chore(test/drivers): added new tests for ia32 to check pushed params.

Signed-off-by: Federico Di Pierro <[email protected]>
falcosecurity · Oct 6, 2023 · b9a72a4 · b9a72a4
1 parent 8bf4140
commit b9a72a4
Show file tree

Hide file tree

Showing 2 changed files with 193 additions and 9 deletions.
diff --git a/test/drivers/helpers/ia32.c b/test/drivers/helpers/ia32.c
@@ -5,13 +5,24 @@
  */
 
 #include <unistd.h>
+#include <fcntl.h>
+#include <linux/openat2.h>  /* Definition of RESOLVE_* constants */
 #include <sys/syscall.h>
 #include <sys/types.h>
+#include <sys/socket.h>
 #include <linux/net.h>        /* Definition of SYS_* constants */
 
 int main() {
-	syscall(__NR_close, -1);
+	struct open_how how;
+	how.flags = O_RDWR;
+	how.mode = 0;
+	how.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS;
+	syscall(__NR_openat2, 11, "mock_path", &how, sizeof(struct open_how));
+	syscall(__NR_write, 17, NULL, 1013);
 	unsigned long args[3] = {0};
+	args[0] = AF_INET;
+	args[1] = SOCK_RAW;
+	args[2] = PF_INET;
 	syscall(__NR_socketcall, SYS_SOCKET, args);
 	syscall(__NR_socketcall, SYS_ACCEPT4, args);
 	syscall(__NR_socketcall, SYS_SEND, args);

diff --git a/test/drivers/test_suites/actions_suite/ia32.cpp.in b/test/drivers/test_suites/actions_suite/ia32.cpp.in
@@ -40,8 +40,10 @@ TEST(Actions, ia32)
 	evt_test->disable_capture();
 
 	/* Retrieve events in order. */
-	evt_test->assert_event_presence(ret_pid, PPME_SYSCALL_CLOSE_E);
-	evt_test->assert_event_presence(ret_pid, PPME_SYSCALL_CLOSE_X);
+	evt_test->assert_event_presence(ret_pid, PPME_SYSCALL_OPENAT2_E);
+  evt_test->assert_event_presence(ret_pid, PPME_SYSCALL_OPENAT2_X);
+	evt_test->assert_event_presence(ret_pid, PPME_SYSCALL_WRITE_E);
+	evt_test->assert_event_presence(ret_pid, PPME_SYSCALL_WRITE_X);
 	evt_test->assert_event_presence(ret_pid, PPME_SOCKET_SOCKET_E);
 	evt_test->assert_event_presence(ret_pid, PPME_SOCKET_SOCKET_X);
 	evt_test->assert_event_presence(ret_pid, PPME_SOCKET_ACCEPT4_6_E);
@@ -98,6 +100,7 @@ TEST(Actions, ia32)
 	}
 }
 
+#ifdef __NR_execve
 // Check that we receive proper execve exit events, testing that it gets
 // properly received, even if it comes from a x86_64 task that is execv'ing a COMPAT task.
 TEST(Actions, ia32_execve_compat)
@@ -112,12 +115,6 @@ TEST(Actions, ia32_execve_compat)
 	{
 		char* const argv[] = {NULL};
 		char* const envp[] = {NULL};
-		// Pin process to a single core, so that events get sent in order
-		cpu_set_t my_set;
-		CPU_ZERO(&my_set);
-		CPU_SET(1, &my_set);
-		sched_setaffinity(0, sizeof(cpu_set_t), &my_set);
-
 		execve("${CMAKE_CURRENT_BINARY_DIR}/ia32", argv, envp);
 		exit(EXIT_FAILURE);
 	}
@@ -137,4 +134,180 @@ TEST(Actions, ia32_execve_compat)
 	/* We search for a child event. */
   evt_test->assert_event_presence(ret_pid);
 }
+#endif
+
+#ifdef __NR_openat2
+TEST(Actions, ia32_openat2_e)
+{
+	auto evt_test = get_syscall_event_test(__NR_openat2, ENTER_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL  ===========================*/
+	pid_t ret_pid = syscall(__NR_fork);
+	if(ret_pid == 0)
+	{
+		char* const argv[] = {NULL};
+		char* const envp[] = {NULL};
+		execve("${CMAKE_CURRENT_BINARY_DIR}/ia32", argv, envp);
+		exit(EXIT_FAILURE);
+	}
+	assert_syscall_state(SYSCALL_SUCCESS, "fork", ret_pid, NOT_EQUAL, -1);
+	int status = 0;
+	int options = 0;
+	assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1);
+
+	if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0)
+	{
+		FAIL() << "Fork failed..." << std::endl;
+	}
+
+	/* Disable the capture: no more events from now. */
+	evt_test->disable_capture();
+
+	/* Retrieve events in order. */
+	evt_test->assert_event_presence(ret_pid);
+
+	if(HasFatalFailure())
+	{
+  	return;
+  }
+
+  evt_test->parse_event();
+  evt_test->assert_header();
+
+  /*=============================== ASSERT PARAMETERS  ===========================*/
+
+  /* Parameter 1: dirfd (type: PT_FD) */
+  evt_test->assert_numeric_param(1, (int64_t)11);
+
+ 	/* Parameter 2: name (type: PT_FSPATH) */
+ 	evt_test->assert_charbuf_param(2, "mock_path");
+
+  /* Parameter 3: flags (type: PT_FLAGS32) */
+	evt_test->assert_numeric_param(3, (uint32_t)PPM_O_RDWR);
+
+	/* Parameter 4: mode (type: PT_UINT32) */
+	evt_test->assert_numeric_param(4, (uint32_t)0);
+
+	/* Parameter 5: resolve (type: PT_FLAGS32) */
+	evt_test->assert_numeric_param(5, (uint32_t)PPM_RESOLVE_BENEATH | PPM_RESOLVE_NO_MAGICLINKS);
+
+ 	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+ 	evt_test->assert_num_params_pushed(5);
+}
+#endif
+
+#ifdef __NR_write
+TEST(Actions, ia32_write_e)
+{
+	auto evt_test = get_syscall_event_test(__NR_write, ENTER_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL  ===========================*/
+	pid_t ret_pid = syscall(__NR_fork);
+	if(ret_pid == 0)
+	{
+		char* const argv[] = {NULL};
+		char* const envp[] = {NULL};
+		execve("${CMAKE_CURRENT_BINARY_DIR}/ia32", argv, envp);
+		exit(EXIT_FAILURE);
+	}
+	assert_syscall_state(SYSCALL_SUCCESS, "fork", ret_pid, NOT_EQUAL, -1);
+	int status = 0;
+	int options = 0;
+	assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1);
+
+	if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0)
+	{
+		FAIL() << "Fork failed..." << std::endl;
+	}
+
+	/* Disable the capture: no more events from now. */
+	evt_test->disable_capture();
+
+	/* Retrieve events in order. */
+	evt_test->assert_event_presence(ret_pid);
+
+	if(HasFatalFailure())
+	{
+  	return;
+  }
+
+  evt_test->parse_event();
+  evt_test->assert_header();
+
+  /*=============================== ASSERT PARAMETERS  ===========================*/
+
+	/* Parameter 1: fd (type: PT_FD) */
+  evt_test->assert_numeric_param(1, (int64_t)17);
+
+  /* Parameter 2: size (type: PT_UINT32)*/
+  evt_test->assert_numeric_param(2, (uint32_t)1013);
+
+  /*=============================== ASSERT PARAMETERS  ===========================*/
+
+  evt_test->assert_num_params_pushed(2);
+}
+#endif
+
+#if defined(__NR_socket)
+TEST(Actions, ia32_socket_e)
+{
+	auto evt_test = get_syscall_event_test(__NR_socket, ENTER_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL  ===========================*/
+	pid_t ret_pid = syscall(__NR_fork);
+	if(ret_pid == 0)
+	{
+		char* const argv[] = {NULL};
+		char* const envp[] = {NULL};
+		execve("${CMAKE_CURRENT_BINARY_DIR}/ia32", argv, envp);
+		exit(EXIT_FAILURE);
+	}
+	assert_syscall_state(SYSCALL_SUCCESS, "fork", ret_pid, NOT_EQUAL, -1);
+	int status = 0;
+	int options = 0;
+	assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1);
+
+	if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0)
+	{
+		FAIL() << "Fork failed..." << std::endl;
+	}
+
+	/* Disable the capture: no more events from now. */
+	evt_test->disable_capture();
+
+	/* Retrieve events in order. */
+	evt_test->assert_event_presence(ret_pid);
+
+	if(HasFatalFailure())
+	{
+  	return;
+  }
+
+  evt_test->parse_event();
+  evt_test->assert_header();
+
+  /*=============================== ASSERT PARAMETERS  ===========================*/
+
+  /* Parameter 1: domain (type: PT_ENUMFLAGS32) */
+  evt_test->assert_numeric_param(1, (uint32_t)PPM_AF_INET);
+
+  /* Parameter 2: type (type: PT_UINT32) */
+  evt_test->assert_numeric_param(2, (uint32_t)SOCK_RAW);
+
+  /* Parameter 3: proto (type: PT_UINT32) */
+  evt_test->assert_numeric_param(3, (uint32_t)PF_INET);
+
+  /*=============================== ASSERT PARAMETERS  ===========================*/
+
+  evt_test->assert_num_params_pushed(3);
+}
+#endif
+
 #endif