From 9096f420ca325e04b464d66b3bfb324c3ef60e6f Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Mon, 27 Mar 2023 18:12:54 +0200 Subject: [PATCH] tests: add some tests for the dedicated dropping logic Signed-off-by: Andrea Terzolo --- .../actions_suite/sampling_ratio.cpp | 206 +++++++++++++++++- .../syscall_enter_suite/fcntl_e.cpp | 5 +- 2 files changed, 203 insertions(+), 8 deletions(-) diff --git a/test/drivers/test_suites/actions_suite/sampling_ratio.cpp b/test/drivers/test_suites/actions_suite/sampling_ratio.cpp index 116c200e55..68a7a2c361 100644 --- a/test/drivers/test_suites/actions_suite/sampling_ratio.cpp +++ b/test/drivers/test_suites/actions_suite/sampling_ratio.cpp @@ -36,7 +36,7 @@ TEST(Actions, sampling_ratio_UF_NEVER_DROP) { /* Here we set just one `UF_NEVER_DROP` syscall as interesting... this process will send * only this specific syscall and we have to check that the corresponding event is - * not dropped when the sampling logic is enabled. + * not dropped when the sampling logic is enabled. */ auto evt_test = get_syscall_event_test(__NR_eventfd, ENTER_EVENT); @@ -49,7 +49,7 @@ TEST(Actions, sampling_ratio_UF_NEVER_DROP) int32_t fd = syscall(__NR_eventfd, 3); syscall(__NR_close, fd); - /* We should find the event */ + /* We should find the event */ evt_test->assert_event_presence(); evt_test->disable_sampling_logic(); @@ -62,9 +62,9 @@ TEST(Actions, sampling_ratio_UF_NEVER_DROP) TEST(Actions, sampling_ratio_NO_FLAGS) { /* Here we set just one syscall with no flags (UF_ALWAYS_DROP/UF_NEVER_DROP) - * as interesting... this process will send only this specific syscall and - * we have to check that the corresponding event is not dropped when the - * sampling logic is enabled with ratio==1. + * as interesting... this process will send only this specific syscall and + * we have to check that the corresponding event is not dropped when the + * sampling logic is enabled with ratio==1. */ auto evt_test = get_syscall_event_test(__NR_capset, ENTER_EVENT); 
@@ -76,7 +76,7 @@ TEST(Actions, sampling_ratio_NO_FLAGS) /* Call the syscall */ syscall(__NR_capset, NULL, NULL); - /* We should find the event */ + /* We should find the event */ evt_test->assert_event_presence(); evt_test->disable_sampling_logic(); 
@@ -84,3 +84,197 @@ TEST(Actions, sampling_ratio_NO_FLAGS) evt_test->disable_capture(); } #endif + +#ifdef __NR_fcntl +#include +TEST(Actions, sampling_ratio_dropping_FCNTL_E) +{ + auto evt_test = get_syscall_event_test(__NR_fcntl, ENTER_EVENT); + + evt_test->enable_sampling_logic(1); + + evt_test->enable_capture(); + + /* If called with `F_DUPFD_CLOEXEC` flag the fcntl event shouldn't be dropped by the dropping logic */ + int32_t invalid_fd = -1; + int cmd = F_DUPFD_CLOEXEC; + assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd)); + + evt_test->assert_event_presence(); + + /* This fcntl event should be dropped now since the flag is `F_NOTIFY` */ + cmd = F_NOTIFY; + assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd)); + + evt_test->assert_event_absence(); + + evt_test->disable_sampling_logic(); + + /* Now that the sampling logic is disabled we should catch the event */ + assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd)); + + evt_test->assert_event_presence(); + + evt_test->disable_capture(); +} + +TEST(Actions, sampling_ratio_dropping_FCNTL_X) +{ + auto evt_test = get_syscall_event_test(__NR_fcntl, EXIT_EVENT); + + evt_test->enable_sampling_logic(1); + + evt_test->enable_capture(); + + /* If called with `F_DUPFD_CLOEXEC` flag the fcntl event shouldn't be dropped by the dropping logic */ + int32_t invalid_fd = -1; + int cmd = F_DUPFD_CLOEXEC; + assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd)); + + evt_test->assert_event_presence(); + + /* This fcntl event should be dropped now since the flag is `F_NOTIFY` */ + cmd = F_NOTIFY; + assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd)); + + evt_test->assert_event_absence(); + + evt_test->disable_sampling_logic(); + + /* Now that the sampling logic is disabled we should catch the event */ + assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, 
invalid_fd, cmd)); + + evt_test->assert_event_presence(); + + evt_test->disable_capture(); +} +#endif + +#if defined(__NR_close) && defined(__NR_socket) +TEST(Actions, sampling_ratio_dropping_CLOSE_E_invalid_fd) +{ + auto evt_test = get_syscall_event_test(__NR_close, ENTER_EVENT); + + evt_test->enable_sampling_logic(1); + + evt_test->enable_capture(); + + /* If called an invalid `fd` the close enter event should be dropped */ + int32_t invalid_fd = -1; + assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, invalid_fd)); + + evt_test->disable_sampling_logic(); + + evt_test->assert_event_absence(); + + /* Now that the sampling logic is disabled we should catch the event */ + assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, invalid_fd)); + + evt_test->assert_event_presence(); + + evt_test->disable_capture(); +} + +TEST(Actions, sampling_ratio_dropping_CLOSE_E_max_fds) +{ + auto evt_test = get_syscall_event_test(__NR_close, ENTER_EVENT); + + evt_test->enable_sampling_logic(1); + + evt_test->enable_capture(); + + assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, 8192)); + + evt_test->disable_sampling_logic(); + + evt_test->assert_event_absence(); + + // /* Now that the sampling logic is disabled we should be able to collect this event */ + assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, 8192)); + + evt_test->assert_event_presence(); + + evt_test->disable_capture(); +} + +TEST(Actions, sampling_ratio_dropping_CLOSE_E_already_closed_fd) +{ + auto evt_test = get_syscall_event_test(__NR_close, ENTER_EVENT); + + evt_test->enable_sampling_logic(1); + + evt_test->enable_capture(); + + int socket_fd = syscall(__NR_socket, AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); + assert_syscall_state(SYSCALL_SUCCESS, "socket", socket_fd, NOT_EQUAL, -1); + + /* This close event should be catched since it is called on an existing socket */ + assert_syscall_state(SYSCALL_SUCCESS, "close", syscall(__NR_close, socket_fd), 
NOT_EQUAL, -1); + + evt_test->assert_event_presence(); + + /* Now we call again the close on the already close fd and we shouldn't be able to catch the close enter event */ + assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, socket_fd)); + + evt_test->disable_sampling_logic(); + + evt_test->assert_event_absence(); + + /* Now that the sampling logic is disabled we should be able to collect this event */ + assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, socket_fd)); + + evt_test->assert_event_presence(); + + evt_test->disable_capture(); +} + +TEST(Actions, sampling_ratio_dropping_CLOSE_X) +{ + auto evt_test = get_syscall_event_test(__NR_close, EXIT_EVENT); + + evt_test->enable_sampling_logic(1); + + evt_test->enable_capture(); + + /* If the syscall fails the close exit event should be dropped */ + int32_t invalid_fd = -1; + assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, invalid_fd)); + + evt_test->disable_sampling_logic(); + + evt_test->assert_event_absence(); + + /* Now that the sampling logic is disabled we should catch the event */ + assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, invalid_fd)); + + evt_test->assert_event_presence(); + + evt_test->disable_capture(); +} +#endif + +#ifdef __NR_bind +TEST(Actions, sampling_ratio_dropping_BIND_X) +{ + auto evt_test = get_syscall_event_test(__NR_bind, EXIT_EVENT); + + evt_test->enable_sampling_logic(1); + + evt_test->enable_capture(); + + /* If the syscall fails the bind exit event should be dropped */ + int32_t invalid_fd = -1; + assert_syscall_state(SYSCALL_FAILURE, "bind", syscall(__NR_bind, invalid_fd, NULL, 0)); + + evt_test->disable_sampling_logic(); + + evt_test->assert_event_absence(); + + /* Now that the sampling logic is disabled we should catch the event */ + assert_syscall_state(SYSCALL_FAILURE, "bind", syscall(__NR_bind, invalid_fd, NULL, 0)); + + evt_test->assert_event_presence(); + + evt_test->disable_capture(); +} +#endif 
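Review bot: In `sampling_ratio_dropping_CLOSE_E_max_fds` the literal `8192` is unexplained, and nothing in the test ties it to the descriptor limit of the test process. On a host with a larger fd table the event may be dropped only because the descriptor is not open, which is the path `sampling_ratio_dropping_CLOSE_E_already_closed_fd` already covers, rather than because it is out of range (inferred; the driver-side check is not part of this diff). Consider deriving the value from `getrlimit(RLIMIT_NOFILE)`, or documenting the assumption with something like `/* 8192 is assumed to be >= the fd table size of this process */`. The same test has a doubled comment marker, `// /* Now that the sampling logic is disabled ... */`, which should be a plain block comment. The CLOSE and BIND tests also call `disable_sampling_logic()` before `assert_event_absence()`, while the FCNTL tests assert first; using one order throughout would make it clear that the absence check reflects the sampled state.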
diff --git a/test/drivers/test_suites/syscall_enter_suite/fcntl_e.cpp b/test/drivers/test_suites/syscall_enter_suite/fcntl_e.cpp index 428fb53bdf..2e03f66e0c 100644 --- a/test/drivers/test_suites/syscall_enter_suite/fcntl_e.cpp +++ b/test/drivers/test_suites/syscall_enter_suite/fcntl_e.cpp @@ -12,8 +12,9 @@ TEST(SyscallEnter, fcntlE) /*=============================== TRIGGER SYSCALL ===========================*/ + /* If the dropping logic is not enabled we should be always able to collect this event */ int32_t invalid_fd = -1; - int cmd = F_DUPFD_CLOEXEC; + int cmd = F_NOTIFY; assert_syscall_state(SYSCALL_FAILURE, "fcntl", syscall(__NR_fcntl, invalid_fd, cmd)); /*=============================== TRIGGER SYSCALL ===========================*/ @@ -37,7 +38,7 @@ TEST(SyscallEnter, fcntlE) evt_test->assert_numeric_param(1, (int64_t)invalid_fd); /* Parameter 2: cmd (type: PT_ENUMFLAGS8) */ - evt_test->assert_numeric_param(2, (uint8_t)PPM_FCNTL_F_DUPFD_CLOEXEC); + evt_test->assert_numeric_param(2, (uint8_t)PPM_FCNTL_F_NOTIFY); /*=============================== ASSERT PARAMETERS ===========================*/
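Review bot: Switching `cmd` to `F_NOTIFY` in `fcntlE` means this test no longer checks the encoded value for `F_DUPFD_CLOEXEC` (`PPM_FCNTL_F_DUPFD_CLOEXEC`), and the sampling tests added in this commit only assert presence for that command, not its parameter. By the new tests' own comments it is the command the dropping logic keeps, so its encoding is what consumers actually see under sampling. Unless the exit-suite test still covers it (not visible here), consider keeping a second assertion for it. The added comment could also say why `F_NOTIFY` was chosen, e.g. `/* F_NOTIFY is dropped when sampling is on; with sampling off it must still be collected */`. The second hunk only mirrors this change in the parameter assertion.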