| field | value | date |
|---|---|---|
| author | Paul Buetow <paul@buetow.org> | 2026-05-29 23:00:28 +0300 |
| committer | Paul Buetow <paul@buetow.org> | 2026-05-29 23:00:28 +0300 |
| commit | ff63b2c2fc99c9f4a2bb99248bd53d09df91712a | |
| tree | 94e3d7b9fa1281360aad5609844ffcec5255d029 /internal/generate/family_test.go | |
| parent | 3cd431e7aac28fa7bacc37a7e751a9082287251d | |
test(generate): lock in setuid classification audit

Audit of setuid(2) confirmed correct tracing classification:
- KindNull (single uid_t arg, never an fd or path)
- FamilyProcess (credential-setting, consistent with siblings)
- Unclassified exit ret (int 0/-1 status, not a byte count)

Add lock-in tests asserting the setuid enter (KindNull, no pathname
capture) and exit (KindRet, UNCLASSIFIED) classification, plus a
family assertion covering the credential-setting cluster
(setuid/setresuid/setreuid/setfsuid, the gid analogues, and the
getuid/geteuid/... readers).

Discovered out of scope: family.go omits seteuid/setegid from the
FamilyProcess list (they fall through to Misc), unlike their siblings.
These have no dedicated kernel tracepoints today, so it is latent;
tracked as follow-up task 620.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/generate/family_test.go')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | internal/generate/family_test.go | 29 |

1 files changed, 29 insertions, 0 deletions
diff --git a/internal/generate/family_test.go b/internal/generate/family_test.go index cba4f8e..944eed9 100644 --- a/internal/generate/family_test.go +++ b/internal/generate/family_test.go @@ -189,6 +189,35 @@ func TestClassifySyscallFamily(t *testing.T) { {"sys_exit_ioprio_set", FamilyProcess}, {"sys_enter_getpriority", FamilyProcess}, {"sys_enter_setpriority", FamilyProcess}, + // setuid(2) sets the process credential (effective, and possibly real and + // saved, user ID); it is a process/credential-management syscall and shares + // FamilyProcess with its credential-setting cluster — the uid setters + // setresuid/setreuid/setfsuid, the gid analogues + // setgid/setresgid/setregid/setfsgid/setgroups, and the matching credential + // readers getuid/geteuid/getgid/getegid/getresuid/getresgid/getgroups. + // Assert the cluster (enter and exit for setuid) so a stray + // reclassification of any one credential syscall trips this test. Note: + // seteuid/setegid have no dedicated kernel tracepoints (they are libc + // wrappers over setreuid/setresuid), so they never reach this classifier + // and are intentionally not asserted here. Keep in sync with the Process + // list in docs/syscall-tracing-plan.md. + {"sys_enter_setuid", FamilyProcess}, + {"sys_exit_setuid", FamilyProcess}, + {"sys_enter_setresuid", FamilyProcess}, + {"sys_enter_setreuid", FamilyProcess}, + {"sys_enter_setfsuid", FamilyProcess}, + {"sys_enter_setgid", FamilyProcess}, + {"sys_enter_setresgid", FamilyProcess}, + {"sys_enter_setregid", FamilyProcess}, + {"sys_enter_setfsgid", FamilyProcess}, + {"sys_enter_setgroups", FamilyProcess}, + {"sys_enter_getuid", FamilyProcess}, + {"sys_enter_geteuid", FamilyProcess}, + {"sys_enter_getgid", FamilyProcess}, + {"sys_enter_getegid", FamilyProcess}, + {"sys_enter_getresuid", FamilyProcess}, + {"sys_enter_getresgid", FamilyProcess}, + {"sys_enter_getgroups", FamilyProcess}, {"sys_enter_unlisted_future_syscall", FamilyMisc}, } |
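Review bot: the in-code comment added in this hunk explains the seteuid/setegid omission differently from the commit message, and the discrepancy is worth closing in the comment itself. The comment says they "never reach this classifier" because they are libc wrappers with no dedicated tracepoints and are "intentionally not asserted here", while the commit message records that family.go also omits them from the FamilyProcess list so they would fall through to FamilyMisc, a latent mismatch tracked as follow-up task 620. Suggest extending the comment so the gap is visible from the test rather than only from git log, e.g. after the "intentionally not asserted here" sentence: `// family.go likewise does not list seteuid/setegid under FamilyProcess; if a tracepoint for them ever appears they would classify as FamilyMisc (follow-up task 620).` Two smaller points on the same comment: the claim that it must be kept in sync with the Process list in docs/syscall-tracing-plan.md has no corresponding change in this diffstat, so either that doc already lists the whole cluster or it needs the same update in this commit; and the table comment uses an em dash where the surrounding test file uses plain ASCII comments, so a plain comma or colon would match the file's style.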
