From 6f0280a5ff32dce9d32758bfda52e0be7eb17b34 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Fri, 29 May 2026 17:36:18 +0300 Subject: test(generate): lock in init_module vs finit_module classification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Audit of init_module (man 2 init_module) confirmed the implementation is correct: init_module(void *module_image, unsigned long len, const char *param_values) is classified KindModule (null_event), capturing neither an fd nor a path — param_values is a module-parameter string, not a filesystem path. finit_module(int fd, ...) is classified KindFd via field-based matching and captures fd = args[0]. Both syscalls live in the Security family and match docs/syscall-tracing-plan.md. No explicit finit_module test or init_module-vs-finit_module distinction test existed, so add lock-in coverage: - testdata.go: real-layout Format constants for (f)init_module enter/exit. - classify_test.go: assert init_module=KindModule with no PathnameField and finit_module=KindFd. - codegen_test.go: assert generated BPF C for init_module captures no fd and no filename/path, while finit_module captures fd = args[0]. Co-Authored-By: Claude Opus 4.8 --- internal/generate/codegen_test.go | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'internal/generate/codegen_test.go') diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go index 746aa07..6b19129 100644 --- a/internal/generate/codegen_test.go +++ b/internal/generate/codegen_test.go @@ -24,6 +24,30 @@ func TestGenerateFdHandler(t *testing.T) { requireContains(t, output, "#define SYS_ENTER_READ 844") } +// TestGenerateModuleHandlers locks in the generated BPF C for the module-load +// syscalls (man 2 init_module). init_module is a null_event: it must capture no +// fd and no path/filename (its param_values arg is a parameter string, not a +// path). finit_module is an fd_event capturing fd = args[0]. +func TestGenerateModuleHandlers(t *testing.T) { + initOut := generateFromPair(t, FormatInitModule, FormatExitInitModule) + requireContains(t, initOut, `SEC("tracepoint/syscalls/sys_enter_init_module")`) + requireContains(t, initOut, "struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);") + requireContains(t, initOut, "ev->event_type = ENTER_NULL_EVENT;") + // init_module must not capture an fd or any filename/path. + if strings.Contains(initOut, "ev->fd =") { + t.Error("init_module handler must not capture an fd") + } + if strings.Contains(initOut, "ev->filename") || strings.Contains(initOut, "bpf_probe_read_user_str") { + t.Error("init_module handler must not capture param_values as a path/filename") + } + + finitOut := generateFromPair(t, FormatFinitModule, FormatExitFinitModule) + requireContains(t, finitOut, `SEC("tracepoint/syscalls/sys_enter_finit_module")`) + requireContains(t, finitOut, "struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);") + requireContains(t, finitOut, "ev->event_type = ENTER_FD_EVENT;") + requireContains(t, finitOut, "ev->fd = (__s32)ctx->args[0];") +} + func TestGeneratePidfdGetfdHandlerUsesPidfdArgument(t *testing.T) { output := generateFromPair(t, FormatPidfdGetfd, FormatExitPidfdGetfd) -- cgit v1.2.3