From 6f0280a5ff32dce9d32758bfda52e0be7eb17b34 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Fri, 29 May 2026 17:36:18 +0300 Subject: test(generate): lock in init_module vs finit_module classification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Audit of init_module (man 2 init_module) confirmed the implementation is correct: init_module(void *module_image, unsigned long len, const char *param_values) is classified KindModule (null_event), capturing neither an fd nor a path — param_values is a module-parameter string, not a filesystem path. finit_module(int fd, ...) is classified KindFd via field-based matching and captures fd = args[0]. Both syscalls live in the Security family and match docs/syscall-tracing-plan.md. No explicit finit_module test or init_module-vs-finit_module distinction test existed, so add lock-in coverage: - testdata.go: real-layout Format constants for (f)init_module enter/exit. - classify_test.go: assert init_module=KindModule with no PathnameField and finit_module=KindFd. - codegen_test.go: assert generated BPF C for init_module captures no fd and no filename/path, while finit_module captures fd = args[0]. Co-Authored-By: Claude Opus 4.8 --- internal/generate/classify_test.go | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'internal/generate/classify_test.go') diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go index fecbb93..b03164b 100644 --- a/internal/generate/classify_test.go +++ b/internal/generate/classify_test.go @@ -1022,6 +1022,32 @@ func TestClassify67NameOnlyKinds(t *testing.T) { } } +// TestClassifyInitModuleVsFinitModule locks in the load-bearing distinction +// between the two module-loading syscalls (man 2 init_module). +// +// init_module(void *module_image, unsigned long len, const char *param_values) +// takes a userspace ELF image pointer and a module-PARAMETER string (not a +// filesystem path), so it must classify as KindModule (null_event) and capture +// neither an fd nor a path — param_values must NOT be mistaken for a path. +// +// finit_module(int fd, const char *param_values, int flags) reads the module +// from a file descriptor, so it must classify as KindFd via field-based +// matching on the leading "fd" field. +func TestClassifyInitModuleVsFinitModule(t *testing.T) { + if r := classifyFromData(t, FormatInitModule); r.Kind != KindModule { + t.Errorf("init_module: got kind %d, want KindModule", r.Kind) + } + if r := classifyFromData(t, FormatFinitModule); r.Kind != KindFd { + t.Errorf("finit_module: got kind %d, want KindFd", r.Kind) + } + + // param_values (uargs) is a parameter string, never a captured path: the + // init_module classification must not select KindPathname/KindName/KindOpen. + if r := classifyFromData(t, FormatInitModule); r.PathnameField != "" { + t.Errorf("init_module: unexpected PathnameField %q, want empty", r.PathnameField) + } +} + func TestClassify87NameOnlyKinds(t *testing.T) { tests := []string{ "sys_enter_rt_sigaction", -- cgit v1.2.3