feat: Check all syscalls in set.

Also adds a custom wait func to wait for output

Signed-off-by: Simarpreet Singh <simar@linux.com>

tracee-ebpf/test/integration/go.mod

@@ -3,6 +3,7 @@ module github.com/aquasecurity/tracee/integration
 go 1.16
 
 require (
+	github.com/aquasecurity/tracee/tracee-ebpf v0.0.0-20210316172205-2e0edb215460
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/onsi/gomega v1.11.0

tracee-ebpf/test/integration/go.sum

@@ -1,3 +1,9 @@
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/aquasecurity/tracee/libbpfgo v0.0.0-20210115081842-487d1e44fcda h1:ghWH8XcpEasEd4dfAvhLBDD+ib/DK9uJTQ2rWWHHNRI=
+github.com/aquasecurity/tracee/libbpfgo v0.0.0-20210115081842-487d1e44fcda/go.mod h1:Ldem7RTRbX6bdTDxU2eYYvo7pPWYQbbc6rdGv0Ilyts=
+github.com/aquasecurity/tracee/tracee-ebpf v0.0.0-20210316172205-2e0edb215460 h1:LlTv7C7JCyIillyH8DMM0bSjxH5FzSLufta7zzRrEjM=
+github.com/aquasecurity/tracee/tracee-ebpf v0.0.0-20210316172205-2e0edb215460/go.mod h1:uhZ7NoCw0Sst5mHiAaKNMQi0xCYJmfJJM5yRLatETQA=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
@@ -27,9 +33,14 @@ github.com/onsi/gomega v1.11.0 h1:+CqWgvj0OZycCaqclBD1pxKHAU+tOkHmQIWvDHq2aug=
 github.com/onsi/gomega v1.11.0/go.mod h1:azGKhqFUon9Vuj0YmTfLSmx0FUwqXYSTl5re8lQLTUg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/urfave/cli/v2 v2.1.1/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -60,6 +71,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

tracee-ebpf/test/integration/integration_test.go

@@ -13,6 +13,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/aquasecurity/tracee/tracee-ebpf/tracee"
+
 	ps "github.com/mitchellh/go-ps"
 	"github.com/onsi/gomega/gexec"
 	"github.com/stretchr/testify/require"
@@ -21,6 +23,10 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+const (
+	CheckTimeout = time.Second * 2
+)
+
 type Config struct {
 	TraceeBinaryPath string `required:"true" envconfig:"trc_bin"`
 }
@@ -60,6 +66,15 @@ func getPidByName(t *testing.T, name string) int {
 	return -1
 }
 
+// wait for tracee buffer to fill or timeout to occur, whichever comes first
+func waitForTraceeOutput(gotOutput *bytes.Buffer, now time.Time) {
+	for {
+		if len(gotOutput.String()) > 0 || (time.Since(now) > CheckTimeout) {
+			break
+		}
+	}
+}
+
 // small set of actions to trigger a magic write event
 func checkMagicwrite(t *testing.T, gotOutput *bytes.Buffer) {
 	// create a temp dir for testing
@@ -81,6 +96,8 @@ func checkMagicwrite(t *testing.T, gotOutput *bytes.Buffer) {
 	cpCmd.Stdout = os.Stdout
 	assert.NoError(t, cpCmd.Run())
 
+	waitForTraceeOutput(gotOutput, time.Now())
+
 	// check tracee output
 	assert.Contains(t, gotOutput.String(), `[102 111 111 46 98 97 114 46 98 97 122]`)
 }
@@ -89,6 +106,8 @@ func checkMagicwrite(t *testing.T, gotOutput *bytes.Buffer) {
 func checkExeccommand(t *testing.T, gotOutput *bytes.Buffer) {
 	_, _ = exec.Command("ls").CombinedOutput()
 
+	waitForTraceeOutput(gotOutput, time.Now())
+
 	// check tracee output
 	processNames := strings.Split(strings.TrimSpace(gotOutput.String()), "\n")
 	for _, pname := range processNames {
@@ -103,6 +122,8 @@ func checkPidnew(t *testing.T, gotOutput *bytes.Buffer) {
 	// run a command
 	_, _ = exec.Command("ls").CombinedOutput()
 
+	waitForTraceeOutput(gotOutput, time.Now())
+
 	// output should only have events with pids greater (newer) than tracee
 	pids := strings.Split(strings.TrimSpace(gotOutput.String()), "\n")
 	for _, p := range pids {
@@ -115,6 +136,8 @@ func checkPidnew(t *testing.T, gotOutput *bytes.Buffer) {
 func checkUidzero(t *testing.T, gotOutput *bytes.Buffer) {
 	_, _ = exec.Command("ls").CombinedOutput()
 
+	waitForTraceeOutput(gotOutput, time.Now())
+
 	// check output length
 	require.NotEmpty(t, gotOutput.String())
 
@@ -130,6 +153,8 @@ func checkUidzero(t *testing.T, gotOutput *bytes.Buffer) {
 func checkPidOne(t *testing.T, gotOutput *bytes.Buffer) {
 	_, _ = exec.Command("init", "q").CombinedOutput()
 
+	waitForTraceeOutput(gotOutput, time.Now())
+
 	// check output length
 	require.NotEmpty(t, gotOutput.String())
 
@@ -145,6 +170,8 @@ func checkPidOne(t *testing.T, gotOutput *bytes.Buffer) {
 func checkExecve(t *testing.T, gotOutput *bytes.Buffer) {
 	_, _ = exec.Command("ls").CombinedOutput()
 
+	waitForTraceeOutput(gotOutput, time.Now())
+
 	// check output length
 	require.NotEmpty(t, gotOutput.String())
 
@@ -161,14 +188,30 @@ func checkExecve(t *testing.T, gotOutput *bytes.Buffer) {
 func checkSetFs(t *testing.T, gotOutput *bytes.Buffer) {
 	_, _ = exec.Command("ls").CombinedOutput()
 
+	waitForTraceeOutput(gotOutput, time.Now())
+
 	// check output length
 	require.NotEmpty(t, gotOutput.String())
 
-	// output should only have events with event name of execve
+	expectedSyscalls := getAllSyscallsInSet("fs")
+
+	// output should only have events with events in the set of filesystem syscalls
 	eventNames := strings.Split(strings.TrimSpace(gotOutput.String()), "\n")
 	for _, en := range eventNames {
-		require.Contains(t, []string{"access", "openat", "fstat", "close", "read", "pread64", "statfs", "ioctl", "statx", "getdents64", "write"}, en)
+		require.Contains(t, expectedSyscalls, en)
+	}
+}
+
+func getAllSyscallsInSet(set string) []string {
+	var syscallsInSet []string
+	for _, v := range tracee.EventsIDToEvent {
+		for _, c := range v.Sets {
+			if c == set {
+				syscallsInSet = append(syscallsInSet, v.Name)
+			}
+		}
 	}
+	return syscallsInSet
 }
 
 func Test_Events(t *testing.T) {
@@ -208,11 +251,11 @@ func Test_Events(t *testing.T) {
 			eventFunc:  checkPidOne,
 			goTemplate: "{{ .ProcessID }}\n",
 		},
-		// TODO: Add pid=0,1
-		// TODO: Add pid=0 pid=1
-		// TODO: Add uid>0
-		// TODO: Add pid>0 pid<1000
-		// TODO: Add u>0 u!=1000
+		//TODO: Add pid=0,1
+		//TODO: Add pid=0 pid=1
+		//TODO: Add uid>0
+		//TODO: Add pid>0 pid<1000
+		//TODO: Add u>0 u!=1000
 		{
 			name:       "trace only execve events from comm ls",
 			args:       []string{"--trace", "event=execve"},