test(generate): lock in init_module vs finit_module classification

Audit of init_module (man 2 init_module) confirmed the implementation is
correct: init_module(void *module_image, unsigned long len, const char
*param_values) is classified KindModule (null_event), capturing neither
an fd nor a path — param_values is a module-parameter string, not a
filesystem path. finit_module(int fd, ...) is classified KindFd via
field-based matching and captures fd = args[0]. Both syscalls live in the
Security family and match docs/syscall-tracing-plan.md.

No explicit finit_module test or init_module-vs-finit_module distinction
test existed, so add lock-in coverage:
- testdata.go: real-layout Format constants for (f)init_module enter/exit.
- classify_test.go: assert init_module=KindModule with no PathnameField
  and finit_module=KindFd.
- codegen_test.go: assert generated BPF C for init_module captures no fd
  and no filename/path, while finit_module captures fd = args[0].

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

3 files changed, 119 insertions, 0 deletions

diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index fecbb93..b03164b 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -1022,6 +1022,32 @@ func TestClassify67NameOnlyKinds(t *testing.T) {
 	}
 }
 
+// TestClassifyInitModuleVsFinitModule locks in the load-bearing distinction
+// between the two module-loading syscalls (man 2 init_module).
+//
+// init_module(void *module_image, unsigned long len, const char *param_values)
+// takes a userspace ELF image pointer and a module-PARAMETER string (not a
+// filesystem path), so it must classify as KindModule (null_event) and capture
+// neither an fd nor a path — param_values must NOT be mistaken for a path.
+//
+// finit_module(int fd, const char *param_values, int flags) reads the module
+// from a file descriptor, so it must classify as KindFd via field-based
+// matching on the leading "fd" field.
+func TestClassifyInitModuleVsFinitModule(t *testing.T) {
+	if r := classifyFromData(t, FormatInitModule); r.Kind != KindModule {
+		t.Errorf("init_module: got kind %d, want KindModule", r.Kind)
+	}
+	if r := classifyFromData(t, FormatFinitModule); r.Kind != KindFd {
+		t.Errorf("finit_module: got kind %d, want KindFd", r.Kind)
+	}
+
+	// param_values (uargs) is a parameter string, never a captured path: the
+	// init_module classification must not select KindPathname/KindName/KindOpen.
+	if r := classifyFromData(t, FormatInitModule); r.PathnameField != "" {
+		t.Errorf("init_module: unexpected PathnameField %q, want empty", r.PathnameField)
+	}
+}
+
 func TestClassify87NameOnlyKinds(t *testing.T) {
 	tests := []string{
 		"sys_enter_rt_sigaction",
diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index 746aa07..6b19129 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -24,6 +24,30 @@ func TestGenerateFdHandler(t *testing.T) {
 	requireContains(t, output, "#define SYS_ENTER_READ 844")
 }
 
+// TestGenerateModuleHandlers locks in the generated BPF C for the module-load
+// syscalls (man 2 init_module). init_module is a null_event: it must capture no
+// fd and no path/filename (its param_values arg is a parameter string, not a
+// path). finit_module is an fd_event capturing fd = args[0].
+func TestGenerateModuleHandlers(t *testing.T) {
+	initOut := generateFromPair(t, FormatInitModule, FormatExitInitModule)
+	requireContains(t, initOut, `SEC("tracepoint/syscalls/sys_enter_init_module")`)
+	requireContains(t, initOut, "struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);")
+	requireContains(t, initOut, "ev->event_type = ENTER_NULL_EVENT;")
+	// init_module must not capture an fd or any filename/path.
+	if strings.Contains(initOut, "ev->fd =") {
+		t.Error("init_module handler must not capture an fd")
+	}
+	if strings.Contains(initOut, "ev->filename") || strings.Contains(initOut, "bpf_probe_read_user_str") {
+		t.Error("init_module handler must not capture param_values as a path/filename")
+	}
+
+	finitOut := generateFromPair(t, FormatFinitModule, FormatExitFinitModule)
+	requireContains(t, finitOut, `SEC("tracepoint/syscalls/sys_enter_finit_module")`)
+	requireContains(t, finitOut, "struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);")
+	requireContains(t, finitOut, "ev->event_type = ENTER_FD_EVENT;")
+	requireContains(t, finitOut, "ev->fd = (__s32)ctx->args[0];")
+}
+
 func TestGeneratePidfdGetfdHandlerUsesPidfdArgument(t *testing.T) {
 	output := generateFromPair(t, FormatPidfdGetfd, FormatExitPidfdGetfd)
 
diff --git a/internal/generate/testdata.go b/internal/generate/testdata.go
index 50efc00..8c2b1ee 100644
--- a/internal/generate/testdata.go
+++ b/internal/generate/testdata.go
@@ -1208,6 +1208,75 @@ format:
 print fmt: "0x%lx", REC->ret
 `
 
+// FormatInitModule mirrors the real sys_enter_init_module tracepoint layout.
+// Its arguments are a userspace ELF image pointer (umod), the image length
+// (len), and a module-parameter string (uargs). uargs is a parameter string of
+// the form "name=value ..." — NOT a filesystem path — so init_module must
+// classify as KindModule (null_event) and capture neither an fd nor a path.
+const FormatInitModule = `name: sys_enter_init_module
+ID: 9370
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:void * umod;	offset:16;	size:8;	signed:0;
+	field:unsigned long len;	offset:24;	size:8;	signed:0;
+	field:const char * uargs;	offset:32;	size:8;	signed:0;
+
+print fmt: "umod: 0x%08lx, len: 0x%08lx, uargs: 0x%08lx", ((unsigned long)(REC->umod)), ((unsigned long)(REC->len)), ((unsigned long)(REC->uargs))
+`
+
+const FormatExitInitModule = `name: sys_exit_init_module
+ID: 9369
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:long ret;	offset:16;	size:8;	signed:1;
+
+print fmt: "0x%lx", REC->ret
+`
+
+// FormatFinitModule mirrors the real sys_enter_finit_module tracepoint layout.
+// Unlike init_module, finit_module reads the module from a file descriptor
+// (fd at args[0]), so field-based classification must yield KindFd and capture
+// fd = args[0]. This is the load-bearing distinction from init_module.
+const FormatFinitModule = `name: sys_enter_finit_module
+ID: 9371
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:int fd;	offset:16;	size:8;	signed:0;
+	field:const char * uargs;	offset:24;	size:8;	signed:0;
+	field:int flags;	offset:32;	size:8;	signed:0;
+
+print fmt: "fd: 0x%08lx, uargs: 0x%08lx, flags: 0x%08lx", ((unsigned long)(REC->fd)), ((unsigned long)(REC->uargs)), ((unsigned long)(REC->flags))
+`
+
+const FormatExitFinitModule = `name: sys_exit_finit_module
+ID: 9372
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:long ret;	offset:16;	size:8;	signed:1;
+
+print fmt: "0x%lx", REC->ret
+`
+
 const FormatAccept = `name: sys_enter_accept
 ID: 1808
 format: