test(getsockname): lock in KindFd/FamilyNetwork/UNCLASSIFIED classification

Audit of getsockname(2) confirmed correct tracing: enter is KindFd with
the sockfd captured from args[0], family is FamilyNetwork, and the exit
ret_event is UNCLASSIFIED (0/-1, no byte count) — matching the man page
and its bind/connect/listen/accept/getpeername siblings. Integration
coverage already exists (ioworkload calls Getsockname; TestSocketIntro-
spection asserts enter_getsockname).

Add lock-in tests symmetric with the existing getpeername coverage:
- TestClassifyExitGetsockname: exit tracepoint maps to KindRet.
- TestGenerateGetsocknameHandler: enter captures fd=args[0]; the addr
  output pointer (args[1]) and addrlen in/out pointer (args[2]) are not
  captured, and the exit stays UNCLASSIFIED.
- FormatGetsockname/FormatExitGetsockname fixtures copied verbatim from
  the real kernel tracepoint format (third arg is a pointer, unlike
  bind's by-value addrlen).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

1 files changed, 39 insertions, 0 deletions

diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index be94724..baf47d1 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -84,6 +84,45 @@ func TestGenerateBindHandler(t *testing.T) {
 	requireNotContains(t, output, "ev->ret_type = TRANSFER_CLASSIFIED;")
 }
 
+// TestGenerateGetsocknameHandler locks in the generated BPF C for getsockname(2):
+//
+//	int getsockname(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
+//
+// getsockname returns the local address a socket is bound to and yields 0 on
+// success or -1 on error. Its sockfd is at args[0], so the enter handler is a
+// KindFd fd_event capturing ev->fd = args[0] — matching its socket siblings
+// bind/connect/listen/accept/getpeername. The addr output pointer (args[1]) and
+// the addrlen in/out pointer (args[2]) must NOT be captured: getsockname reads
+// no path and copies no userspace buffer we track. The exit handler is a plain
+// ret_event marked UNCLASSIFIED (0/-1, no byte count), so it must not carry a
+// READ/WRITE/TRANSFER classification — guarding against any mistaken
+// recvfrom/sendto-style byte-transfer accounting.
+func TestGenerateGetsocknameHandler(t *testing.T) {
+	output := generateFromPair(t, FormatGetsockname, FormatExitGetsockname)
+
+	// Enter: KindFd fd_event capturing the sockfd from args[0].
+	requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_getsockname")`)
+	requireContains(t, output, "struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);")
+	requireContains(t, output, "ev->event_type = ENTER_FD_EVENT;")
+	requireContains(t, output, "ev->trace_id = SYS_ENTER_GETSOCKNAME;")
+	requireContains(t, output, "ev->fd = (__s32)ctx->args[0];")
+
+	// Negative guards: the sockaddr output pointer (args[1]) must never be read
+	// as a path/buffer, and the addrlen pointer (args[2]) must not be captured as
+	// another fd.
+	requireNotContains(t, output, "bpf_probe_read_user_str")
+	requireNotContains(t, output, "ev->fd = (__s32)ctx->args[1];")
+	requireNotContains(t, output, "ev->fd = (__s32)ctx->args[2];")
+
+	// Exit: plain ret_event, UNCLASSIFIED (getsockname returns 0/-1, no byte count).
+	requireContains(t, output, `SEC("tracepoint/syscalls/sys_exit_getsockname")`)
+	requireContains(t, output, "struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);")
+	requireContains(t, output, "ev->ret_type = UNCLASSIFIED;")
+	requireNotContains(t, output, "ev->ret_type = READ_CLASSIFIED;")
+	requireNotContains(t, output, "ev->ret_type = WRITE_CLASSIFIED;")
+	requireNotContains(t, output, "ev->ret_type = TRANSFER_CLASSIFIED;")
+}
+
 func TestGeneratePidfdGetfdHandlerUsesPidfdArgument(t *testing.T) {
 	output := generateFromPair(t, FormatPidfdGetfd, FormatExitPidfdGetfd)