fix(tests): fix e2e sinsp tests

Signed-off-by: Andrea Terzolo <[email protected]>

test/e2e/tests/test_event_generator/test_db_program_spawned_process.py

@@ -53,7 +53,7 @@ def test_db_program_spawned_process(sinsp, run_containers: dict):
         },
         {
             "container.id": generator_id,
-            "evt.args": SinspField.regex_field(r'^res=0 exe=/bin/ls args=NULL tid=\d+\(ls\) pid=\d+\(ls\) ptid=\d+\(mysqld\) .* tty=0 pgid=1\(systemd\) loginuid=-1\(\<NONE\>\) flags=1\(EXE_WRITABLE\) cap_inheritable=0'),
+            "evt.args": SinspField.regex_field(r'^res=0 exe=/bin/ls args=NULL tid=\d+\(ls\) pid=\d+\(ls\) ptid=\d+\(mysqld\) .* tty=0 pgid=1\(systemd\) loginuid=-1\(\<NONE\>\) flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\) cap_inheritable=0'),
             "evt.category": "process",
             "evt.num": SinspField.numeric_field(),
             "evt.time": SinspField.numeric_field(),

test/e2e/tests/test_event_generator/test_file_writes.py

@@ -5,7 +5,11 @@
 
 
 def create_expected_arg(directory: str) -> str:
-    return fr'^fd=3\(<f>{re.escape(directory)}\/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name={re.escape(directory)}\/created-by-event-generator flags=20742\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\) mode=0755 dev=.* ino=\d+$'
+    return fr'^fd=3\(<f>{re.escape(directory)}\/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name={re.escape(directory)}\/created-by-event-generator flags=53510\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\|FD_UPPER_LAYER\) mode=0755 dev=.* ino=\d+$'
+
+def create_expected_arg_for_dev() -> str:
+	# please note that `/dev` folder is not in the overlay filesystem inside the container but in the tmpfs so it won't have the `FD_UPPER_LAYER` flag. That's the reason why it needs a different regex.
+    return fr'^fd=3\(<f>/dev/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name=/dev/created-by-event-generator flags=20742\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\) mode=0755 dev=.* ino=\d+$'
 
 
 def generate_ids(parameters: list) -> list:
@@ -29,7 +33,7 @@ def generate_ids(parameters: list) -> list:
 expected_args = [
     create_expected_arg('/etc'),
     create_expected_arg('/bin'),
-    create_expected_arg('/dev'),
+    create_expected_arg_for_dev(),
     create_expected_arg('/var/lib/rpm')
 ]
 generator_tuples = zip(generator_containers, expected_args)

test/e2e/tests/test_event_generator/test_read_sensitive_file.py

@@ -55,7 +55,7 @@ def test_read_sensitive_file(sinsp, run_containers: dict, expected_process: str)
 
     expected_events = [
         {
-            "evt.args": SinspField.regex_field(r'fd=3\(<f>/etc/shadow\) dirfd=-100\(AT_FDCWD\) name=/etc/shadow flags=4097\(O_RDONLY|O_CLOEXEC\) mode=0 dev=\W+ ino=\d+'),
+            "evt.args": SinspField.regex_field(r'fd=3\(<f>/etc/shadow\) dirfd=-100\(AT_FDCWD\) name=/etc/shadow flags=69633\(O_RDONLY|O_CLOEXEC\|FD_LOWER_LAYER\) mode=0 dev=\W+ ino=\d+'),
             "evt.cpu": SinspField.numeric_field(),
             "evt.dir": "<",
             "evt.num": SinspField.numeric_field(),

test/e2e/tests/test_event_generator/test_run_shell_untrusted.py

@@ -26,7 +26,7 @@ def test_run_shell_untrusted(sinsp, run_containers: dict):
     expected_events = [
         {
             "container.id": generator_id,
-            "evt.args": SinspField.regex_field(r'^res=0 exe=\/tmp\/falco-event-generator\d+\/httpd args=--loglevel.info.run.\^helper.RunShell\$. tid=\d+\(httpd\) pid=\d+\(httpd\) ptid=\d+\(event-generator\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\<NONE\>\) flags=1\(EXE_WRITABLE\) cap_inheritable=0'),
+            "evt.args": SinspField.regex_field(r'^res=0 exe=\/tmp\/falco-event-generator\d+\/httpd args=--loglevel.info.run.\^helper.RunShell\$. tid=\d+\(httpd\) pid=\d+\(httpd\) ptid=\d+\(event-generator\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\<NONE\>\) flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\) cap_inheritable=0'),
             "evt.category": "process",
             "evt.num": SinspField.numeric_field(),
             "evt.time": SinspField.numeric_field(),
@@ -38,7 +38,7 @@ def test_run_shell_untrusted(sinsp, run_containers: dict):
         },
         {
             "container.id": generator_id,
-            "evt.args": SinspField.regex_field(r'^res=0 exe=bash args=-c.ls > \/dev\/null. tid=\d+\(bash\) pid=\d+\(bash\) ptid=\d+\(httpd\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\<NONE\>\) flags=1\(EXE_WRITABLE\) cap_inheritable=0'),
+            "evt.args": SinspField.regex_field(r'^res=0 exe=bash args=-c.ls > \/dev\/null. tid=\d+\(bash\) pid=\d+\(bash\) ptid=\d+\(httpd\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\<NONE\>\) flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\) cap_inheritable=0'),
             "evt.category": "process",
             "evt.num": SinspField.numeric_field(),
             "evt.time": SinspField.numeric_field(),

test/e2e/tests/test_event_generator/test_system_user_interactive.py

@@ -27,7 +27,7 @@ def test_system_user_interactive(sinsp, run_containers: dict):
     expected_events = [
         {
             "container.id": generator_id,
-            "evt.args": SinspField.regex_field(r'^res=0 exe=\/bin\/login args=NULL tid=\d+\(login\) pid=\d+\(login\) ptid=\d+\(event-generator\) .* pgid=\d+\(systemd\) loginuid=-1\(\<NONE\>\) flags=0 cap_inheritable=0 cap_permitted=0 cap_effective=0'),
+            "evt.args": SinspField.regex_field(r'^res=0 exe=\/bin\/login args=NULL tid=\d+\(login\) pid=\d+\(login\) ptid=\d+\(event-generator\) .* pgid=\d+\(systemd\) loginuid=-1\(\<NONE\>\) flags=8\(EXE_LOWER_LAYER\) cap_inheritable=0 cap_permitted=0 cap_effective=0'),
             "evt.category": "process",
             "evt.num": SinspField.numeric_field(),
             "evt.time": SinspField.numeric_field(),