new(modern_bpf): add signalfd4 syscall

Signed-off-by: Andrea Terzolo <[email protected]>
falcosecurity · Jul 30, 2022 · 2608086 · 2608086
1 parent 4d03b09
commit 2608086
Show file tree

Hide file tree

Showing 2 changed files with 111 additions and 0 deletions.
diff --git a/test/modern_bpf/test_suites/syscall_enter_suite/signalfd4_e.cpp b/test/modern_bpf/test_suites/syscall_enter_suite/signalfd4_e.cpp
@@ -0,0 +1,59 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_signalfd4
+
+#include <sys/signalfd.h>
+
+TEST(SyscallEnter, signalfd4E)
+{
+
+	/* Please note:
+	 * the syscall `signalfd4` is mapped to `PPME_SYSCALL_SIGNALFD_E` event
+	 * like `signalfd`. The same BPF program will be used for both the syscalls.
+	 */
+
+	auto evt_test = new event_test(__NR_signalfd4, ENTER_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	/* `mask` and `flags` are not catched BPF side. */
+	int32_t mock_fd = -1;
+	sigset_t mask = {0};
+	int flags = 7;
+	assert_syscall_state(SYSCALL_FAILURE, "signalfd4", syscall(__NR_signalfd4, mock_fd, &mask, flags));
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	evt_test->disable_capture();
+
+	evt_test->assert_event_presence();
+
+	if(HasFatalFailure())
+	{
+		return;
+	}
+
+	evt_test->parse_event();
+
+	evt_test->assert_header();
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	/* Parameter 1: fd (type: PT_FD) */
+	evt_test->assert_numeric_param(1, (int64_t)mock_fd);
+
+	/* Parameter 2: mask (type: PT_UINT32) */
+	/* Right now we don't catch any mask, so we expect `0` as a second parameter. */
+	evt_test->assert_numeric_param(2, (uint32_t)0);
+
+	/* Parameter 3: flags (type: PT_FLAGS8) */
+	/* Right now we don't catch any flag, so we expect `0` as a second parameter. */
+	evt_test->assert_numeric_param(3, (uint8_t)0);
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	evt_test->assert_num_params_pushed(3);
+}
+#endif
diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/signalfd4_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/signalfd4_x.cpp
@@ -0,0 +1,52 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_signalfd4
+
+#include <sys/signalfd.h>
+
+TEST(SyscallExit, signalfd4X)
+{
+
+	/* Please note:
+	 * the syscall `signalfd4` is mapped to `PPME_SYSCALL_SIGNALFD_X` event
+	 * like `signalfd`. The same BPF program will be used for both the syscalls.
+	 */
+
+	auto evt_test = new event_test(__NR_signalfd4, EXIT_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	/* `mask` and `flags` are not catched BPF side. */
+	int32_t mock_fd = -1;
+	sigset_t mask = {0};
+	int flags = 7;
+	assert_syscall_state(SYSCALL_FAILURE, "signalfd4", syscall(__NR_signalfd4, mock_fd, &mask, flags));
+	int64_t errno_value = -errno;
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	evt_test->disable_capture();
+
+	evt_test->assert_event_presence();
+
+	if(HasFatalFailure())
+	{
+		return;
+	}
+
+	evt_test->parse_event();
+
+	evt_test->assert_header();
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO)*/
+	evt_test->assert_numeric_param(1, (int64_t)errno_value);
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	evt_test->assert_num_params_pushed(1);
+}
+#endif