testing: Add file-monitoring test case

This test uses the tracing policy described https://raw.githubusercontent.com/cilium/tetragon/main/examples/tracingpolicy/file_monitoring.yaml. Signed-off-by: Anastasios Papagiannis <[email protected]>
cilium · Aug 1, 2023 · 1d93922 · 1d93922
1 parent da3ee4d
commit 1d93922
Showing 1 changed file with 72 additions and 0 deletions.
diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go
@@ -3150,6 +3150,78 @@ func TestKprobeMatchArgsFdPrefix(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func getMatchArgsFileFIMCrd(vals []string) string {
+	configHook := `apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "file-monitoring"
+spec:
+  kprobes:
+  - call: "security_file_permission"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "file"
+    - index: 1
+      type: "int"
+    returnArg:
+      type: "int"
+    returnArgAction: "Post"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Prefix"
+        values: `
+	for i := 0; i < len(vals); i++ {
+		configHook += fmt.Sprintf("\n        - \"%s\"", vals[i])
+	}
+	return configHook
+}
+
+func TestKprobeMatchArgsFileMonitoringPrefix(t *testing.T) {
+	var doneWG, readyWG sync.WaitGroup
+	defer doneWG.Wait()
+
+	ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+	defer cancel()
+
+	numValues := getNumValues()
+	argVals := make([]string, numValues)
+	argVals[0] = "/etc/p"
+	argVals[1] = "/etc/g"
+	if kernels.EnableLargeProgs() {
+		argVals[2] = "/etc/h"
+		argVals[3] = "/etc/s"
+	}
+
+	createCrdFile(t, getMatchArgsFileFIMCrd(argVals[:]))
+
+	obs, err := observer.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib, observer.WithMyPid())
+	if err != nil {
+		t.Fatalf("GetDefaultObserverWithFile error: %s", err)
+	}
+	observer.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
+	readyWG.Wait()
+
+	kpCheckers := make([]ec.EventChecker, numValues)
+	for i := 0; i < numValues; i++ {
+		readFile(t, allFiles[i])
+		kpCheckers[i] = ec.NewProcessKprobeChecker("").
+			WithFunctionName(sm.Full("security_file_permission")).
+			WithArgs(ec.NewKprobeArgumentListMatcher().
+				WithOperator(lc.Ordered).
+				WithValues(
+					ec.NewKprobeArgumentChecker().WithFileArg(ec.NewKprobeFileChecker().WithPath(sm.Full(allFiles[i]))),
+					ec.NewKprobeArgumentChecker().WithIntArg(4), // MAY_READ
+				))
+	}
+
+	checker := ec.NewUnorderedEventChecker(kpCheckers...)
+	err = jsonchecker.JsonTestCheck(t, checker)
+	assert.NoError(t, err)
+}
+
 func getMatchBinariesCrd(opStr string, vals []string) string {
 	configHook := `apiVersion: cilium.io/v1alpha1
 kind: TracingPolicy