tests: add some tests for the dedicated dropping logic

Signed-off-by: Andrea Terzolo <[email protected]>
falcosecurity · Mar 28, 2023 · 9096f42 · 9096f42
1 parent 5fd46f0
commit 9096f42
Show file tree

Hide file tree

Showing 2 changed files with 203 additions and 8 deletions.
diff --git a/test/drivers/test_suites/actions_suite/sampling_ratio.cpp b/test/drivers/test_suites/actions_suite/sampling_ratio.cpp
@@ -36,7 +36,7 @@ TEST(Actions, sampling_ratio_UF_NEVER_DROP)
 {
 	/* Here we set just one `UF_NEVER_DROP` syscall as interesting... this process will send
 	 * only this specific syscall and we have to check that the corresponding event is
-     * not dropped when the sampling logic is enabled.
+	 * not dropped when the sampling logic is enabled.
 	 */
 	auto evt_test = get_syscall_event_test(__NR_eventfd, ENTER_EVENT);
 
@@ -49,7 +49,7 @@ TEST(Actions, sampling_ratio_UF_NEVER_DROP)
 	int32_t fd = syscall(__NR_eventfd, 3);
 	syscall(__NR_close, fd);
 
-    /* We should find the event */
+	/* We should find the event */
 	evt_test->assert_event_presence();
 
 	evt_test->disable_sampling_logic();
@@ -62,9 +62,9 @@ TEST(Actions, sampling_ratio_UF_NEVER_DROP)
 TEST(Actions, sampling_ratio_NO_FLAGS)
 {
 	/* Here we set just one syscall with no flags (UF_ALWAYS_DROP/UF_NEVER_DROP)
-     * as interesting... this process will send only this specific syscall and 
-     * we have to check that the corresponding event is not dropped when the
-     * sampling logic is enabled with ratio==1.
+	 * as interesting... this process will send only this specific syscall and
+	 * we have to check that the corresponding event is not dropped when the
+	 * sampling logic is enabled with ratio==1.
 	 */
 	auto evt_test = get_syscall_event_test(__NR_capset, ENTER_EVENT);
 
@@ -76,11 +76,205 @@ TEST(Actions, sampling_ratio_NO_FLAGS)
 	/* Call the syscall */
 	syscall(__NR_capset, NULL, NULL);
 
-    /* We should find the event */
+	/* We should find the event */
 	evt_test->assert_event_presence();
 
 	evt_test->disable_sampling_logic();
 
 	evt_test->disable_capture();
 }
 #endif
+
+#ifdef __NR_fcntl
+#include <fcntl.h>
+TEST(Actions, sampling_ratio_dropping_FCNTL_E)
+{
+	auto evt_test = get_syscall_event_test(__NR_fcntl, ENTER_EVENT);
+
+	evt_test->enable_sampling_logic(1);
+
+	evt_test->enable_capture();
+
+	/* If called with `F_DUPFD_CLOEXEC` flag the fcntl event shouldn't be dropped by the dropping logic */
+	int32_t invalid_fd = -1;
+	int cmd = F_DUPFD_CLOEXEC;
+	assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd));
+
+	evt_test->assert_event_presence();
+
+	/* This fcntl event should be dropped now since the flag is `F_NOTIFY` */
+	cmd = F_NOTIFY;
+	assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd));
+
+	evt_test->assert_event_absence();
+
+	evt_test->disable_sampling_logic();
+
+	/* Now that the sampling logic is disabled we should catch the event */
+	assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd));
+
+	evt_test->assert_event_presence();
+
+	evt_test->disable_capture();
+}
+
+TEST(Actions, sampling_ratio_dropping_FCNTL_X)
+{
+	auto evt_test = get_syscall_event_test(__NR_fcntl, EXIT_EVENT);
+
+	evt_test->enable_sampling_logic(1);
+
+	evt_test->enable_capture();
+
+	/* If called with `F_DUPFD_CLOEXEC` flag the fcntl event shouldn't be dropped by the dropping logic */
+	int32_t invalid_fd = -1;
+	int cmd = F_DUPFD_CLOEXEC;
+	assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd));
+
+	evt_test->assert_event_presence();
+
+	/* This fcntl event should be dropped now since the flag is `F_NOTIFY` */
+	cmd = F_NOTIFY;
+	assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd));
+
+	evt_test->assert_event_absence();
+
+	evt_test->disable_sampling_logic();
+
+	/* Now that the sampling logic is disabled we should catch the event */
+	assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd));
+
+	evt_test->assert_event_presence();
+
+	evt_test->disable_capture();
+}
+#endif
+
+#if defined(__NR_close) && defined(__NR_socket)
+TEST(Actions, sampling_ratio_dropping_CLOSE_E_invalid_fd)
+{
+	auto evt_test = get_syscall_event_test(__NR_close, ENTER_EVENT);
+
+	evt_test->enable_sampling_logic(1);
+
+	evt_test->enable_capture();
+
+	/* If called an invalid `fd` the close enter event should be dropped */
+	int32_t invalid_fd = -1;
+	assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, invalid_fd));
+
+	evt_test->disable_sampling_logic();
+
+	evt_test->assert_event_absence();
+
+	/* Now that the sampling logic is disabled we should catch the event */
+	assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, invalid_fd));
+
+	evt_test->assert_event_presence();
+
+	evt_test->disable_capture();
+}
+
+TEST(Actions, sampling_ratio_dropping_CLOSE_E_max_fds)
+{
+	auto evt_test = get_syscall_event_test(__NR_close, ENTER_EVENT);
+
+	evt_test->enable_sampling_logic(1);
+
+	evt_test->enable_capture();
+
+	assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, 8192));
+
+	evt_test->disable_sampling_logic();
+
+	evt_test->assert_event_absence();
+
+	// /* Now that the sampling logic is disabled we should be able to collect this event */
+	assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, 8192));
+
+	evt_test->assert_event_presence();
+
+	evt_test->disable_capture();
+}
+
+TEST(Actions, sampling_ratio_dropping_CLOSE_E_already_closed_fd)
+{
+	auto evt_test = get_syscall_event_test(__NR_close, ENTER_EVENT);
+
+	evt_test->enable_sampling_logic(1);
+
+	evt_test->enable_capture();
+
+	int socket_fd = syscall(__NR_socket, AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
+	assert_syscall_state(SYSCALL_SUCCESS, "socket", socket_fd, NOT_EQUAL, -1);
+
+	/* This close event should be catched since it is called on an existing socket */
+	assert_syscall_state(SYSCALL_SUCCESS, "close", syscall(__NR_close, socket_fd), NOT_EQUAL, -1);
+
+	evt_test->assert_event_presence();
+
+	/* Now we call again the close on the already close fd and we shouldn't be able to catch the close enter event */
+	assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, socket_fd));
+
+	evt_test->disable_sampling_logic();
+
+	evt_test->assert_event_absence();
+
+	/* Now that the sampling logic is disabled we should be able to collect this event */
+	assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, socket_fd));
+
+	evt_test->assert_event_presence();
+
+	evt_test->disable_capture();
+}
+
+TEST(Actions, sampling_ratio_dropping_CLOSE_X)
+{
+	auto evt_test = get_syscall_event_test(__NR_close, EXIT_EVENT);
+
+	evt_test->enable_sampling_logic(1);
+
+	evt_test->enable_capture();
+
+	/* If the syscall fails the close exit event should be dropped */
+	int32_t invalid_fd = -1;
+	assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, invalid_fd));
+
+	evt_test->disable_sampling_logic();
+
+	evt_test->assert_event_absence();
+
+	/* Now that the sampling logic is disabled we should catch the event */
+	assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, invalid_fd));
+
+	evt_test->assert_event_presence();
+
+	evt_test->disable_capture();
+}
+#endif
+
+#ifdef __NR_bind
+TEST(Actions, sampling_ratio_dropping_BIND_X)
+{
+	auto evt_test = get_syscall_event_test(__NR_bind, EXIT_EVENT);
+
+	evt_test->enable_sampling_logic(1);
+
+	evt_test->enable_capture();
+
+	/* If the syscall fails the bind exit event should be dropped */
+	int32_t invalid_fd = -1;
+	assert_syscall_state(SYSCALL_FAILURE, "bind", syscall(__NR_bind, invalid_fd, NULL, 0));
+
+	evt_test->disable_sampling_logic();
+
+	evt_test->assert_event_absence();
+
+	/* Now that the sampling logic is disabled we should catch the event */
+	assert_syscall_state(SYSCALL_FAILURE, "bind", syscall(__NR_bind, invalid_fd, NULL, 0));
+
+	evt_test->assert_event_presence();
+
+	evt_test->disable_capture();
+}
+#endif
diff --git a/test/drivers/test_suites/syscall_enter_suite/fcntl_e.cpp b/test/drivers/test_suites/syscall_enter_suite/fcntl_e.cpp
@@ -12,8 +12,9 @@ TEST(SyscallEnter, fcntlE)
 
 	/*=============================== TRIGGER SYSCALL  ===========================*/
 
+	/* If the dropping logic is not enabled we should be always able to collect this event */
 	int32_t invalid_fd = -1;
-	int cmd = F_DUPFD_CLOEXEC;
+	int cmd = F_NOTIFY;
 	assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd));
 
 	/*=============================== TRIGGER SYSCALL  ===========================*/
@@ -37,7 +38,7 @@ TEST(SyscallEnter, fcntlE)
 	evt_test->assert_numeric_param(1, (int64_t)invalid_fd);
 
 	/* Parameter 2: cmd (type: PT_ENUMFLAGS8) */
-	evt_test->assert_numeric_param(2, (uint8_t)PPM_FCNTL_F_DUPFD_CLOEXEC);
+	evt_test->assert_numeric_param(2, (uint8_t)PPM_FCNTL_F_NOTIFY);
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/