tetragon: Add sigkill return action test

Signed-off-by: Jiri Olsa <[email protected]>
cilium · Dec 4, 2023 · 4e18f76 · 4e18f76
1 parent dc69517
commit 4e18f76
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 0 deletions.
diff --git a/pkg/sensors/tracing/kprobe_sigkill_test.go b/pkg/sensors/tracing/kprobe_sigkill_test.go
@@ -113,6 +113,39 @@ func TestKprobeSigkill(t *testing.T) {
 	testSigkill(t, makeSpecFile, checker)
 }
 
+func TestReturnKprobeSigkill(t *testing.T) {
+	if !kernels.MinKernelVersion("5.3.0") {
+		t.Skip("sigkill requires at least 5.3.0 version")
+	}
+
+	// makeSpecFile creates a new spec file bsed on the template, and the provided arguments
+	makeSpecFile := func(pid string) string {
+		data := map[string]string{
+			"MatchedPID":   pid,
+			"NamespacePID": "false",
+		}
+		specName, err := testutils.GetSpecFromTemplate("sigkill_return.yaml.tmpl", data)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return specName
+	}
+
+	kpChecker := ec.NewProcessKprobeChecker("").
+		WithFunctionName(sm.Full(arch.AddSyscallPrefixTestHelper(t, "sys_lseek"))).
+		WithArgs(ec.NewKprobeArgumentListMatcher().
+			WithOperator(lc.Ordered).
+			WithValues(
+				ec.NewKprobeArgumentChecker().WithIntArg(5555),
+			)).
+		WithReturn(ec.NewKprobeArgumentChecker().WithIntArg(-9)).
+		WithAction(tetragon.KprobeAction_KPROBE_ACTION_POST).
+		WithReturnAction(tetragon.KprobeAction_KPROBE_ACTION_SIGKILL)
+	checker := ec.NewUnorderedEventChecker(kpChecker)
+
+	testSigkill(t, makeSpecFile, checker)
+}
+
 func testUnprivilegedUsernsKill(t *testing.T, pidns bool) {
 	if !kernels.MinKernelVersion("5.3.0") {
 		t.Skip("sigkill requires at least 5.3.0 version")

diff --git a/testdata/specs/sigkill_return.yaml.tmpl b/testdata/specs/sigkill_return.yaml.tmpl
@@ -0,0 +1,34 @@
+# test for the sigkill action
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "sigkilltest"
+spec:
+  kprobes:
+  - call: "sys_lseek"
+    syscall: true
+    return: true
+    args:
+    - index: 2
+      type: int
+    returnArg:
+      index: 0
+      type: int
+    selectors:
+    - matchPIDs:
+      - operator: In
+        values:
+        - {{.MatchedPID}}
+        isNamespacePID: {{.NamespacePID}}
+      matchArgs:
+      - index: 2
+        operator: Equal
+        values:
+        - 5555 # magic value, see also sigkill-tester
+      matchReturnArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "-9" # -EBADF
+      matchReturnActions:
+      - action: Sigkill