test(finit_module): lock in family and ret classification

The finit_module audit (task 8t) confirmed the tracing implementation
matches man 2 finit_module: KindFd with fd at args[0], param_values
string never captured as a path, exit UNCLASSIFIED, and FamilySecurity
alongside init_module/delete_module. No implementation discrepancies
were found.

Extend TestClassifyInitModuleVsFinitModule to also assert the
previously-untested dimensions so the classification stays pinned:
- finit_module captures no path (empty PathnameField), like init_module
- both module-loading syscalls are FamilySecurity
- both exits are UNCLASSIFIED (0/-1 return, no byte count)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

1 files changed, 15 insertions, 0 deletions

diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index f161ef8..9a17dd2 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -1342,6 +1342,21 @@ func TestClassifyInitModuleVsFinitModule(t *testing.T) {
 	if r := classifyFromData(t, FormatInitModule); r.PathnameField != "" {
 		t.Errorf("init_module: unexpected PathnameField %q, want empty", r.PathnameField)
 	}
+	if r := classifyFromData(t, FormatFinitModule); r.PathnameField != "" {
+		t.Errorf("finit_module: unexpected PathnameField %q, want empty", r.PathnameField)
+	}
+
+	// Both module-loading syscalls live in FamilySecurity (man 2 init_module:
+	// loading kernel code is a privileged, security-sensitive operation), and
+	// both return 0/-1 with no byte count, so their exits are UNCLASSIFIED.
+	for _, name := range []string{"init_module", "finit_module"} {
+		if fam := ClassifySyscallFamily("sys_enter_" + name); fam != FamilySecurity {
+			t.Errorf("%s: got family %s, want FamilySecurity", name, fam)
+		}
+		if got := ClassifyRet("sys_exit_" + name); got != Unclassified {
+			t.Errorf("ClassifyRet(sys_exit_%s) = %q, want UNCLASSIFIED", name, got)
+		}
+	}
 }
 
 func TestClassify87NameOnlyKinds(t *testing.T) {