| author | Paul Buetow <paul@buetow.org> | 2026-05-30 10:08:52 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-30 10:08:52 +0300 |
| commit | 23579dbdac320884bcdd670e46744b5f4ab45d5d (patch) | |
| tree | 47c228cd136850cd08e3888e0ff94252d8a4649e /internal/generate/family_test.go | |
| parent | 66fdd29a27af496091bbfff827d5e16d8f168798 (diff) | |
fix(family): classify seteuid/setegid as Process for consistency
classify.go has KindNull entries for sys_enter_seteuid/sys_enter_setegid,
but family.go's FamilyProcess credential cluster omitted them, so
ClassifySyscallFamily returned Misc — inconsistent with their siblings
setuid/setgid/setresuid/setreuid/setfsuid. Add seteuid/setegid to the
FamilyProcess group with a comment noting they are latent: current kernels
expose no dedicated seteuid/setegid tracepoints (glibc wraps them over
setreuid/setresuid), so they never reach the generated tracepoint map or
docs/syscall-tracing-plan.md. mage generate confirmed idempotent with no
diff, so docs/drift test are untouched. Lock-in unit tests assert Process
for seteuid/setegid (enter+exit) by name directly, since no tracepoint exists.
Refs task 620.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/generate/family_test.go')
| -rw-r--r-- | internal/generate/family_test.go | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/internal/generate/family_test.go b/internal/generate/family_test.go index 50c8120..71f0d0d 100644 --- a/internal/generate/family_test.go +++ b/internal/generate/family_test.go @@ -210,13 +210,19 @@ func TestClassifySyscallFamily(t *testing.T) { // setgid/setresgid/setregid/setfsgid/setgroups, and the matching credential // readers getuid/geteuid/getgid/getegid/getresuid/getresgid/getgroups. // Assert the cluster (enter and exit for setuid) so a stray - // reclassification of any one credential syscall trips this test. Note: - // seteuid/setegid have no dedicated kernel tracepoints (they are libc - // wrappers over setreuid/setresuid), so they never reach this classifier - // and are intentionally not asserted here. Keep in sync with the Process - // list in docs/syscall-tracing-plan.md. + // reclassification of any one credential syscall trips this test. + // seteuid/setegid (set effective uid/gid) belong with the cluster too, + // but have no dedicated kernel tracepoints (they are libc wrappers over + // setreuid/setresuid), so they never reach the generated tracepoint map + // or docs/syscall-tracing-plan.md. They are still classified as Process + // in family.go for consistency, so assert them here by name directly + // (no tracepoint required) to lock in that latent classification. {"sys_enter_setuid", FamilyProcess}, {"sys_exit_setuid", FamilyProcess}, + {"sys_enter_seteuid", FamilyProcess}, + {"sys_exit_seteuid", FamilyProcess}, + {"sys_enter_setegid", FamilyProcess}, + {"sys_exit_setegid", FamilyProcess}, {"sys_enter_setresuid", FamilyProcess}, {"sys_enter_setreuid", FamilyProcess}, {"sys_enter_setfsuid", FamilyProcess}, |
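Review bot: the rewritten comment above the credential cluster in TestClassifySyscallFamily drops the sentence "Keep in sync with the Process list in docs/syscall-tracing-plan.md", which still applies to setuid, setresuid, setreuid, setfsuid and the other entries that do reach the generated tracepoint map. Suggest keeping that reminder for the tracepoint-backed entries and stating that only seteuid/setegid are exempt from it. The parenthetical "(enter and exit for setuid)" is also stale now that sys_exit_seteuid and sys_exit_setegid are asserted as well, so it should name all three enter/exit pairs. Since the four new rows are the only ones with no tracepoint behind them, a short marker next to them (or grouping them after the tracepoint-backed rows) would stop a later reader from treating their absence from the generated map as drift.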
