From 052f4aa8abdc073a5790f9e6f7991002164d810a Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Mon, 4 Dec 2023 20:49:27 +0000 Subject: [PATCH] tetragon: Add killer test for both bits Signed-off-by: Jiri Olsa --- pkg/sensors/tracing/killer_amd64_test.go | 76 +++++++++++++++++++++++- pkg/sensors/tracing/killer_test.go | 14 ++++- 2 files changed, 85 insertions(+), 5 deletions(-) diff --git a/pkg/sensors/tracing/killer_amd64_test.go b/pkg/sensors/tracing/killer_amd64_test.go index b31ee5f49ea..212ae5a0623 100644 --- a/pkg/sensors/tracing/killer_amd64_test.go +++ b/pkg/sensors/tracing/killer_amd64_test.go @@ -76,7 +76,7 @@ spec: } } - testKiller(t, configHook, test, checker, checkerFunc) + testKiller(t, configHook, test, "", checker, checkerFunc) } func TestKillerSignal32(t *testing.T) { @@ -136,5 +136,77 @@ spec: } } - testKiller(t, configHook, test, checker, checkerFunc) + testKiller(t, configHook, test, "", checker, checkerFunc) +} + +func TestKillerOverrideBothBits(t *testing.T) { + if !bpf.HasOverrideHelper() { + t.Skip("skipping killer test, bpf_override_return helper not available") + } + + test32 := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") + test64 := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + + configHook := ` +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "kill-syscalls" +spec: + lists: + - name: "mine" + type: "syscalls" + values: + - "sys_prctl" + - "__ia32_sys_prctl" + killers: + - syscalls: + - "list:mine" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "syscall64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:mine" + matchBinaries: + - operator: "In" + values: + - "` + test32 + `" + - "` + test64 + `" + matchActions: + - action: "NotifyKiller" + argError: -17 # EEXIST +` + + tpChecker32 := ec.NewProcessTracepointChecker(""). + WithArgs(ec.NewKprobeArgumentListMatcher(). + WithOperator(lc.Ordered). + WithValues( + ec.NewKprobeArgumentChecker().WithSizeArg(i386.SYS_PRCTL), + )). + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + + tpChecker64 := ec.NewProcessTracepointChecker(""). + WithArgs(ec.NewKprobeArgumentListMatcher(). + WithOperator(lc.Ordered). + WithValues( + ec.NewKprobeArgumentChecker().WithSizeArg(syscall.SYS_PRCTL), + )). + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + + checker := ec.NewUnorderedEventChecker(tpChecker32, tpChecker64) + + checkerFunc := func(err error, rc int) { + if rc != int(syscall.EEXIST) { + t.Fatalf("Wrong exit code %d expected %d", rc, int(syscall.EEXIST)) + } + } + + testKiller(t, configHook, test64, test32, checker, checkerFunc) } diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go index a86519b85d6..f01654f3072 100644 --- a/pkg/sensors/tracing/killer_test.go +++ b/pkg/sensors/tracing/killer_test.go @@ -23,7 +23,8 @@ import ( "github.com/stretchr/testify/assert" ) -func testKiller(t *testing.T, configHook string, test string, +func testKiller(t *testing.T, configHook string, + test string, test2 string, checker *eventchecker.UnorderedEventChecker, checkerFunc func(err error, rc int)) { @@ -50,6 +51,13 @@ func testKiller(t *testing.T, configHook string, test string, checkerFunc(err, cmd.ProcessState.ExitCode()) + if test2 != "" { + cmd := exec.Command(test2) + err = cmd.Run() + + checkerFunc(err, cmd.ProcessState.ExitCode()) + } + err = jsonchecker.JsonTestCheck(t, checker) assert.NoError(t, err) } @@ -111,7 +119,7 @@ spec: } } - testKiller(t, configHook, test, checker, checkerFunc) + testKiller(t, configHook, test, "", checker, checkerFunc) } func TestKillerSignal(t *testing.T) { @@ -171,7 +179,7 @@ spec: } } - testKiller(t, configHook, test, checker, checkerFunc) + testKiller(t, configHook, test, "", checker, checkerFunc) } func TestKillerMulti(t *testing.T) {