authorPaul Buetow <paul@buetow.org>2026-05-30 21:50:29 +0300
committerPaul Buetow <paul@buetow.org>2026-05-30 21:50:29 +0300
commit654048bb6cb052a3b5f414508ab4839635865725 (patch)
treee14e5d1c5499091bdfa595fa43944ce6b4ca8c93 /internal/generate
parentb3e6798b340af13a1a2a4c670f5d55fae9f48a40 (diff)
test(generate): lock in listen(2) handler classification
Audit of syscall listen(2): int listen(int sockfd, int backlog). Confirmed the tracing implementation already matches the man page and its socket siblings (bind/connect/accept/getsockname/getpeername): - KindFd, capturing ev->fd = args[0] (sockfd) - FamilyNetwork - exit ret_event UNCLASSIFIED (returns 0/-1, no byte count) listen was already covered by the name-based classify/family/retclassify tests but lacked a dedicated generated-handler lock-in test like its bind/getsockname siblings. Add FormatListen/FormatExitListen tracepoint fixtures and TestGenerateListenHandler asserting the enter captures fd=args[0] (and never backlog at args[1]) and the exit stays UNCLASSIFIED. No classification or generated-code changes; mage generate produces no diff. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/generate')
-rw-r--r--internal/generate/codegen_test.go37
-rw-r--r--internal/generate/testdata.go43
2 files changed, 80 insertions, 0 deletions
diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index da86b86..818a2d2 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -123,6 +123,43 @@ func TestGenerateGetsocknameHandler(t *testing.T) {
requireNotContains(t, output, "ev->ret_type = TRANSFER_CLASSIFIED;")
}
+// TestGenerateListenHandler locks in the generated BPF C for listen(2):
+//
+// int listen(int sockfd, int backlog)
+//
+// listen marks the socket referred to by sockfd as passive (it will accept
+// incoming connections via accept(2)) and returns 0 on success or -1 on error.
+// Its sockfd is at args[0], so the enter handler is a KindFd fd_event capturing
+// ev->fd = args[0] — matching its socket siblings bind/connect/accept/
+// getsockname/getpeername. The backlog argument (args[1]) is a plain int queue
+// length, NOT a second fd, so it must NOT be captured. The exit handler is a
+// plain ret_event marked UNCLASSIFIED (0/-1, no byte count), so it must not
+// carry a READ/WRITE/TRANSFER classification — guarding against any mistaken
+// recvfrom/sendto-style byte-transfer accounting.
+func TestGenerateListenHandler(t *testing.T) {
+ output := generateFromPair(t, FormatListen, FormatExitListen)
+
+ // Enter: KindFd fd_event capturing the sockfd from args[0].
+ requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_listen")`)
+ requireContains(t, output, "struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);")
+ requireContains(t, output, "ev->event_type = ENTER_FD_EVENT;")
+ requireContains(t, output, "ev->trace_id = SYS_ENTER_LISTEN;")
+ requireContains(t, output, "ev->fd = (__s32)ctx->args[0];")
+
+ // Negative guards: the backlog (args[1]) must not be captured as another fd,
+ // and listen reads no userspace path/buffer.
+ requireNotContains(t, output, "bpf_probe_read_user_str")
+ requireNotContains(t, output, "ev->fd = (__s32)ctx->args[1];")
+
+ // Exit: plain ret_event, UNCLASSIFIED (listen returns 0/-1, no byte count).
+ requireContains(t, output, `SEC("tracepoint/syscalls/sys_exit_listen")`)
+ requireContains(t, output, "struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);")
+ requireContains(t, output, "ev->ret_type = UNCLASSIFIED;")
+ requireNotContains(t, output, "ev->ret_type = READ_CLASSIFIED;")
+ requireNotContains(t, output, "ev->ret_type = WRITE_CLASSIFIED;")
+ requireNotContains(t, output, "ev->ret_type = TRANSFER_CLASSIFIED;")
+}
+
func TestGeneratePidfdGetfdHandlerUsesPidfdArgument(t *testing.T) {
output := generateFromPair(t, FormatPidfdGetfd, FormatExitPidfdGetfd)
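Review bot: The negative guards in TestGenerateListenHandler are narrower than the comment above them claims ("listen reads no userspace path/buffer"). `requireNotContains(t, output, "bpf_probe_read_user_str")` only rules out the string helper, so a generated `bpf_probe_read_user` copy would still pass; matching on the shorter `"bpf_probe_read_user"` covers both. Likewise `"ev->fd = (__s32)ctx->args[1];"` catches only one exact spelling of a backlog capture. If the listen handlers are expected to reference no argument other than args[0] (not verifiable from this hunk), `requireNotContains(t, output, "ctx->args[1]")` would catch a capture under any field name or cast.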
diff --git a/internal/generate/testdata.go b/internal/generate/testdata.go
index d9fb2c0..0d57029 100644
--- a/internal/generate/testdata.go
+++ b/internal/generate/testdata.go
@@ -2297,6 +2297,49 @@ format:
print fmt: "0x%lx", REC->ret
`
+// FormatListen / FormatExitListen mirror the real kernel tracepoint format for
+// listen(2):
+//
+// int listen(int sockfd, int backlog).
+//
+// listen marks the socket referred to by sockfd as a passive socket that will
+// accept incoming connection requests via accept(2). The leading "fd" field
+// (sockfd at args[0]) makes the enter a KindFd fd_event capturing
+// ev->fd = args[0] — matching its socket siblings bind/connect/accept/
+// getsockname/getpeername. The backlog argument (args[1]) is a plain int queue
+// length, NOT a second fd, and must NOT be captured. On exit listen returns
+// 0/-1, which is UNCLASSIFIED (a plain ret_event, no read/write/transfer byte
+// count). Field names/offsets are copied verbatim from
+// /sys/kernel/tracing/events/syscalls/sys_enter_listen.
+const FormatListen = `name: sys_enter_listen
+ID: 1841
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:int fd; offset:16; size:8; signed:0;
+ field:int backlog; offset:24; size:8; signed:0;
+
+print fmt: "fd: 0x%08lx, backlog: 0x%08lx", ((unsigned long)(REC->fd)), ((unsigned long)(REC->backlog))
+`
+
+const FormatExitListen = `name: sys_exit_listen
+ID: 1840
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:long ret; offset:16; size:8; signed:1;
+
+print fmt: "0x%lx", REC->ret
+`
+
// FormatKexecFileLoad / FormatExitKexecFileLoad mirror the real kernel
// tracepoint format for kexec_file_load(2):
//
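Review bot: The provenance claim in the FormatListen comment is incomplete: it cites the directory `/sys/kernel/tracing/events/syscalls/sys_enter_listen` rather than the `format` file inside it, and it does not say where FormatExitListen was taken from. Because the `ID:` values (1841/1840) differ between kernel builds, the comment should also record the kernel version and architecture of the capture, e.g. `// Captured from .../sys_enter_listen/format and .../sys_exit_listen/format on <kernel version/arch>.` The trailing period after the prototype line `int listen(int sockfd, int backlog).` reads as part of the signature and could be dropped.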