3 files changed, 100 insertions, 0 deletions

diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index 4efdaee..b562689 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -696,6 +696,24 @@ func TestClassifyExitGetpeername(t *testing.T) {
 	}
 }
 
+// TestClassifyExitGetsockname locks in that the getsockname exit tracepoint is
+// classified as KindRet. getsockname(2) returns int (0 on success, -1 on
+// error), so its exit format carries a single "ret" field and must map to a
+// plain ret_event, matching the generated sys_exit_getsockname handler — just
+// like its sibling getpeername (see TestClassifyExitGetpeername).
+func TestClassifyExitGetsockname(t *testing.T) {
+	r := ClassifyFormat(&Format{
+		Name: "sys_exit_getsockname",
+		ExternalFields: []Field{
+			{Type: "long", Name: "__syscall_nr"},
+			{Type: "long", Name: "ret"},
+		},
+	})
+	if r.Kind != KindRet {
+		t.Errorf("exit_getsockname: got kind %d, want KindRet", r.Kind)
+	}
+}
+
 func TestClassifySocket(t *testing.T) {
 	r := classifyFromData(t, FormatSocket)
 	if r.Kind != KindSocket {
diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index be94724..baf47d1 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -84,6 +84,45 @@ func TestGenerateBindHandler(t *testing.T) {
 	requireNotContains(t, output, "ev->ret_type = TRANSFER_CLASSIFIED;")
 }
 
+// TestGenerateGetsocknameHandler locks in the generated BPF C for getsockname(2):
+//
+//	int getsockname(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
+//
+// getsockname returns the local address a socket is bound to and yields 0 on
+// success or -1 on error. Its sockfd is at args[0], so the enter handler is a
+// KindFd fd_event capturing ev->fd = args[0] — matching its socket siblings
+// bind/connect/listen/accept/getpeername. The addr output pointer (args[1]) and
+// the addrlen in/out pointer (args[2]) must NOT be captured: getsockname reads
+// no path and copies no userspace buffer we track. The exit handler is a plain
+// ret_event marked UNCLASSIFIED (0/-1, no byte count), so it must not carry a
+// READ/WRITE/TRANSFER classification — guarding against any mistaken
+// recvfrom/sendto-style byte-transfer accounting.
+func TestGenerateGetsocknameHandler(t *testing.T) {
+	output := generateFromPair(t, FormatGetsockname, FormatExitGetsockname)
+
+	// Enter: KindFd fd_event capturing the sockfd from args[0].
+	requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_getsockname")`)
+	requireContains(t, output, "struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);")
+	requireContains(t, output, "ev->event_type = ENTER_FD_EVENT;")
+	requireContains(t, output, "ev->trace_id = SYS_ENTER_GETSOCKNAME;")
+	requireContains(t, output, "ev->fd = (__s32)ctx->args[0];")
+
+	// Negative guards: the sockaddr output pointer (args[1]) must never be read
+	// as a path/buffer, and the addrlen pointer (args[2]) must not be captured as
+	// another fd.
+	requireNotContains(t, output, "bpf_probe_read_user_str")
+	requireNotContains(t, output, "ev->fd = (__s32)ctx->args[1];")
+	requireNotContains(t, output, "ev->fd = (__s32)ctx->args[2];")
+
+	// Exit: plain ret_event, UNCLASSIFIED (getsockname returns 0/-1, no byte count).
+	requireContains(t, output, `SEC("tracepoint/syscalls/sys_exit_getsockname")`)
+	requireContains(t, output, "struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);")
+	requireContains(t, output, "ev->ret_type = UNCLASSIFIED;")
+	requireNotContains(t, output, "ev->ret_type = READ_CLASSIFIED;")
+	requireNotContains(t, output, "ev->ret_type = WRITE_CLASSIFIED;")
+	requireNotContains(t, output, "ev->ret_type = TRANSFER_CLASSIFIED;")
+}
+
 func TestGeneratePidfdGetfdHandlerUsesPidfdArgument(t *testing.T) {
 	output := generateFromPair(t, FormatPidfdGetfd, FormatExitPidfdGetfd)
 
diff --git a/internal/generate/testdata.go b/internal/generate/testdata.go
index f26234f..3a5920f 100644
--- a/internal/generate/testdata.go
+++ b/internal/generate/testdata.go
@@ -2191,3 +2191,46 @@ format:
 
 print fmt: "0x%lx", REC->ret
 `
+
+// FormatGetsockname / FormatExitGetsockname mirror the real kernel tracepoint
+// format for getsockname(2):
+//
+//	int getsockname(int sockfd, struct sockaddr *addr, socklen_t *addrlen).
+//
+// getsockname returns the local address a socket is bound to. The leading "fd"
+// field (sockfd at args[0]) makes the enter a KindFd fd_event; both the addr
+// output pointer (usockaddr, args[1]) and the addrlen in/out pointer
+// (usockaddr_len, args[2]) are userspace pointers we do NOT capture — note that
+// unlike bind(2)'s by-value addrlen, getsockname's third arg is itself a
+// pointer. On exit getsockname returns 0/-1, which is UNCLASSIFIED (a plain
+// ret_event, no read/write/transfer byte count). Field names/offsets are copied
+// verbatim from /sys/kernel/tracing/events/syscalls/sys_enter_getsockname.
+const FormatGetsockname = `name: sys_enter_getsockname
+ID: 1833
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:int fd;	offset:16;	size:8;	signed:0;
+	field:struct sockaddr * usockaddr;	offset:24;	size:8;	signed:0;
+	field:int * usockaddr_len;	offset:32;	size:8;	signed:0;
+
+print fmt: "fd: 0x%08lx, usockaddr: 0x%08lx, usockaddr_len: 0x%08lx", ((unsigned long)(REC->fd)), ((unsigned long)(REC->usockaddr)), ((unsigned long)(REC->usockaddr_len))
+`
+
+const FormatExitGetsockname = `name: sys_exit_getsockname
+ID: 1832
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:long ret;	offset:16;	size:8;	signed:1;
+
+print fmt: "0x%lx", REC->ret
+`