feat(events): create e2e for dependencies failure

Create an end-to-end test for the dependencies failure mechanism. This should check that the new dependencies mechanism is integrating well with Tracee. This PR introduce test events for the first time.
aquasecurity · Apr 29, 2024 · 578bbb6 · 578bbb6
1 parent 3d175e5
commit 578bbb6
Show file tree

Hide file tree

Showing 9 changed files with 455 additions and 1 deletion.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -6762,3 +6762,52 @@ int sched_process_exit_signal(struct bpf_raw_tracepoint_args *ctx)
 }
 
 // END OF Control Plane Programs
+
+// Tests
+
+SEC("kprobe/empty_kprobe")
+int BPF_KPROBE(empty_probe)
+{
+    return 0;
+}
+
+bool did_submit = false;
+
+SEC("raw_tracepoint/submit_once")
+int tracepoint__submit_once(struct bpf_raw_tracepoint_args *ctx)
+{
+    if (likely(did_submit)) {
+        return 0;
+    }
+
+    int ret = 0;
+
+    program_data_t p = {};
+    if (!init_program_data(&p, ctx, NO_EVENT_SUBMIT))
+        return 0;
+
+    if (!evaluate_scope_filters(&p))
+        return 0;
+
+    if (!reset_event(p.event, TEST_SUBMIT_ONCE))
+        return 0;
+    if (evaluate_scope_filters(&p))
+        ret |= events_perf_submit(&p, 0);
+
+    if (!reset_event(p.event, TEST_MISSING_KSYMBOLS))
+        return 0;
+    if (evaluate_scope_filters(&p))
+        ret |= events_perf_submit(&p, 0);
+
+    if (!reset_event(p.event, TEST_FAILED_ATTACH))
+        return 0;
+    if (evaluate_scope_filters(&p))
+        ret |= events_perf_submit(&p, 0);
+
+    if (ret == 0)
+        // This is not a guarantee that the event will be submitted once, but it is good enough for
+        // tests as the purpose is to not create too much of a load.
+        did_submit = true;
+
+    return 0;
+}
diff --git a/pkg/ebpf/c/types.h b/pkg/ebpf/c/types.h
@@ -129,6 +129,11 @@ enum event_id_e
     SECURITY_BPRM_CREDS_FOR_EXEC,
     MAX_EVENT_ID,
     NO_EVENT_SUBMIT,
+
+    // Test events IDs
+    TEST_SUBMIT_ONCE = 9000,
+    TEST_MISSING_KSYMBOLS,
+    TEST_FAILED_ATTACH,
 };
 
 enum signal_event_id_e

diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
@@ -232,6 +232,9 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool, kSyms *helpers.Ke
 		SignalSchedProcessExit:     NewTraceProbe(RawTracepoint, "sched:sched_process_exit", "sched_process_exit_signal"),
 		ExecuteFinished:            NewTraceProbe(Tracepoint, "syscalls:sys_exit_execve", "execute_finished"),
 		ExecuteAtFinished:          NewTraceProbe(Tracepoint, "syscalls:sys_exit_execveat", "execute_finished"),
+
+		TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
+		TestSubmitOnce:      NewTraceProbe(RawTracepoint, "raw_syscalls:sys_enter", "tracepoint__submit_once"),
 	}
 
 	if !netEnabled {

diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go
@@ -142,3 +142,9 @@ const (
 	ExecuteFinished
 	ExecuteAtFinished
 )
+
+// Test probe handles
+const (
+	TestUnavailableHook = 1000 + iota
+	TestSubmitOnce
+)
diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -171,6 +171,13 @@ const (
 	MaxSignatureID   ID = 6999
 )
 
+// Test events
+const (
+	SubmitOnce ID = 9000 + iota
+	MissingKsymbol
+	FailedAttach
+)
+
 //
 // All Events
 //
@@ -13580,4 +13587,52 @@ var CoreEvents = map[ID]Definition{
 			{Type: "const char **", Name: "dst_dns"},
 		},
 	},
+
+	// Test Events
+	SubmitOnce: {
+		id:      SubmitOnce,
+		id32Bit: Sys32Undefined,
+		name:    "submit_once",
+		version: NewVersion(1, 0, 0),
+		syscall: false,
+		sets:    []string{"tests", "dependencies"},
+		params:  []trace.ArgMeta{},
+		dependencies: Dependencies{
+			probes: []Probe{
+				{handle: probes.TestSubmitOnce, required: true},
+			},
+		},
+	},
+	MissingKsymbol: {
+		id:      MissingKsymbol,
+		id32Bit: Sys32Undefined,
+		name:    "missing_ksymbol",
+		version: NewVersion(1, 0, 0),
+		syscall: false,
+		sets:    []string{"tests", "dependencies"},
+		params:  []trace.ArgMeta{},
+		dependencies: Dependencies{
+			kSymbols: []KSymbol{
+				{symbol: "non_existing_symbol", required: true},
+			},
+			probes: []Probe{
+				{handle: probes.TestSubmitOnce, required: true},
+			},
+		},
+	},
+	FailedAttach: {
+		id:      FailedAttach,
+		id32Bit: Sys32Undefined,
+		name:    "failed_attach",
+		version: NewVersion(1, 0, 0),
+		syscall: false,
+		sets:    []string{"tests", "dependencies"},
+		params:  []trace.ArgMeta{},
+		dependencies: Dependencies{
+			probes: []Probe{
+				{handle: probes.TestUnavailableHook, required: true},
+				{handle: probes.TestUnavailableHook, required: true},
+			},
+		},
+	},
 }
diff --git a/pkg/logger/logger.go b/pkg/logger/logger.go
@@ -339,6 +339,11 @@ func SetLogger(l LoggerInterface) {
 	pkgLogger.l = l
 }
 
+// GetLogger gets the package-level base logger
+func GetLogger() LoggerInterface {
+	return pkgLogger.l
+}
+
 // SetLevel sets package-level base logger level,
 // it is threadsafe
 func SetLevel(level Level) {

diff --git a/pkg/policy/v1beta1/policy_file_test.go b/pkg/policy/v1beta1/policy_file_test.go
@@ -35,7 +35,7 @@ func TestPolicyValidate(t *testing.T) {
 		nil,
 	)
 
-	err := events.Core.Add(9000, fakeSigEventDefinition)
+	err := events.Core.Add(events.StartSignatureID, fakeSigEventDefinition)
 	assert.NilError(t, err)
 
 	tests := []struct {