bpftool map update pinned /sys/fs/bpf/innerwarden/lsm_policy key 0x03 0x00 0x00 0x00 value 0x02 0x00 0x00 0x00 any   # key3 = OBSERVE\r\n"]
[48.059373, "o", "# Trigger execs in the rogue pod AND off-scope (other tenant + host) at the same time:\r\n$ k3s kubectl exec -n tenant-globex cc-rogue -- bash -lc 'touch /tmp/a; cat /etc/hostname; sleep 1; seq 1 3' >/dev/null 2>&1\r\n"]
[50.192348, "o", "$ k3s kubectl exec -n tenant-acme cc-benign-7c65794d4f-g2p4x -- sh -lc 'touch /tmp/b; sleep 0' >/dev/null 2>&1\r\n"]
[51.332738, "o", "$ seq 1 3 >/dev/null   # on the host\r\n"]
[52.339257, "o", "# observing ~12s ...\r\n"]
[64.360636, "o", "# would-block events INSIDE the rogue pod's cgroup : 8\r\n   ✓ would-block events OFF-SCOPE (host + other tenant): 0  (never even examined)\r\n"]
[66.364387, "o", "\r\n"]
[66.365113, "o", "▶  4) ENFORCE — block the rogue pod's UNKNOWN binary, in the kernel\r\n"]
[67.368386, "o", "# Pre-authorize the pod's known-good baseline (FNV-1a path hashes):\r\n"]
[67.396142, "o", "#   allow /usr/bin/bash\r\n"]
[67.420346, "o", "#   allow /usr/bin/cat\r\n"]
[67.445144, "o", "#   allow /usr/bin/rm\r\n"]
[67.475964, "o", "#   allow /usr/bin/seq\r\n"]
[67.500195, "o", "#   allow /usr/bin/sleep\r\n"]
[67.524308, "o", "#   allow /usr/bin/timeout\r\n"]
[67.549184, "o", "#   allow /usr/bin/touch\r\n"]
[67.575938, "o", "#   allow /usr/bin/run-parts\r\n"]
[67.6001, "o", "#   allow /usr/bin/locale-check\r\n"]
[67.600507, "o", "$ bpftool map update pinned /sys/fs/bpf/innerwarden/lsm_policy key 0x03 0x00 0x00 0x00 value 0x01 0x00 0x00 0x00 any   # key3 = ENFORCE\r\n"]
[68.605073, "o", "\r\n"]
[68.605405, "o", "# Drop a NEW miner binary in the rogue pod and try to run it:\r\n"]
[68.72992, "o", "$ k3s kubectl exec -n tenant-globex cc-rogue -- /tmp/xmrig 5 ; echo rc=$?\r\n"]
[68.842403, "o", "exec /tmp/xmrig: operation not permitted\r\n"]
[68.846618, "o", "command terminated with exit code 255\r\n"]
[68.8503, "o", "rc=255\r\n"]
[69.854688, "o", "   ✗ DENIED in-kernel (-EPERM). The miner never executed.\r\n\r\n# The pod's own allowlisted binary still runs:\r\n$ k3s kubectl exec -n tenant-globex cc-rogue -- /usr/bin/cat /etc/hostname ; echo rc=$?\r\n"]
[70.018694, "o", "cc-rogue\r\n"]
[70.027262, "o", "rc=0\r\n"]
[71.03193, "o", "   ✓ ALLOWED\r\n\r\n"]
[71.03273, "o", "# Other tenant (tenant-acme) and the HOST run binaries normally — never gated:\r\n$ k3s kubectl exec -n tenant-acme cc-benign-7c65794d4f-g2p4x -- /usr/bin/sleep 0 ; echo other-tenant rc=$?\r\n"]
[71.156027, "o", "other-tenant rc=0\r\n"]
[72.16079, "o", "$ /usr/bin/seq 1 3 >/dev/null ; echo host rc=$?\r\n"]
[72.16467, "o", "host rc=0\r\n"]
[73.174518, "o", "   ✓ both ALLOWED (out of scope, returned before any allowlist lookup)\r\n"]
[75.178108, "o", "\r\n▶  5) Disarm — gate back to inert. The host was never gated.\r\n"]
[76.461377, "o", "$ bpftool map dump pinned /sys/fs/bpf/innerwarden/lsm_policy\r\n"]
[76.463173, "o", "key: 03 00 00 00  value: 00 00 00 00\r\nkey: 04 00 00 00  value: 00 00 00 00\r\nFound 2 elements\r\n"]
[77.468323, "o", "$ bpftool map dump pinned /sys/fs/bpf/innerwarden/exec_gate_scope\r\n"]
[77.473729, "o", "Found 0 elements\r\n"]
[78.476717, "o", "\r\n▶  Result\r\n"]
[79.479785, "o", "   ✓ Rogue agent named to its exact tenant + pod, contained in the kernel AT THE POD.\r\n"]
[79.480345, "o", "   ✓ Host and every other tenant: untouched.\r\n# Full written assessment: https://innerwarden.com\r\n\r\n"]
