feat: switch macOS learning mode from fs_usage to eslogger

Replace fs_usage (reports Mach thread IDs, requiring process name matching with false positives) with eslogger (Endpoint Security framework, reports real Unix PIDs via audit_token.pid plus fork events for process tree tracking). Key changes: - Daemon starts eslogger instead of fs_usage, with early-exit detection and clear Full Disk Access error messaging - New two-pass eslogger JSON parser: pass 1 builds PID tree from fork events, pass 2 filters filesystem events by PID set - Remove runtime PID polling (StartPIDTracking, pollDescendantPIDs) — process tree is now built post-hoc from the eslogger log - Platform-specific generateLearnedTemplatePlatform() for darwin/linux/stub - Refactor TraceResult and GenerateLearnedTemplate to be platform-agnostic
2026-02-26 17:23:43 -06:00
parent e05b54ec1b
commit 9d5d852860
14 changed files with 1434 additions and 70 deletions
--- a/internal/sandbox/manager_linux.go
+++ b/internal/sandbox/manager_linux.go
@@ -0,0 +1,31 @@
+//go:build linux
+
+package sandbox
+
+import (
+	"fmt"
+	"os"
+)
+
+// generateLearnedTemplatePlatform parses the strace log and generates a template (Linux).
+func (m *Manager) generateLearnedTemplatePlatform(cmdName string) (string, error) {
+	if m.straceLogPath == "" {
+		return "", fmt.Errorf("no strace log available (was learning mode enabled?)")
+	}
+
+	result, err := ParseStraceLog(m.straceLogPath, m.debug)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse strace log: %w", err)
+	}
+
+	templatePath, err := GenerateLearnedTemplate(result, cmdName, m.debug)
+	if err != nil {
+		return "", err
+	}
+
+	// Clean up strace log since we've processed it
+	_ = os.Remove(m.straceLogPath)
+	m.straceLogPath = ""
+
+	return templatePath, nil
+}