test(events): add e2e test to access_remote_vm

Add e2e test to check that the access_remote_vm works well.

.github/workflows/pr.yaml

@@ -65,6 +65,7 @@ env:
     BPF_ATTACH
     CONTAINERS_DATA_SOURCE
     PROCTREE_DATA_SOURCE
+    ACCESS_REMOTE_VM
 jobs:
   #
   # CODE VERIFICATION

tests/e2e-inst-signatures/e2e-access_remote_vm.go

@@ -0,0 +1,78 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type e2eAccessRemoteVm struct {
+	cb detect.SignatureHandler
+}
+
+func (sig *e2eAccessRemoteVm) Init(ctx detect.SignatureContext) error {
+	sig.cb = ctx.Callback
+	return nil
+}
+
+func (sig *e2eAccessRemoteVm) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "ACCESS_REMOTE_VM",
+		EventName:   "ACCESS_REMOTE_VM",
+		Version:     "0.1.0",
+		Name:        "Access Remote VM Test",
+		Description: "Instrumentation events E2E Tests: Access Remote VM",
+		Tags:        []string{"e2e", "instrumentation"},
+	}, nil
+}
+
+func (sig *e2eAccessRemoteVm) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "access_remote_vm"},
+	}, nil
+}
+
+func (sig *e2eAccessRemoteVm) OnEvent(event protocol.Event) error {
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("failed to cast event's payload")
+	}
+
+	switch eventObj.EventName {
+	case "access_remote_vm":
+		remotePid, err := helpers.GetTraceeIntArgumentByName(eventObj, "remote_pid")
+		if err != nil {
+			return err
+		}
+
+		vmName, err := helpers.GetTraceeStringArgumentByName(eventObj, "mapped.path")
+		if err != nil {
+			return err
+		}
+
+		// check expected values from test for detection
+
+		if remotePid != eventObj.HostParentProcessID || vmName != "[stack]" {
+			return nil
+		}
+
+		m, _ := sig.GetMetadata()
+
+		sig.cb(detect.Finding{
+			SigMetadata: m,
+			Event:       event,
+			Data:        map[string]interface{}{},
+		})
+	}
+
+	return nil
+}
+
+func (sig *e2eAccessRemoteVm) OnSignal(s detect.Signal) error {
+	return nil
+}
+
+func (sig *e2eAccessRemoteVm) Close() {}

tests/e2e-inst-signatures/export.go

@@ -10,4 +10,5 @@ var ExportedSignatures = []detect.Signature{
 	&e2eContainersDataSource{},
 	&e2eBpfAttach{},
 	&e2eProcessTreeDataSource{},
+	&e2eAccessRemoteVm{},
 }

tests/e2e-inst-signatures/scripts/access_remote_vm.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+info_exit() {
+    echo -n "INFO: "
+    echo $@
+    exit 0
+}
+
+info() {
+    echo -n "INFO: "
+    echo "$@"
+}
+
+error_exit() {
+    echo -n "ERROR: "
+    echo "$@"
+    exit 1
+}
+
+# Get the stack address from /proc/self/maps
+stack_address="0x"$(grep 'stack' /proc/$$/maps | awk '{split($1, range, "-"); print range[1]}')
+
+if [ -z "$stack_address" ]; then
+  error_exit "Failed to find the stack address in /proc/self/maps"
+fi
+
+info "Stack address: $stack_address"
+
+# Read from /proc/self/mem in given address
+read_mem_file() {
+  tail /proc/$$/mem -c +$1 > /dev/null
+}
+
+# Call the function to read from the stack
+read_mem_file $((stack_address))

tests/e2e-inst-test.sh

@@ -94,7 +94,7 @@ for TEST in $TESTS; do
         --output option:parse-arguments \
         --log file:$SCRIPT_TMP_DIR/tracee-log-$$ \
         --signatures-dir "$SIG_DIR" \
-        --scope comm=echo,mv,ls,tracee,proctreetester \
+        --scope comm=echo,mv,ls,tracee,proctreetester,tail \
         --events "$TEST" &
 
     # wait tracee-ebpf to be started (30 sec most)