From 7a182f9a4651bc4252899127201d38b74b7da239 Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Fri, 19 Apr 2024 10:26:14 +0200 Subject: [PATCH] fix(test/drivers): only assert `dev` parameter on ext4 FS. Refs #1805 Signed-off-by: Federico Di Pierro Co-authored-by: Andrea Terzolo --- test/drivers/event_class/event_class.cpp | 16 ++++++++++++++++ test/drivers/event_class/event_class.h | 7 +++++++ .../syscall_exit_suite/creat_x.cpp | 6 +++++- .../open_by_handle_at_x.cpp | 19 ++++++++++++++----- .../test_suites/syscall_exit_suite/open_x.cpp | 6 +++++- .../syscall_exit_suite/openat2_x.cpp | 12 ++++++++++-- .../syscall_exit_suite/openat_x.cpp | 12 ++++++++++-- 7 files changed, 67 insertions(+), 11 deletions(-) diff --git a/test/drivers/event_class/event_class.cpp b/test/drivers/event_class/event_class.cpp index 612cf392255..76c84b7d001 100644 --- a/test/drivers/event_class/event_class.cpp +++ b/test/drivers/event_class/event_class.cpp @@ -1,6 +1,8 @@ #include #include "event_class.h" #include +#include /* or */ +#include #define MAX_CHARBUF_NUM 16 #define CGROUP_NUMBER 5 @@ -985,3 +987,17 @@ void event_test::assert_event_in_buffers(pid_t pid_to_search, int event_to_searc } } } + +bool event_test::is_ext4_fs(int fd) +{ +#ifdef __NR_fstatfs + struct statfs buf; + if (fstatfs(fd, &buf) != 0) { + return false; + } + if (buf.f_type == EXT4_SUPER_MAGIC) { + return true; + } +#endif + return false; +} \ No newline at end of file diff --git a/test/drivers/event_class/event_class.h b/test/drivers/event_class/event_class.h index 5ab42b2654f..360f65620bb 100644 --- a/test/drivers/event_class/event_class.h +++ b/test/drivers/event_class/event_class.h 
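Review bot: `is_ext4_fs()` returns false both when the filesystem is not ext4 and when it could not tell (`fstatfs()` failed, or `__NR_fstatfs` is not defined at this point), and every caller added in this patch treats false as permission to skip the `dev` assertion, so a broken probe becomes silently reduced coverage rather than a test failure. The `#ifdef __NR_fstatfs` guard tests a syscall-number macro while the body calls the libc wrapper; if that macro is not visible in this translation unit (the header names in the include hunk are not readable here), the function always returns false. Consider reporting the failure path, e.g. `perror("fstatfs");` before the first `return false;`, and collapsing the tail to `return buf.f_type == EXT4_SUPER_MAGIC;`. The file also now ends without a trailing newline.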
@@ -634,6 +634,13 @@ class event_test */ void assert_fd_list(int param_num, struct fd_poll* expected_fds, int32_t nfds); + /** + * @brief We only support correct `dev` param for + * open family of syscalls on ext4. + * See https://github.com/falcosecurity/libs/issues/1805. + */ + static bool is_ext4_fs(int fd); + private: ppm_event_code m_event_type; /* type of the event we want to assert in this test. */ std::vector m_event_params; /* all the params of the event (len+value). */ diff --git a/test/drivers/test_suites/syscall_exit_suite/creat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/creat_x.cpp index 36bb8f577d0..ef2cb176eb9 100644 --- a/test/drivers/test_suites/syscall_exit_suite/creat_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/creat_x.cpp @@ -21,6 +21,7 @@ TEST(SyscallExit, creatX_success) assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1); uint32_t dev = (uint32_t)file_stat.st_dev; uint64_t inode = file_stat.st_ino; + const bool is_ext4 = event_test::is_ext4_fs(fd); /* Remove the file. */ syscall(__NR_close, fd); @@ -53,7 +54,10 @@ TEST(SyscallExit, creatX_success) evt_test->assert_numeric_param(3, (uint32_t)(PPM_S_IRUSR | PPM_S_IWUSR | PPM_S_IXUSR)); /* Parameter 4: dev (type: PT_UINT32) */ - evt_test->assert_numeric_param(4, (uint32_t)dev); + if (is_ext4) + { + evt_test->assert_numeric_param(4, (uint32_t)dev); + } /* Parameter 5: ino (type: PT_UINT64) */ evt_test->assert_numeric_param(5, (uint64_t)inode); diff --git a/test/drivers/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp b/test/drivers/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp index b31f17fb515..751bf33af49 100644 --- a/test/drivers/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp 
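Review bot: The doc comment on `is_ext4_fs` explains why the helper exists but not what it takes or returns, and in particular not that a failed probe also yields false. Add `@param fd open file descriptor on the filesystem to probe` and `@return true if fstatfs() reports EXT4_SUPER_MAGIC, false otherwise (including when the probe itself fails)`. One more line should note that ext2 and ext3 report the same magic value as ext4 in `linux/magic.h`, so the check does not single out ext4 despite the name.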
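Review bot: When `is_ext4` is false in creatX_success, parameter 4 is not checked at all and the test still passes with no trace of the skip, so a run on another filesystem reports green while `dev` goes untested. At minimum, put the reason at the branch, e.g. `/* dev is only asserted on ext4, see issue #1805 */`, and consider printing a one-line notice in an `else` so the reduced coverage shows up in the test log. The same `if (is_ext4) { ... }` block is repeated in open_by_handle_at_x.cpp (two tests), open_x.cpp, openat2_x.cpp (two tests) and openat_x.cpp (two tests). A single `event_test` helper taking the parameter index, the expected `dev` and the flag would keep those eight copies from drifting apart.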
@@ -8,7 +8,7 @@ #define MAX_FSPATH_LEN 4096 -void do___open_by_handle_atX_success(int *open_by_handle_fd, int *dirfd, char *fspath, uint32_t *dev, uint64_t *inode, int use_mountpoint) +void do___open_by_handle_atX_success(int *open_by_handle_fd, int *dirfd, char *fspath, uint32_t *dev, uint64_t *inode, bool *is_ext4, int use_mountpoint) { /* * 0. Create (temporary) mount point (if use_mountpoint). @@ -106,6 +106,7 @@ void do___open_by_handle_atX_success(int *open_by_handle_fd, int *dirfd, char *f assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, *open_by_handle_fd, &file_stat), NOT_EQUAL, -1); *dev = (uint32_t)file_stat.st_dev; *inode = file_stat.st_ino; + *is_ext4 = event_test::is_ext4_fs(*open_by_handle_fd); /* * 7. Cleaning phase. @@ -157,7 +158,8 @@ TEST(SyscallExit, open_by_handle_atX_success) char fspath[MAX_FSPATH_LEN]; uint32_t dev; uint64_t inode; - do___open_by_handle_atX_success(&open_by_handle_fd, &dirfd, fspath, &dev, &inode, 0); + bool is_ext4; + do___open_by_handle_atX_success(&open_by_handle_fd, &dirfd, fspath, &dev, &inode, &is_ext4, 0); /*=============================== TRIGGER SYSCALL ===========================*/ @@ -188,7 +190,10 @@ TEST(SyscallExit, open_by_handle_atX_success) evt_test->assert_charbuf_param(4, fspath); /* Parameter 5: dev (type: PT_UINT32) */ - evt_test->assert_numeric_param(5, dev); + if (is_ext4) + { + evt_test->assert_numeric_param(5, dev); + } /* Parameter 6: ino (type: PT_UINT64) */ evt_test->assert_numeric_param(6, inode); @@ -212,7 +217,8 @@ TEST(SyscallExit, open_by_handle_atX_success_mp) char fspath[MAX_FSPATH_LEN]; uint32_t dev; uint64_t inode; - do___open_by_handle_atX_success(&open_by_handle_fd, &dirfd, fspath, &dev, &inode, 1); + bool is_ext4; + do___open_by_handle_atX_success(&open_by_handle_fd, &dirfd, fspath, &dev, &inode, &is_ext4, 1); /*=============================== TRIGGER SYSCALL ===========================*/ 
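Review bot: `bool is_ext4;` in open_by_handle_atX_success is declared without an initializer and is written only at step 6 of `do___open_by_handle_atX_success()`. If the helper returns before that point, the later `if (is_ext4)` reads an indeterminate value. The helper's body between the hunks is not visible here, but an assertion macro that returns on failure would cause this. Initialise it at the declaration, `bool is_ext4 = false;`, here and in open_by_handle_atX_success_mp (hunk at -212,7). `dev` and `inode` beside it have the same shape, but that predates this patch.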
@@ -244,7 +250,10 @@ TEST(SyscallExit, open_by_handle_atX_success_mp) evt_test->assert_charbuf_param(4, fspath); /* Parameter 5: dev (type: PT_UINT32) */ - evt_test->assert_numeric_param(5, dev); + if (is_ext4) + { + evt_test->assert_numeric_param(5, dev); + } /* Parameter 6: ino (type: PT_UINT64) */ evt_test->assert_numeric_param(6, inode); diff --git a/test/drivers/test_suites/syscall_exit_suite/open_x.cpp b/test/drivers/test_suites/syscall_exit_suite/open_x.cpp index e00bbd7032b..17f0b267d03 100644 --- a/test/drivers/test_suites/syscall_exit_suite/open_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/open_x.cpp @@ -30,6 +30,7 @@ TEST(SyscallExit, openX_success) assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1); uint32_t dev = (uint32_t)file_stat.st_dev; uint64_t inode = file_stat.st_ino; + const bool is_ext4 = event_test::is_ext4_fs(fd); close(fd); if(notmpfile) @@ -69,7 +70,10 @@ TEST(SyscallExit, openX_success) evt_test->assert_numeric_param(4, (uint32_t)mode); /* Parameter 5: dev (type: PT_UINT32) */ - evt_test->assert_numeric_param(5, (uint32_t)dev); + if (is_ext4) + { + evt_test->assert_numeric_param(5, (uint32_t)dev); + } /* Parameter 6: ino (type: PT_UINT64) */ evt_test->assert_numeric_param(6, inode); diff --git a/test/drivers/test_suites/syscall_exit_suite/openat2_x.cpp b/test/drivers/test_suites/syscall_exit_suite/openat2_x.cpp index 99ebdd6e640..1d38f1b1b90 100644 --- a/test/drivers/test_suites/syscall_exit_suite/openat2_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/openat2_x.cpp @@ -29,6 +29,7 @@ TEST(SyscallExit, openat2X_success) assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1); uint32_t dev = (uint32_t)file_stat.st_dev; uint64_t inode = file_stat.st_ino; + const bool is_ext4 = event_test::is_ext4_fs(fd); close(fd); /*=============================== TRIGGER SYSCALL ===========================*/ 
@@ -67,7 +68,10 @@ TEST(SyscallExit, openat2X_success) evt_test->assert_numeric_param(6, (uint32_t)PPM_RESOLVE_BENEATH | PPM_RESOLVE_NO_MAGICLINKS); /* Parameter 7: dev (type: PT_UINT32) */ - evt_test->assert_numeric_param(7, dev); + if (is_ext4) + { + evt_test->assert_numeric_param(7, dev); + } /* Parameter 8: ino (type: PT_UINT64) */ evt_test->assert_numeric_param(8, inode); @@ -170,6 +174,7 @@ TEST(SyscallExit, openat2X_create_success) assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1); uint32_t dev = (uint32_t)file_stat.st_dev; uint64_t inode = file_stat.st_ino; + const bool is_ext4 = event_test::is_ext4_fs(fd); close(fd); /*=============================== TRIGGER SYSCALL ===========================*/ @@ -208,7 +213,10 @@ TEST(SyscallExit, openat2X_create_success) evt_test->assert_numeric_param(6, (uint32_t)PPM_RESOLVE_BENEATH | PPM_RESOLVE_NO_MAGICLINKS); /* Parameter 7: dev (type: PT_UINT32) */ - evt_test->assert_numeric_param(7, dev); + if (is_ext4) + { + evt_test->assert_numeric_param(7, dev); + } /* Parameter 8: ino (type: PT_UINT64) */ evt_test->assert_numeric_param(8, inode); diff --git a/test/drivers/test_suites/syscall_exit_suite/openat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/openat_x.cpp index 07f7d5137c1..891ac22a326 100644 --- a/test/drivers/test_suites/syscall_exit_suite/openat_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/openat_x.cpp @@ -33,6 +33,7 @@ TEST(SyscallExit, openatX_success) assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1); uint32_t dev = (uint32_t)file_stat.st_dev; uint64_t inode = file_stat.st_ino; + const bool is_ext4 = event_test::is_ext4_fs(fd); close(fd); if(notmpfile) 
@@ -74,7 +75,10 @@ TEST(SyscallExit, openatX_success) evt_test->assert_numeric_param(5, (uint32_t)mode); /* Parameter 6: dev (type: PT_UINT32) */ - evt_test->assert_numeric_param(6, (uint32_t)dev); + if (is_ext4) + { + evt_test->assert_numeric_param(6, (uint32_t)dev); + } /* Parameter 7: ino (type: PT_UINT64) */ evt_test->assert_numeric_param(7, inode); @@ -170,6 +174,7 @@ TEST(SyscallExit, openatX_create_success) assert_syscall_state(SYSCALL_SUCCESS, "fstat", syscall(__NR_fstat, fd, &file_stat), NOT_EQUAL, -1); uint32_t dev = (uint32_t)file_stat.st_dev; uint64_t inode = file_stat.st_ino; + const bool is_ext4 = event_test::is_ext4_fs(fd); close(fd); /*=============================== TRIGGER SYSCALL ===========================*/ @@ -205,7 +210,10 @@ TEST(SyscallExit, openatX_create_success) evt_test->assert_numeric_param(5, (uint32_t)mode); /* Parameter 6: dev (type: PT_UINT32) */ - evt_test->assert_numeric_param(6, (uint32_t)dev); + if (is_ext4) + { + evt_test->assert_numeric_param(6, (uint32_t)dev); + } /* Parameter 7: ino (type: PT_UINT64) */ evt_test->assert_numeric_param(7, inode);