-
Notifications
You must be signed in to change notification settings - Fork 392
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
test(events): add e2e test to access_remote_vm
Add e2e test to check that the access_remote_vm works well.
- Loading branch information
1 parent
0794743
commit 3a5c024
Showing
5 changed files
with
116 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
package main | ||
|
||
import ( | ||
"fmt" | ||
|
||
"github.com/aquasecurity/tracee/signatures/helpers" | ||
"github.com/aquasecurity/tracee/types/detect" | ||
"github.com/aquasecurity/tracee/types/protocol" | ||
"github.com/aquasecurity/tracee/types/trace" | ||
) | ||
|
||
type e2eAccessRemoteVm struct { | ||
cb detect.SignatureHandler | ||
} | ||
|
||
func (sig *e2eAccessRemoteVm) Init(ctx detect.SignatureContext) error { | ||
sig.cb = ctx.Callback | ||
return nil | ||
} | ||
|
||
func (sig *e2eAccessRemoteVm) GetMetadata() (detect.SignatureMetadata, error) { | ||
return detect.SignatureMetadata{ | ||
ID: "ACCESS_REMOTE_VM", | ||
EventName: "ACCESS_REMOTE_VM", | ||
Version: "0.1.0", | ||
Name: "Access Remote VM Test", | ||
Description: "Instrumentation events E2E Tests: Access Remote VM", | ||
Tags: []string{"e2e", "instrumentation"}, | ||
}, nil | ||
} | ||
|
||
func (sig *e2eAccessRemoteVm) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { | ||
return []detect.SignatureEventSelector{ | ||
{Source: "tracee", Name: "access_remote_vm"}, | ||
}, nil | ||
} | ||
|
||
func (sig *e2eAccessRemoteVm) OnEvent(event protocol.Event) error { | ||
eventObj, ok := event.Payload.(trace.Event) | ||
if !ok { | ||
return fmt.Errorf("failed to cast event's payload") | ||
} | ||
|
||
switch eventObj.EventName { | ||
case "access_remote_vm": | ||
remotePid, err := helpers.GetTraceeIntArgumentByName(eventObj, "remote_pid") | ||
if err != nil { | ||
return err | ||
} | ||
|
||
vmName, err := helpers.GetTraceeStringArgumentByName(eventObj, "mapped.path") | ||
if err != nil { | ||
return err | ||
} | ||
|
||
// check expected values from test for detection | ||
|
||
if remotePid != eventObj.HostParentProcessID || vmName != "[stack]" { | ||
return nil | ||
} | ||
|
||
m, _ := sig.GetMetadata() | ||
|
||
sig.cb(detect.Finding{ | ||
SigMetadata: m, | ||
Event: event, | ||
Data: map[string]interface{}{}, | ||
}) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func (sig *e2eAccessRemoteVm) OnSignal(s detect.Signal) error { | ||
return nil | ||
} | ||
|
||
func (sig *e2eAccessRemoteVm) Close() {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
#!/bin/bash | ||
|
||
info_exit() { | ||
echo -n "INFO: " | ||
echo $@ | ||
exit 0 | ||
} | ||
|
||
info() { | ||
echo -n "INFO: " | ||
echo "$@" | ||
} | ||
|
||
error_exit() { | ||
echo -n "ERROR: " | ||
echo "$@" | ||
exit 1 | ||
} | ||
|
||
# Get the stack address from /proc/self/maps | ||
stack_address="0x"$(grep 'stack' /proc/$$/maps | awk '{split($1, range, "-"); print range[1]}') | ||
|
||
if [ -z "$stack_address" ]; then | ||
error_exit "Failed to find the stack address in /proc/self/maps" | ||
fi | ||
|
||
info "Stack address: $stack_address" | ||
|
||
# Read from /proc/self/mem in given address | ||
read_mem_file() { | ||
tail /proc/$$/mem -c +$1 > /dev/null | ||
} | ||
|
||
# Call the function to read from the stack | ||
read_mem_file $((stack_address)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters