From 6f0280a5ff32dce9d32758bfda52e0be7eb17b34 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Fri, 29 May 2026 17:36:18 +0300 Subject: test(generate): lock in init_module vs finit_module classification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Audit of init_module (man 2 init_module) confirmed the implementation is correct: init_module(void *module_image, unsigned long len, const char *param_values) is classified KindModule (null_event), capturing neither an fd nor a path — param_values is a module-parameter string, not a filesystem path. finit_module(int fd, ...) is classified KindFd via field-based matching and captures fd = args[0]. Both syscalls live in the Security family and match docs/syscall-tracing-plan.md. No explicit finit_module test or init_module-vs-finit_module distinction test existed, so add lock-in coverage: - testdata.go: real-layout Format constants for (f)init_module enter/exit. - classify_test.go: assert init_module=KindModule with no PathnameField and finit_module=KindFd. - codegen_test.go: assert generated BPF C for init_module captures no fd and no filename/path, while finit_module captures fd = args[0]. Co-Authored-By: Claude Opus 4.8
---
 internal/generate/testdata.go | 69 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) (limited to 'internal/generate/testdata.go')
diff --git a/internal/generate/testdata.go b/internal/generate/testdata.go
index 50efc00..8c2b1ee 100644
--- a/internal/generate/testdata.go
+++ b/internal/generate/testdata.go
@@ -1208,6 +1208,75 @@ format:
 print fmt: "0x%lx", REC->ret
 `
 
+// FormatInitModule mirrors the real sys_enter_init_module tracepoint layout.
+// Its arguments are a userspace ELF image pointer (umod), the image length
+// (len), and a module-parameter string (uargs). uargs is a parameter string of
+// the form "name=value ..." — NOT a filesystem path — so init_module must
+// classify as KindModule (null_event) and capture neither an fd nor a path.
+const FormatInitModule = `name: sys_enter_init_module
+ID: 9370
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:void * umod; offset:16; size:8; signed:0;
+ field:unsigned long len; offset:24; size:8; signed:0;
+ field:const char * uargs; offset:32; size:8; signed:0;
+
+print fmt: "umod: 0x%08lx, len: 0x%08lx, uargs: 0x%08lx", ((unsigned long)(REC->umod)), ((unsigned long)(REC->len)), ((unsigned long)(REC->uargs))
+`
+
+const FormatExitInitModule = `name: sys_exit_init_module
+ID: 9369
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:long ret; offset:16; size:8; signed:1;
+
+print fmt: "0x%lx", REC->ret
+`
+
+// FormatFinitModule mirrors the real sys_enter_finit_module tracepoint layout.
+// Unlike init_module, finit_module reads the module from a file descriptor
+// (fd at args[0]), so field-based classification must yield KindFd and capture
+// fd = args[0]. This is the load-bearing distinction from init_module.
+const FormatFinitModule = `name: sys_enter_finit_module
+ID: 9371
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:int fd; offset:16; size:8; signed:0;
+ field:const char * uargs; offset:24; size:8; signed:0;
+ field:int flags; offset:32; size:8; signed:0;
+
+print fmt: "fd: 0x%08lx, uargs: 0x%08lx, flags: 0x%08lx", ((unsigned long)(REC->fd)), ((unsigned long)(REC->uargs)), ((unsigned long)(REC->flags))
+`
+
+const FormatExitFinitModule = `name: sys_exit_finit_module
+ID: 9372
+format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+
+ field:int __syscall_nr; offset:8; size:4; signed:1;
+ field:long ret; offset:16; size:8; signed:1;
+
+print fmt: "0x%lx", REC->ret
+`
+
 const FormatAccept = `name: sys_enter_accept
 ID: 1808
 format:
-- cgit v1.2.3
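Review bot: The FormatInitModule comment at the top of the hunk records that init_module captures neither an fd nor a path, but not why that matters to whoever consumes the event: init_module takes its image from process memory, so a load that never touches the filesystem yields a null_event with nothing to attribute beyond the calling process, and this fixture pins a known attribution gap rather than a complete capture. I would add one line after the existing comment: `// Note: this is a deliberate blind spot — an in-memory image leaves no fd/path to record, so only umod/len/uargs exist and the event is attributable only by its caller.` For FormatFinitModule, the layout carries `flags` (MODULE_INIT_IGNORE_MODVERSIONS / MODULE_INIT_IGNORE_VERMAGIC per man 2 finit_module), the field that distinguishes a normal load from one bypassing version checks; the commit description says only fd = args[0] is captured, so `// flags (MODULE_INIT_IGNORE_*) is in the layout but is not captured by KindFd.` would keep a reader from assuming it is recorded. The neighbouring declarations in testdata.go and the classifier itself are outside the hunk, so whether uargs or flags could be captured cannot be judged here.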