| author | Paul Buetow <paul@buetow.org> | 2026-06-06 10:05:22 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-06-06 10:05:22 +0300 |
| commit | 92ca9482e44432b85ce09ebdd8a1b4d199b1c77b (patch) | |
| tree | 353e3bf366b6d3e5f8a5fd7e623bd60a6c2cf7ba /integrationtests/security_test.go | |
| parent | d807c1ad9eb8b176e36300c6ea41744431a05bf0 (diff) | |
test: add end-to-end coverage for getrandom (READ byte count) and flock (KindFd)
Two previously-untested syscalls now have integration coverage:

- getrandom (Security family, READ_CLASSIFIED): new security-getrandom scenario fills a 32-byte buffer via unix.Getrandom, looping past any signal-interrupted short reads so the cumulative byte count is strictly positive. TestSecurityGetrandom asserts enter_getrandom MinCount>=1, bytes>=1 (locking in the READ byte-count classification end-to-end), and a positive duration.
- flock (FamilyFS, KindFd@args[0], UNCLASSIFIED): new flock-basic scenario opens a temp file, takes LOCK_EX then LOCK_UN via syscall.Flock, and closes it. TestFlockBasic asserts enter_flock with PathContains the temp filename, confirming the fd resolves to the file path via the procfd cache.

Both scenarios use raw unix/syscall calls so the exact sys_enter tracepoints fire, and are registered in cmd/ioworkload/scenarios.go.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'integrationtests/security_test.go')
| -rw-r--r-- | integrationtests/security_test.go | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/integrationtests/security_test.go b/integrationtests/security_test.go index 8d41691..f4d38ea 100644 --- a/integrationtests/security_test.go +++ b/integrationtests/security_test.go @@ -62,6 +62,29 @@ func TestSecurityKeysPtracePerf(t *testing.T) { } } +var getrandomTraceArgs = []string{"-trace-syscalls", "getrandom"} + +// TestSecurityGetrandom asserts end-to-end tracing of the getrandom syscall +// (Security family, READ_CLASSIFIED). The security-getrandom scenario fills a +// 32-byte buffer via unix.Getrandom, looping until the full buffer is filled. +// +// getrandom reports the number of random bytes written into buf as its return +// value, which ior records as the exit byte count. The scenario loops past any +// signal-interrupted short reads, so the cumulative byte count is strictly +// positive; we assert bytes>=1 (the per-call count can be split across reads, +// so a conservative >=1 minimum is the safe invariant) plus a positive +// duration. The enter tracepoint is null-kind (no fd/path dimension), so only +// the READ byte-count classification is locked in here. +func TestSecurityGetrandom(t *testing.T) { + result, _ := runScenarioResultWithIorArgs(t, "security-getrandom", []ExpectedEvent{ + {Tracepoint: "enter_getrandom", Comm: "ioworkload", MinCount: 1}, + }, getrandomTraceArgs) + + exp := ExpectedEvent{Tracepoint: "enter_getrandom", Comm: "ioworkload"} + assertEventBytesAtLeast(t, result, exp, 1) + assertEventDurationPositive(t, result, exp) +} + var landlockTraceArgs = []string{"-trace-syscalls", "landlock_create_ruleset,landlock_add_rule,close"} // TestSecurityLandlockCreateRuleset asserts end-to-end tracing of the |
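Review bot: the doc comment in this hunk says the byte count is getrandom's exit return value, which ior records as the exit byte count, yet `assertEventBytesAtLeast` is applied to the `enter_getrandom` event; add a sentence stating that ior attaches the exit byte count to the enter event (or assert on the exit tracepoint instead) so the test's intent matches its comment. Two smaller points: `result, _ := runScenarioResultWithIorArgs(...)` drops the second return value, so if it carries an error or process status it should be checked, or the drop justified in a comment; and the `ExpectedEvent{Tracepoint: "enter_getrandom", Comm: "ioworkload"}` literal appears twice, once in the expected list with `MinCount: 1` and once as `exp`, so declaring `exp` first and reusing it in both places would keep them from drifting apart.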
