Diffstat (limited to 'internal')
| -rw-r--r-- | internal/generate/codegen_test.go | 37 | ||||
| -rw-r--r-- | internal/generate/testdata.go | 43 |
2 files changed, 80 insertions, 0 deletions
diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index da86b86..818a2d2 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -123,6 +123,43 @@ func TestGenerateGetsocknameHandler(t *testing.T) {
 requireNotContains(t, output, "ev->ret_type = TRANSFER_CLASSIFIED;")
 }
 
+// TestGenerateListenHandler locks in the generated BPF C for listen(2):
+//
+// int listen(int sockfd, int backlog)
+//
+// listen marks the socket referred to by sockfd as passive (it will accept
+// incoming connections via accept(2)) and returns 0 on success or -1 on error.
+// Its sockfd is at args[0], so the enter handler is a KindFd fd_event capturing
+// ev->fd = args[0] — matching its socket siblings bind/connect/accept/
+// getsockname/getpeername. The backlog argument (args[1]) is a plain int queue
+// length, NOT a second fd, so it must NOT be captured. The exit handler is a
+// plain ret_event marked UNCLASSIFIED (0/-1, no byte count), so it must not
+// carry a READ/WRITE/TRANSFER classification — guarding against any mistaken
+// recvfrom/sendto-style byte-transfer accounting.
+func TestGenerateListenHandler(t *testing.T) {
+ output := generateFromPair(t, FormatListen, FormatExitListen)
+
+ // Enter: KindFd fd_event capturing the sockfd from args[0].
+ requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_listen")`)
+ requireContains(t, output, "struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);")
+ requireContains(t, output, "ev->event_type = ENTER_FD_EVENT;")
+ requireContains(t, output, "ev->trace_id = SYS_ENTER_LISTEN;")
+ requireContains(t, output, "ev->fd = (__s32)ctx->args[0];")
+
+ // Negative guards: the backlog (args[1]) must not be captured as another fd,
+ // and listen reads no userspace path/buffer.
+ requireNotContains(t, output, "bpf_probe_read_user_str")
+ requireNotContains(t, output, "ev->fd = (__s32)ctx->args[1];")
+
+ // Exit: plain ret_event, UNCLASSIFIED (listen returns 0/-1, no byte count).
+ requireContains(t, output, `SEC("tracepoint/syscalls/sys_exit_listen")`)
+ requireContains(t, output, "struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);")
+ requireContains(t, output, "ev->ret_type = UNCLASSIFIED;")
+ requireNotContains(t, output, "ev->ret_type = READ_CLASSIFIED;")
+ requireNotContains(t, output, "ev->ret_type = WRITE_CLASSIFIED;")
+ requireNotContains(t, output, "ev->ret_type = TRANSFER_CLASSIFIED;")
+}
+
 func TestGeneratePidfdGetfdHandlerUsesPidfdArgument(t *testing.T) {
 output := generateFromPair(t, FormatPidfdGetfd, FormatExitPidfdGetfd)
 
diff --git a/internal/generate/testdata.go b/internal/generate/testdata.go
index d9fb2c0..0d57029 100644
--- a/internal/generate/testdata.go
+++ b/internal/generate/testdata.go
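Review bot: The negative guard `requireNotContains(t, output, "ev->fd = (__s32)ctx->args[1];")` in TestGenerateListenHandler (codegen_test.go) rejects only one exact spelling, so a generator regression that stores the backlog in a different field or with a different cast would still pass. The doc comment says args[1] must not be captured at all, so `requireNotContains(t, output, "ctx->args[1]")` would match that intent more closely. Similarly, `requireNotContains(t, output, "bpf_probe_read_user")` would cover both the `_str` helper and the plain user-memory read. Both broader checks assume `output` contains only the listen enter/exit handlers; generateFromPair is not visible in this hunk, so that should be confirmed.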
@@ -2297,6 +2297,49 @@ format:
 print fmt: "0x%lx", REC->ret
 `
 
+// FormatListen / FormatExitListen mirror the real kernel tracepoint format for
+// listen(2):
+//
+// int listen(int sockfd, int backlog).
+//
+// listen marks the socket referred to by sockfd as a passive socket that will
+// accept incoming connection requests via accept(2). The leading "fd" field
+// (sockfd at args[0]) makes the enter a KindFd fd_event capturing
+// ev->fd = args[0] — matching its socket siblings bind/connect/accept/
+// getsockname/getpeername. The backlog argument (args[1]) is a plain int queue
+// length, NOT a second fd, and must NOT be captured. On exit listen returns
+// 0/-1, which is UNCLASSIFIED (a plain ret_event, no read/write/transfer byte
+// count). Field names/offsets are copied verbatim from
+// /sys/kernel/tracing/events/syscalls/sys_enter_listen.
+const FormatListen = `name: sys_enter_listen
+ID: 1841
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:int fd; offset:16; size:8; signed:0;
+ field:int backlog; offset:24; size:8; signed:0;
+
+print fmt: "fd: 0x%08lx, backlog: 0x%08lx", ((unsigned long)(REC->fd)), ((unsigned long)(REC->backlog))
+`
+
+const FormatExitListen = `name: sys_exit_listen
+ID: 1840
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:long ret; offset:16; size:8; signed:1;
+
+print fmt: "0x%lx", REC->ret
+`
+
 // FormatKexecFileLoad / FormatExitKexecFileLoad mirror the real kernel
 // tracepoint format for kexec_file_load(2):
 //
|
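Review bot: FormatExitListen in testdata.go has no doc comment of its own; the block comment sits directly above FormatListen and attaches only to that constant, so the exported exit fixture is undocumented. A one-line comment such as `// FormatExitListen is the sys_exit_listen tracepoint format; ret is the signed 8-byte syscall return value.` would cover it. The "copied verbatim" sentence names the event directory rather than its `format` file (`/sys/kernel/tracing/events/syscalls/sys_enter_listen/format`). The `ID:` values 1841/1840 are presumably specific to the kernel build the fixture was captured on, which is worth stating so they are not read as stable identifiers.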
