| author | Paul Buetow <paul@buetow.org> | 2026-05-30 10:31:04 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-30 10:31:04 +0300 |
| commit | 7595c52029ddd83bdcc48481528f2af7c4ccb1a0 (patch) | |
| tree | 27ef00932d563db5276c074850e996849d87381f /internal/generate | |
| parent | d7ed10ef5f3d819c7232302317c8ba149922b391 (diff) | |
test(setpgid): lock in KindNull/Process/UNCLASSIFIED audit findings
Audit of setpgid(pid_t pid, pid_t pgid): both args are process/process-
group identifiers (kernel tracepoint type pid_t), never an fd or path;
the call returns int 0/-1. Verified it is correctly classified KindNull
(null_event), FamilyProcess, and UNCLASSIFIED ret, and that the Process
and null lists in docs/syscall-tracing-plan.md stay in sync. No
classification change was needed.
Add lock-in tests so a future stray reclassification trips immediately:
- TestClassifySetpgidNullEnter feeds the REAL tracepoint fields (pid_t
pid, pid_t pgid) and asserts KindNull, proving args[0] (pid) is never
mistaken for an fd: isFdType matches only int/unsigned int/unsigned
long (not pid_t) and the fd heuristic also requires field name fd.
- TestClassifyExitSetpgidUnclassifiedRet asserts the exit is KindRet and
ClassifyRet stays UNCLASSIFIED (status code, not a byte count).
- Add setpgid to the retclassify UNCLASSIFIED cluster beside setsid/getsid.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/generate')
| -rw-r--r-- | internal/generate/classify_test.go | 54 | ||||
| -rw-r--r-- | internal/generate/retclassify_test.go | 6 |
2 files changed, 60 insertions, 0 deletions
diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index bebf85e..0705a2d 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -501,6 +501,60 @@ func TestClassifyExitSetuidUnclassifiedRet(t *testing.T) {
 }
 }
 
+// TestClassifySetpgidNullEnter locks in the setpgid(2) enter classification
+// using the syscall's REAL tracepoint fields. setpgid(pid_t pid, pid_t pgid)
+// sets the process group ID of a process; both arguments are process/process-
+// group identifiers (the kernel tracepoint declares them as field type
+// "pid_t"), NOT file descriptors and NOT filesystem paths. The audit concern is
+// that args[0] ("pid") could be mistaken for an fd: it must not be. setpgid has
+// no fd or path argument, so its enter format must classify as KindNull
+// (null_event) — matching its session/process-group siblings setsid/getsid/
+// getpgid/getpgrp and the explicit name-only mapping in classify.go. Using the
+// real "pid"/"pgid" pid_t fields here (rather than a synthetic arg0) proves the
+// generic field heuristics never capture them: isFdType only matches int/
+// unsigned int/unsigned long (not "pid_t"), and the fd heuristic additionally
+// requires the field name be "fd", which neither "pid" nor "pgid" is.
+func TestClassifySetpgidNullEnter(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: "sys_enter_setpgid",
+ ExternalFields: []Field{
+ {Type: "int", Name: "__syscall_nr"},
+ {Type: "pid_t", Name: "pid"},
+ {Type: "pid_t", Name: "pgid"},
+ },
+ })
+ if r.Kind != KindNull {
+ t.Fatalf("enter_setpgid: got kind %d, want KindNull", r.Kind)
+ }
+ // Neither pid argument must be captured as a file descriptor or path.
+ if r.PathnameField != "" {
+ t.Errorf("enter_setpgid: unexpected PathnameField %q, want empty", r.PathnameField)
+ }
+}
+
+// TestClassifyExitSetpgidUnclassifiedRet locks in that the setpgid exit
+// tracepoint is classified as KindRet and Unclassified. setpgid(2) returns int
+// (0 on success, -1 on error) — a status code, NOT a transferred byte count —
+// so its exit format carries a single "ret" field and must map to a plain
+// ret_event (KindRet) whose ret_type stays UNCLASSIFIED. This matches its
+// sibling setsid/getsid (asserted in retclassify_test.go); misclassifying it as
+// a READ/WRITE/TRANSFER byte count would be a real bug.
+func TestClassifyExitSetpgidUnclassifiedRet(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: "sys_exit_setpgid",
+ ExternalFields: []Field{
+ {Type: "int", Name: "__syscall_nr"},
+ {Type: "long", Name: "ret"},
+ },
+ })
+ if r.Kind != KindRet {
+ t.Fatalf("exit_setpgid: got kind %d, want KindRet", r.Kind)
+ }
+ if got := ClassifyRet("sys_exit_setpgid"); got != Unclassified {
+ t.Errorf("ClassifyRet(sys_exit_setpgid) = %q, want UNCLASSIFIED", got)
+ }
+}
+
 // TestClassifyExitGetpeername locks in that the getpeername exit tracepoint is
 // classified as KindRet. getpeername(2) returns int (0 on success, -1 on
 // error), so its exit format carries a single "ret" field and must map to a
diff --git a/internal/generate/retclassify_test.go b/internal/generate/retclassify_test.go
index c434b7d..2f53437 100644
--- a/internal/generate/retclassify_test.go
+++ b/internal/generate/retclassify_test.go
@@ -84,6 +84,12 @@ func TestClassifyRetUnclassified(t *testing.T) {
 // byte transfer.
 "setsid",
 "getsid",
+ // setpgid(2) sets the process group ID of a process and returns int
+ // 0 on success or -1 on error — a status code, not a transferred byte
+ // count. Its exit must stay UNCLASSIFIED (plain ret_event), exactly
+ // like its session/process-group siblings setsid/getsid above and the
+ // pid-returning getpid/getppid below.
+ "setpgid",
 "getpid",
 "getppid",
 } |
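Review bot: In classify_test.go, the comment `// Neither pid argument must be captured as a file descriptor or path.` in TestClassifySetpgidNullEnter is followed only by a check of `r.PathnameField`, so the file-descriptor half of the claim is never asserted. If the classification result exposes an fd-capture field (not visible in this hunk), assert that it is empty as well; otherwise narrow the comment to `// The pid arguments must not be captured as a path.`. The doc comment also says setpgid has an explicit name-only mapping in classify.go; if that mapping is consulted before the field heuristics, the test returns KindNull whatever isFdType does with `pid_t`, so "proves the generic field heuristics never capture them" is stronger than what is tested. A direct assertion on isFdType for a `pid_t` field would pin that property independently of the name mapping.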
