fix(test/drivers): only assert dev parameter on ext4 FS.

Refs #1805 Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
falcosecurity · Apr 19, 2024 · 7a182f9 · 7a182f9
1 parent eecc115
commit 7a182f9
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 11 deletions.
diff --git a/test/drivers/event_class/event_class.cpp b/test/drivers/event_class/event_class.cpp
@@ -1,6 +1,8 @@
 #include <libscap/strl.h>
 #include "event_class.h"
 #include <time.h>
+#include <sys/vfs.h>    /* or <sys/statfs.h> */
+#include <linux/magic.h>
 
 #define MAX_CHARBUF_NUM 16
 #define CGROUP_NUMBER 5
@@ -985,3 +987,17 @@ void event_test::assert_event_in_buffers(pid_t pid_to_search, int event_to_searc
 		}
 	}
 }
+
+bool event_test::is_ext4_fs(int fd)
+{
+#ifdef __NR_fstatfs
+	struct statfs buf;
+	if (fstatfs(fd, &buf) != 0) {
+		return false;
+	}
+	if (buf.f_type == EXT4_SUPER_MAGIC) {
+		return true;
+	}
+#endif
+	return false;
+}
diff --git a/test/drivers/event_class/event_class.h b/test/drivers/event_class/event_class.h
@@ -634,6 +634,13 @@ class event_test
 	 */
 	void assert_fd_list(int param_num, struct fd_poll* expected_fds, int32_t nfds);
 
+	/**
+	 * @brief We only support correct `dev` param for
+	 * open family of syscalls on ext4.
+	 * See https://github.com/falcosecurity/libs/issues/1805.
+	 */
+	static bool is_ext4_fs(int fd);
+
 private:
 	ppm_event_code m_event_type;		  /* type of the event we want to assert in this test. */
 	std::vector<struct param> m_event_params; /* all the params of the event (len+value). */

diff --git a/test/drivers/test_suites/syscall_exit_suite/creat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/creat_x.cpp
@@ -21,6 +21,7 @@ TEST(SyscallExit, creatX_success)
 	assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1);
 	uint32_t dev = (uint32_t)file_stat.st_dev;
 	uint64_t inode = file_stat.st_ino;
+	const bool is_ext4 = event_test::is_ext4_fs(fd);
 
 	/* Remove the file. */
 	syscall(__NR_close, fd);
@@ -53,7 +54,10 @@ TEST(SyscallExit, creatX_success)
 	evt_test->assert_numeric_param(3, (uint32_t)(PPM_S_IRUSR | PPM_S_IWUSR | PPM_S_IXUSR));
 
 	/* Parameter 4: dev (type: PT_UINT32) */
-	evt_test->assert_numeric_param(4, (uint32_t)dev);
+	if (is_ext4)
+	{
+		evt_test->assert_numeric_param(4, (uint32_t)dev);
+	}
 
 	/* Parameter 5: ino (type: PT_UINT64) */
 	evt_test->assert_numeric_param(5, (uint64_t)inode);

diff --git a/test/drivers/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp b/test/drivers/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp
@@ -8,7 +8,7 @@
 
 #define MAX_FSPATH_LEN	4096
 
-void do___open_by_handle_atX_success(int *open_by_handle_fd, int *dirfd, char *fspath, uint32_t *dev, uint64_t *inode, int use_mountpoint)
+void do___open_by_handle_atX_success(int *open_by_handle_fd, int *dirfd, char *fspath, uint32_t *dev, uint64_t *inode, bool *is_ext4, int use_mountpoint)
 {
 	/*
 	 * 0. Create (temporary) mount point (if use_mountpoint).
@@ -106,6 +106,7 @@ void do___open_by_handle_atX_success(int *open_by_handle_fd, int *dirfd, char *f
 	assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, *open_by_handle_fd, &file_stat), NOT_EQUAL, -1);
 	*dev = (uint32_t)file_stat.st_dev;
 	*inode = file_stat.st_ino;
+	*is_ext4 = event_test::is_ext4_fs(*open_by_handle_fd);
 
 	/*
 	 * 7. Cleaning phase.
@@ -157,7 +158,8 @@ TEST(SyscallExit, open_by_handle_atX_success)
 	char fspath[MAX_FSPATH_LEN];
 	uint32_t dev;
 	uint64_t inode;
-	do___open_by_handle_atX_success(&open_by_handle_fd, &dirfd, fspath, &dev, &inode, 0);
+	bool is_ext4;
+	do___open_by_handle_atX_success(&open_by_handle_fd, &dirfd, fspath, &dev, &inode, &is_ext4, 0);
 
 	/*=============================== TRIGGER SYSCALL  ===========================*/
 
@@ -188,7 +190,10 @@ TEST(SyscallExit, open_by_handle_atX_success)
 	evt_test->assert_charbuf_param(4, fspath);
 
 	/* Parameter 5: dev (type: PT_UINT32) */
-	evt_test->assert_numeric_param(5, dev);
+	if (is_ext4)
+	{
+		evt_test->assert_numeric_param(5, dev);
+	}
 
 	/* Parameter 6: ino (type: PT_UINT64) */
 	evt_test->assert_numeric_param(6, inode);
@@ -212,7 +217,8 @@ TEST(SyscallExit, open_by_handle_atX_success_mp)
 	char fspath[MAX_FSPATH_LEN];
 	uint32_t dev;
 	uint64_t inode;
-	do___open_by_handle_atX_success(&open_by_handle_fd, &dirfd, fspath, &dev, &inode, 1);
+	bool is_ext4;
+	do___open_by_handle_atX_success(&open_by_handle_fd, &dirfd, fspath, &dev, &inode, &is_ext4, 1);
 
 	/*=============================== TRIGGER SYSCALL  ===========================*/
 
@@ -244,7 +250,10 @@ TEST(SyscallExit, open_by_handle_atX_success_mp)
 	evt_test->assert_charbuf_param(4, fspath);
 
 	/* Parameter 5: dev (type: PT_UINT32) */
-	evt_test->assert_numeric_param(5, dev);
+	if (is_ext4)
+	{
+		evt_test->assert_numeric_param(5, dev);
+	}
 
 	/* Parameter 6: ino (type: PT_UINT64) */
 	evt_test->assert_numeric_param(6, inode);

diff --git a/test/drivers/test_suites/syscall_exit_suite/open_x.cpp b/test/drivers/test_suites/syscall_exit_suite/open_x.cpp
@@ -30,6 +30,7 @@ TEST(SyscallExit, openX_success)
 	assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1);
 	uint32_t dev = (uint32_t)file_stat.st_dev;
 	uint64_t inode = file_stat.st_ino;
+	const bool is_ext4 = event_test::is_ext4_fs(fd);
 	close(fd);
 
 	if(notmpfile)
@@ -69,7 +70,10 @@ TEST(SyscallExit, openX_success)
 	evt_test->assert_numeric_param(4, (uint32_t)mode);
 
 	/* Parameter 5: dev (type: PT_UINT32) */
-	evt_test->assert_numeric_param(5, (uint32_t)dev);
+	if (is_ext4)
+	{
+		evt_test->assert_numeric_param(5, (uint32_t)dev);
+	}
 
 	/* Parameter 6: ino (type: PT_UINT64) */
 	evt_test->assert_numeric_param(6, inode);

diff --git a/test/drivers/test_suites/syscall_exit_suite/openat2_x.cpp b/test/drivers/test_suites/syscall_exit_suite/openat2_x.cpp
@@ -29,6 +29,7 @@ TEST(SyscallExit, openat2X_success)
 	assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1);
 	uint32_t dev = (uint32_t)file_stat.st_dev;
 	uint64_t inode = file_stat.st_ino;
+	const bool is_ext4 = event_test::is_ext4_fs(fd);
 	close(fd);
 
 	/*=============================== TRIGGER SYSCALL  ===========================*/
@@ -67,7 +68,10 @@ TEST(SyscallExit, openat2X_success)
 	evt_test->assert_numeric_param(6, (uint32_t)PPM_RESOLVE_BENEATH | PPM_RESOLVE_NO_MAGICLINKS);
 
 	/* Parameter 7: dev (type: PT_UINT32) */
-	evt_test->assert_numeric_param(7, dev);
+	if (is_ext4)
+	{
+		evt_test->assert_numeric_param(7, dev);
+	}
 
 	/* Parameter 8: ino (type: PT_UINT64) */
 	evt_test->assert_numeric_param(8, inode);
@@ -170,6 +174,7 @@ TEST(SyscallExit, openat2X_create_success)
 	assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1);
 	uint32_t dev = (uint32_t)file_stat.st_dev;
 	uint64_t inode = file_stat.st_ino;
+	const bool is_ext4 = event_test::is_ext4_fs(fd);
 	close(fd);
 
 	/*=============================== TRIGGER SYSCALL  ===========================*/
@@ -208,7 +213,10 @@ TEST(SyscallExit, openat2X_create_success)
 	evt_test->assert_numeric_param(6, (uint32_t)PPM_RESOLVE_BENEATH | PPM_RESOLVE_NO_MAGICLINKS);
 
 	/* Parameter 7: dev (type: PT_UINT32) */
-	evt_test->assert_numeric_param(7, dev);
+	if (is_ext4)
+	{
+		evt_test->assert_numeric_param(7, dev);
+	}
 
 	/* Parameter 8: ino (type: PT_UINT64) */
 	evt_test->assert_numeric_param(8, inode);

diff --git a/test/drivers/test_suites/syscall_exit_suite/openat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/openat_x.cpp
@@ -33,6 +33,7 @@ TEST(SyscallExit, openatX_success)
 	assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1);
 	uint32_t dev = (uint32_t)file_stat.st_dev;
 	uint64_t inode = file_stat.st_ino;
+	const bool is_ext4 = event_test::is_ext4_fs(fd);
 	close(fd);
 
 	if(notmpfile)
@@ -74,7 +75,10 @@ TEST(SyscallExit, openatX_success)
 	evt_test->assert_numeric_param(5, (uint32_t)mode);
 
 	/* Parameter 6: dev (type: PT_UINT32) */
-	evt_test->assert_numeric_param(6, (uint32_t)dev);
+	if (is_ext4)
+	{
+		evt_test->assert_numeric_param(6, (uint32_t)dev);
+	}
 
 	/* Parameter 7: ino (type: PT_UINT64) */
 	evt_test->assert_numeric_param(7, inode);
@@ -170,6 +174,7 @@ TEST(SyscallExit, openatX_create_success)
 	assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1);
 	uint32_t dev = (uint32_t)file_stat.st_dev;
 	uint64_t inode = file_stat.st_ino;
+	const bool is_ext4 = event_test::is_ext4_fs(fd);
 	close(fd);
 
 	/*=============================== TRIGGER SYSCALL  ===========================*/
@@ -205,7 +210,10 @@ TEST(SyscallExit, openatX_create_success)
 	evt_test->assert_numeric_param(5, (uint32_t)mode);
 
 	/* Parameter 6: dev (type: PT_UINT32) */
-	evt_test->assert_numeric_param(6, (uint32_t)dev);
+	if (is_ext4)
+	{
+		evt_test->assert_numeric_param(6, (uint32_t)dev);
+	}
 
 	/* Parameter 7: ino (type: PT_UINT64) */
 	evt_test->assert_numeric_param(7, inode);