authorPaul Buetow <paul@buetow.org>2026-05-29 23:00:28 +0300
committerPaul Buetow <paul@buetow.org>2026-05-29 23:00:28 +0300
commitff63b2c2fc99c9f4a2bb99248bd53d09df91712a (patch)
tree94e3d7b9fa1281360aad5609844ffcec5255d029 /internal/generate/classify_test.go
parent3cd431e7aac28fa7bacc37a7e751a9082287251d (diff)
test(generate): lock in setuid classification audit
Audit of setuid(2) confirmed correct tracing classification: - KindNull (single uid_t arg, never an fd or path) - FamilyProcess (credential-setting, consistent with siblings) - Unclassified exit ret (int 0/-1 status, not a byte count) Add lock-in tests asserting the setuid enter (KindNull, no pathname capture) and exit (KindRet, UNCLASSIFIED) classification, plus a family assertion covering the credential-setting cluster (setuid/setresuid/setreuid/setfsuid, the gid analogues, and the getuid/geteuid/... readers). Discovered out of scope: family.go omits seteuid/setegid from the FamilyProcess list (they fall through to Misc), unlike their siblings. These have no dedicated kernel tracepoints today, so it is latent; tracked as follow-up task 620. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/generate/classify_test.go')
-rw-r--r--internal/generate/classify_test.go47
1 files changed, 47 insertions, 0 deletions
diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index 5b233c2..77e19d1 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -454,6 +454,53 @@ func TestClassifyExitFallocateUnclassifiedRet(t *testing.T) {
}
}
+// TestClassifySetuidNullEnter locks in that the setuid enter tracepoint is
+// classified as KindNull. setuid(2) is "int setuid(uid_t uid)" — its single
+// argument is a numeric user ID, NOT a file descriptor or a path. It must
+// therefore map to a null_event (no argument capture); misclassifying it as an
+// fd-bearing kind would be a real bug, since the uid is not an fd and capturing
+// it as one would attribute the credential change to a bogus file. The whole
+// credential-setting cluster (setuid/seteuid/setresuid/setreuid/setfsuid and
+// the gid analogues) shares this KindNull treatment with the getuid readers.
+func TestClassifySetuidNullEnter(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: "sys_enter_setuid",
+ ExternalFields: []Field{
+ {Type: "long", Name: "__syscall_nr"},
+ {Type: "long", Name: "uid"},
+ },
+ })
+ if r.Kind != KindNull {
+ t.Fatalf("enter_setuid: got kind %d, want KindNull", r.Kind)
+ }
+ // The uid argument must never be captured as a file descriptor or path.
+ if r.PathnameField != "" {
+ t.Errorf("enter_setuid: unexpected PathnameField %q, want empty", r.PathnameField)
+ }
+}
+
+// TestClassifyExitSetuidUnclassifiedRet locks in that the setuid exit
+// tracepoint is classified as KindRet and Unclassified. setuid(2) returns int
+// (0 on success, -1 on error) — that return is a status code, NOT a
+// transferred byte count, so its exit format carries a single "ret" field and
+// must map to a plain ret_event (KindRet) whose ret_type stays UNCLASSIFIED.
+// Misclassifying it as a READ/WRITE/TRANSFER byte count would be a real bug.
+func TestClassifyExitSetuidUnclassifiedRet(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: "sys_exit_setuid",
+ ExternalFields: []Field{
+ {Type: "long", Name: "__syscall_nr"},
+ {Type: "long", Name: "ret"},
+ },
+ })
+ if r.Kind != KindRet {
+ t.Fatalf("exit_setuid: got kind %d, want KindRet", r.Kind)
+ }
+ if got := ClassifyRet("sys_exit_setuid"); got != Unclassified {
+ t.Errorf("ClassifyRet(sys_exit_setuid) = %q, want UNCLASSIFIED", got)
+ }
+}
+
// TestClassifyExitGetpeername locks in that the getpeername exit tracepoint is
// classified as KindRet. getpeername(2) returns int (0 on success, -1 on
// error), so its exit format carries a single "ret" field and must map to a
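Review bot: The doc comment on TestClassifySetuidNullEnter promises more than the test asserts: it says the whole credential-setting cluster shares the KindNull treatment and that the uid must never be captured as a file descriptor or path, but the body only feeds `sys_enter_setuid` and only checks `r.Kind` and `r.PathnameField`. Either narrow the comment, e.g. `// KindNull rules out fd capture; also confirm no pathname is recorded.`, or make the test table-driven over the sibling tracepoints so a regression in any one of them fails here. The fixture also declares the uid field as `Type: "long"`, whereas the kernel's format file, as far as I recall, declares it `uid_t`; if ClassifyFormat ever keys on field type, a fixture matching the real format would be the stronger lock-in for a credential-changing syscall.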