tetragon: Add 32bit versions of killer tests

Signed-off-by: Jiri Olsa <[email protected]>

.github/workflows/gotests.yml

@@ -29,7 +29,7 @@ jobs:
 
     - name: Install dependencies
       run: |
-        sudo apt-get -y install libelf-dev netcat-traditional libcap-dev gcc
+        sudo apt-get -y install libelf-dev netcat-traditional libcap-dev gcc libc6-dev-i386
 
         sudo sed -i '/secure_path/d' /etc/sudoers
         sudo sed -i '/env_reset/d' /etc/sudoers

.github/workflows/vmtests.yml

@@ -30,7 +30,7 @@ jobs:
 
     - name: Install build dependencies
       run: |
-        sudo apt install libelf-dev netcat-traditional libcap-dev gcc
+        sudo apt install libelf-dev netcat-traditional libcap-dev gcc libc6-dev-i386
         echo `which clang`
         echo `which llc`
         echo `clang --version`

contrib/tester-progs/Makefile

@@ -18,7 +18,8 @@ PROGS = sigkill-tester \
 	threads-tester \
 	bench-reader \
 	threads-exit \
-	killer-tester
+	killer-tester \
+	killer-tester-32
 
 all: $(PROGS)
 
@@ -61,6 +62,9 @@ uprobe-test-1: uprobe-test.c libuprobe.so
 uprobe-test-2: uprobe-test-1
 	cp uprobe-test-1 uprobe-test-2
 
+killer-tester-32: killer-tester.c
+	$(GCC) -Wall -m32 $< -o $@
+
 lseek-pipe: FORCE
 	go build -o lseek-pipe ./go/lseek-pipe
 

pkg/sensors/tracing/killer_amd64_test.go

@@ -0,0 +1,140 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+//go:build amd64 && linux
+// +build amd64,linux
+
+package tracing
+
+import (
+	"syscall"
+	"testing"
+
+	"github.com/cilium/tetragon/api/v1/tetragon"
+	"github.com/cilium/tetragon/pkg/bpf"
+	"github.com/cilium/tetragon/pkg/syscallinfo/i386"
+	"github.com/cilium/tetragon/pkg/testutils"
+
+	ec "github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker"
+	lc "github.com/cilium/tetragon/pkg/matchers/listmatcher"
+)
+
+func TestKillerOverride32(t *testing.T) {
+	if !bpf.HasOverrideHelper() {
+		t.Skip("skipping killer test, bpf_override_return helper not available")
+	}
+
+	test := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32")
+	configHook := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "kill-syscalls"
+spec:
+  lists:
+  - name: "mine"
+    type: "syscalls"
+    values:
+    - "__ia32_sys_prctl"
+  killers:
+  - syscalls:
+    - "list:mine"
+  tracepoints:
+  - subsystem: "raw_syscalls"
+    event: "sys_enter"
+    args:
+    - index: 4
+      type: "syscall64"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "InMap"
+        values:
+        - "list:mine"
+      matchBinaries:
+      - operator: "In"
+        values:
+        - "` + test + `"
+      matchActions:
+      - action: "NotifyKiller"
+        argError: -17 # EEXIST
+`
+
+	tpChecker := ec.NewProcessTracepointChecker("").
+		WithArgs(ec.NewKprobeArgumentListMatcher().
+			WithOperator(lc.Ordered).
+			WithValues(
+				ec.NewKprobeArgumentChecker().WithSizeArg(i386.SYS_PRCTL),
+			)).
+		WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER)
+
+	checker := ec.NewUnorderedEventChecker(tpChecker)
+
+	checkerFunc := func(err error, rc int) {
+		if rc != int(syscall.EEXIST) {
+			t.Fatalf("Wrong exit code %d expected %d", rc, int(syscall.EEXIST))
+		}
+	}
+
+	testKiller(t, configHook, test, checker, checkerFunc)
+}
+
+func TestKillerSignal32(t *testing.T) {
+	if !bpf.HasOverrideHelper() {
+		t.Skip("skipping killer test, bpf_override_return helper not available")
+	}
+
+	test := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32")
+	configHook := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "kill-syscalls"
+spec:
+  lists:
+  - name: "mine"
+    type: "syscalls"
+    values:
+    - "__ia32_sys_prctl"
+  killers:
+  - syscalls:
+    - "list:mine"
+  tracepoints:
+  - subsystem: "raw_syscalls"
+    event: "sys_enter"
+    args:
+    - index: 4
+      type: "syscall64"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "InMap"
+        values:
+        - "list:mine"
+      matchBinaries:
+      - operator: "In"
+        values:
+        - "` + test + `"
+      matchActions:
+      - action: "NotifyKiller"
+        argSig: 9 # SIGKILL
+`
+
+	tpChecker := ec.NewProcessTracepointChecker("").
+		WithArgs(ec.NewKprobeArgumentListMatcher().
+			WithOperator(lc.Ordered).
+			WithValues(
+				ec.NewKprobeArgumentChecker().WithSizeArg(i386.SYS_PRCTL),
+			)).
+		WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER)
+
+	checker := ec.NewUnorderedEventChecker(tpChecker)
+
+	checkerFunc := func(err error, rc int) {
+		if err == nil || err.Error() != "signal: killed" {
+			t.Fatalf("Wrong error '%v' expected 'killed'", err)
+		}
+	}
+
+	testKiller(t, configHook, test, checker, checkerFunc)
+}

pkg/sensors/tracing/killer_test.go

@@ -23,7 +23,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func test_killer(t *testing.T, configHook string, test string,
+func testKiller(t *testing.T, configHook string, test string,
 	checker *eventchecker.UnorderedEventChecker,
 	checkerFunc func(err error, rc int)) {
 
@@ -111,7 +111,7 @@ spec:
 		}
 	}
 
-	test_killer(t, configHook, test, checker, checkerFunc)
+	testKiller(t, configHook, test, checker, checkerFunc)
 }
 
 func TestKillerSignal(t *testing.T) {
@@ -171,7 +171,7 @@ spec:
 		}
 	}
 
-	test_killer(t, configHook, test, checker, checkerFunc)
+	testKiller(t, configHook, test, checker, checkerFunc)
 }
 
 func TestKillerMulti(t *testing.T) {