test(arch_prctl): lock in KindNull/UNCLASSIFIED + FamilyProcess

Audit of the arch_prctl(2) syscall found the tracing implementation
already correct and consistent with the man page:
- enter classifies as KindNull (op/addr never captured as fd/path)
- exit is a ret_event with UNCLASSIFIED ret_type (int 0/-1 status)
- family is Process (deliberately, unlike its x86 siblings
  ioperm/iopl/modify_ldt which are Misc), in sync with the docs and
  the tracepoints drift tests

Add dedicated lock-in tests mirroring the prior iopl audit, using the
real kernel tracepoint fields (option/arg2 on enter, ret on exit) so
the heuristics are proven safe even without the name-only mapping.
Also add explicit FamilyProcess assertions for arch_prctl and
personality to guard against drift toward Misc.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2 files changed, 71 insertions, 1 deletions

diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index 3be393d..3aea4fe 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -1864,6 +1864,66 @@ func TestClassifyExitIoplUnclassifiedRet(t *testing.T) {
 	}
 }
 
+// TestClassifyArchPrctlNullEnter locks in the arch_prctl(2) enter classification
+// using the syscall's REAL kernel tracepoint fields. arch_prctl(int op, unsigned
+// long addr) sets/gets x86-64-specific thread state (ARCH_SET_FS, ARCH_GET_FS,
+// ARCH_SET_GS, ARCH_GET_GS, ARCH_SET_CPUID, ARCH_GET_CPUID). The kernel exposes
+// these args as "option" (an int operation code) and "arg2" (an unsigned long
+// that is either a value for the SET ops or a userspace pointer for the GET ops).
+// Neither is a file descriptor and neither is a filesystem path. arch_prctl is in
+// nameOnlyKindsTable, so its enter classifies as KindNull by name before any field
+// heuristic runs — but the audit concern is that "option"/"arg2" must never be
+// captured as an fd or a path. Using the real fields here (rather than the
+// synthetic arg0 used by TestClassifyE7NullNameOnlyKinds) proves the heuristics
+// would not capture them even if the name-only mapping were removed: the fd
+// heuristic requires a field named "fd" (neither "option" nor "arg2" qualifies),
+// and no C-string-pointer path field exists. arch_prctl is deliberately
+// FamilyProcess (asserted in family_test.go), not Misc, unlike its x86 siblings
+// ioperm/iopl/modify_ldt.
+func TestClassifyArchPrctlNullEnter(t *testing.T) {
+	r := ClassifyFormat(&Format{
+		Name: "sys_enter_arch_prctl",
+		ExternalFields: []Field{
+			{Type: "int", Name: "__syscall_nr"},
+			{Type: "int", Name: "option"},
+			{Type: "unsigned long", Name: "arg2"},
+		},
+	})
+	if r.Kind != KindNull {
+		t.Fatalf("enter_arch_prctl: got kind %d, want KindNull", r.Kind)
+	}
+	// Neither the "option" code nor the "arg2" value/pointer must be captured as a
+	// file descriptor or a path.
+	if r.PathnameField != "" {
+		t.Errorf("enter_arch_prctl: unexpected PathnameField %q, want empty", r.PathnameField)
+	}
+}
+
+// TestClassifyExitArchPrctlUnclassifiedRet locks in that the arch_prctl exit
+// tracepoint is classified as KindRet and Unclassified. arch_prctl(2) returns int
+// (0 on success, -1 on error) — a status code, NOT a transferred byte count — so
+// its exit format carries a single "ret" field and must map to a plain ret_event
+// (KindRet) whose ret_type stays UNCLASSIFIED (matching the generated
+// handle_sys_exit_arch_prctl). Misclassifying that status as a READ/WRITE/TRANSFER
+// byte count would be a real bug. (The ARCH_GET_CPUID op returns the flag setting
+// in the return value, but it is still a small status code, not an I/O byte
+// count.)
+func TestClassifyExitArchPrctlUnclassifiedRet(t *testing.T) {
+	r := ClassifyFormat(&Format{
+		Name: "sys_exit_arch_prctl",
+		ExternalFields: []Field{
+			{Type: "long", Name: "__syscall_nr"},
+			{Type: "long", Name: "ret"},
+		},
+	})
+	if r.Kind != KindRet {
+		t.Fatalf("exit_arch_prctl: got kind %d, want KindRet", r.Kind)
+	}
+	if got := ClassifyRet("sys_exit_arch_prctl"); got != Unclassified {
+		t.Errorf("ClassifyRet(sys_exit_arch_prctl) = %q, want UNCLASSIFIED", got)
+	}
+}
+
 // TestClassifyIoprioNullKind locks in the argument-capture classification for
 // ioprio_set/ioprio_get using their real kernel tracepoint fields. Unlike the
 // name-only Misc/null syscalls above, ioprio_* are NOT in nameOnlyKindsTable:
diff --git a/internal/generate/family_test.go b/internal/generate/family_test.go
index 943994e..c350977 100644
--- a/internal/generate/family_test.go
+++ b/internal/generate/family_test.go
@@ -184,10 +184,20 @@ func TestClassifySyscallFamily(t *testing.T) {
 		// x86 I/O-port / CPU-state syscalls are not in the explicit family
 		// table and intentionally fall through to Misc (ioperm/iopl/modify_ldt
 		// set port-access or LDT state, not file I/O). arch_prctl/personality
-		// are deliberately classified as Process, so they are not listed here.
+		// are deliberately classified as Process (they are in the explicit family
+		// table) — locked in below to guard against drift toward Misc with their
+		// x86 siblings.
 		{"sys_enter_ioperm", FamilyMisc},
 		{"sys_enter_iopl", FamilyMisc},
 		{"sys_enter_modify_ldt", FamilyMisc},
+		// arch_prctl(2) sets/gets x86-64 thread state (FS/GS base, CPUID faulting).
+		// It is per-thread process/architecture state, grouped with the rest of the
+		// process-state cluster, NOT with the port-access/LDT siblings above.
+		{"sys_enter_arch_prctl", FamilyProcess},
+		{"sys_exit_arch_prctl", FamilyProcess},
+		// personality(2) sets the process execution domain — also Process, never Misc.
+		{"sys_enter_personality", FamilyProcess},
+		{"sys_exit_personality", FamilyProcess},
 		// rseq(2) registers/unregisters a per-thread restartable-sequences area
 		// (a userspace struct pointer, not an fd/path). It is not in the explicit
 		// family table and intentionally falls through to Misc, sharing the family