From a74da2f75d8088793ee6f7e2cc46ba19803a350f Mon Sep 17 00:00:00 2001
From: Paul Buetow <paul@buetow.org>
Date: Sat, 30 May 2026 16:35:39 +0300
Subject: test(generate): lock in bind syscall classification

Audit of bind(2): int bind(int sockfd, const struct sockaddr *addr,
socklen_t addrlen). Verified the existing classification is correct and
consistent with its socket-setup siblings connect/listen/accept/
getsockname/getpeername:

- KindFd, capturing ev->fd = args[0] (the sockfd); the addr pointer and
  addrlen are not captured.
- FamilyNetwork.
- Exit is UNCLASSIFIED (returns 0/-1, no transferred byte count).

No implementation or doc changes were needed (docs/syscall-tracing-plan.md
already lists bind under Network and fd; drift test green). Added
regression coverage:

- FormatBind/FormatExitBind fixtures mirroring the real kernel tracepoint.
- TestGenerateBindHandler with negative guards (no probe_read on the
  sockaddr, no fd capture from args[1]/args[2], exit stays UNCLASSIFIED).
- bind + connect/listen/getsockname/getpeername added to the
  family (FamilyNetwork) and ret-classification (UNCLASSIFIED) lock-in
  lists.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 internal/generate/codegen_test.go     | 36 +++++++++++++++++++++++++++++++++++
 internal/generate/family_test.go      | 11 +++++++++++
 internal/generate/retclassify_test.go | 10 ++++++++++
 internal/generate/testdata.go         | 35 ++++++++++++++++++++++++++++++++++
 4 files changed, 92 insertions(+)

diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index 68a372e..be94724 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -48,6 +48,42 @@ func TestGenerateModuleHandlers(t *testing.T) {
 	requireContains(t, finitOut, "ev->fd = (__s32)ctx->args[0];")
 }
 
+// TestGenerateBindHandler locks in the generated BPF C for bind(2):
+//
+//	int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
+//
+// bind assigns an address to a socket and returns 0 on success or -1 on error.
+// Its sockfd is at args[0], so the enter handler is a KindFd fd_event capturing
+// ev->fd = args[0] — matching its socket siblings connect/listen/accept/
+// getsockname/getpeername. The addr pointer (args[1]) and addrlen (args[2]) must
+// NOT be captured: bind reads no path and copies no userspace buffer we track.
+// The exit handler is a plain ret_event marked UNCLASSIFIED (0/-1, no byte
+// count), so it must not carry a READ/WRITE/TRANSFER classification.
+func TestGenerateBindHandler(t *testing.T) {
+	output := generateFromPair(t, FormatBind, FormatExitBind)
+
+	// Enter: KindFd fd_event capturing the sockfd from args[0].
+	requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_bind")`)
+	requireContains(t, output, "struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);")
+	requireContains(t, output, "ev->event_type = ENTER_FD_EVENT;")
+	requireContains(t, output, "ev->trace_id = SYS_ENTER_BIND;")
+	requireContains(t, output, "ev->fd = (__s32)ctx->args[0];")
+
+	// Negative guards: the sockaddr pointer (args[1]) must never be read as a
+	// path/buffer, and addrlen (args[2]) must not be captured as another fd.
+	requireNotContains(t, output, "bpf_probe_read_user_str")
+	requireNotContains(t, output, "ev->fd = (__s32)ctx->args[1];")
+	requireNotContains(t, output, "ev->fd = (__s32)ctx->args[2];")
+
+	// Exit: plain ret_event, UNCLASSIFIED (bind returns 0/-1, no byte count).
+	requireContains(t, output, `SEC("tracepoint/syscalls/sys_exit_bind")`)
+	requireContains(t, output, "struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);")
+	requireContains(t, output, "ev->ret_type = UNCLASSIFIED;")
+	requireNotContains(t, output, "ev->ret_type = READ_CLASSIFIED;")
+	requireNotContains(t, output, "ev->ret_type = WRITE_CLASSIFIED;")
+	requireNotContains(t, output, "ev->ret_type = TRANSFER_CLASSIFIED;")
+}
+
 func TestGeneratePidfdGetfdHandlerUsesPidfdArgument(t *testing.T) {
 	output := generateFromPair(t, FormatPidfdGetfd, FormatExitPidfdGetfd)
 
diff --git a/internal/generate/family_test.go b/internal/generate/family_test.go
index ee92740..d86cc4a 100644
--- a/internal/generate/family_test.go
+++ b/internal/generate/family_test.go
@@ -9,6 +9,17 @@ func TestClassifySyscallFamily(t *testing.T) {
 	}{
 		{"sys_enter_accept", FamilyNetwork},
 		{"sys_exit_accept", FamilyNetwork},
+		// bind(2) assigns an address to a socket; it is a socket-setup syscall and
+		// shares FamilyNetwork with its connect/listen/accept/getsockname/
+		// getpeername siblings. Assert both enter and exit (and the closest
+		// siblings) so a stray reclassification of any one trips this test. Keep in
+		// sync with the Network list in docs/syscall-tracing-plan.md.
+		{"sys_enter_bind", FamilyNetwork},
+		{"sys_exit_bind", FamilyNetwork},
+		{"sys_enter_connect", FamilyNetwork},
+		{"sys_enter_listen", FamilyNetwork},
+		{"sys_enter_getsockname", FamilyNetwork},
+		{"sys_enter_getpeername", FamilyNetwork},
 		{"sys_enter_pipe2", FamilyIPC},
 		{"sys_enter_munmap", FamilyMemory},
 		// process_madvise(2) gives memory advice (MADV_COLD/PAGEOUT/...) about
diff --git a/internal/generate/retclassify_test.go b/internal/generate/retclassify_test.go
index 29e2b0f..f26d803 100644
--- a/internal/generate/retclassify_test.go
+++ b/internal/generate/retclassify_test.go
@@ -99,6 +99,16 @@ func TestClassifyRetUnclassified(t *testing.T) {
 		// exit must stay UNCLASSIFIED (plain ret_event), exactly like its
 		// pid/tid-returning Process siblings setsid/getsid/getpid/getppid above.
 		"set_tid_address",
+		// bind(2) assigns an address to a socket and returns int 0 on success or
+		// -1 on error — a status code, NOT a transferred byte count. Its exit must
+		// stay UNCLASSIFIED (plain ret_event), exactly like its socket-setup
+		// siblings connect/listen/getsockname/getpeername (asserted alongside it),
+		// so it is never mistaken for a recvfrom/sendto-style byte transfer.
+		"bind",
+		"connect",
+		"listen",
+		"getsockname",
+		"getpeername",
 	}
 	for _, name := range unclassified {
 		if got := ClassifyRet("sys_exit_" + name); got != Unclassified {
diff --git a/internal/generate/testdata.go b/internal/generate/testdata.go
index 6555fc7..f26234f 100644
--- a/internal/generate/testdata.go
+++ b/internal/generate/testdata.go
@@ -2156,3 +2156,38 @@ format:
 
 print fmt: "0x%lx", REC->ret
 `
+
+// FormatBind / FormatExitBind mirror the real kernel tracepoint format for
+// bind(2): int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen).
+// The leading "fd" field (sockfd at args[0]) makes it a KindFd fd_event; the
+// addr pointer and addrlen must NOT be captured. On exit bind returns 0/-1,
+// which is UNCLASSIFIED (a plain ret_event, no read/write/transfer byte count).
+const FormatBind = `name: sys_enter_bind
+ID: 1843
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:int fd;	offset:16;	size:8;	signed:0;
+	field:struct sockaddr * umyaddr;	offset:24;	size:8;	signed:0;
+	field:int addrlen;	offset:32;	size:8;	signed:0;
+
+print fmt: "fd: 0x%08lx, umyaddr: 0x%08lx, addrlen: 0x%08lx", ((unsigned long)(REC->fd)), ((unsigned long)(REC->umyaddr)), ((unsigned long)(REC->addrlen))
+`
+
+const FormatExitBind = `name: sys_exit_bind
+ID: 1842
+format:
+	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
+	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
+	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
+	field:int common_pid;	offset:4;	size:4;	signed:1;
+
+	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
+	field:long ret;	offset:16;	size:8;	signed:1;
+
+print fmt: "0x%lx", REC->ret
+`
-- 
cgit v1.2.3