Fix nmap bypass: comm-based tracking for pre-monitor openclaw workers

Root cause: openclaw-gateway workers created before the monitor starts
are never added to tracked_pids because the fork hook only propagates
tracking for already-tracked parents. Short-lived worker processes
(e.g. the gateway's executor) are invisible in /proc at bootstrap time,
so their children (bash, nmap, etc.) run without BPF enforcement.

Fix:
- bpf_hooks.c: add tracked_comms map and hash_comm_buf() helper;
  extend sched_process_fork to fall back to comm-name lookup when the
  parent is not in tracked_pids — auto-backfills the process into
  tracked_pids so it and all descendants are tracked immediately
- monitor.py: add populate_tracked_comms() that registers djb2 hashes
  of openclaw worker comm strings at startup; sources both target_paths
  basenames and a /proc scan that catches openclaw-gateway (comm
  "openclaw-gatewa") and similar workers already running before load
- dashboard/app.py: suppress PATH-LIN-015 self-noise from monitor's
  own npm subprocess; raise parse_log_lines cap to 5000; include
  rotated log backup in BLOCK_LOG_PATHS

Author: leos565

deploy/dashboard/app.py

@@ -160,6 +160,7 @@ def _save_dismissed(dismissed: set) -> None:
 
 BLOCK_LOG_PATHS = [
     "/var/log/clawedr.log",
+    "/var/log/clawedr.log.1",  # rotated backup — ensures alerts aren't lost after rotation
     os.path.expanduser("~/Library/Logs/clawedr.log"),
     "/tmp/clawedr_log_tailer.log",
 ]
@@ -231,7 +232,7 @@ def _parse_ancestry(details: str) -> list[dict] | None:
     return chain if chain else None
 
 
-def _parse_log_lines(max_lines: int = 1000) -> list[dict]:
+def _parse_log_lines(max_lines: int = 5000) -> list[dict]:
     """Parse recent BLOCKED entries from the log files."""
     import datetime
     alerts: list[dict] = []
@@ -249,9 +250,17 @@ def _parse_log_lines(max_lines: int = 1000) -> list[dict]:
                     ancestry = _parse_ancestry(raw_details)
                     # Strip ancestry from the displayed details string
                     clean_details = _ANCESTRY_RE.sub("", raw_details).strip()
+                    rule_id = m.group(3)
+                    # Suppress monitor self-noise: PATH-LIN-015 blocks for libuv-worker
+                    # uid=0 processes are spawned by the monitor's own npm subprocess,
+                    # not by the agent. These flood the log and are not agent actions.
+                    if (rule_id == "PATH-LIN-015"
+                            and "comm=libuv-worker" in clean_details
+                            and "uid=0" in clean_details):
+                        continue
                     entry: dict = {
                         "timestamp": m.group(1),
-                        "rule_id": m.group(3),
+                        "rule_id": rule_id,
                         "details": clean_details,
                         "blocked": kind != "ALERT",
                     }

deploy/linux/bpf_hooks.c

@@ -65,6 +65,10 @@ BPF_ARRAY(egress_mode, u8, 1);
 /* Shell interpreters: only track when parent is tracked (agent-spawned shells)
  */
 BPF_HASH(parent_tracked_bins, u64, u8, 16);
+/* Comm-name hashes of openclaw worker processes (e.g. "openclaw-gatewa").
+ * When a process with a matching comm forks, it and its child are auto-tracked
+ * even if the process predates the monitor (e.g. long-lived gateway workers). */
+BPF_HASH(tracked_comms, u64, u8, 16);
 /* OpenClaw gateway PIDs: never SIGKILL these (openat/statx log-only) */
 BPF_HASH(protected_pids, u32, u8, 16);
 
@@ -124,6 +128,19 @@ static __always_inline u64 simple_hash(const char *s, int len) {
   return h;
 }
 
+/* Hash comm string from a local stack buffer (bpf_get_current_comm output). */
+static __always_inline u64 hash_comm_buf(const char *buf) {
+  u64 h = 5381;
+#pragma unroll
+  for (int i = 0; i < 16; i++) {
+    char c = buf[i];
+    if (c == 0)
+      break;
+    h = ((h << 5) + h) + (u64)c;
+  }
+  return h;
+}
+
 /* Hash path from kernel buffer (e.g. bpf_d_path output); must match djb2. */
 static __always_inline u64 hash_path_buf(const char *buf, int max_len) {
   u64 h = 5381;
@@ -732,10 +749,25 @@ TRACEPOINT_PROBE(sched, sched_process_fork) {
    * thread PID as parent_pid.  When a worker thread (libuv, etc.) forks
    * a child, parent_pid is the thread PID which may differ from the TGID. */
   u8 *tracked = tracked_pids.lookup(&parent_pid);
+  u32 tgid = bpf_get_current_pid_tgid() >> 32;
   if (!tracked) {
-    u32 tgid = bpf_get_current_pid_tgid() >> 32;
     tracked = tracked_pids.lookup(&tgid);
   }
+  if (!tracked) {
+    /* Comm-based fallback: auto-track openclaw worker processes that predate
+     * the monitor.  When a process whose comm matches a known openclaw worker
+     * (e.g. "openclaw-gatewa") forks, backfill it into tracked_pids so that
+     * its child—and all future descendants—are correctly tracked. */
+    char cur_comm[16] = {};
+    bpf_get_current_comm(&cur_comm, sizeof(cur_comm));
+    u64 comm_h = hash_comm_buf(cur_comm);
+    u8 *comm_tracked = tracked_comms.lookup(&comm_h);
+    if (comm_tracked) {
+      u8 one = 1;
+      tracked_pids.update(&tgid, &one);
+      tracked = comm_tracked;
+    }
+  }
   if (tracked) {
     u8 one = 1;
     tracked_pids.update(&child_pid, &one);
@@ -998,10 +1030,17 @@ TRACEPOINT_PROBE(syscalls, sys_enter_write) {
 /* ── exit: clean up tracked set + heuristic state ── */
 TRACEPOINT_PROBE(sched, sched_process_exit) {
   u64 pid_tgid = bpf_get_current_pid_tgid();
-  u32 pid = pid_tgid >> 32;
-
-  tracked_pids.delete(&pid);
-  heu_fork_state.delete(&pid);
+  u32 tgid = pid_tgid >> 32;  /* userspace PID = thread group leader */
+  u32 tid  = (u32)pid_tgid;   /* kernel thread ID */
+
+  /* Only remove from tracked_pids when the thread group leader (main thread)
+   * exits.  Worker threads (libuv-worker, pthread pool, etc.) share the same
+   * TGID as their parent process.  Deleting on every thread exit would wipe
+   * the parent process from tracking, causing intermittent enforcement gaps. */
+  if (tgid == tid) {
+    tracked_pids.delete(&tgid);
+    heu_fork_state.delete(&tgid);
+  }
   /* heu_state and heu_connect_state keys include pid; they'll age out or we
    * could delete by prefix — skip for now to avoid iteration */