tetragon: Add test for unknown process tracepoint kill

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
cilium · Feb 17, 2025 · c349e11 · c349e11
1 parent 6d94285
commit c349e11
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 0 deletions.
diff --git a/pkg/sensors/tracing/kprobe_sigkill_test.go b/pkg/sensors/tracing/kprobe_sigkill_test.go
@@ -18,6 +18,7 @@ import (
 	"github.com/cilium/tetragon/pkg/kernels"
 	lc "github.com/cilium/tetragon/pkg/matchers/listmatcher"
 	sm "github.com/cilium/tetragon/pkg/matchers/stringmatcher"
+	smatcher "github.com/cilium/tetragon/pkg/matchers/stringmatcher"
 	"github.com/cilium/tetragon/pkg/observer/observertesthelper"
 	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/testutils"
@@ -149,6 +150,42 @@ func TestKprobeSigkillExecveMap1(t *testing.T) {
 	option.Config.ExecveMapEntries = 0
 }
 
+func TestTracepointSigkillExecveMap1(t *testing.T) {
+	if !kernels.MinKernelVersion("5.3.0") {
+		t.Skip("sigkill requires at least 5.3.0 version")
+	}
+
+	// makeSpecFile creates a new spec file bsed on the template, and the provided arguments
+	makeSpecFile := func(pid string) string {
+		data := map[string]string{
+			"MatchedPID":   pid,
+			"NamespacePID": "false",
+		}
+		specName, err := testutils.GetSpecFromTemplate("sigkill_tracepoint.yaml.tmpl", data)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return specName
+	}
+
+	kpChecker := ec.NewProcessTracepointChecker("").
+		WithSubsys(smatcher.Full("syscalls")).
+		WithEvent(smatcher.Full("sys_enter_lseek")).
+		WithArgs(ec.NewKprobeArgumentListMatcher().
+			WithOperator(lc.Ordered).
+			WithValues(
+				ec.NewKprobeArgumentChecker().WithIntArg(int32(5555)),
+			)).
+		WithAction(tetragon.KprobeAction_KPROBE_ACTION_SIGKILL).
+		WithProcess(ec.NewProcessChecker().WithFlags(sm.Full("unknown")))
+
+	checker := ec.NewUnorderedEventChecker(kpChecker)
+
+	option.Config.ExecveMapEntries = 1
+	testSigkill(t, makeSpecFile, checker)
+	option.Config.ExecveMapEntries = 0
+}
+
 func TestReturnKprobeSigkill(t *testing.T) {
 	if !kernels.MinKernelVersion("5.3.0") {
 		t.Skip("sigkill requires at least 5.3.0 version")

diff --git a/testdata/specs/sigkill_tracepoint.yaml.tmpl b/testdata/specs/sigkill_tracepoint.yaml.tmpl
@@ -0,0 +1,26 @@
+# test for the tracepoint sigkill action
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "sigkilltest"
+spec:
+  tracepoints:
+  - subsystem: "syscalls"
+    event: "sys_enter_lseek"
+    args:
+    # whence argument
+    - index: 7
+      type: "int32"
+    selectors:
+    - matchPIDs:
+      - operator: In
+        values:
+        - {{.MatchedPID}}
+        isNamespacePID: {{.NamespacePID}}
+      matchArgs:
+      - index: 7
+        operator: Equal
+        values:
+        - 5555 # magic value, see also sigkill-tester
+      matchActions:
+      - action: Sigkill