| author | Paul Buetow <paul@buetow.org> | 2026-05-29 16:58:36 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-29 16:58:36 +0300 |
| commit | d526d0a5f482a3b12675bd281683c58b23d9093c (patch) | |
| tree | 2c7f9a2918fd40d89436745a31181cf0a58df306 /internal/generate | |
| parent | e4d91d9a0e0e3dfb3ec6914c265c2f117a66d062 (diff) | |
classify: move lsm_* syscalls from Misc to Security family
The Linux Security Module introspection syscalls lsm_list_modules,
lsm_get_self_attr and lsm_set_self_attr (Linux 6.8+) were classified as
FamilyMisc while every sibling LSM/security syscall (landlock_*, keyctl,
add_key, request_key, seccomp) is FamilySecurity. This audited
inconsistency is fixed by adding the three lsm_* entries to the
syscallFamilies map; their kind stays KindNull (args are userspace
pointers + flags, no fd/path) and the exit remains a ret_event.
Docs (syscall-tracing-plan.md) updated accordingly, generated artifacts
regenerated via mage generate, and lock-in family assertions added to
TestClassifySyscallPairEmitsAllFamilies.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/generate')
| -rw-r--r-- | internal/generate/classify_test.go | 6 | ||||
| -rw-r--r-- | internal/generate/family.go | 8 |
2 files changed, 13 insertions, 1 deletions
diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index c9ac8eb..b925a03 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -1540,6 +1540,12 @@ func TestClassifySyscallPairEmitsAllFamilies(t *testing.T) {
 {"request_key", syntheticEnter("request_key", 9304), syntheticExit("request_key", 9303), FamilySecurity},
 {"ptrace", syntheticEnter("ptrace", 9306), syntheticExit("ptrace", 9305), FamilySecurity},
 {"perf_event_open", syntheticEnter("perf_event_open", 9308), syntheticExit("perf_event_open", 9307), FamilySecurity},
+ // lsm_* are the Linux Security Module introspection syscalls (Linux
+ // 6.8+); they belong with their landlock_*/keyctl/*_key siblings in
+ // the Security family, not Misc.
+ {"lsm_list_modules", syntheticEnter("lsm_list_modules", 9412), syntheticExit("lsm_list_modules", 9411), FamilySecurity},
+ {"lsm_get_self_attr", syntheticEnter("lsm_get_self_attr", 9414), syntheticExit("lsm_get_self_attr", 9413), FamilySecurity},
+ {"lsm_set_self_attr", syntheticEnter("lsm_set_self_attr", 9416), syntheticExit("lsm_set_self_attr", 9415), FamilySecurity},
 {"mount", FormatMount, FormatExitMount, FamilyFS},
 {"umount", FormatUmount, FormatExitUmount, FamilyFS},
 {"move_mount", FormatMoveMount, FormatExitMoveMount, FamilyFS},
diff --git a/internal/generate/family.go b/internal/generate/family.go
index a883bf8..1ea8bca 100644
--- a/internal/generate/family.go
+++ b/internal/generate/family.go
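Review bot: In classify_test.go the added comment labels all three lsm_* calls "introspection", but lsm_set_self_attr changes the calling task's LSM attribute rather than reading it, as the "get/set" wording in the family.go comment already shows; the family.go comment opens with the same label. Someone triaging a trace by family would want the read/write split visible, e.g. `// lsm_list_modules and lsm_get_self_attr read LSM state; lsm_set_self_attr changes the caller's LSM attribute (Linux 6.8+).` The table rows belong to TestClassifySyscallPairEmitsAllFamilies, whose body starts and ends outside this hunk.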
@@ -121,7 +121,13 @@ var syscallFamilies = map[string]SyscallFamily{ "kexec_file_load": FamilySecurity, "keyctl": FamilySecurity, "landlock_add_rule": FamilySecurity, "landlock_create_ruleset": FamilySecurity, "landlock_restrict_self": FamilySecurity, "lookup_dcookie": FamilySecurity, - "perf_event_open": FamilySecurity, "ptrace": FamilySecurity, + // lsm_* are the Linux Security Module (LSM) introspection syscalls + // (Linux 6.8+): list loaded LSMs and get/set per-task LSM attributes. + // They belong with the other security syscalls, alongside their + // landlock_* and *_key siblings. + "lsm_get_self_attr": FamilySecurity, "lsm_list_modules": FamilySecurity, + "lsm_set_self_attr": FamilySecurity, + "perf_event_open": FamilySecurity, "ptrace": FamilySecurity, "request_key": FamilySecurity, "seccomp": FamilySecurity, } |
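Review bot: The syscallFamilies map gains three keys and loses none, so the lsm_* names presumably reached FamilyMisc through a default for names absent from the map; that fallback is not visible in this hunk. If so, a security-relevant syscall added by a future kernel will land in Misc the same way and be missed by anyone filtering on the Security family. Consider recording that next to the map, e.g. `// NOTE: names missing from this map get the default family; add new LSM/key/sandbox syscalls here explicitly.`, and adding a test that fails when the generator sees a syscall with no explicit entry. The map literal starts outside the hunk.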
