diff --git a/test/drivers/test_suites/syscall_exit_suite/execve_x.cpp b/test/drivers/test_suites/syscall_exit_suite/execve_x.cpp index 674c0c2817..3fd3c62191 100644 --- a/test/drivers/test_suites/syscall_exit_suite/execve_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/execve_x.cpp @@ -51,6 +51,15 @@ TEST(SyscallExit, execveX_failure) std::string truncated_too_long_env (4096 - (strlen("IN_TEST=yes")+1) - (strlen("3_ARGUMENT=yes")+1) - 1, 'x'); const char *expected_newenviron[] = {"IN_TEST=yes", "3_ARGUMENT=yes", truncated_too_long_env.c_str(), NULL}; + bool expect_truncated = true; + if(evt_test->is_kmod_engine() && getpagesize() > 4096) + { + // for kmod, the size limit is actually PAGE_SIZE; + // see STR_STORAGE_SIZE macro definition in driver/capture_macro.h. + // In case PAGE_SIZE is < 4096, expect NON-truncated args/envs + expect_truncated = false; + } + assert_syscall_state(SYSCALL_FAILURE, "execve", syscall(__NR_execve, pathname, newargv, newenviron)); int64_t errno_value = -errno; @@ -79,7 +88,14 @@ TEST(SyscallExit, execveX_failure) /* Parameter 3: args (type: PT_CHARBUFARRAY) */ /* Starting from `1` because the first is `exe`. */ - evt_test->assert_charbuf_array_param(3, &expected_newargv[1]); + if (expect_truncated) + { + evt_test->assert_charbuf_array_param(3, &expected_newargv[1]); + } + else + { + evt_test->assert_charbuf_array_param(3, &newargv[1]); + } /* Parameter 4: tid (type: PT_PID) */ evt_test->assert_numeric_param(4, (int64_t)pid); @@ -121,8 +137,15 @@ TEST(SyscallExit, execveX_failure) /* Parameter 15: cgroups (type: PT_CHARBUFARRAY) */ evt_test->assert_cgroup_param(15); - /* Parameter 16: env (type: PT_CHARBUFARRAY) */ - evt_test->assert_charbuf_array_param(16, &expected_newenviron[0]); + /* Parameter 16: env (type: PT_CHARBUFARRAY) */ + if (expect_truncated) + { + evt_test->assert_charbuf_array_param(16, &expected_newenviron[0]); + } + else + { + evt_test->assert_charbuf_array_param(16, &newenviron[0]); + } /* Parameter 17: tty (type: PT_UINT32) */ evt_test->assert_numeric_param(17, (uint32_t)info.tty); @@ -285,6 +308,15 @@ TEST(SyscallExit, execveX_success) std::string truncated_too_long_env (4096 - (strlen("IN_TEST=yes")+1) - (strlen("3_ARGUMENT=yes")+1) - 1, 'x'); const char *expected_newenviron[] = {"IN_TEST=yes", "3_ARGUMENT=yes", truncated_too_long_env.c_str(), NULL}; + bool expect_truncated = true; + if(evt_test->is_kmod_engine() && getpagesize() > 4096) + { + // for kmod, the size limit is actually PAGE_SIZE; + // see STR_STORAGE_SIZE macro definition in driver/capture_macro.h. + // In case PAGE_SIZE is < 4096, expect NON-truncated args/envs + expect_truncated = false; + } + /* We need to use `SIGCHLD` otherwise the parent won't receive any signal * when the child terminates. */ @@ -338,7 +370,14 @@ TEST(SyscallExit, execveX_success) /* Parameter 3: args (type: PT_CHARBUFARRAY) */ /* Starting from `1` because the first is `exe`. */ - evt_test->assert_charbuf_array_param(3, &expected_newargv[1]); + if (expect_truncated) + { + evt_test->assert_charbuf_array_param(3, &expected_newargv[1]); + } + else + { + evt_test->assert_charbuf_array_param(3, &newargv[1]); + } /* Parameter 4: tid (type: PT_PID) */ evt_test->assert_numeric_param(4, (int64_t)ret_pid); @@ -361,7 +400,14 @@ TEST(SyscallExit, execveX_success) evt_test->assert_cgroup_param(15); /* Parameter 16: env (type: PT_CHARBUFARRAY) */ - evt_test->assert_charbuf_array_param(16, &expected_newenviron[0]); + if (expect_truncated) + { + evt_test->assert_charbuf_array_param(16, &expected_newenviron[0]); + } + else + { + evt_test->assert_charbuf_array_param(16, &newenviron[0]); + } /* PPM_EXE_WRITABLE is set when the user that executed a process can also write to the executable * file that is used to spawn it or is its owner or otherwise capable. diff --git a/test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp index 5dc2e896bb..b3748bce33 100644 --- a/test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp @@ -50,7 +50,16 @@ TEST(SyscallExit, execveatX_failure) const char *newenviron[] = {"IN_TEST=yes", "3_ARGUMENT=yes", too_long_arg.c_str(), "2_ARGUMENT=no", NULL}; std::string truncated_too_long_env (4096 - (strlen("IN_TEST=yes")+1) - (strlen("3_ARGUMENT=yes")+1) - 1, 'x'); const char *expected_newenviron[] = {"IN_TEST=yes", "3_ARGUMENT=yes", truncated_too_long_env.c_str(), NULL}; - + + bool expect_truncated = true; + if(evt_test->is_kmod_engine() && getpagesize() > 4096) + { + // for kmod, the size limit is actually PAGE_SIZE; + // see STR_STORAGE_SIZE macro definition in driver/capture_macro.h. + // In case PAGE_SIZE is < 4096, expect NON-truncated args/envs + expect_truncated = false; + } + int flags = AT_SYMLINK_NOFOLLOW; assert_syscall_state(SYSCALL_FAILURE, "execveat", syscall(__NR_execveat, dirfd, pathname, newargv, newenviron, flags)); int64_t errno_value = -errno; @@ -80,7 +89,14 @@ TEST(SyscallExit, execveatX_failure) /* Parameter 3: args (type: PT_CHARBUFARRAY) */ /* Starting from `1` because the first is `exe`. */ - evt_test->assert_charbuf_array_param(3, &expected_newargv[1]); + if (expect_truncated) + { + evt_test->assert_charbuf_array_param(3, &expected_newargv[1]); + } + else + { + evt_test->assert_charbuf_array_param(3, &newargv[1]); + } /* Parameter 4: tid (type: PT_PID) */ evt_test->assert_numeric_param(4, (int64_t)pid); @@ -123,7 +139,14 @@ TEST(SyscallExit, execveatX_failure) evt_test->assert_cgroup_param(15); /* Parameter 16: env (type: PT_CHARBUFARRAY) */ - evt_test->assert_charbuf_array_param(16, &expected_newenviron[0]); + if (expect_truncated) + { + evt_test->assert_charbuf_array_param(16, &expected_newenviron[0]); + } + else + { + evt_test->assert_charbuf_array_param(16, &newenviron[0]); + } /* Parameter 17: tty (type: PT_UINT32) */ evt_test->assert_numeric_param(17, (uint32_t)info.tty); @@ -190,6 +213,15 @@ TEST(SyscallExit, execveatX_correct_exit) const char *newargv[] = {pathname, "", "first_argv", "", too_long_arg.c_str(), "second_argv", NULL}; const char *newenviron[] = {"IN_TEST=yes", "3_ARGUMENT=yes", too_long_arg.c_str(), "2_ARGUMENT=no", NULL}; + bool expect_truncated = true; + if(evt_test->is_kmod_engine() && getpagesize() > 4096) + { + // for kmod, the size limit is actually PAGE_SIZE; + // see STR_STORAGE_SIZE macro definition in driver/capture_macro.h. + // In case PAGE_SIZE is < 4096, expect NON-truncated args/envs + expect_truncated = false; + } + int flags = 0; /* We need to use `SIGCHLD` otherwise the parent won't receive any signal @@ -248,9 +280,17 @@ TEST(SyscallExit, execveatX_correct_exit) /* Parameter 3: args (type: PT_CHARBUFARRAY) */ /* Starting from `1` because the first is `exe`. */ - std::string truncated_too_long_arg (4096 - (strlen(pathname)+1) - (strlen("first_argv")+1) - 2*(strlen("")+1) - 1, 'x'); - const char *expected_newargv[] = {pathname, "", "first_argv", "", truncated_too_long_arg.c_str(), NULL}; - evt_test->assert_charbuf_array_param(3, &expected_newargv[1]); + if (expect_truncated) + { + std::string truncated_too_long_arg( + 4096 - (strlen(pathname) + 1) - (strlen("first_argv") + 1) - 2 * (strlen("") + 1) - 1, 'x'); + const char *expected_newargv[] = {pathname, "", "first_argv", "", truncated_too_long_arg.c_str(), NULL}; + evt_test->assert_charbuf_array_param(3, &expected_newargv[1]); + } + else + { + evt_test->assert_charbuf_array_param(3, &newargv[1]); + } /* Parameter 4: tid (type: PT_PID) */ evt_test->assert_numeric_param(4, (int64_t)ret_pid); @@ -273,9 +313,18 @@ TEST(SyscallExit, execveatX_correct_exit) evt_test->assert_cgroup_param(15); /* Parameter 16: env (type: PT_CHARBUFARRAY) */ - std::string truncated_too_long_env (4096 - (strlen("IN_TEST=yes")+1) - (strlen("3_ARGUMENT=yes")+1) - 1, 'x'); - const char *expected_newenviron[] = {"IN_TEST=yes", "3_ARGUMENT=yes", truncated_too_long_env.c_str(), NULL}; - evt_test->assert_charbuf_array_param(16, &expected_newenviron[0]); + if (expect_truncated) + { + std::string truncated_too_long_env( + 4096 - (strlen("IN_TEST=yes") + 1) - (strlen("3_ARGUMENT=yes") + 1) - 1, 'x'); + const char *expected_newenviron[] = {"IN_TEST=yes", "3_ARGUMENT=yes", truncated_too_long_env.c_str(), + NULL}; + evt_test->assert_charbuf_array_param(16, &expected_newenviron[0]); + } + else + { + evt_test->assert_charbuf_array_param(16, &newenviron[0]); + } /* PPM_EXE_WRITABLE is set when the user that executed a process can also write to the executable * file that is used to spawn it or is its owner or otherwise capable.