tetragon: Add TestEnforcerSignalPersistent test

Signed-off-by: Jiri Olsa <[email protected]>
cilium · Jun 27, 2024 · 65960c7 · 65960c7
1 parent 078597f
commit 65960c7
Showing 1 changed file with 57 additions and 11 deletions.
diff --git a/pkg/sensors/tracing/enforcer_test.go b/pkg/sensors/tracing/enforcer_test.go
@@ -40,6 +40,19 @@ func testEnforcerCheckSkip(t *testing.T) {
  t.Skip("skipping test, neither bpf_override_return nor fmod_ret for syscalls is available")
  }
 }
+func testEnforcerCmd(test string, test2 string, checkerFunc func(err error, rc int)) {
+ cmd := exec.Command(test)
+ err := cmd.Run()
+
+ checkerFunc(err, cmd.ProcessState.ExitCode())
+
+ if test2 != "" {
+ cmd := exec.Command(test2)
+ err = cmd.Run()
+
+ checkerFunc(err, cmd.ProcessState.ExitCode())
+ }
+}
 
 func testEnforcer(t *testing.T, configHook string,
  test string, test2 string,
@@ -64,17 +77,7 @@ func testEnforcer(t *testing.T, configHook string,
  observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
  readyWG.Wait()
 
- cmd := exec.Command(test)
- err = cmd.Run()
-
- checkerFunc(err, cmd.ProcessState.ExitCode())
-
- if test2 != "" {
- cmd := exec.Command(test2)
- err = cmd.Run()
-
- checkerFunc(err, cmd.ProcessState.ExitCode())
- }
+ testEnforcerCmd(test, test2, checkerFunc)
 
  err = jsonchecker.JsonTestCheck(t, checker)
  assert.NoError(t, err)
@@ -675,3 +678,46 @@ spec:
  t.Fatalf("Wrong error '%v' expected 'exit status 22'", err)
  }
 }
+
+func TestEnforcerSignalPersistent(t *testing.T) {
+ testEnforcerCheckSkip(t)
+
+ test := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester")
+
+ tpChecker := ec.NewProcessTracepointChecker("").
+ WithArgs(ec.NewKprobeArgumentListMatcher().
+ WithOperator(lc.Ordered).
+ WithValues(
+ ec.NewKprobeArgumentChecker().WithSizeArg(syscall.SYS_PRCTL),
+ )).
+ WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER)
+
+ checker := ec.NewUnorderedEventChecker(tpChecker)
+
+ checkerFunc := func(err error, _ int) {
+ if err == nil || err.Error() != "signal: killed" {
+ t.Fatalf("Wrong error '%v' expected 'killed'", err)
+ }
+ }
+
+ builder := func() *EnforcerSpecBuilder {
+ return NewEnforcerSpecBuilder("enforcer-signal").
+ WithSyscallList("sys_prctl").
+ WithMatchBinaries(test).
+ WithOverrideValue(-17). // EEXIST
+ WithKill(9) // SigKill
+ }
+
+ t.Run("kprobe (no multi)", func(t *testing.T) {
+ option.Config.KeepSensorsOnExit = true
+ yaml := builder().WithoutMultiKprobe().MustYAML()
+ testEnforcer(t, yaml, test, "", checker, checkerFunc)
+ option.Config.KeepSensorsOnExit = false
+ })
+
+ // The enforcing policy should be still in place
+ testEnforcerCmd(test, "", checkerFunc)
+
+ // ... and finally get rid of pinned progs/maps/links
+ os.RemoveAll(bpf.MapPrefixPath())
+}