Diffstat (limited to 'internal/generate')
-rw-r--r--internal/generate/family.go7
-rw-r--r--internal/generate/family_test.go7
-rw-r--r--internal/generate/retclassify_test.go8
3 files changed, 21 insertions, 1 deletions
diff --git a/internal/generate/family.go b/internal/generate/family.go
index daa7ab8..301c638 100644
--- a/internal/generate/family.go
+++ b/internal/generate/family.go
@@ -184,7 +184,12 @@ var syscallFamilies = map[string]SyscallFamily{
"add_key": FamilySecurity, "bpf": FamilySecurity, "capget": FamilySecurity,
"capset": FamilySecurity, "delete_module": FamilySecurity, "finit_module": FamilySecurity,
"getrandom": FamilySecurity, "init_module": FamilySecurity,
- "kexec_file_load": FamilySecurity, "keyctl": FamilySecurity,
+ // kexec_load and kexec_file_load are documented together on the same man
+ // page (kexec_load(2)): both load a new kernel for later execution by
+ // reboot(2). They belong in the same family even though kexec_load takes
+ // raw user pointers (KindNull) while kexec_file_load takes fds (KindFd).
+ "kexec_file_load": FamilySecurity, "kexec_load": FamilySecurity,
+ "keyctl": FamilySecurity,
"landlock_add_rule": FamilySecurity, "landlock_create_ruleset": FamilySecurity,
"landlock_restrict_self": FamilySecurity, "lookup_dcookie": FamilySecurity,
// lsm_* are the Linux Security Module (LSM) introspection syscalls
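Review bot: The new comment above `"kexec_load": FamilySecurity` justifies the grouping only by man-page co-location and the KindNull/KindFd difference, and leaves out the distinction that matters to anyone using this family for monitoring. Per the same kexec_load(2) page, kexec_file_load was added so that loading can be restricted to signed kernels, while kexec_load takes caller-built segments that the kernel cannot signature-check. I would add one line such as `// Only kexec_file_load supports kernel image signature verification; kexec_load loads caller-supplied segments unverified.` so the shared family is not read as equal risk. The `syscallFamilies` literal starts and ends outside this hunk, so I cannot tell whether a finer-grained tag already exists.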
diff --git a/internal/generate/family_test.go b/internal/generate/family_test.go
index 475a75f..9dd9a8b 100644
--- a/internal/generate/family_test.go
+++ b/internal/generate/family_test.go
@@ -147,6 +147,13 @@ func TestClassifySyscallFamily(t *testing.T) {
{"sys_enter_epoll_wait", FamilyPolling},
{"sys_enter_io_uring_enter", FamilyAIO},
{"sys_enter_bpf", FamilySecurity},
+ // kexec_load and kexec_file_load are siblings on the kexec_load(2) man
+ // page (both load a new kernel for later execution by reboot(2)) and
+ // must share the Security family even though kexec_load takes raw user
+ // pointers (KindNull) and kexec_file_load takes fds (KindFd).
+ {"sys_enter_kexec_load", FamilySecurity},
+ {"sys_enter_kexec_file_load", FamilySecurity},
+ {"sys_exit_kexec_load", FamilySecurity},
// Futexes are shared-memory synchronization/IPC primitives ("fast
// user-space locking", futex(2)); the classic futex() and the Linux
// 6.7+ split syscalls all classify as IPC alongside the System V
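Review bot: The added cases pin the `sys_exit_` form only for kexec_load; kexec_file_load is checked on the enter side alone, so its exit tracepoint name is not covered by this table. Adding `{"sys_exit_kexec_file_load", FamilySecurity},` would keep the pair symmetric. The four-line comment also repeats the one added in family.go almost word for word, and a one-line pointer to that map entry would be easier to keep in sync. The table and the rest of TestClassifySyscallFamily lie outside the hunk.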
diff --git a/internal/generate/retclassify_test.go b/internal/generate/retclassify_test.go
index f26d803..ad548b2 100644
--- a/internal/generate/retclassify_test.go
+++ b/internal/generate/retclassify_test.go
@@ -109,6 +109,14 @@ func TestClassifyRetUnclassified(t *testing.T) {
"listen",
"getsockname",
"getpeername",
+ // kexec_load(2) loads a new kernel for later execution by reboot(2) and
+ // returns long 0 on success or -1 on error — a status code, NOT a
+ // transferred byte count. Its exit must stay UNCLASSIFIED (plain
+ // ret_event), exactly like its sibling kexec_file_load and the
+ // system/admin syscall reboot below.
+ "kexec_load",
+ "kexec_file_load",
+ "reboot",
}
for _, name := range unclassified {
if got := ClassifyRet("sys_exit_" + name); got != Unclassified {
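Review bot: The comment's "-1 on error" is the libc wrapper convention from the man page, but the names checked here are built as `"sys_exit_" + name`, which look like tracepoint names, and at that level a failed call presumably reports a negative errno rather than -1. I would reword it to `// returns 0 on success or a negative errno at the syscall boundary — a status code, NOT a transferred byte count.` so nobody later treats -1 as the only failure value. The conclusion that the exit stays Unclassified is unaffected. TestClassifyRetUnclassified starts before the hunk and its loop body continues past it.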