From 27f5e9bd23f73b184e925a2224e2115c6db6e2e0 Mon Sep 17 00:00:00 2001
From: Jiri Olsa
Date: Tue, 17 Oct 2023 18:21:56 +0000
Subject: [PATCH] tetragon Add test to override security_ function
Signed-off-by: Jiri Olsa
---
 pkg/sensors/tracing/kprobe_test.go | 58 ++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go
index 7e3b97b97d0..7769ca49e42 100644
--- a/pkg/sensors/tracing/kprobe_test.go
+++ b/pkg/sensors/tracing/kprobe_test.go
@@ -2207,6 +2207,64 @@ spec:
 runKprobeOverride(t, openAtHook, checker, file.Name(), syscall.ENOENT, false)
 }
+func TestKprobeOverrideSecurity(t *testing.T) {
+ if !bpf.HasModifyReturn() {
+ t.Skip("skipping fmod_ret support is not available")
+ }
+
+ pidStr := strconv.Itoa(int(observertesthelper.GetMyPid()))
+
+ file, err := os.CreateTemp(t.TempDir(), "kprobe-override-")
+ if err != nil {
+ t.Fatalf("writeFile(%s): err %s", testConfigFile, err)
+ }
+ defer assert.NoError(t, file.Close())
+
+ openAtHook := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "sys-openat-override"
+spec:
+ kprobes:
+ - call: "security_file_open"
+ syscall: false
+ return: true
+ args:
+ - index: 0
+ type: "file"
+ returnArg:
+ type: "int"
+ selectors:
+ - matchPIDs:
+ - operator: In
+ followForks: true
+ values:
+ - ` + pidStr + `
+ matchArgs:
+ - index: 0
+ operator: "Equal"
+ values:
+ - "` + file.Name() + `"
+ matchActions:
+ - action: Override
+ argError: -2
+`
+
+ kpChecker := ec.NewProcessKprobeChecker("").
+ WithFunctionName(sm.Full("security_file_open")).
+ WithArgs(ec.NewKprobeArgumentListMatcher().
+ WithOperator(lc.Ordered).
+ WithValues(
+ ec.NewKprobeArgumentChecker().WithFileArg(ec.NewKprobeFileChecker().WithPath(sm.Full(file.Name()))),
+ )).
+ WithReturn(ec.NewKprobeArgumentChecker().WithIntArg(-2)).
+ WithAction(tetragon.KprobeAction_KPROBE_ACTION_OVERRIDE)
+ checker := ec.NewUnorderedEventChecker(kpChecker)
+
+ runKprobeOverride(t, openAtHook, checker, file.Name(), syscall.ENOENT, false)
+}
+
 func TestKprobeOverrideNopostAction(t *testing.T) {
 pidStr := strconv.Itoa(int(observertesthelper.GetMyPid()))
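Review bot: `defer assert.NoError(t, file.Close())` in TestKprobeOverrideSecurity does not defer the close, because Go evaluates a deferred call's arguments at the defer statement; the temp file is closed right there and only the assertion runs at function exit. The rest of the test uses just `file.Name()`, so it still works, but the line should say what it does: either a plain `assert.NoError(t, file.Close())` or `defer func() { assert.NoError(t, file.Close()) }()`. The `t.Fatalf("writeFile(%s): err %s", testConfigFile, err)` message names a helper and a variable that do not otherwise appear in this test; `t.Fatalf("CreateTemp: %v", err)` would point at the real failure. Since the test skips when `bpf.HasModifyReturn()` is false, a short comment stating that the security_file_open override is not exercised on such kernels would help anyone judging enforcement coverage.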