Add unit test for syscall support

This does a madvise, which doesn't have a ppm event type, both directly and indirectly via syscall(__NR_madvise, ...), as well as an open directly + indirectly. The corresponding rules file matches on madvise and open. The test ensures that both opens and both madvises are detected.
falcosecurity · Apr 17, 2018 · 940f415 · 940f415
1 parent b937a61
commit 940f415
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
@@ -689,3 +689,13 @@ trace_files: !mux
     rules_file:
       - rules/detect_connect_using_in.yaml
     trace_file: trace_files/connect_localhost.scap
+
+  syscalls:
+    detect: True
+    detect_level: INFO
+    rules_file:
+      - rules/syscalls.yaml
+    detect_counts:
+      - syscall_madvise: 2
+      - syscall_open: 2
+    trace_file: trace_files/syscall.scap
diff --git a/test/rules/syscalls.yaml b/test/rules/syscalls.yaml
@@ -0,0 +1,11 @@
+- rule: detect_madvise
+  desc: Detect any call to madvise
+  condition: evt.type=madvise and evt.dir=<
+  output: A madvise syscall was seen (command=%proc.cmdline evt=%evt.type)
+  priority: INFO
+
+- rule: detect_open
+  desc: Detect any call to open
+  condition: evt.type=open and evt.dir=< and fd.name=/dev/null
+  output: An open syscall was seen (command=%proc.cmdline evt=%evt.type file=%fd.name)
+  priority: INFO
diff --git a/test/trace_files/syscall.scap b/test/trace_files/syscall.scap