| author | Paul Buetow <paul@buetow.org> | 2026-05-29 22:32:55 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-29 22:32:55 +0300 |
| commit | 18c8e8f5f3d7cc9bbbcb9b8b9be65477110363a7 (patch) | |
| tree | 5a27462787e0591991558056fc3f152ca6bbe260 /internal/generate/testdata.go | |
| parent | 5aadfad3a145de9967120065587d830f09ad87aa (diff) | |
test(generate): lock in access/faccessat path classification

Audit of access(2) found the tracing implementation already correct:
FS family, KindPathname capturing the real path, and an UNCLASSIFIED
int 0/-1 ret_event on exit. access(2) captures its path from args[0]
(no dirfd), while siblings faccessat(2)/faccessat2(2) capture from
args[1] (dfd precedes the path). mage generate produces no diff and the
docs/integration coverage already match.

Add unit lock-in tests mirroring prior syscall audits:
- FormatAccess/FormatFaccessat tracepoint fixtures (real kernel formats).
- classify tests asserting both classify as KindPathname/"filename".
- family_test cluster asserting access/faccessat/faccessat2 stay FamilyFS.
- codegen test proving access reads ctx->args[0] while faccessat reads
ctx->args[1], guarding against a wrong-arg or dropped-path regression.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Diffstat (limited to 'internal/generate/testdata.go')
| -rw-r--r-- | internal/generate/testdata.go | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/internal/generate/testdata.go b/internal/generate/testdata.go index 8c2b1ee..0941f97 100644 --- a/internal/generate/testdata.go +++ b/internal/generate/testdata.go 
@@ -389,6 +389,51 @@ format: print fmt: "filename: 0x%08lx, times: 0x%08lx", ((unsigned long)(REC->filename)), ((unsigned long)(REC->times)) ` +// FormatAccess mirrors the real sys_enter_access tracepoint format. access(2) +// checks the calling process's permissions for a file; its first argument +// "filename" is a genuine const char * filesystem path at args[0] (there is no +// dirfd), so access classifies as KindPathname with PathnameField "filename" +// and the path is captured from args[0]. The trailing __data_loc field is the +// kernel's own copy of the string and is ignored by the classifier. +const FormatAccess = `name: sys_enter_access +ID: 817 +format: + field:unsigned short common_type; offset:0; size:2; signed:0; + field:unsigned char common_flags; offset:2; size:1; signed:0; + field:unsigned char common_preempt_count; offset:3; size:1; signed:0; + field:int common_pid; offset:4; size:4; signed:1; + + field:int __syscall_nr; offset:8; size:4; signed:1; + field:const char * filename; offset:16; size:8; signed:0; + field:int mode; offset:24; size:8; signed:0; + field:__data_loc char[] __filename_val; offset:32; size:4; signed:0; + +print fmt: "filename: 0x%08lx \"%s\", mode: 0x%08lx", ((unsigned long)(REC->filename)), __get_str(__filename_val), ((unsigned long)(REC->mode)) +` + +// FormatFaccessat mirrors the real sys_enter_faccessat tracepoint format. +// faccessat(2) is access(2) relative to a directory file descriptor: its first +// argument is "dfd" (the dirfd, args[0]) and the real path "filename" is at +// args[1]. It must therefore classify as KindPathname with PathnameField +// "filename" while capturing the path from args[1] (not args[0]) — the key +// difference from access(2), whose path is at args[0]. 
+const FormatFaccessat = `name: sys_enter_faccessat +ID: 821 +format: + field:unsigned short common_type; offset:0; size:2; signed:0; + field:unsigned char common_flags; offset:2; size:1; signed:0; + field:unsigned char common_preempt_count; offset:3; size:1; signed:0; + field:int common_pid; offset:4; size:4; signed:1; + + field:int __syscall_nr; offset:8; size:4; signed:1; + field:int dfd; offset:16; size:8; signed:0; + field:const char * filename; offset:24; size:8; signed:0; + field:int mode; offset:32; size:8; signed:0; + field:__data_loc char[] __filename_val; offset:40; size:4; signed:0; + +print fmt: "dfd: 0x%08lx, filename: 0x%08lx \"%s\", mode: 0x%08lx", ((unsigned long)(REC->dfd)), ((unsigned long)(REC->filename)), __get_str(__filename_val), ((unsigned long)(REC->mode)) +` + const FormatDup3 = `name: sys_enter_dup3 ID: 922 format: |
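
Review bot: FormatFaccessat is the only dirfd-relative fixture added in this hunk, yet the commit message says faccessat2(2) also captures its path from args[1]. Unless a FormatFaccessat2 constant already exists elsewhere in testdata.go, add one after FormatFaccessat so the args[1] capture is locked in for both siblings rather than inferred from one. Separately, the doc comments on both constants call these the real tracepoint formats but do not say which kernel they were captured from. The IDs (817, 821) and the trailing `__data_loc char[] __filename_val` field depend on the kernel build, so a one-line note naming the source kernel version would show when a fixture needs refreshing. The FormatAccess comment states that the classifier ignores the __data_loc field; repeating that on FormatFaccessat, or asserting it in the classify test with a fixture that omits the field, would keep the claim checkable.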
