diff --git a/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py b/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py
index e45c392227..278e6db35d 100644
--- a/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py
+++ b/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py
@@ -53,7 +53,7 @@ def test_db_program_spawned_process(sinsp, run_containers: dict):
 },
 {
 "container.id": generator_id,
- "evt.args": SinspField.regex_field(r'^res=0 exe=/bin/ls args=NULL tid=\d+\(ls\) pid=\d+\(ls\) ptid=\d+\(mysqld\) .* tty=0 pgid=1\(systemd\) loginuid=-1\(\\) flags=1\(EXE_WRITABLE\) cap_inheritable=0'),
+ "evt.args": SinspField.regex_field(r'^res=0 exe=/bin/ls args=NULL tid=\d+\(ls\) pid=\d+\(ls\) ptid=\d+\(mysqld\) .* tty=0 pgid=1\(systemd\) loginuid=-1\(\\) flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\) cap_inheritable=0'),
 "evt.category": "process",
 "evt.num": SinspField.numeric_field(),
 "evt.time": SinspField.numeric_field(),
diff --git a/test/e2e/tests/test_event_generator/test_file_writes.py b/test/e2e/tests/test_event_generator/test_file_writes.py
index 607f887342..cac2a57f74 100644
--- a/test/e2e/tests/test_event_generator/test_file_writes.py
+++ b/test/e2e/tests/test_event_generator/test_file_writes.py
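Review bot: The layer-flag encoding is hard-coded as both a number and a name inside every execve regex (`flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\)` here, the same literal in both test_run_shell_untrusted hunks, and `flags=8\(EXE_LOWER_LAYER\)` in test_system_user_interactive), so the next flag added to the execve args will need the same hand-edit in four places. At minimum a comment should make the numbers checkable, e.g. `# flags=9: EXE_WRITABLE (1) | EXE_LOWER_LAYER (8) -- /bin/ls is read from the image's lower layer`; better, keep the fragment once as a module-level raw string such as `EXE_FLAGS = r'flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\)'` and build the pattern from it. Separately, the `loginuid=-1\(\\)` fragment as printed here ends in an unescaped `)`; if `regex_field` compiles with Python's `re` that would be an unbalanced-parenthesis error, so it is presumably a rendering artifact, but it is worth a look since this commit re-touches every line that contains it. The body of test_db_program_spawned_process starts and ends outside the hunk.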
@@ -5,7 +5,11 @@ def create_expected_arg(directory: str) -> str:
- return fr'^fd=3\({re.escape(directory)}\/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name={re.escape(directory)}\/created-by-event-generator flags=20742\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\) mode=0755 dev=.* ino=\d+$'
+ return fr'^fd=3\({re.escape(directory)}\/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name={re.escape(directory)}\/created-by-event-generator flags=53510\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\|FD_UPPER_LAYER\) mode=0755 dev=.* ino=\d+$'
+
+def create_expected_arg_for_dev() -> str:
+ # please note that `/dev` folder is not in the overlay filesystem inside the container but in the tmpfs so it won't have the `FD_UPPER_LAYER` flag. That's the reason why it needs a different regex.
+ return fr'^fd=3\(/dev/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name=/dev/created-by-event-generator flags=20742\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\) mode=0755 dev=.* ino=\d+$'
 def generate_ids(parameters: list) -> list:
@@ -29,7 +33,7 @@ def generate_ids(parameters: list) -> list:
 expected_args = [
 create_expected_arg('/etc'),
 create_expected_arg('/bin'),
- create_expected_arg('/dev'),
+ create_expected_arg_for_dev(),
 create_expected_arg('/var/lib/rpm')
 ]
 generator_tuples = zip(generator_containers, expected_args)
diff --git a/test/e2e/tests/test_event_generator/test_read_sensitive_file.py b/test/e2e/tests/test_event_generator/test_read_sensitive_file.py
index ea68eb928d..14723992cc 100644
--- a/test/e2e/tests/test_event_generator/test_read_sensitive_file.py
+++ b/test/e2e/tests/test_event_generator/test_read_sensitive_file.py
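Review bot: `create_expected_arg_for_dev` copies the entire open-event regex from `create_expected_arg` and differs only in the `flags=` fragment (`53510` with `FD_UPPER_LAYER` versus `20742` without), so the two templates will drift the next time a field changes, which is exactly what this commit had to do by hand. A keyword-only switch on the existing helper keeps a single template and reduces the dev case to `create_expected_arg('/dev', upper_layer=False)`, with the tmpfs explanation from the new comment moved onto that parameter. `re.escape('/dev')` leaves the slashes alone and `\/` matches a plain `/`, so the generated pattern is equivalent to the hand-written one. `create_expected_arg`'s signature lies outside the first hunk, and `generate_ids` continues outside the second.
```python
def create_expected_arg(directory: str, *, upper_layer: bool = True) -> str:
    """Regex for the open-event args of the file written under `directory`.

    upper_layer: True when the file lands on the container's overlay upper
    layer (FD_UPPER_LAYER set); False for paths such as /dev, which is a
    tmpfs inside the container and therefore never carries that flag.
    """
    path = fr'{re.escape(directory)}\/created-by-event-generator'
    if upper_layer:
        flags = r'53510\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\|FD_UPPER_LAYER\)'
    else:
        flags = r'20742\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\)'
    return fr'^fd=3\({path}\) dirfd=-100\(AT_FDCWD\) name={path} flags={flags} mode=0755 dev=.* ino=\d+$'


def create_expected_arg_for_dev() -> str:
    # /dev is a tmpfs inside the container, not part of the overlay, so FD_UPPER_LAYER is never set.
    return create_expected_arg('/dev', upper_layer=False)
```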
@@ -55,7 +55,7 @@ def test_read_sensitive_file(sinsp, run_containers: dict, expected_process: str)
 expected_events = [
 {
- "evt.args": SinspField.regex_field(r'fd=3\(/etc/shadow\) dirfd=-100\(AT_FDCWD\) name=/etc/shadow flags=4097\(O_RDONLY|O_CLOEXEC\) mode=0 dev=\W+ ino=\d+'),
+ "evt.args": SinspField.regex_field(r'fd=3\(/etc/shadow\) dirfd=-100\(AT_FDCWD\) name=/etc/shadow flags=69633\(O_RDONLY|O_CLOEXEC\|FD_LOWER_LAYER\) mode=0 dev=\W+ ino=\d+'),
 "evt.cpu": SinspField.numeric_field(),
 "evt.dir": "<",
 "evt.num": SinspField.numeric_field(),
diff --git a/test/e2e/tests/test_event_generator/test_run_shell_untrusted.py b/test/e2e/tests/test_event_generator/test_run_shell_untrusted.py
index ab0a8ae8d8..9f6d032c20 100644
--- a/test/e2e/tests/test_event_generator/test_run_shell_untrusted.py
+++ b/test/e2e/tests/test_event_generator/test_run_shell_untrusted.py
@@ -26,7 +26,7 @@ def test_run_shell_untrusted(sinsp, run_containers: dict):
 expected_events = [
 {
 "container.id": generator_id,
- "evt.args": SinspField.regex_field(r'^res=0 exe=\/tmp\/falco-event-generator\d+\/httpd args=--loglevel.info.run.\^helper.RunShell\$. tid=\d+\(httpd\) pid=\d+\(httpd\) ptid=\d+\(event-generator\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\\) flags=1\(EXE_WRITABLE\) cap_inheritable=0'),
+ "evt.args": SinspField.regex_field(r'^res=0 exe=\/tmp\/falco-event-generator\d+\/httpd args=--loglevel.info.run.\^helper.RunShell\$. tid=\d+\(httpd\) pid=\d+\(httpd\) ptid=\d+\(event-generator\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\\) flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\) cap_inheritable=0'),
 "evt.category": "process",
 "evt.num": SinspField.numeric_field(),
 "evt.time": SinspField.numeric_field(),
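Review bot: The `|` between `O_RDONLY` and `O_CLOEXEC` in the new `evt.args` regex is still unescaped, so the pattern is really two alternatives — everything up to `flags=69633\(O_RDONLY`, and separately `O_CLOEXEC\|FD_LOWER_LAYER\) mode=0 dev=\W+ ino=\d+` — and if `regex_field` matches with search or match rather than fullmatch, the first alternative satisfies it alone and neither the new `FD_LOWER_LAYER` flag nor the tail is ever asserted. The commit carries the defect over from the old line; the fix is `flags=69633\(O_RDONLY\|O_CLOEXEC\|FD_LOWER_LAYER\)`. Once the tail is actually matched, `dev=\W+` (non-word characters only) may not match whatever the event prints for the device id, so re-run the test after the change rather than assuming it still passes. The expected_events list and the body of test_read_sensitive_file continue outside the hunk.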
@@ -38,7 +38,7 @@ def test_run_shell_untrusted(sinsp, run_containers: dict):
 },
 {
 "container.id": generator_id,
- "evt.args": SinspField.regex_field(r'^res=0 exe=bash args=-c.ls > \/dev\/null. tid=\d+\(bash\) pid=\d+\(bash\) ptid=\d+\(httpd\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\\) flags=1\(EXE_WRITABLE\) cap_inheritable=0'),
+ "evt.args": SinspField.regex_field(r'^res=0 exe=bash args=-c.ls > \/dev\/null. tid=\d+\(bash\) pid=\d+\(bash\) ptid=\d+\(httpd\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\\) flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\) cap_inheritable=0'),
 "evt.category": "process",
 "evt.num": SinspField.numeric_field(),
 "evt.time": SinspField.numeric_field(),
diff --git a/test/e2e/tests/test_event_generator/test_system_user_interactive.py b/test/e2e/tests/test_event_generator/test_system_user_interactive.py
index 723ba672f6..7993f968b9 100644
--- a/test/e2e/tests/test_event_generator/test_system_user_interactive.py
+++ b/test/e2e/tests/test_event_generator/test_system_user_interactive.py
@@ -27,7 +27,7 @@ def test_system_user_interactive(sinsp, run_containers: dict):
 expected_events = [
 {
 "container.id": generator_id,
- "evt.args": SinspField.regex_field(r'^res=0 exe=\/bin\/login args=NULL tid=\d+\(login\) pid=\d+\(login\) ptid=\d+\(event-generator\) .* pgid=\d+\(systemd\) loginuid=-1\(\\) flags=0 cap_inheritable=0 cap_permitted=0 cap_effective=0'),
+ "evt.args": SinspField.regex_field(r'^res=0 exe=\/bin\/login args=NULL tid=\d+\(login\) pid=\d+\(login\) ptid=\d+\(event-generator\) .* pgid=\d+\(systemd\) loginuid=-1\(\\) flags=8\(EXE_LOWER_LAYER\) cap_inheritable=0 cap_permitted=0 cap_effective=0'),
 "evt.category": "process",
 "evt.num": SinspField.numeric_field(),
 "evt.time": SinspField.numeric_field(),