refactor(bpf/net): centralize net_block event + enforce-signal across the 6 socket hooks

[ErenAri]

What

The 6 socket_* LSM hooks (+ the connect tracepoint fallback) each carried a near-identical ~95-line deny tail: a duplicated SIGKILL-escalation signal computation (6×) and a duplicated net_block event reserve+fill+submit (13×). That per-hook duplication is exactly the class that produced past divergence bugs (the headline detect_missing_optional_lsm_hooks bug was a per-hook divergence).

Two __always_inline helpers in aegis_common.h now own that logic:

• compute_net_enforce_signal(pid, start_time)
• emit_net_block_event(...) — the single definition of the net_block event shape

Each hook's audit/enforce branches collapse into one audit ? 0 : -EPERM tail.

aegis_net.bpf.h: 1483 → 1044 lines (-30%).

Safety

• Every hook's address-parsing + rule-match logic is byte-identical — only the (verified) decision/emit tail changed. The deny decision (what matches) is untouched.
• Behavior-preserving, with one deliberate exception: bind/listen rule_type is now a zero-filled char[16] (previously a 5-byte memcpy("port") that left 11 uninitialized ring-buffer bytes in the emitted event — a minor info-leak fix).

Verification

• bpf_obj compiles clean.
• Behavioral, on a real 6.17 BPF-LSM host: the enforcement-proof harness passes end-to-end — connect and sendmsg to a denied CIDR (240.0.0.0/4) → -EPERM, runtime_state=ENFORCE, every class (module/file/exec/ptrace/bpf/network) + bypass (symlink/hardlink/bindmount/rename/sendmsg/overlay) BLOCKED, no silent downgrade.
• A first cut omitted bpf_ringbuf_submit in the helper; the verifier's reference-leak check caught it immediately (now fixed) — and the behavioral harness re-confirmed enforcement.
• CI adds cross-clang bpf-compile (15–18), veristat (15% complexity tolerance; inlined helpers keep counts flat), and kernel-bpf-test. I've also dispatched the bpfcompat kernel matrix on this branch to confirm the object loads on 5.15→6.17.

🤖 Generated with Claude Code