| -rw-r--r-- | internal/generate/family.go | 8 | ||||
| -rw-r--r-- | internal/generate/family_test.go | 16 |
2 files changed, 19 insertions, 5 deletions
diff --git a/internal/generate/family.go b/internal/generate/family.go
index 71ce724..fd61961 100644
--- a/internal/generate/family.go
+++ b/internal/generate/family.go
@@ -88,6 +88,14 @@ var syscallFamilies = map[string]SyscallFamily{
 "setgroups": FamilyProcess, "setns": FamilyProcess, "setpgid": FamilyProcess, "setpriority": FamilyProcess, "setregid": FamilyProcess, "setresgid": FamilyProcess, "setresuid": FamilyProcess, "setreuid": FamilyProcess, "setrlimit": FamilyProcess,
+ // seteuid/setegid set the effective user/group ID (seteuid(2)) and belong
+ // with the rest of the credential-setting cluster (setuid/setgid/setresuid/
+ // setreuid/setfsuid) under Process. They are latent here: current kernels
+ // expose no dedicated seteuid/setegid tracepoints (glibc implements them as
+ // wrappers over setreuid/setresuid), so they never reach the generated
+ // tracepoint map or docs. Classified for consistency so that if such
+ // tracepoints ever appear they land in Process rather than falling to Misc.
+ "seteuid": FamilyProcess, "setegid": FamilyProcess,
 "setsid": FamilyProcess, "setuid": FamilyProcess, "umask": FamilyProcess, "unshare": FamilyProcess, "vfork": FamilyProcess, "vhangup": FamilyProcess, "wait4": FamilyProcess, "waitid": FamilyProcess,
diff --git a/internal/generate/family_test.go b/internal/generate/family_test.go
index 50c8120..71f0d0d 100644
--- a/internal/generate/family_test.go
+++ b/internal/generate/family_test.go
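Review bot: The added `"seteuid": FamilyProcess, "setegid": FamilyProcess,` line sits between `"setrlimit"` and `"setsid"`, which breaks the alphabetical order every surrounding entry keeps (setgroups … setrlimit, setsid … waitid); both new keys sort before `"setgroups"`, so the line belongs at the top of this run, as `"setegid": FamilyProcess, "seteuid": FamilyProcess,`. A seven-line rationale in the middle of a sorted lookup table also hurts scanning; one or two lines are enough, e.g. `// seteuid/setegid have no dedicated Linux tracepoint (glibc routes them through setreuid/setresuid), so these entries are latent; kept so they stay in the credential cluster if one ever appears.` The statement that unclassified names fall to Misc is not visible in this hunk and should only stay if the classifier's default really is Misc. The syscallFamilies map begins and ends outside the hunk.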
@@ -210,13 +210,19 @@ func TestClassifySyscallFamily(t *testing.T) {
 // setgid/setresgid/setregid/setfsgid/setgroups, and the matching credential
 // readers getuid/geteuid/getgid/getegid/getresuid/getresgid/getgroups.
 // Assert the cluster (enter and exit for setuid) so a stray
- // reclassification of any one credential syscall trips this test. Note:
- // seteuid/setegid have no dedicated kernel tracepoints (they are libc
- // wrappers over setreuid/setresuid), so they never reach this classifier
- // and are intentionally not asserted here. Keep in sync with the Process
- // list in docs/syscall-tracing-plan.md.
+ // reclassification of any one credential syscall trips this test.
+ // seteuid/setegid (set effective uid/gid) belong with the cluster too,
+ // but have no dedicated kernel tracepoints (they are libc wrappers over
+ // setreuid/setresuid), so they never reach the generated tracepoint map
+ // or docs/syscall-tracing-plan.md. They are still classified as Process
+ // in family.go for consistency, so assert them here by name directly
+ // (no tracepoint required) to lock in that latent classification.
 {"sys_enter_setuid", FamilyProcess},
 {"sys_exit_setuid", FamilyProcess},
+ {"sys_enter_seteuid", FamilyProcess},
+ {"sys_exit_seteuid", FamilyProcess},
+ {"sys_enter_setegid", FamilyProcess},
+ {"sys_exit_setegid", FamilyProcess},
 {"sys_enter_setresuid", FamilyProcess},
 {"sys_enter_setreuid", FamilyProcess},
 {"sys_enter_setfsuid", FamilyProcess}, |
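Review bot: The rewritten comment drops the old reminder `Keep in sync with the Process list in docs/syscall-tracing-plan.md` for the credential entries that really are generated into the docs (setuid/setresuid/setreuid/setfsuid and friends); only the seteuid/setegid exemption is mentioned now, so the maintenance instruction for the live entries is lost and should be restored as a closing sentence. The phrase `assert them here by name directly (no tracepoint required)` also sits oddly next to the entries themselves, which use the tracepoint-style names `sys_enter_seteuid` / `sys_exit_setegid`; better to say the test feeds the synthetic tracepoint names the classifier would see if such tracepoints existed. These four assertions exercise only the name-to-family lookup; going by the comment's own explanation, a seteuid() call would surface as a setreuid/setresuid event, so a detection rule keyed on `seteuid` would never fire, and the comment could say so explicitly. TestClassifySyscallFamily begins before and ends after this hunk.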
