| author | Paul Buetow <paul@buetow.org> | 2026-05-30 17:12:25 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-30 17:12:25 +0300 |
| commit | e462a4d9963a2949f0670a00a013dd362b5219d1 (patch) | |
| tree | c867fda30f98a31bc507f0a25c35e373243b7068 /internal/generate | |
| parent | 07927004d6403dc88a8c24b2751d845ec1765376 (diff) | |
kexec_load: classify into Security family with its sibling
kexec_load(2) and kexec_file_load are documented together on the same
man page and both load a new kernel for later execution by reboot(2).
kexec_file_load was already FamilySecurity, but kexec_load fell through
to FamilyMisc. Move kexec_load to FamilySecurity so the siblings share
a family. Kind classification was already correct: kexec_load takes raw
user pointers (KindNull, no fd/path) while kexec_file_load takes fds
(KindFd); the return value (long 0/-1, no byte count) stays UNCLASSIFIED.
Update docs/syscall-tracing-plan.md to match, regenerate artifacts, and
add lock-in tests for the family and UNCLASSIFIED return of both kexec
syscalls plus reboot.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/generate')
| -rw-r--r-- | internal/generate/family.go | 7 | ||||
| -rw-r--r-- | internal/generate/family_test.go | 7 | ||||
| -rw-r--r-- | internal/generate/retclassify_test.go | 8 |
3 files changed, 21 insertions, 1 deletions
diff --git a/internal/generate/family.go b/internal/generate/family.go index daa7ab8..301c638 100644 --- a/internal/generate/family.go +++ b/internal/generate/family.go @@ -184,7 +184,12 @@ var syscallFamilies = map[string]SyscallFamily{ "add_key": FamilySecurity, "bpf": FamilySecurity, "capget": FamilySecurity, "capset": FamilySecurity, "delete_module": FamilySecurity, "finit_module": FamilySecurity, "getrandom": FamilySecurity, "init_module": FamilySecurity, - "kexec_file_load": FamilySecurity, "keyctl": FamilySecurity, + // kexec_load and kexec_file_load are documented together on the same man + // page (kexec_load(2)): both load a new kernel for later execution by + // reboot(2). They belong in the same family even though kexec_load takes + // raw user pointers (KindNull) while kexec_file_load takes fds (KindFd). + "kexec_file_load": FamilySecurity, "kexec_load": FamilySecurity, + "keyctl": FamilySecurity, "landlock_add_rule": FamilySecurity, "landlock_create_ruleset": FamilySecurity, "landlock_restrict_self": FamilySecurity, "lookup_dcookie": FamilySecurity, // lsm_* are the Linux Security Module (LSM) introspection syscalls diff --git a/internal/generate/family_test.go b/internal/generate/family_test.go index 475a75f..9dd9a8b 100644 --- a/internal/generate/family_test.go +++ b/internal/generate/family_test.go 
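Review bot: The comment added above `"kexec_file_load": FamilySecurity, "kexec_load": FamilySecurity,` in family.go justifies the family by man-page co-location, which explains why the two entries match but not why either belongs in FamilySecurity. The security-relevant property is that both calls stage a replacement kernel and require CAP_SYS_BOOT, and that kexec_load takes the image from caller memory, so the file-based signature check available to kexec_file_load does not apply; I would say so, e.g. `// kexec_load and kexec_file_load both stage a replacement kernel (CAP_SYS_BOOT); kexec_load reads the image from caller memory, so no file signature check applies.` The KindNull/KindFd detail belongs to a different classification and may go stale here. Near-identical wording is repeated in the family_test.go and retclassify_test.go hunks, so a single authoritative copy would be easier to keep correct. The map literal starts and ends outside the hunk.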
@@ -147,6 +147,13 @@ func TestClassifySyscallFamily(t *testing.T) {
 {"sys_enter_epoll_wait", FamilyPolling},
 {"sys_enter_io_uring_enter", FamilyAIO},
 {"sys_enter_bpf", FamilySecurity},
+ // kexec_load and kexec_file_load are siblings on the kexec_load(2) man
+ // page (both load a new kernel for later execution by reboot(2)) and
+ // must share the Security family even though kexec_load takes raw user
+ // pointers (KindNull) and kexec_file_load takes fds (KindFd).
+ {"sys_enter_kexec_load", FamilySecurity},
+ {"sys_enter_kexec_file_load", FamilySecurity},
+ {"sys_exit_kexec_load", FamilySecurity},
 // Futexes are shared-memory synchronization/IPC primitives ("fast
 // user-space locking", futex(2)); the classic futex() and the Linux
 // 6.7+ split syscalls all classify as IPC alongside the System V
diff --git a/internal/generate/retclassify_test.go b/internal/generate/retclassify_test.go
index f26d803..ad548b2 100644
--- a/internal/generate/retclassify_test.go
+++ b/internal/generate/retclassify_test.go
@@ -109,6 +109,14 @@ func TestClassifyRetUnclassified(t *testing.T) {
 "listen",
 "getsockname",
 "getpeername",
+ // kexec_load(2) loads a new kernel for later execution by reboot(2) and
+ // returns long 0 on success or -1 on error — a status code, NOT a
+ // transferred byte count. Its exit must stay UNCLASSIFIED (plain
+ // ret_event), exactly like its sibling kexec_file_load and the
+ // system/admin syscall reboot below.
+ "kexec_load",
+ "kexec_file_load",
+ "reboot",
 }
 for _, name := range unclassified {
 if got := ClassifyRet("sys_exit_" + name); got != Unclassified { |
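Review bot: The cases added to `TestClassifySyscallFamily` in family_test.go omit `sys_exit_kexec_file_load`: the enter side is pinned for both siblings but the exit side only for kexec_load. Adding `{"sys_exit_kexec_file_load", FamilySecurity},` makes the table symmetric, so a regression in exit-name handling for that one syscall cannot slip through. The commit message also names reboot, which is asserted only in retclassify_test.go; if its family is meant to be locked in as well, a case would belong in this table, though reboot's family is not visible from these hunks. The test function's body continues outside the hunk.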
