From 816967b60483d64e90a0f762a63256cab31c45ea Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Tue, 17 Dec 2024 14:57:00 +0100 Subject: [PATCH] new: extend SOCKET_X Signed-off-by: Andrea Terzolo --- driver/SCHEMA_VERSION | 2 +- driver/bpf/fillers.h | 22 +- driver/event_table.c | 11 +- driver/fillers_table.c | 2 - .../definitions/events_dimensions.h | 2 +- .../syscall_dispatched_events/socket.bpf.c | 18 +- driver/ppm_fillers.c | 28 +++ driver/ppm_flag_helpers.h | 2 +- .../syscall_exit_suite/socket_x.cpp | 19 +- test/e2e/tests/test_network/test_network.py | 2 +- .../engines/savefile/converter.cpp | 48 +++++ userspace/libscap/engine/gvisor/fillers.cpp | 15 +- userspace/libscap/engine/gvisor/fillers.h | 5 +- userspace/libscap/engine/gvisor/parsers.cpp | 12 +- .../engine/savefile/converter/table.cpp | 9 + userspace/libsinsp/parsers.cpp | 32 +-- userspace/libsinsp/test/events_net.ut.cpp | 192 ++++++------------ userspace/libsinsp/test/events_param.ut.cpp | 9 +- .../test/filter_op_net_compare.ut.cpp | 29 +-- .../libsinsp/test/filter_transformer.ut.cpp | 11 +- userspace/libsinsp/test/filterchecks/mock.cpp | 18 +- userspace/libsinsp/test/filterchecks/proc.cpp | 41 ++-- .../libsinsp/test/parsers/parse_connect.cpp | 29 +-- .../test/scap_files/converter_tests.cpp | 30 +++ .../libsinsp/test/sinsp_with_test_input.cpp | 21 ++ .../libsinsp/test/sinsp_with_test_input.h | 23 +++ 26 files changed, 357 insertions(+), 275 deletions(-) diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION index 944880fa15..15a2799817 100644 --- a/driver/SCHEMA_VERSION +++ b/driver/SCHEMA_VERSION @@ -1 +1 @@ -3.2.0 +3.3.0 diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index d3d12d4506..853d6d3501 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -4678,11 +4678,9 @@ FILLER(sys_semop_x, true) { } FILLER(sys_socket_x, true) { - long retval; - int res; - - retval = bpf_syscall_get_retval(data->ctx); - res = bpf_push_s64_to_ring(data, retval); + /* Parameter 1: fd (type: PT_FD)*/ + long retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_push_s64_to_ring(data, retval); CHECK_RES(res); if(retval >= 0 && !data->settings->socket_file_ops) { @@ -4695,7 +4693,19 @@ FILLER(sys_socket_x, true) { } } - return res; + /* Parameter 2: domain (type: PT_ENUMFLAGS32) */ + uint8_t domain = (uint8_t)bpf_syscall_get_argument(data, 0); + res = bpf_push_u32_to_ring(data, domain); + CHECK_RES(res); + + /* Parameter 3: type (type: PT_UINT32) */ + uint32_t type = (uint32_t)bpf_syscall_get_argument(data, 1); + res = bpf_push_u32_to_ring(data, type); + CHECK_RES(res); + + /* Parameter 4: proto (type: PT_UINT32) */ + uint32_t proto = (uint32_t)bpf_syscall_get_argument(data, 2); + return bpf_push_u32_to_ring(data, proto); } FILLER(sys_flock_e, true) { diff --git a/driver/event_table.c b/driver/event_table.c index 26305f7a29..26a8eb1844 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -152,16 +152,19 @@ const struct ppm_event_info g_event_info[] = { [PPME_PROCEXIT_X] = {"NA", EC_UNKNOWN, EF_UNUSED | EF_OLD_VERSION, 0}, [PPME_SOCKET_SOCKET_E] = {"socket", EC_NET | EC_SYSCALL, - EF_CREATES_FD | EF_MODIFIES_STATE, + EF_CREATES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED, 3, {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families}, {"type", PT_UINT32, PF_DEC}, {"proto", PT_UINT32, PF_DEC}}}, [PPME_SOCKET_SOCKET_X] = {"socket", EC_NET | EC_SYSCALL, - EF_CREATES_FD | EF_MODIFIES_STATE, - 1, - {{"fd", PT_FD, PF_DEC}}}, + EF_CREATES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED, + 4, + {{"fd", PT_FD, PF_DEC}, + {"domain", PT_ENUMFLAGS32, PF_DEC, socket_families}, + {"type", PT_UINT32, PF_DEC}, + {"proto", PT_UINT32, PF_DEC}}}, [PPME_SOCKET_BIND_E] = {"bind", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED, diff --git a/driver/fillers_table.c b/driver/fillers_table.c index c88a4b086c..5fe6d3fb9d 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -20,8 +20,6 @@ or GPL2.txt for full copies of the license. #define FILLER_REF(x) 0, PPM_FILLER_##x #endif /* __KERNEL__ */ -#define f_sys_socket_x f_sys_single_x - #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wmissing-field-initializers" const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index 371538c617..eb8c3b03df 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -89,7 +89,7 @@ #define CAPSET_E_SIZE HEADER_LEN #define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4 #define SOCKET_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3 -#define SOCKET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN +#define SOCKET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4 #define SOCKETPAIR_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3 #define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5 #define ACCEPT_E_SIZE HEADER_LEN diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c index cf07e85eac..8cefc41a27 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c @@ -62,7 +62,7 @@ int BPF_PROG(socket_x, struct pt_regs *regs, long ret) { /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ + /* Parameter 1: fd (type: PT_FD)*/ ringbuf__store_s64(&ringbuf, ret); /* Just called once by our scap process */ @@ -85,6 +85,22 @@ int BPF_PROG(socket_x, struct pt_regs *regs, long ret) { } } + /* Collect parameters at the beginning so we can easily manage socketcalls */ + unsigned long args[3] = {0}; + extract__network_args(args, 3, regs); + + /* Parameter 2: domain (type: PT_ENUMFLAGS32) */ + uint8_t domain = (uint8_t)args[0]; + ringbuf__store_u32(&ringbuf, (uint32_t)socket_family_to_scap(domain)); + + /* Parameter 3: type (type: PT_UINT32) */ + uint32_t type = (uint32_t)args[1]; + ringbuf__store_u32(&ringbuf, type); + + /* Parameter 4: proto (type: PT_UINT32) */ + uint32_t proto = (uint32_t)args[2]; + ringbuf__store_u32(&ringbuf, proto); + /*=============================== COLLECT PARAMETERS ===========================*/ ringbuf__submit_event(&ringbuf); diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 6e2a1746b8..a3a16e2b6e 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -6671,6 +6671,34 @@ int f_sys_close_x(struct event_filler_arguments *args) { return add_sentinel(args); } +int f_sys_socket_x(struct event_filler_arguments *args) { + int64_t res = 0; + int64_t retval = 0; + unsigned long val = 0; + + /* Parameter 1: fd (type: PT_FD)*/ + retval = (int64_t)syscall_get_return_value(current, args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); + + /* Parameter 2: domain (type: PT_ENUMFLAGS32) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + /* Parameter 3: type (type: PT_UINT32) */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + /* Parameter 4: proto (type: PT_UINT32) */ + syscall_get_arguments_deprecated(args, 2, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + return add_sentinel(args); +} + int f_sys_bpf_e(struct event_filler_arguments *args) { int res = 0; int32_t cmd = 0; diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h index d47ecc292d..9757430eae 100644 --- a/driver/ppm_flag_helpers.h +++ b/driver/ppm_flag_helpers.h @@ -54,7 +54,7 @@ or GPL2.txt for full copies of the license. #define PPM_MS_MGC_MSK 0xffff0000 #define PPM_MS_MGC_VAL 0xC0ED0000 -/* Check if the res is different from `PPM_SUCCCES` */ +/* Check if the res is different from `PPM_SUCCESS` */ #define CHECK_RES(x) \ if(unlikely(x != PPM_SUCCESS)) { \ return x; \ diff --git a/test/drivers/test_suites/syscall_exit_suite/socket_x.cpp b/test/drivers/test_suites/syscall_exit_suite/socket_x.cpp index 8be270264d..581af4069e 100644 --- a/test/drivers/test_suites/syscall_exit_suite/socket_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/socket_x.cpp @@ -12,9 +12,9 @@ TEST(SyscallExit, socketX) { /*=============================== TRIGGER SYSCALL ===========================*/ - int domain = -1; - int type = -1; - int protocol = -1; + int domain = 0; + int type = SOCK_RAW; + int protocol = PF_INET; /* Here we need to call the `socket` from a child because the main process throws a `socket` * syscall to calibrate the socket file options if we are using the bpf probe. @@ -48,7 +48,7 @@ TEST(SyscallExit, socketX) { } /* This is the errno value we expect from the `socket` call. */ - int64_t errno_value = -EINVAL; + int64_t errno_value = -EAFNOSUPPORT; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -69,8 +69,17 @@ TEST(SyscallExit, socketX) { /* Parameter 1: res (type: PT_ERRNO)*/ evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 2: domain (type: PT_ENUMFLAGS32) */ + evt_test->assert_numeric_param(2, (uint32_t)domain); + + /* Parameter 3: type (type: PT_UINT32) */ + evt_test->assert_numeric_param(3, (uint32_t)type); + + /* Parameter 4: proto (type: PT_UINT32) */ + evt_test->assert_numeric_param(4, (uint32_t)protocol); + /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(1); + evt_test->assert_num_params_pushed(4); } #endif diff --git a/test/e2e/tests/test_network/test_network.py b/test/e2e/tests/test_network/test_network.py index ae64990d8c..2160ec9207 100644 --- a/test/e2e/tests/test_network/test_network.py +++ b/test/e2e/tests/test_network/test_network.py @@ -40,7 +40,7 @@ def expected_events(origin: dict, destination: dict) -> list: "proc.exe": "curl", }, { "container.id": origin['id'], - "evt.args": "fd=3(<4>)", + "evt.args": "fd=3(<4>) domain=2(AF_INET) type=1 proto=0", "evt.category": "net", "evt.type": "socket", "fd.name": "", diff --git a/test/libscap/test_suites/engines/savefile/converter.cpp b/test/libscap/test_suites/engines/savefile/converter.cpp index ee24440e8e..8d4b4d386a 100644 --- a/test/libscap/test_suites/engines/savefile/converter.cpp +++ b/test/libscap/test_suites/engines/savefile/converter.cpp @@ -263,3 +263,51 @@ TEST_F(convert_event_test, PPME_SOCKET_BIND_X_to_3_params_with_enter) { scap_const_sized_buffer{&sockaddr, sizeof(sockaddr)}, fd)); } + +//////////////////////////// +// SOCKET +//////////////////////////// + +TEST_F(convert_event_test, PPME_SOCKET_SOCKET_E_store) { + uint64_t ts = 12; + int64_t tid = 25; + uint32_t domain = 89; + uint32_t type = 89; + uint32_t proto = 89; + + auto evt = create_safe_scap_event(ts, tid, PPME_SOCKET_SOCKET_E, 3, domain, type, proto); + assert_single_conversion_skip(evt); + assert_event_storage_presence(evt); +} + +TEST_F(convert_event_test, PPME_SOCKET_SOCKET_X_to_4_params_no_enter) { + uint64_t ts = 12; + int64_t tid = 25; + + int64_t fd = 23; + uint32_t domain = 0; + uint32_t type = 0; + uint32_t proto = 0; + + assert_single_conversion_success( + conversion_result::CONVERSION_COMPLETED, + create_safe_scap_event(ts, tid, PPME_SOCKET_SOCKET_X, 1, fd), + create_safe_scap_event(ts, tid, PPME_SOCKET_SOCKET_X, 4, fd, domain, type, proto)); +} + +TEST_F(convert_event_test, PPME_SOCKET_SOCKET_X_to_4_params_with_enter) { + uint64_t ts = 12; + int64_t tid = 25; + int64_t fd = 23; + uint32_t domain = 89; + uint32_t type = 87; + uint32_t proto = 86; + + auto evt = create_safe_scap_event(ts, tid, PPME_SOCKET_SOCKET_E, 3, domain, type, proto); + assert_single_conversion_skip(evt); + + assert_single_conversion_success( + conversion_result::CONVERSION_COMPLETED, + create_safe_scap_event(ts, tid, PPME_SOCKET_SOCKET_X, 1, fd), + create_safe_scap_event(ts, tid, PPME_SOCKET_SOCKET_X, 4, fd, domain, type, proto)); +} diff --git a/userspace/libscap/engine/gvisor/fillers.cpp b/userspace/libscap/engine/gvisor/fillers.cpp index 71c48dec71..9bd14bd573 100644 --- a/userspace/libscap/engine/gvisor/fillers.cpp +++ b/userspace/libscap/engine/gvisor/fillers.cpp @@ -778,8 +778,19 @@ int32_t fill_event_socket_e(scap_sized_buffer scap_buf, int32_t fill_event_socket_x(scap_sized_buffer scap_buf, size_t* event_size, char* scap_err, - int64_t fd) { - return scap_event_encode_params(scap_buf, event_size, scap_err, PPME_SOCKET_SOCKET_X, 1, fd); + int64_t fd, + uint32_t domain, + uint32_t type, + uint32_t protocol) { + return scap_event_encode_params(scap_buf, + event_size, + scap_err, + PPME_SOCKET_SOCKET_X, + 4, + fd, + domain, + type, + protocol); } // PPME_SYSCALL_CHDIR_E diff --git a/userspace/libscap/engine/gvisor/fillers.h b/userspace/libscap/engine/gvisor/fillers.h index fb93e8a93f..29817468f0 100644 --- a/userspace/libscap/engine/gvisor/fillers.h +++ b/userspace/libscap/engine/gvisor/fillers.h @@ -259,7 +259,10 @@ int32_t fill_event_socket_e(scap_sized_buffer scap_buf, int32_t fill_event_socket_x(scap_sized_buffer scap_buf, size_t* event_size, char* scap_err, - int64_t fd); + int64_t fd, + uint32_t domain, + uint32_t type, + uint32_t protocol); int32_t fill_event_chdir_e(scap_sized_buffer scap_buf, size_t* event_size, char* scap_err); diff --git a/userspace/libscap/engine/gvisor/parsers.cpp b/userspace/libscap/engine/gvisor/parsers.cpp index 0d78fbf333..a590bfc212 100644 --- a/userspace/libscap/engine/gvisor/parsers.cpp +++ b/userspace/libscap/engine/gvisor/parsers.cpp @@ -743,10 +743,14 @@ static parse_result parse_socket(uint32_t id, } if(gvisor_evt.has_exit()) { - ret.status = scap_gvisor::fillers::fill_event_socket_x(scap_buf, - &ret.size, - scap_err, - gvisor_evt.exit().result()); + ret.status = scap_gvisor::fillers::fill_event_socket_x( + scap_buf, + &ret.size, + scap_err, + gvisor_evt.exit().result(), + socket_family_to_scap(gvisor_evt.domain()), + gvisor_evt.type(), + gvisor_evt.protocol()); } else { ret.status = scap_gvisor::fillers::fill_event_socket_e( scap_buf, diff --git a/userspace/libscap/engine/savefile/converter/table.cpp b/userspace/libscap/engine/savefile/converter/table.cpp index aa326a8779..d2eae93447 100644 --- a/userspace/libscap/engine/savefile/converter/table.cpp +++ b/userspace/libscap/engine/savefile/converter/table.cpp @@ -36,7 +36,16 @@ const std::unordered_map g_conversion_table = { .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}, {C_INSTR_FROM_ENTER, 2}})}, + /*====================== BIND ======================*/ {conversion_key{PPME_SOCKET_BIND_E, 1}, conversion_info().action(C_ACTION_STORE)}, {conversion_key{PPME_SOCKET_BIND_X, 2}, conversion_info().action(C_ACTION_ADD_PARAMS).instrs({{C_INSTR_FROM_ENTER, 0}})}, + /*====================== SOCKET ======================*/ + {conversion_key{PPME_SOCKET_SOCKET_E, 3}, conversion_info().action(C_ACTION_STORE)}, + {conversion_key{PPME_SOCKET_SOCKET_X, 1}, + conversion_info() + .action(C_ACTION_ADD_PARAMS) + .instrs({{C_INSTR_FROM_ENTER, 0}, + {C_INSTR_FROM_ENTER, 1}, + {C_INSTR_FROM_ENTER, 2}})}, }; diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp index 60253c9eeb..a8cacd5aa9 100644 --- a/userspace/libsinsp/parsers.cpp +++ b/userspace/libsinsp/parsers.cpp @@ -90,7 +90,6 @@ void sinsp_parser::process_event(sinsp_evt *evt) { case PPME_SYSCALL_OPENAT_E: case PPME_SYSCALL_OPENAT_2_E: case PPME_SYSCALL_OPENAT2_E: - case PPME_SOCKET_SOCKET_E: case PPME_SYSCALL_EVENTFD_E: case PPME_SYSCALL_EVENTFD2_E: case PPME_SYSCALL_CHDIR_E: @@ -2592,10 +2591,12 @@ inline void sinsp_parser::add_socket(sinsp_evt *evt, #endif domain != 17) // AF_PACKET, used for packet capture { - // - // IPv6 will go here - // - ASSERT(false); + // A possible case in which we enter here is when we reproduce an old scap-file like + // `scap_2013` in our tests. In this case, we have only the exit event of the socket + // `evt_num=5` because we have just started the capture so we lost the enter event. The + // result produced by our scap-file converter is a socket with (domain=0, type=0, + // protocol=0). + fdi->m_type = SCAP_FD_UNKNOWN; } } @@ -2666,12 +2667,6 @@ inline void sinsp_parser::infer_sendto_fdinfo(sinsp_evt *const evt) { } void sinsp_parser::parse_socket_exit(sinsp_evt *evt) { - int64_t fd; - uint32_t domain; - uint32_t type; - uint32_t protocol; - sinsp_evt *enter_evt = &m_tmp_evt; - // // NOTE: we don't check the return value of get_param() because we know the arguments we need // are there. @@ -2679,7 +2674,7 @@ void sinsp_parser::parse_socket_exit(sinsp_evt *evt) { // parameters in one scan. We don't care too much because we assume that we get here // seldom enough that saving few tens of CPU cycles is not important. // - fd = evt->get_syscall_return_value(); + int64_t fd = evt->get_syscall_return_value(); if(fd < 0) { // @@ -2692,19 +2687,12 @@ void sinsp_parser::parse_socket_exit(sinsp_evt *evt) { return; } - // - // Load the enter event so we can access its arguments - // - if(!retrieve_enter_event(enter_evt, evt)) { - return; - } - // // Extract the arguments // - domain = enter_evt->get_param(0)->as(); - type = enter_evt->get_param(1)->as(); - protocol = enter_evt->get_param(2)->as(); + uint32_t domain = evt->get_param(1)->as(); + uint32_t type = evt->get_param(2)->as(); + uint32_t protocol = evt->get_param(3)->as(); // // Allocate a new fd descriptor, populate it and add it to the thread fd table diff --git a/userspace/libsinsp/test/events_net.ut.cpp b/userspace/libsinsp/test/events_net.ut.cpp index efc846b0b9..14224b3db2 100644 --- a/userspace/libsinsp/test/events_net.ut.cpp +++ b/userspace/libsinsp/test/events_net.ut.cpp @@ -31,19 +31,9 @@ int64_t return_value = 0; TEST_F(sinsp_with_test_input, net_socket) { add_default_init_thread(); open_inspector(); - sinsp_evt* evt = NULL; - sinsp_fdinfo* fdinfo = NULL; - int64_t client_fd = 9; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_STREAM, - (uint32_t)0); - evt = add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); - fdinfo = evt->get_fd_info(); + auto evt = generate_socket_events(); + auto fdinfo = evt->get_fd_info(); ASSERT_NE(fdinfo, nullptr); ASSERT_EQ(fdinfo->get_l4proto(), SCAP_L4_NA); /// todo: probably this is not what we want ASSERT_TRUE(fdinfo->is_ipv4_socket()); @@ -75,16 +65,8 @@ TEST_F(sinsp_with_test_input, net_ipv4_connect) { sinsp_fdinfo* fdinfo = NULL; sinsp_threadinfo* tinfo = NULL; char ipv4_string[DEFAULT_IP_STRING_SIZE]; - int64_t client_fd = 7; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_STREAM, - (uint32_t)0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + generate_socket_events(); sockaddr_in client = test_utils::fill_sockaddr_in(DEFAULT_CLIENT_PORT, DEFAULT_IPV4_CLIENT_STRING); @@ -98,13 +80,13 @@ TEST_F(sinsp_with_test_input, net_ipv4_connect) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}); /* See the `reset` logic for enter events with `EF_USES_FD` flag */ tinfo = evt->get_thread_info(false); ASSERT_NE(tinfo, nullptr); - ASSERT_EQ(tinfo->m_lastevent_fd, client_fd); + ASSERT_EQ(tinfo->m_lastevent_fd, sinsp_test_input::socket_params::default_fd); ASSERT_EQ(tinfo->m_lastevent_ts, evt->get_ts()); ASSERT_EQ(tinfo->m_latency, 0); @@ -143,9 +125,9 @@ TEST_F(sinsp_with_test_input, net_ipv4_connect) { 1, PPME_SOCKET_CONNECT_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); fdinfo = evt->get_fd_info(); ASSERT_NE(fdinfo, nullptr); @@ -184,17 +166,8 @@ TEST_F(sinsp_with_test_input, net_ipv4_connect_with_intermediate_event) { add_default_init_thread(); open_inspector(); sinsp_evt* evt = NULL; - sinsp_fdinfo* fdinfo = NULL; - int64_t client_fd = 8; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_STREAM, - (uint32_t)0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + generate_socket_events(); sockaddr_in client = test_utils::fill_sockaddr_in(DEFAULT_CLIENT_PORT, DEFAULT_IPV4_CLIENT_STRING); @@ -209,7 +182,7 @@ TEST_F(sinsp_with_test_input, net_ipv4_connect_with_intermediate_event) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}); std::vector socktuple = test_utils::pack_socktuple(reinterpret_cast(&client), @@ -219,7 +192,7 @@ TEST_F(sinsp_with_test_input, net_ipv4_connect_with_intermediate_event) { 1, PPME_SOCKET_SENDTO_E, 3, - client_fd, + sinsp_test_input::socket_params::default_fd, (uint32_t)102, scap_const_sized_buffer{socktuple.data(), socktuple.size()}); evt = add_event_advance_ts(increasing_ts(), @@ -228,10 +201,10 @@ TEST_F(sinsp_with_test_input, net_ipv4_connect_with_intermediate_event) { 3, return_value, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); /* We are able to recover the fdinfo in the connect exit event even when interleaved */ - fdinfo = evt->get_fd_info(); + auto fdinfo = evt->get_fd_info(); ASSERT_NE(fdinfo, nullptr); ASSERT_EQ(get_field_as_string(evt, "fd.connected"), "true"); @@ -243,15 +216,7 @@ TEST_F(sinsp_with_test_input, net_ipv6_multiple_connects) { open_inspector(); sinsp_evt* evt = NULL; - int64_t client_fd = 9; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET6, - (uint32_t)SOCK_DGRAM, - (uint32_t)0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + generate_socket_events(sinsp_test_input::socket_params(PPM_AF_INET6, SOCK_DGRAM)); sockaddr_in6 client = test_utils::fill_sockaddr_in6(DEFAULT_CLIENT_PORT, DEFAULT_IPV6_CLIENT_STRING); @@ -268,7 +233,7 @@ TEST_F(sinsp_with_test_input, net_ipv6_multiple_connects) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server1_sockaddr.data(), server1_sockaddr.size()}); std::vector socktuple = @@ -278,9 +243,9 @@ TEST_F(sinsp_with_test_input, net_ipv6_multiple_connects) { 1, PPME_SOCKET_CONNECT_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); ASSERT_EQ(get_field_as_string(evt, "fd.name"), DEFAULT_IPV6_FDNAME); ASSERT_EQ(get_field_as_string(evt, "fd.connected"), "true"); @@ -312,7 +277,7 @@ TEST_F(sinsp_with_test_input, net_ipv6_multiple_connects) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server2_sockaddr.data(), server2_sockaddr.size()}); /* check that upon entry to the new connect the fd name is the same as during the last * connection */ @@ -329,9 +294,9 @@ TEST_F(sinsp_with_test_input, net_ipv6_multiple_connects) { 1, PPME_SOCKET_CONNECT_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); ASSERT_EQ(get_field_as_string(evt, "fd.name_changed"), "true"); std::string new_fd_name = std::string(DEFAULT_IPV6_CLIENT_STRING) + ":" + std::string(DEFAULT_CLIENT_PORT_STRING) + "->" + ipv6_server2 + ":" + @@ -343,7 +308,7 @@ TEST_F(sinsp_with_test_input, net_ipv6_multiple_connects) { 1, PPME_SOCKET_SENDTO_E, 3, - client_fd, + sinsp_test_input::socket_params::default_fd, (uint32_t)6, null_buf); /* the tuple of `sendto` is empty so we won't update anything */ @@ -358,15 +323,7 @@ TEST_F(sinsp_with_test_input, net_bind_listen_accept_ipv4) { sinsp_fdinfo* fdinfo = NULL; char ipv4_string[DEFAULT_IP_STRING_SIZE]; - int64_t server_fd = 3; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_STREAM, - (uint32_t)0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, server_fd); + generate_socket_events(); sockaddr_in server = test_utils::fill_sockaddr_in(DEFAULT_SERVER_PORT, DEFAULT_IPV4_SERVER_STRING); @@ -378,9 +335,9 @@ TEST_F(sinsp_with_test_input, net_bind_listen_accept_ipv4) { 1, PPME_SOCKET_BIND_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}, - server_fd); + sinsp_test_input::socket_params::default_fd); fdinfo = evt->get_fd_info(); ASSERT_NE(fdinfo, nullptr); ASSERT_FALSE(fdinfo->is_ipv4_socket()); @@ -413,8 +370,13 @@ TEST_F(sinsp_with_test_input, net_bind_listen_accept_ipv4) { ASSERT_FALSE(field_has_value(evt, "fd.rport")); ASSERT_FALSE(field_has_value(evt, "fd.lport")); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_E, 2, server_fd, (uint32_t)5); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_X, 1, return_value); + add_event_advance_ts(increasing_ts(), + 1, + PPME_SOCKET_LISTEN_E, + 2, + sinsp_test_input::socket_params::default_fd, + (uint32_t)5); + add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_X, 1, (int64_t)0); sockaddr_in client = test_utils::fill_sockaddr_in(DEFAULT_CLIENT_PORT, DEFAULT_IPV4_CLIENT_STRING); @@ -452,15 +414,7 @@ TEST_F(sinsp_with_test_input, net_bind_listen_accept_ipv6) { open_inspector(); sinsp_evt* evt = NULL; - int64_t server_fd = 3; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET6, - (uint32_t)SOCK_STREAM, - 0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, server_fd); + generate_socket_events(sinsp_test_input::socket_params(PPM_AF_INET6, SOCK_STREAM)); sockaddr_in6 server = test_utils::fill_sockaddr_in6(DEFAULT_SERVER_PORT, DEFAULT_IPV6_SERVER_STRING); @@ -472,16 +426,21 @@ TEST_F(sinsp_with_test_input, net_bind_listen_accept_ipv6) { 1, PPME_SOCKET_BIND_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}, - server_fd); + sinsp_test_input::socket_params::default_fd); std::string fdname = std::string(DEFAULT_IPV6_SERVER_STRING) + ":" + std::string(DEFAULT_SERVER_PORT_STRING); ASSERT_EQ(get_field_as_string(evt, "fd.name"), fdname); ASSERT_EQ(get_field_as_string(evt, "fd.is_server"), "true"); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_E, 2, server_fd, (uint32_t)5); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_X, 1, return_value); + add_event_advance_ts(increasing_ts(), + 1, + PPME_SOCKET_LISTEN_E, + 2, + sinsp_test_input::socket_params::default_fd, + (uint32_t)5); + add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_X, 1, (int64_t)0); sockaddr_in6 client = test_utils::fill_sockaddr_in6(DEFAULT_CLIENT_PORT, DEFAULT_IPV6_CLIENT_STRING); @@ -519,16 +478,8 @@ TEST_F(sinsp_with_test_input, net_connect_exit_event_fails) { sinsp_evt* evt = NULL; sinsp_fdinfo* fdinfo = NULL; char ipv4_string[DEFAULT_IP_STRING_SIZE]; - int64_t client_fd = 7; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_STREAM, - 0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + generate_socket_events(); sockaddr_in client = test_utils::fill_sockaddr_in(DEFAULT_CLIENT_PORT, DEFAULT_IPV4_CLIENT_STRING); @@ -545,7 +496,7 @@ TEST_F(sinsp_with_test_input, net_connect_exit_event_fails) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}); std::vector socktuple = @@ -555,9 +506,9 @@ TEST_F(sinsp_with_test_input, net_connect_exit_event_fails) { 1, PPME_SOCKET_CONNECT_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); fdinfo = evt->get_fd_info(); ASSERT_NE(fdinfo, nullptr); @@ -575,7 +526,7 @@ TEST_F(sinsp_with_test_input, net_connect_exit_event_fails) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}); socktuple = test_utils::pack_socktuple(reinterpret_cast(&client), @@ -586,7 +537,7 @@ TEST_F(sinsp_with_test_input, net_connect_exit_event_fails) { 3, (int64_t)-2, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); /* Filterchecks will get an updated fdname since the extraction happens directly on the params, * while the fdinfo fdname is not updated. Ip and port of the new server are updated by the @@ -632,16 +583,8 @@ TEST_F(sinsp_with_test_input, net_connect_enter_event_is_empty) { sinsp_evt* evt = NULL; sinsp_fdinfo* fdinfo = NULL; char ipv4_string[DEFAULT_IP_STRING_SIZE]; - int64_t client_fd = 7; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_DGRAM, - (uint32_t)0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + generate_socket_events(sinsp_test_input::socket_params(PPM_AF_INET, SOCK_DGRAM)); sockaddr_in client = test_utils::fill_sockaddr_in(DEFAULT_CLIENT_PORT, DEFAULT_IPV4_CLIENT_STRING); @@ -657,7 +600,7 @@ TEST_F(sinsp_with_test_input, net_connect_enter_event_is_empty) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}); std::vector socktuple = @@ -667,9 +610,9 @@ TEST_F(sinsp_with_test_input, net_connect_enter_event_is_empty) { 1, PPME_SOCKET_CONNECT_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); /* Second connection with an empty sockaddr in the PPME_SOCKET_CONNECT_E event, new client and * new server */ @@ -685,7 +628,12 @@ TEST_F(sinsp_with_test_input, net_connect_enter_event_is_empty) { sockaddr_in server2 = test_utils::fill_sockaddr_in(port_server2, ipv4_server2.c_str()); scap_const_sized_buffer null_buf = scap_const_sized_buffer{nullptr, 0}; - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_CONNECT_E, 2, client_fd, null_buf); + add_event_advance_ts(increasing_ts(), + 1, + PPME_SOCKET_CONNECT_E, + 2, + sinsp_test_input::socket_params::default_fd, + null_buf); socktuple = test_utils::pack_socktuple(reinterpret_cast(&client2), reinterpret_cast(&server2)); @@ -695,7 +643,7 @@ TEST_F(sinsp_with_test_input, net_connect_enter_event_is_empty) { 3, (int64_t)-2, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); /* Only filterchecks will see the new tuple in the fdname all the rest is not updated */ std::string fdname = ipv4_client2 + ":" + port_client2_string + "->" + ipv4_server2 + ":" + @@ -733,16 +681,8 @@ TEST_F(sinsp_with_test_input, net_connect_enter_event_is_missing) { sinsp_evt* evt = NULL; sinsp_fdinfo* fdinfo = NULL; char ipv4_string[DEFAULT_IP_STRING_SIZE]; - int64_t client_fd = 7; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_DGRAM, - (uint32_t)0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + generate_socket_events(sinsp_test_input::socket_params(PPM_AF_INET, SOCK_DGRAM)); int port_client = 12; std::string ipv4_client = "80.9.11.45"; @@ -763,9 +703,9 @@ TEST_F(sinsp_with_test_input, net_connect_enter_event_is_missing) { 1, PPME_SOCKET_CONNECT_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); /* Check that everything is updated anyway, even if we lost connect enter */ std::string fdname = @@ -803,16 +743,8 @@ TEST_F(sinsp_with_test_input, net_connect_enter_event_is_missing_wo_fd_param_exi add_default_init_thread(); open_inspector(); sinsp_evt* evt = NULL; - int64_t client_fd = 7; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_DGRAM, - (uint32_t)0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + generate_socket_events(sinsp_test_input::socket_params(PPM_AF_INET, SOCK_DGRAM)); int port_client = 12; std::string ipv4_client = "80.9.11.45"; @@ -836,7 +768,7 @@ TEST_F(sinsp_with_test_input, net_connect_enter_event_is_missing_wo_fd_param_exi 1, PPME_SOCKET_CONNECT_X, 2, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}); /* We cannot recover the file descriptor from the enter event neither from the exit event */ diff --git a/userspace/libsinsp/test/events_param.ut.cpp b/userspace/libsinsp/test/events_param.ut.cpp index a9e466d9f9..fbf8923fcf 100644 --- a/userspace/libsinsp/test/events_param.ut.cpp +++ b/userspace/libsinsp/test/events_param.ut.cpp @@ -403,15 +403,14 @@ TEST_F(sinsp_with_test_input, enumparams) { add_default_init_thread(); open_inspector(); - sinsp_evt* evt = NULL; - /* `PPME_SOCKET_SOCKET_E` is a simple event that uses a PT_ENUMFLAGS32 (param 1) */ - evt = add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_E, 3, PPM_AF_UNIX, 0, 0); + /* `PPME_SOCKET_SOCKET_X` is a simple event that uses a PT_ENUMFLAGS32 (param 1) */ + auto evt = generate_socket_events(sinsp_test_input::socket_params(PPM_AF_UNIX, SOCK_DGRAM)); - ASSERT_EQ(evt->get_param(0)->as(), PPM_AF_UNIX); + ASSERT_EQ(evt->get_param(1)->as(), PPM_AF_UNIX); const char* val_str = NULL; - evt->get_param_as_str(0, &val_str); + evt->get_param_as_str(1, &val_str); // Since the enum value "1" matches multiple flags values, // we expect a space-separated list of them ASSERT_STREQ(val_str, "AF_LOCAL|AF_UNIX"); diff --git a/userspace/libsinsp/test/filter_op_net_compare.ut.cpp b/userspace/libsinsp/test/filter_op_net_compare.ut.cpp index 305317cc80..8c6f6ed40a 100644 --- a/userspace/libsinsp/test/filter_op_net_compare.ut.cpp +++ b/userspace/libsinsp/test/filter_op_net_compare.ut.cpp @@ -26,16 +26,7 @@ TEST_F(sinsp_with_test_input, net_ipv4_compare) { open_inspector(); sinsp_evt* evt = NULL; - int64_t client_fd = 9; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_STREAM, - (uint32_t)0); - evt = add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); - + evt = generate_socket_events(); int64_t return_value = 0; sockaddr_in client = test_utils::fill_sockaddr_in(54321, "172.40.111.222"); @@ -48,7 +39,7 @@ TEST_F(sinsp_with_test_input, net_ipv4_compare) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}); std::vector socktuple = @@ -60,7 +51,7 @@ TEST_F(sinsp_with_test_input, net_ipv4_compare) { 3, return_value, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); EXPECT_TRUE(eval_filter(evt, "fd.ip == 142.251.111.147")); EXPECT_TRUE(eval_filter(evt, "fd.sip == 142.251.111.147")); @@ -89,15 +80,7 @@ TEST_F(sinsp_with_test_input, net_ipv6_compare) { open_inspector(); sinsp_evt* evt = NULL; - int64_t client_fd = 9; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET6, - (uint32_t)SOCK_DGRAM, - (uint32_t)0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + evt = generate_socket_events(); int64_t return_value = 0; @@ -111,7 +94,7 @@ TEST_F(sinsp_with_test_input, net_ipv6_compare) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server1_sockaddr.data(), server1_sockaddr.size()}); std::vector socktuple = @@ -123,7 +106,7 @@ TEST_F(sinsp_with_test_input, net_ipv6_compare) { 3, return_value, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); EXPECT_TRUE(eval_filter(evt, "fd.ip == 2001:4860:4860::8888")); EXPECT_TRUE(eval_filter(evt, "fd.sip == 2001:4860:4860::8888")); diff --git a/userspace/libsinsp/test/filter_transformer.ut.cpp b/userspace/libsinsp/test/filter_transformer.ut.cpp index 81262276a2..81aef376b4 100644 --- a/userspace/libsinsp/test/filter_transformer.ut.cpp +++ b/userspace/libsinsp/test/filter_transformer.ut.cpp @@ -388,16 +388,7 @@ TEST_F(sinsp_with_test_input, len_transformer) { EXPECT_TRUE(eval_filter(evt, "len(fd.name) = 16")); - int64_t client_fd = 9; - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_STREAM, - (uint32_t)0); - evt = add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); - + evt = generate_socket_events(); // fd.types = (ipv4,file) EXPECT_TRUE(eval_filter(evt, "len(fd.types) = 2")); diff --git a/userspace/libsinsp/test/filterchecks/mock.cpp b/userspace/libsinsp/test/filterchecks/mock.cpp index 8eae7d7b4d..6c5b7ce54e 100644 --- a/userspace/libsinsp/test/filterchecks/mock.cpp +++ b/userspace/libsinsp/test/filterchecks/mock.cpp @@ -342,17 +342,7 @@ TEST_F(sinsp_with_test_input, check_some_fd_fields) { open_inspector(); // Prepare the setup to extract something from the filter checks `fd.cip`. - int64_t client_fd = 9; - int64_t return_value = 0; - - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET6, - (uint32_t)SOCK_DGRAM, - (uint32_t)0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + generate_socket_events(sinsp_test_input::socket_params(PPM_AF_INET6, SOCK_DGRAM)); sockaddr_in6 client = test_utils::fill_sockaddr_in6(DEFAULT_CLIENT_PORT, DEFAULT_IPV6_CLIENT_STRING); @@ -368,7 +358,7 @@ TEST_F(sinsp_with_test_input, check_some_fd_fields) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}); std::vector socktuple = test_utils::pack_socktuple(reinterpret_cast(&client), @@ -377,9 +367,9 @@ TEST_F(sinsp_with_test_input, check_some_fd_fields) { 1, PPME_SOCKET_CONNECT_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); { // fd.cip will extract an ipv6 we cannot compare it with an ipv4, so we expect false diff --git a/userspace/libsinsp/test/filterchecks/proc.cpp b/userspace/libsinsp/test/filterchecks/proc.cpp index 92fcedd8ad..faf71565a0 100644 --- a/userspace/libsinsp/test/filterchecks/proc.cpp +++ b/userspace/libsinsp/test/filterchecks/proc.cpp @@ -235,18 +235,9 @@ TEST_F(sinsp_with_test_input, PROC_FILTER_pgid_family) { TEST_F(sinsp_with_test_input, PROC_FILTER_stdin_stdout_stderr) { DEFAULT_TREE sinsp_evt* evt = NULL; - int64_t client_fd = 3, return_value = 0; int64_t stdin_fd = 0, stdout_fd = 1, stderr_fd = 2; - // Create a connected socket - add_event_advance_ts(increasing_ts(), - 1, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_INET, - (uint32_t)SOCK_STREAM, - 0); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_SOCKET_X, 1, client_fd); + generate_socket_events(); sockaddr_in client = test_utils::fill_sockaddr_in(DEFAULT_CLIENT_PORT, DEFAULT_IPV4_CLIENT_STRING); @@ -261,7 +252,7 @@ TEST_F(sinsp_with_test_input, PROC_FILTER_stdin_stdout_stderr) { 1, PPME_SOCKET_CONNECT_E, 2, - client_fd, + sinsp_test_input::socket_params::default_fd, scap_const_sized_buffer{server_sockaddr.data(), server_sockaddr.size()}); std::vector socktuple = @@ -271,34 +262,46 @@ TEST_F(sinsp_with_test_input, PROC_FILTER_stdin_stdout_stderr) { 1, PPME_SOCKET_CONNECT_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); // The socket is duped to stdin, stdout, stderr - evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_DUP2_E, 1, client_fd); + evt = add_event_advance_ts(increasing_ts(), + 1, + PPME_SYSCALL_DUP2_E, + 1, + sinsp_test_input::socket_params::default_fd); evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_DUP2_X, 3, stdin_fd, - client_fd, + sinsp_test_input::socket_params::default_fd, stdin_fd); - evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_DUP2_E, 1, client_fd); + evt = add_event_advance_ts(increasing_ts(), + 1, + PPME_SYSCALL_DUP2_E, + 1, + sinsp_test_input::socket_params::default_fd); evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_DUP2_X, 3, stdout_fd, - client_fd, + sinsp_test_input::socket_params::default_fd, stdout_fd); - evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_DUP2_E, 1, client_fd); + evt = add_event_advance_ts(increasing_ts(), + 1, + PPME_SYSCALL_DUP2_E, + 1, + sinsp_test_input::socket_params::default_fd); evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_DUP2_X, 3, stderr_fd, - client_fd, + sinsp_test_input::socket_params::default_fd, stderr_fd); // Exec a process and check stdin, stdout and stderr types and names diff --git a/userspace/libsinsp/test/parsers/parse_connect.cpp b/userspace/libsinsp/test/parsers/parse_connect.cpp index 25ac9dc340..58380970b8 100644 --- a/userspace/libsinsp/test/parsers/parse_connect.cpp +++ b/userspace/libsinsp/test/parsers/parse_connect.cpp @@ -27,26 +27,9 @@ TEST_F(sinsp_with_test_input, CONNECT_parse_unix_socket) { add_default_init_thread(); open_inspector(); - int64_t return_value = 0; - int64_t client_fd = 9; - - // We need the enter event because we store it and we use it in the exit one. - // We only store it, we don't create a fdinfo, if the enter event is missing - // we don't parse the exit one. - auto evt = add_event_advance_ts(increasing_ts(), - INIT_TID, - PPME_SOCKET_SOCKET_E, - 3, - (uint32_t)PPM_AF_UNIX, - (uint32_t)SOCK_STREAM, - (uint32_t)0); - auto fdinfo = evt->get_fd_info(); - ASSERT_FALSE(fdinfo); - - evt = add_event_advance_ts(increasing_ts(), INIT_TID, PPME_SOCKET_SOCKET_X, 1, client_fd); + auto evt = generate_socket_events(sinsp_test_input::socket_params(PPM_AF_UNIX, SOCK_STREAM)); - /* FDINFO associated with the event */ - fdinfo = evt->get_fd_info(); + auto fdinfo = evt->get_fd_info(); ASSERT_TRUE(fdinfo); ASSERT_TRUE(fdinfo->is_unix_socket()); // todo! do we want this? In the end a unix socket could be of type datagram or stream @@ -59,7 +42,7 @@ TEST_F(sinsp_with_test_input, CONNECT_parse_unix_socket) { /* FDINFO associated with the thread */ auto init_tinfo = m_inspector.get_thread_ref(INIT_TID, false).get(); ASSERT_TRUE(init_tinfo); - fdinfo = init_tinfo->get_fd(client_fd); + fdinfo = init_tinfo->get_fd(sinsp_test_input::socket_params::default_fd); ASSERT_TRUE(fdinfo); ASSERT_TRUE(fdinfo->is_unix_socket()); ASSERT_EQ(fdinfo->get_l4proto(), scap_l4_proto::SCAP_L4_NA); @@ -74,9 +57,9 @@ TEST_F(sinsp_with_test_input, CONNECT_parse_unix_socket) { INIT_TID, PPME_SOCKET_CONNECT_X, 3, - return_value, + (int64_t)0, scap_const_sized_buffer{socktuple.data(), socktuple.size()}, - client_fd); + sinsp_test_input::socket_params::default_fd); /* FDINFO associated with the event */ fdinfo = evt->get_fd_info(); @@ -102,7 +85,7 @@ TEST_F(sinsp_with_test_input, CONNECT_parse_unix_socket) { ASSERT_EQ(fdinfo->m_name_raw, ""); /* FDINFO associated with the thread */ - fdinfo = init_tinfo->get_fd(client_fd); + fdinfo = init_tinfo->get_fd(sinsp_test_input::socket_params::default_fd); ASSERT_TRUE(fdinfo); ASSERT_TRUE(fdinfo->is_unix_socket()); ASSERT_EQ(fdinfo->get_l4proto(), scap_l4_proto::SCAP_L4_NA); diff --git a/userspace/libsinsp/test/scap_files/converter_tests.cpp b/userspace/libsinsp/test/scap_files/converter_tests.cpp index 1e7817af0b..1e5a5533b9 100644 --- a/userspace/libsinsp/test/scap_files/converter_tests.cpp +++ b/userspace/libsinsp/test/scap_files/converter_tests.cpp @@ -128,3 +128,33 @@ TEST_F(scap_file_test, pread_x_check_final_converted_event) { size, pos)); } + +//////////////////////////// +// SOCKET +//////////////////////////// + +TEST_F(scap_file_test, socket_x_check_final_converted_event) { + open_filename("scap_2013.scap"); + + // Inside the scap-file the event `515881` is the following: + // - type=PPME_SOCKET_SOCKET_E + // - ts=1380933088295478275 + // - tid=44106 + // - args=domain=2(AF_INET) type=524289 proto=0 + // + // And its corresponding enter event `511520` is the following: + // - type=PPME_SOCKET_SOCKET_X + // - ts=1380933088295552884 + // - tid=44106, + // - args=fd=19(<4>) + // + uint64_t ts = 1380933088295552884; + int64_t tid = 44106; + int64_t fd = 19; + uint32_t domain = 2; + uint32_t type = 524289; + uint32_t proto = 0; + + assert_event_presence( + create_safe_scap_event(ts, tid, PPME_SOCKET_SOCKET_X, 4, fd, domain, type, proto)); +} diff --git a/userspace/libsinsp/test/sinsp_with_test_input.cpp b/userspace/libsinsp/test/sinsp_with_test_input.cpp index e997b5265e..7c6cc4a824 100644 --- a/userspace/libsinsp/test/sinsp_with_test_input.cpp +++ b/userspace/libsinsp/test/sinsp_with_test_input.cpp @@ -373,6 +373,27 @@ sinsp_evt* sinsp_with_test_input::generate_open_x_event(sinsp_test_input::open_p params.ino); } +sinsp_evt* sinsp_with_test_input::generate_socket_events(sinsp_test_input::socket_params params, + int64_t tid_caller) { + // todo!: remove it when we will disable enter events by default. At the moment we want to test + // the use case in which we generate both the enter event and the exit one. + add_event_advance_ts(increasing_ts(), + tid_caller, + PPME_SOCKET_SOCKET_E, + 3, + params.domain, + params.type, + params.proto); + return add_event_advance_ts(increasing_ts(), + tid_caller, + PPME_SOCKET_SOCKET_X, + 4, + params.fd, + params.domain, + params.type, + params.proto); +} + //=============================== PROCESS GENERATION =========================== void sinsp_with_test_input::add_thread(const scap_threadinfo& tinfo, diff --git a/userspace/libsinsp/test/sinsp_with_test_input.h b/userspace/libsinsp/test/sinsp_with_test_input.h index 4d972976de..0f81c820f9 100644 --- a/userspace/libsinsp/test/sinsp_with_test_input.h +++ b/userspace/libsinsp/test/sinsp_with_test_input.h @@ -51,6 +51,27 @@ struct open_params { uint64_t ino = 0; }; +struct socket_params { + static constexpr int64_t default_fd = 4; + + int64_t fd = default_fd; + uint32_t domain = PPM_AF_INET; + uint32_t type = SOCK_STREAM; + uint32_t proto = 0; + + socket_params() { + domain = PPM_AF_INET; + type = SOCK_STREAM; + proto = 0; + }; + + socket_params(uint32_t d, uint32_t t): domain(d), type(t) { + domain = d; + type = t; + proto = 0; + }; +}; + struct fd_info_fields { std::optional fd_num = std::nullopt; std::optional fd_name = std::nullopt; @@ -221,6 +242,8 @@ class sinsp_with_test_input : public ::testing::Test { sinsp_evt* generate_getcwd_failed_entry_event(int64_t tid_caller = INIT_TID); sinsp_evt* generate_open_x_event(sinsp_test_input::open_params params = {}, int64_t tid_caller = INIT_TID); + sinsp_evt* generate_socket_events(sinsp_test_input::socket_params params = {}, + int64_t tid_caller = INIT_TID); //=============================== PROCESS GENERATION ===========================