diff options
| author | Paul Buetow <paul@buetow.org> | 2026-05-29 17:36:18 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-29 17:36:18 +0300 |
| commit | 6f0280a5ff32dce9d32758bfda52e0be7eb17b34 (patch) | |
| tree | 8ed3fb324744fe6ca9725517e92f1de425897146 /internal/export | |
| parent | 372d01873ccdc7db9a076c12577d5b1ab6288d10 (diff) | |
test(generate): lock in init_module vs finit_module classification
Audit of init_module (man 2 init_module) confirmed the implementation is
correct: init_module(void *module_image, unsigned long len, const char
*param_values) is classified KindModule (null_event), capturing neither
an fd nor a path — param_values is a module-parameter string, not a
filesystem path. finit_module(int fd, ...) is classified KindFd via
field-based matching and captures fd = args[0]. Both syscalls live in the
Security family and match docs/syscall-tracing-plan.md.
No explicit finit_module test or init_module-vs-finit_module distinction
test existed, so add lock-in coverage:
- testdata.go: real-layout Format constants for (f)init_module enter/exit.
- classify_test.go: assert init_module=KindModule with no PathnameField
and finit_module=KindFd.
- codegen_test.go: assert generated BPF C for init_module captures no fd
and no filename/path, while finit_module captures fd = args[0].
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/export')
0 files changed, 0 insertions, 0 deletions