| author | Paul Buetow <paul@buetow.org> | 2026-06-06 10:05:22 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-06-06 10:05:22 +0300 |
| commit | 92ca9482e44432b85ce09ebdd8a1b4d199b1c77b (patch) | |
| tree | 353e3bf366b6d3e5f8a5fd7e623bd60a6c2cf7ba /cmd/ioworkload/scenario_security.go | |
| parent | d807c1ad9eb8b176e36300c6ea41744431a05bf0 (diff) | |
test: add end-to-end coverage for getrandom (READ byte count) and flock (KindFd)
Two previously-untested syscalls now have integration coverage:
- getrandom (Security family, READ_CLASSIFIED): new security-getrandom
scenario fills a 32-byte buffer via unix.Getrandom, looping past any
signal-interrupted short reads so the cumulative byte count is strictly
positive. TestSecurityGetrandom asserts enter_getrandom MinCount>=1,
bytes>=1 (locking in the READ byte-count classification end-to-end), and
a positive duration.
- flock (FamilyFS, KindFd@args[0], UNCLASSIFIED): new flock-basic scenario
opens a temp file, takes LOCK_EX then LOCK_UN via syscall.Flock, and
closes it. TestFlockBasic asserts enter_flock with PathContains the temp
filename, confirming the fd resolves to the file path via the procfd
cache.
Both scenarios use raw unix/syscall calls so the exact sys_enter tracepoints
fire, and are registered in cmd/ioworkload/scenarios.go.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
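The flock-basic scenario that the message describes (open a temp file, LOCK_EX, LOCK_UN, close) is not part of this diff, which is limited to scenario_security.go. As an added illustration that is not the project's own code, the block below reproduces that sequence with the standard-library syscall.Flock and goes one step further: it opens a second descriptor on the same path and shows with LOCK_EX|LOCK_NB that the exclusive lock is really held between the two calls. flock locks belong to the open file description, so the second open() contends even inside one process. The function and field names, and the temp-file prefix, are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// FlockResult records what the example observed. The fields are this
// example's own names, not anything from ior.
type FlockResult struct {
	Path            string
	ContendedErr    error // result of LOCK_EX|LOCK_NB on a second fd while the first holds LOCK_EX
	AcquiredAfterUn bool  // whether the second fd got the lock once the first did LOCK_UN
}

// runFlockScenario mirrors the flock-basic sequence from the commit message
// (temp file, LOCK_EX, LOCK_UN, close) and adds a second descriptor to
// prove the lock is held in between. Linux/BSD only: flock has no Windows
// equivalent in package syscall.
func runFlockScenario() (FlockResult, error) {
	var res FlockResult

	f, err := os.CreateTemp("", "flock-basic-*") // prefix is an assumption
	if err != nil {
		return res, fmt.Errorf("create temp: %w", err)
	}
	res.Path = f.Name()
	defer os.Remove(res.Path)
	defer f.Close()

	// Call syscall.Flock directly so the sys_enter_flock tracepoint fires
	// with this file's descriptor in args[0].
	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX); err != nil {
		return res, fmt.Errorf("flock LOCK_EX: %w", err)
	}

	// A second open() yields a distinct open file description; flock does
	// not care about the access mode, so a read-only fd can request LOCK_EX.
	g, err := os.Open(res.Path)
	if err != nil {
		return res, fmt.Errorf("second open: %w", err)
	}
	defer g.Close()

	// Non-blocking attempt must fail with EWOULDBLOCK while f holds LOCK_EX.
	res.ContendedErr = syscall.Flock(int(g.Fd()), syscall.LOCK_EX|syscall.LOCK_NB)

	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_UN); err != nil {
		return res, fmt.Errorf("flock LOCK_UN: %w", err)
	}

	// After LOCK_UN the same non-blocking request succeeds.
	if err := syscall.Flock(int(g.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
		return res, fmt.Errorf("flock after unlock: %w", err)
	}
	res.AcquiredAfterUn = true
	if err := syscall.Flock(int(g.Fd()), syscall.LOCK_UN); err != nil {
		return res, fmt.Errorf("flock LOCK_UN (second fd): %w", err)
	}
	return res, nil
}

// IsWouldBlock reports whether err is the EWOULDBLOCK (EAGAIN on Linux)
// that a contended LOCK_NB request returns.
func IsWouldBlock(err error) bool {
	return errors.Is(err, syscall.EWOULDBLOCK) || errors.Is(err, syscall.EAGAIN)
}

func main() {
	res, err := runFlockScenario()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("path=%s contended=%v acquiredAfterUnlock=%v\n",
		res.Path, IsWouldBlock(res.ContendedErr), res.AcquiredAfterUn)
}
```

Run under the tracer and you should see two enter_flock records for each descriptor, the first pair resolving to the temp file's path through the procfd cache; the contended LOCK_NB call is what distinguishes a lock that was actually taken from one that was merely requested.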
Diffstat (limited to 'cmd/ioworkload/scenario_security.go')
| -rw-r--r-- | cmd/ioworkload/scenario_security.go | 34 |
1 file changed, 34 insertions, 0 deletions
diff --git a/cmd/ioworkload/scenario_security.go b/cmd/ioworkload/scenario_security.go index f3cf9ba..6e14f0c 100644 --- a/cmd/ioworkload/scenario_security.go +++ b/cmd/ioworkload/scenario_security.go @@ -11,6 +11,40 @@ import ( var keySpecProcessKeyringArg = ^uintptr(1) +// getrandomBufLen is the requested length of the getrandom buffer. getrandom +// reports the number of random bytes written into buf as its return value, +// which ior READ-classifies as a byte count. +const getrandomBufLen = 32 + +// securityGetrandom exercises the getrandom syscall end-to-end. getrandom +// (FamilyTime/Security, READ_CLASSIFIED) fills buf with random bytes and +// returns the count placed there, so ior records that count as the exit byte +// total. +// +// getrandom may return fewer bytes than requested only when interrupted by a +// signal; to keep the byte count deterministic we loop until the full buffer +// is filled, accumulating any short reads. The enter tracepoint is null-kind +// (no fd/path), so this scenario only locks in the READ byte-count classifi- +// cation, not a path/fd dimension. +func securityGetrandom() error { + buf := make([]byte, getrandomBufLen) + for off := 0; off < len(buf); { + // Use unix.Getrandom so the exact sys_enter_getrandom tracepoint fires. + n, err := unix.Getrandom(buf[off:], 0) + if err != nil { + if err == unix.EINTR { + continue + } + return fmt.Errorf("getrandom: %w", err) + } + if n <= 0 { + return fmt.Errorf("getrandom returned non-positive count %d", n) + } + off += n + } + return nil +} + func securityKeysPtracePerf() error { nr, err := securitySyscallNumbers(runtime.GOARCH) if err != nil { |
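Review bot: the doc comment on securityGetrandom labels the syscall "(FamilyTime/Security, READ_CLASSIFIED)" while the commit message calls it the Security family and the getrandomBufLen comment above it speaks only of READ classification; one family should be named, so drop "FamilyTime/". The comment "to keep the byte count deterministic we loop until the full buffer is filled" also overstates what is locked in: the commit message asserts bytes>=1, and when EINTR or a short read splits the 32 bytes across several calls each sys_exit carries its own count, so "ensures the cumulative count reaches getrandomBufLen" would be accurate. Minor: with err == nil, unix.Getrandom cannot return a negative n, so `if n <= 0` is effectively `if n == 0`; the guard is still worth keeping, since a zero-length return would otherwise spin the loop forever, but the message "non-positive count" could say "zero-length" to match.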
