Diffstat (limited to 'internal')
| -rw-r--r-- | internal/generate/classify_test.go | 47 | ||||
| -rw-r--r-- | internal/generate/family_test.go | 29 |
2 files changed, 76 insertions, 0 deletions
diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index 5b233c2..77e19d1 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -454,6 +454,53 @@ func TestClassifyExitFallocateUnclassifiedRet(t *testing.T) {
 }
 }
 
+// TestClassifySetuidNullEnter locks in that the setuid enter tracepoint is
+// classified as KindNull. setuid(2) is "int setuid(uid_t uid)" — its single
+// argument is a numeric user ID, NOT a file descriptor or a path. It must
+// therefore map to a null_event (no argument capture); misclassifying it as an
+// fd-bearing kind would be a real bug, since the uid is not an fd and capturing
+// it as one would attribute the credential change to a bogus file. The whole
+// credential-setting cluster (setuid/seteuid/setresuid/setreuid/setfsuid and
+// the gid analogues) shares this KindNull treatment with the getuid readers.
+func TestClassifySetuidNullEnter(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: "sys_enter_setuid",
+ ExternalFields: []Field{
+ {Type: "long", Name: "__syscall_nr"},
+ {Type: "long", Name: "uid"},
+ },
+ })
+ if r.Kind != KindNull {
+ t.Fatalf("enter_setuid: got kind %d, want KindNull", r.Kind)
+ }
+ // The uid argument must never be captured as a file descriptor or path.
+ if r.PathnameField != "" {
+ t.Errorf("enter_setuid: unexpected PathnameField %q, want empty", r.PathnameField)
+ }
+}
+
+// TestClassifyExitSetuidUnclassifiedRet locks in that the setuid exit
+// tracepoint is classified as KindRet and Unclassified. setuid(2) returns int
+// (0 on success, -1 on error) — that return is a status code, NOT a
+// transferred byte count, so its exit format carries a single "ret" field and
+// must map to a plain ret_event (KindRet) whose ret_type stays UNCLASSIFIED.
+// Misclassifying it as a READ/WRITE/TRANSFER byte count would be a real bug.
+func TestClassifyExitSetuidUnclassifiedRet(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: "sys_exit_setuid",
+ ExternalFields: []Field{
+ {Type: "long", Name: "__syscall_nr"},
+ {Type: "long", Name: "ret"},
+ },
+ })
+ if r.Kind != KindRet {
+ t.Fatalf("exit_setuid: got kind %d, want KindRet", r.Kind)
+ }
+ if got := ClassifyRet("sys_exit_setuid"); got != Unclassified {
+ t.Errorf("ClassifyRet(sys_exit_setuid) = %q, want UNCLASSIFIED", got)
+ }
+}
+
 // TestClassifyExitGetpeername locks in that the getpeername exit tracepoint is
 // classified as KindRet. getpeername(2) returns int (0 on success, -1 on
 // error), so its exit format carries a single "ret" field and must map to a
diff --git a/internal/generate/family_test.go b/internal/generate/family_test.go
index cba4f8e..944eed9 100644
--- a/internal/generate/family_test.go
+++ b/internal/generate/family_test.go
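Review bot: In classify_test.go, the doc comment on TestClassifySetuidNullEnter lists seteuid in the credential-setting cluster, but the family_test.go comment in this same commit says seteuid/setegid have no dedicated tracepoints and never reach the classifier; drop seteuid from that list so the two comments agree. The inline comment `// The uid argument must never be captured as a file descriptor or path.` is backed only by the PathnameField check; if the ClassifyFormat result also carries an fd-field selector (not visible in this hunk), assert that it is empty too, or narrow the comment to the path. The same doc comment claims KindNull for the whole cluster while only sys_enter_setuid is exercised, so a table over the other setters would be needed to actually lock that in. Since null_event is described as "no argument capture", this test also pins the requested uid as unrecorded; it is worth confirming that is intended, because the target uid is the value a credential-change detection would normally key on.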
@@ -189,6 +189,35 @@ func TestClassifySyscallFamily(t *testing.T) {
 {"sys_exit_ioprio_set", FamilyProcess},
 {"sys_enter_getpriority", FamilyProcess},
 {"sys_enter_setpriority", FamilyProcess},
+ // setuid(2) sets the process credential (effective, and possibly real and
+ // saved, user ID); it is a process/credential-management syscall and shares
+ // FamilyProcess with its credential-setting cluster — the uid setters
+ // setresuid/setreuid/setfsuid, the gid analogues
+ // setgid/setresgid/setregid/setfsgid/setgroups, and the matching credential
+ // readers getuid/geteuid/getgid/getegid/getresuid/getresgid/getgroups.
+ // Assert the cluster (enter and exit for setuid) so a stray
+ // reclassification of any one credential syscall trips this test. Note:
+ // seteuid/setegid have no dedicated kernel tracepoints (they are libc
+ // wrappers over setreuid/setresuid), so they never reach this classifier
+ // and are intentionally not asserted here. Keep in sync with the Process
+ // list in docs/syscall-tracing-plan.md.
+ {"sys_enter_setuid", FamilyProcess},
+ {"sys_exit_setuid", FamilyProcess},
+ {"sys_enter_setresuid", FamilyProcess},
+ {"sys_enter_setreuid", FamilyProcess},
+ {"sys_enter_setfsuid", FamilyProcess},
+ {"sys_enter_setgid", FamilyProcess},
+ {"sys_enter_setresgid", FamilyProcess},
+ {"sys_enter_setregid", FamilyProcess},
+ {"sys_enter_setfsgid", FamilyProcess},
+ {"sys_enter_setgroups", FamilyProcess},
+ {"sys_enter_getuid", FamilyProcess},
+ {"sys_enter_geteuid", FamilyProcess},
+ {"sys_enter_getgid", FamilyProcess},
+ {"sys_enter_getegid", FamilyProcess},
+ {"sys_enter_getresuid", FamilyProcess},
+ {"sys_enter_getresgid", FamilyProcess},
+ {"sys_enter_getgroups", FamilyProcess},
 {"sys_enter_unlisted_future_syscall", FamilyMisc},
 }
 
|
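Review bot: In the TestClassifySyscallFamily table only setuid gets a sys_exit_* row; every other credential setter and reader added here is asserted on enter only, so a reclassification that affects just their exit tracepoint names would still pass. If the family classifier matches on the full tracepoint name rather than the stripped syscall name (not visible in this hunk), add the exit rows as well, for example `{"sys_exit_setresuid", FamilyProcess},` and `{"sys_exit_setgid", FamilyProcess},`. The "Keep in sync with the Process list in docs/syscall-tracing-plan.md" instruction is a manual step, so drift between the doc and this table will not fail the test. The table belongs to a function whose start and end lie outside the hunk.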
