From 99e2e93fda5e21fce29c31924152da43fbf45b2d Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Sun, 17 Dec 2023 16:48:42 +0100 Subject: [PATCH 1/5] style(modern_bpf): reword a comment Signed-off-by: Andrea Terzolo --- driver/modern_bpf/helpers/store/auxmap_store_params.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/driver/modern_bpf/helpers/store/auxmap_store_params.h b/driver/modern_bpf/helpers/store/auxmap_store_params.h index 1dae772fa0..435beaf1e5 100644 --- a/driver/modern_bpf/helpers/store/auxmap_store_params.h +++ b/driver/modern_bpf/helpers/store/auxmap_store_params.h @@ -720,11 +720,18 @@ static __always_inline void auxmap__store_socktuple_param(struct auxiliary_map * } unsigned long start_reading_point; - /* We have to skip the two bytes of socket family. */ char first_path_byte = *(char *)path; if(first_path_byte == '\0') { - /* This is an abstract socket address, we need to skip the initial `\0`. */ + /* Please note exceptions in the `sun_path`: + * Taken from: https://man7.org/linux/man-pages/man7/unix.7.html + * + * An `abstract socket address` is distinguished (from a + * pathname socket) by the fact that sun_path[0] is a null byte + * ('\0'). + * + * So in this case, we need to skip the initial `\0`. + */ start_reading_point = (unsigned long)path + 1; } else From f823d3776de5625fca85f0d62346e264353df3ea Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 20 Dec 2023 16:12:51 +0100 Subject: [PATCH 2/5] new(tests): add a test for unix sockets Signed-off-by: Andrea Terzolo --- .../libsinsp/test/parsers/parse_connect.cpp | 93 +++++++++++++++++++ userspace/libsinsp/test/test_utils.cpp | 46 ++++++--- userspace/libsinsp/test/test_utils.h | 13 +++ 3 files changed, 141 insertions(+), 11 deletions(-) create mode 100644 userspace/libsinsp/test/parsers/parse_connect.cpp 
diff --git a/userspace/libsinsp/test/parsers/parse_connect.cpp b/userspace/libsinsp/test/parsers/parse_connect.cpp new file mode 100644 index 0000000000..c3302825b3 --- /dev/null +++ b/userspace/libsinsp/test/parsers/parse_connect.cpp 
@@ -0,0 +1,93 @@ +// SPDX-License-Identifier: Apache-2.0 +/* +Copyright (C) 2023 The Falco Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +*/ + +#include +#include +#include + +// Note: +// 1. We don't save the type of the unix socket: datagram or stream +// 2. Do we want to keep the tuple in this way `9c758d0f->9c758d0a /tmp/stream.sock`? +TEST_F(sinsp_with_test_input, CONNECT_parse_unix_socket) +{ + add_default_init_thread(); + open_inspector(); + + int64_t return_value = 0; + int64_t client_fd = 9; + + // We need the enter event because we store it and we use it in the exit one. + // We only store it, we don't create a fdinfo, if the enter event is missing + // we don't parse the exit one. + auto evt = add_event_advance_ts(increasing_ts(), INIT_TID, PPME_SOCKET_SOCKET_E, 3, (uint32_t)PPM_AF_UNIX, + (uint32_t)SOCK_STREAM, (uint32_t)0); + auto fdinfo = evt->get_fd_info(); + ASSERT_FALSE(fdinfo); + + evt = add_event_advance_ts(increasing_ts(), INIT_TID, PPME_SOCKET_SOCKET_X, 1, client_fd); + + /* FDINFO associated with the event */ + fdinfo = evt->get_fd_info(); + ASSERT_TRUE(fdinfo); + ASSERT_TRUE(fdinfo->is_unix_socket()); + // todo! do we want this? 
In the end a unix socket could be of type datagram or stream + ASSERT_EQ(fdinfo->get_l4proto(), scap_l4_proto::SCAP_L4_NA); + ASSERT_TRUE(fdinfo->is_role_none()); + ASSERT_FALSE(fdinfo->is_socket_connected()); + // The socket syscall doesn't populate the name of the socket + ASSERT_EQ(fdinfo->m_name, ""); + + /* FDINFO associated with the thread */ + auto init_tinfo = m_inspector.get_thread_ref(INIT_TID, false).get(); + ASSERT_TRUE(init_tinfo); + fdinfo = init_tinfo->get_fd(client_fd); + ASSERT_TRUE(fdinfo); + ASSERT_TRUE(fdinfo->is_unix_socket()); + ASSERT_EQ(fdinfo->get_l4proto(), scap_l4_proto::SCAP_L4_NA); + ASSERT_TRUE(fdinfo->is_role_none()); + ASSERT_FALSE(fdinfo->is_socket_connected()); + ASSERT_EQ(fdinfo->m_name, ""); + + // We don't need the enter event! + std::vector socktuple = test_utils::pack_unix_socktuple(0x9c758d0f, 0x9c758d0a, "/tmp/stream.sock"); + evt = add_event_advance_ts(increasing_ts(), INIT_TID, PPME_SOCKET_CONNECT_X, 3, return_value, + scap_const_sized_buffer{socktuple.data(), socktuple.size()}, client_fd); + + /* FDINFO associated with the event */ + fdinfo = evt->get_fd_info(); + ASSERT_TRUE(fdinfo); + ASSERT_TRUE(fdinfo->is_unix_socket()); + ASSERT_EQ(fdinfo->get_l4proto(), scap_l4_proto::SCAP_L4_NA); + ASSERT_TRUE(fdinfo->is_role_client()); + ASSERT_TRUE(fdinfo->is_socket_connected()); + // Note: `9c758d0f` is the kernel pointer to the socket that performs the connection. + // `9c758d0a` is the kernel pointer to the socket that receives the connection. + ASSERT_EQ(fdinfo->m_name, "9c758d0f->9c758d0a /tmp/stream.sock"); + // we don't have code to populate this `m_name_raw` for sockets. 
+ ASSERT_EQ(fdinfo->m_name_raw, ""); + + /* FDINFO associated with the thread */ + fdinfo = init_tinfo->get_fd(client_fd); + ASSERT_TRUE(fdinfo); + ASSERT_TRUE(fdinfo->is_unix_socket()); + ASSERT_EQ(fdinfo->get_l4proto(), scap_l4_proto::SCAP_L4_NA); + ASSERT_TRUE(fdinfo->is_role_client()); + ASSERT_TRUE(fdinfo->is_socket_connected()); + ASSERT_EQ(fdinfo->m_name, "9c758d0f->9c758d0a /tmp/stream.sock"); + ASSERT_EQ(fdinfo->m_name_raw, ""); +} diff --git a/userspace/libsinsp/test/test_utils.cpp b/userspace/libsinsp/test/test_utils.cpp index 626bcda76e..b329766912 100644 --- a/userspace/libsinsp/test/test_utils.cpp +++ b/userspace/libsinsp/test/test_utils.cpp @@ -20,17 +20,6 @@ limitations under the License. #include -#if defined(__linux__) -#include -#else -#if !defined(_WIN32) -#include -# endif //_WIN32 -#ifndef UNIX_PATH_MAX -#define UNIX_PATH_MAX 108 -#endif -#endif - #if !defined(_WIN32) #include #endif //_WIN32 @@ -38,6 +27,7 @@ limitations under the License. #include #include +#include namespace test_utils { @@ -61,6 +51,15 @@ sockaddr_in6 fill_sockaddr_in6(int32_t ipv6_port, const char* ipv6_string) inet_pton(AF_INET6, ipv6_string, &(sockaddr.sin6_addr)); return sockaddr; } + +struct sockaddr_un fill_sockaddr_un(const char* unix_path) +{ + struct sockaddr_un sockaddr; + memset(&sockaddr, 0, sizeof(sockaddr)); + sockaddr.sun_family = AF_UNIX; + strlcpy(sockaddr.sun_path, unix_path, UNIX_PATH_MAX); + return sockaddr; +} #endif //_WIN32 std::string to_null_delimited(const std::vector list) 
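Review bot: `CONNECT_parse_unix_socket` only exercises a successful connect (`return_value = 0`), so nothing pins what `is_socket_connected()`, `is_role_client()` and `m_name` report when the `PPME_SOCKET_CONNECT_X` event carries a negative result. A second block that replays the same socktuple with a negative `return_value` and asserts the expected state would keep a failed connection from being reported as established. The parser itself is outside this diff, so the expected values need to be confirmed against it. The two open questions in the comments (the `todo!` on `SCAP_L4_NA` and the tuple format) would be easier to track as an issue reference than as free text.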
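Review bot: In `fill_sockaddr_un` the copy is bounded by `UNIX_PATH_MAX` rather than by the destination, and this code is compiled on every non-Windows target. Where the system headers do not define the macro, the fallback `#define UNIX_PATH_MAX 108` (moved into `test_utils.h` by this patch) is used, but BSD-derived layouts declare `sun_path` with 104 bytes, so a long `unix_path` can be written past the end of the field. Bounding by the field itself removes the dependency: `strlcpy(sockaddr.sun_path, unix_path, sizeof(sockaddr.sun_path));`. `strlcpy` also truncates silently and its return value is ignored here, so an over-long test path would produce a different socket name without any failure.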
@@ -262,6 +261,31 @@ std::vector pack_socktuple(sockaddr *src, sockaddr *dest) return res; } + +std::vector pack_unix_socktuple(uint64_t scr_pointer, uint64_t dst_pointer, std::string unix_path) +{ + std::vector res; + + // Assert family. + res.push_back(PPM_AF_UNIX); + + // Scr pointer + for (size_t i = 0; i < sizeof(scr_pointer); ++i) + { + res.push_back(scr_pointer & 0xFF); + scr_pointer >>= 8; + } + + // Dest pointer + for (size_t i = 0; i < sizeof(dst_pointer); ++i) + { + res.push_back(dst_pointer & 0xFF); + dst_pointer >>= 8; + } + + res.insert(res.end(), unix_path.begin(), unix_path.end()); + return res; +} #endif //_WIN32 __EMSCRIPTEN__ } // namespace test_utils diff --git a/userspace/libsinsp/test/test_utils.h b/userspace/libsinsp/test/test_utils.h index a36217b95b..8b77d46e93 100644 --- a/userspace/libsinsp/test/test_utils.h +++ b/userspace/libsinsp/test/test_utils.h @@ -42,6 +42,17 @@ limitations under the License. #define DEFAULT_IP_STRING_SIZE 100 +#if defined(__linux__) +#include +#else +#if !defined(_WIN32) +#include +# endif //_WIN32 +#ifndef UNIX_PATH_MAX +#define UNIX_PATH_MAX 108 +#endif +#endif + #define ASSERT_NAMES_EQ(a, b) \ { \ auto a1 = a; \ @@ -107,8 +118,10 @@ std::set unordered_set_to_ordered(std::unordered_set unordered_set); #if !defined(_WIN32) struct sockaddr_in fill_sockaddr_in(int32_t ipv4_port, const char* ipv4_string); struct sockaddr_in6 fill_sockaddr_in6(int32_t ipv6_port, const char* ipv6_string); +struct sockaddr_un fill_sockaddr_un(const char* unix_path); std::vector pack_sockaddr(sockaddr *sa); std::vector pack_socktuple(sockaddr *src, sockaddr *dest); +std::vector pack_unix_socktuple(uint64_t scr_pointer, uint64_t dst_pointer, std::string unix_path); #endif //_WIN32 void print_bytes(uint8_t *buf, size_t size); From 45ad19ac611e062f9963dbe6f994114d6a4b5da4 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 20 Dec 2023 16:13:37 +0100 Subject: [PATCH 3/5] fix(sinsp): remove an extra " " 
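Review bot: `pack_unix_socktuple` appends only the bytes of `unix_path` and no terminating NUL, so the packed buffer ends exactly at the last path character. If the consumer reads the path as a C string (presumably it does, but the parser is not in this diff), the result depends on whatever bytes follow the parameter. A `res.push_back('\0');` before `return res;` would make the helper self-contained. Please confirm this against the layout the drivers emit. `unix_path` is also taken by value only to be read, so `const std::string& unix_path` avoids a copy. `scr_pointer` looks like a typo for `src_pointer` in both the definition and the declaration in `test_utils.h`, and the `// Assert family.` comment would read better as `// Socket family.` since nothing is asserted.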
Signed-off-by: Andrea Terzolo --- userspace/libsinsp/sinsp_filtercheck_event.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/userspace/libsinsp/sinsp_filtercheck_event.cpp b/userspace/libsinsp/sinsp_filtercheck_event.cpp index ed48aa247b..23f9c72f10 100644 --- a/userspace/libsinsp/sinsp_filtercheck_event.cpp +++ b/userspace/libsinsp/sinsp_filtercheck_event.cpp @@ -1135,6 +1135,10 @@ uint8_t* sinsp_filter_check_event::extract(sinsp_evt *evt, OUT uint32_t* len, bo } } + if(!m_strstorage.empty()) + { + m_strstorage.pop_back(); + } RETURN_EXTRACT_STRING(m_strstorage); } break; From 205d44f6d5f12b12a00383deaf74da052ff37361 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Thu, 21 Dec 2023 14:52:38 +0100 Subject: [PATCH 4/5] update(tests): add a test on `uid` fields Signed-off-by: Andrea Terzolo --- userspace/libsinsp/test/filterchecks/evt.cpp | 37 +++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/userspace/libsinsp/test/filterchecks/evt.cpp b/userspace/libsinsp/test/filterchecks/evt.cpp index d34069f2fd..52850f8af6 100644 --- a/userspace/libsinsp/test/filterchecks/evt.cpp +++ b/userspace/libsinsp/test/filterchecks/evt.cpp 
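Review bot: The added `m_strstorage.pop_back()` removes the last character whenever the string is non-empty, without checking that this character is the separator. The loop that builds the string sits above the hunk, so it cannot be confirmed here that every path ends with a space. `if(!m_strstorage.empty() && m_strstorage.back() == ' ')` states the intent and cannot eat a byte of the last argument. Separately, this string is exposed to rule conditions and outputs (patch 5 adjusts the `evt.args` expectations for it), so an existing exact-match or anchored-regex condition that includes the old trailing space will silently stop matching. That deserves a line in the release notes.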
@@ -79,4 +79,39 @@ TEST_F(sinsp_with_test_input, EVT_FILTER_cmd_str) sinsp_evt* evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_BPF_2_X, 2, fd, (uint64_t)PPM_BPF_PROG_LOAD); ASSERT_EQ(get_field_as_string(evt, "evt.arg.cmd"), "BPF_PROG_LOAD"); -} \ No newline at end of file +} +TEST_F(sinsp_with_test_input, EVT_FILTER_check_evt_arg_uid) +{ + add_default_init_thread(); + open_inspector(); + + uint32_t user_id = 5; + std::string container_id = ""; + auto evt = add_event_advance_ts(increasing_ts(), INIT_TID, PPME_SYSCALL_SETUID_E, 1, user_id); + ASSERT_EQ(get_field_as_string(evt, "evt.type"), "setuid"); + + // The rawarg provides the field directly from the table. + ASSERT_EQ(get_field_as_string(evt, "evt.rawarg.uid"), std::to_string(user_id)); + + // The `evt.arg.uid` tries to find a user in the user table, in this + // case the user table is empty. + ASSERT_EQ(get_field_as_string(evt, "evt.arg.uid"), ""); + ASSERT_EQ(get_field_as_string(evt, "evt.arg[0]"), ""); + ASSERT_EQ(get_field_as_string(evt, "evt.args"), "uid=5()"); + + // we are adding a user on the host so the `pid` parameter is not considered + ASSERT_TRUE(m_inspector.m_usergroup_manager.add_user(container_id, 0, user_id, 6, "test", "/test", "/bin/test")); + + // Now we should have the necessary info + ASSERT_EQ(get_field_as_string(evt, "evt.arg.uid"), "test"); + ASSERT_EQ(get_field_as_string(evt, "evt.arg[0]"), "test"); + ASSERT_EQ(get_field_as_string(evt, "evt.args"), "uid=5(test)"); + + // We remove the user, and the fields should be empty again + m_inspector.m_usergroup_manager.rm_user(container_id, user_id); + ASSERT_FALSE(m_inspector.m_usergroup_manager.get_user(container_id, user_id)); + + ASSERT_EQ(get_field_as_string(evt, "evt.arg.uid"), ""); + ASSERT_EQ(get_field_as_string(evt, "evt.arg[0]"), ""); + ASSERT_EQ(get_field_as_string(evt, "evt.args"), "uid=5()"); +} From 122692d9849c879cb59629ef82c91a7b4b7b5259 Mon Sep 17 00:00:00 2001 
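Review bot: `EVT_FILTER_check_evt_arg_uid` queries the same `evt` three times while the user table changes underneath it, so it implicitly depends on the uid-to-name lookup happening at extraction time rather than being cached when the event is parsed. A short comment above the first `add_user` call would make that contract explicit, e.g. `// evt is not re-parsed: evt.arg.uid must resolve the user at extraction time`. The test also covers only the host case (`container_id` empty), and the new `TEST_F` starts directly after the previous test's closing `}` with no blank line.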
From: Andrea Terzolo Date: Mon, 15 Apr 2024 17:28:10 +0200 Subject: [PATCH 5/5] tests: fix some CI tests Signed-off-by: Andrea Terzolo --- .../test_db_program_spawned_process.py | 2 +- .../test_event_generator/test_file_writes.py | 2 +- .../test_make_binary_dirs.py | 6 +++--- .../test_modify_binary_dirs.py | 4 ++-- .../test_network_activity.py | 4 ++-- .../test_non_sudo_setuid.py | 8 ++++---- .../test_read_sensitive_file.py | 2 +- test/e2e/tests/test_network/test_network.py | 18 +++++++++--------- test/e2e/tests/test_process/test_container.py | 2 +- userspace/libsinsp/test/CMakeLists.txt | 1 + 10 files changed, 25 insertions(+), 24 deletions(-) diff --git a/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py b/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py index 64d0af8bf9..e45c392227 100644 --- a/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py +++ b/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py @@ -41,7 +41,7 @@ def test_db_program_spawned_process(sinsp, run_containers: dict): }, { "container.id": generator_id, - "evt.args": "filename=/bin/ls ", + "evt.args": "filename=/bin/ls", "evt.category": "process", "evt.num": SinspField.numeric_field(), "evt.time": SinspField.numeric_field(), diff --git a/test/e2e/tests/test_event_generator/test_file_writes.py b/test/e2e/tests/test_event_generator/test_file_writes.py index dcb4de4a9d..607f887342 100644 --- a/test/e2e/tests/test_event_generator/test_file_writes.py +++ b/test/e2e/tests/test_event_generator/test_file_writes.py 
@@ -5,7 +5,7 @@ def create_expected_arg(directory: str) -> str: - return fr'^fd=3\({re.escape(directory)}\/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name={re.escape(directory)}\/created-by-event-generator flags=20742\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\) mode=0755 dev=.* ino=\d+ $' + return fr'^fd=3\({re.escape(directory)}\/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name={re.escape(directory)}\/created-by-event-generator flags=20742\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\) mode=0755 dev=.* ino=\d+$' def generate_ids(parameters: list) -> list: diff --git a/test/e2e/tests/test_event_generator/test_make_binary_dirs.py b/test/e2e/tests/test_event_generator/test_make_binary_dirs.py index ce079d98a7..c376824738 100644 --- a/test/e2e/tests/test_event_generator/test_make_binary_dirs.py +++ b/test/e2e/tests/test_event_generator/test_make_binary_dirs.py @@ -35,7 +35,7 @@ def test_make_binary_dirs(sinsp, run_containers: dict): "thread.tid": SinspField.numeric_field() }, { - "evt.args": "res=0 dirfd=-100(AT_FDCWD) path=/bin/directory-created-by-event-generator mode=1ED ", + "evt.args": "res=0 dirfd=-100(AT_FDCWD) path=/bin/directory-created-by-event-generator mode=1ED", "evt.cpu": SinspField.numeric_field(), "evt.dir": "<", "evt.num": SinspField.numeric_field(), @@ -55,7 +55,7 @@ def test_make_binary_dirs(sinsp, run_containers: dict): "thread.tid": SinspField.numeric_field() }, { - "evt.args": "res=-21(EISDIR) dirfd=-100(AT_FDCWD) name=/bin/directory-created-by-event-generator flags=0 ", + "evt.args": "res=-21(EISDIR) dirfd=-100(AT_FDCWD) name=/bin/directory-created-by-event-generator flags=0", "evt.cpu": SinspField.numeric_field(), "evt.dir": "<", "evt.num": SinspField.numeric_field(), 
@@ -75,7 +75,7 @@ def test_make_binary_dirs(sinsp, run_containers: dict): "thread.tid": SinspField.numeric_field() }, { - "evt.args": "res=0 dirfd=-100(AT_FDCWD) name=/bin/directory-created-by-event-generator flags=512(AT_REMOVEDIR) ", + "evt.args": "res=0 dirfd=-100(AT_FDCWD) name=/bin/directory-created-by-event-generator flags=512(AT_REMOVEDIR)", "evt.cpu": SinspField.numeric_field(), "evt.dir": "<", "evt.num": SinspField.numeric_field(), diff --git a/test/e2e/tests/test_event_generator/test_modify_binary_dirs.py b/test/e2e/tests/test_event_generator/test_modify_binary_dirs.py index 388ce5aed7..3eae13da4c 100644 --- a/test/e2e/tests/test_event_generator/test_modify_binary_dirs.py +++ b/test/e2e/tests/test_event_generator/test_modify_binary_dirs.py @@ -35,7 +35,7 @@ def test_modify_binary_dirs(sinsp, run_containers: dict): "thread.tid": SinspField.numeric_field() }, { - "evt.args": "res=0 olddirfd=-100(AT_FDCWD) oldpath=/bin/true newdirfd=-100(AT_FDCWD) newpath=/bin/true.event-generator ", + "evt.args": "res=0 olddirfd=-100(AT_FDCWD) oldpath=/bin/true newdirfd=-100(AT_FDCWD) newpath=/bin/true.event-generator", "evt.cpu": SinspField.numeric_field(), "evt.dir": "<", "evt.num": SinspField.numeric_field(), @@ -55,7 +55,7 @@ def test_modify_binary_dirs(sinsp, run_containers: dict): "thread.tid": SinspField.numeric_field() }, { - "evt.args": "res=0 olddirfd=-100(AT_FDCWD) oldpath=/bin/true.event-generator newdirfd=-100(AT_FDCWD) newpath=/bin/true ", + "evt.args": "res=0 olddirfd=-100(AT_FDCWD) oldpath=/bin/true.event-generator newdirfd=-100(AT_FDCWD) newpath=/bin/true", "evt.cpu": SinspField.numeric_field(), "evt.dir": "<", "evt.num": SinspField.numeric_field(), diff --git a/test/e2e/tests/test_event_generator/test_network_activity.py b/test/e2e/tests/test_event_generator/test_network_activity.py index 722ec1ba6a..e76b7eb99e 100644 --- a/test/e2e/tests/test_event_generator/test_network_activity.py +++ b/test/e2e/tests/test_event_generator/test_network_activity.py 
@@ -30,7 +30,7 @@ def test_network_activity(sinsp, run_containers: dict): expected_events = [ { "container.id": generator_id, - "evt.args": "fd=3(<4>) addr=10.2.3.4:8192 ", + "evt.args": "fd=3(<4>) addr=10.2.3.4:8192", "evt.category": "net", "evt.num": SinspField.numeric_field(), "evt.time": SinspField.numeric_field(), @@ -43,7 +43,7 @@ def test_network_activity(sinsp, run_containers: dict): }, { "container.id": generator_id, - "evt.args": SinspField.regex_field(fr'^res=0 tuple={ipv4_regex}->10\.2\.3\.4:8192 fd=3\(<4u>{ipv4_regex}->10\.2\.3\.4:8192\) $'), + "evt.args": SinspField.regex_field(fr'^res=0 tuple={ipv4_regex}->10\.2\.3\.4:8192 fd=3\(<4u>{ipv4_regex}->10\.2\.3\.4:8192\)$'), "evt.category": "net", "evt.num": SinspField.numeric_field(), "evt.time": SinspField.numeric_field(), diff --git a/test/e2e/tests/test_event_generator/test_non_sudo_setuid.py b/test/e2e/tests/test_event_generator/test_non_sudo_setuid.py index 50a1c28af3..eb668cddc6 100644 --- a/test/e2e/tests/test_event_generator/test_non_sudo_setuid.py +++ b/test/e2e/tests/test_event_generator/test_non_sudo_setuid.py @@ -25,25 +25,25 @@ def test_non_sudo_setuid(sinsp, run_containers): expected_events = [ { - "evt.args": "uid=2() ", + "evt.args": "uid=2()", "evt.dir": ">", "evt.type": "setuid", "proc.name": "child", }, { - "evt.args": "res=0 ", + "evt.args": "res=0", "evt.dir": "<", "evt.type": "setuid", "proc.name": "child", }, { - "evt.args": "uid=0() ", + "evt.args": "uid=0()", "evt.dir": ">", "evt.type": "setuid", "proc.name": "child", }, { - "evt.args": "res=-1(EPERM) ", + "evt.args": "res=-1(EPERM)", "evt.dir": "<", "evt.type": "setuid", "proc.name": "child", diff --git a/test/e2e/tests/test_event_generator/test_read_sensitive_file.py b/test/e2e/tests/test_event_generator/test_read_sensitive_file.py index 7752358716..ea68eb928d 100644 --- a/test/e2e/tests/test_event_generator/test_read_sensitive_file.py +++ b/test/e2e/tests/test_event_generator/test_read_sensitive_file.py 
@@ -55,7 +55,7 @@ def test_read_sensitive_file(sinsp, run_containers: dict, expected_process: str) expected_events = [ { - "evt.args": SinspField.regex_field(r'fd=3\(/etc/shadow\) dirfd=-100\(AT_FDCWD\) name=/etc/shadow flags=4097\(O_RDONLY|O_CLOEXEC\) mode=0 dev=\W+ ino=\d+ '), + "evt.args": SinspField.regex_field(r'fd=3\(/etc/shadow\) dirfd=-100\(AT_FDCWD\) name=/etc/shadow flags=4097\(O_RDONLY|O_CLOEXEC\) mode=0 dev=\W+ ino=\d+'), "evt.cpu": SinspField.numeric_field(), "evt.dir": "<", "evt.num": SinspField.numeric_field(), diff --git a/test/e2e/tests/test_network/test_network.py b/test/e2e/tests/test_network/test_network.py index f282dc294f..ae64990d8c 100644 --- a/test/e2e/tests/test_network/test_network.py +++ b/test/e2e/tests/test_network/test_network.py @@ -32,7 +32,7 @@ def expected_events(origin: dict, destination: dict) -> list: return [ { "container.id": origin['id'], - "evt.args": "domain=2(AF_INET) type=1 proto=0 ", + "evt.args": "domain=2(AF_INET) type=1 proto=0", "evt.category": "net", "evt.type": "socket", "fd.name": None, @@ -40,7 +40,7 @@ def expected_events(origin: dict, destination: dict) -> list: "proc.exe": "curl", }, { "container.id": origin['id'], - "evt.args": "fd=3(<4>) ", + "evt.args": "fd=3(<4>)", "evt.category": "net", "evt.type": "socket", "fd.name": "", @@ -48,7 +48,7 @@ def expected_events(origin: dict, destination: dict) -> list: "proc.exe": "curl", }, { "container.id": origin['id'], - "evt.args": f"fd=3(<4t>0.0.0.0:{origin['local_port']}) addr={destination['ip']} ", + "evt.args": f"fd=3(<4t>0.0.0.0:{origin['local_port']}) addr={destination['ip']}", "evt.category": "net", "evt.type": "connect", "fd.name": f"0.0.0.0:{origin['local_port']}", @@ -56,7 +56,7 @@ def expected_events(origin: dict, destination: dict) -> list: "proc.exe": "curl", }, { "container.id": destination['id'], - "evt.args": "flags=0 ", + "evt.args": "flags=0", "evt.category": "net", "evt.type": "accept4", "fd.name": None, 
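Review bot: The `evt.args` pattern touched in `test_read_sensitive_file` still has an unescaped `|` inside `flags=4097\(O_RDONLY|O_CLOEXEC\)`, which makes the whole expression a top-level alternation, so either half on its own satisfies it. The sibling pattern in `test_file_writes.py` escapes the separator, and the same is needed here: `flags=4097\(O_RDONLY\|O_CLOEXEC\)`. `dev=\W+` matches only non-word characters and was probably meant to be `\w+` or `.*`, but this should be confirmed against real output. The pattern also has no `^`/`$` anchors, so unlike the other expectations changed in this commit it would accept the line with or without the trailing space and does not actually verify the fix.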
@@ -64,29 +64,29 @@ def expected_events(origin: dict, destination: dict) -> list: "proc.exe": "nginx: master proces", }, { "container.id": destination['id'], - "evt.args": f"fd=3(<4t>{origin['ip']}->{destination['ip']}) tuple={origin['ip']}->{destination['ip']} queuepct=0 queuelen=0 queuemax=511 ", + "evt.args": f"fd=3(<4t>{origin['ip']}->{destination['ip']}) tuple={origin['ip']}->{destination['ip']} queuepct=0 queuelen=0 queuemax=511", "evt.category": "net", "evt.type": "accept4", "fd.name": f"{origin['ip']}->{destination['ip']}", "proc.cmdline": "nginx", "proc.exe": "nginx: master proces", }, { - "evt.args": f"fd=3(<4t>{origin['ip']}->{destination['ip']}) ", + "evt.args": f"fd=3(<4t>{origin['ip']}->{destination['ip']})", "evt.dir": ">", "evt.type": "close", "proc.name": "curl", }, { - "evt.args": "res=0 ", + "evt.args": "res=0", "evt.dir": "<", "evt.type": "close", "proc.name": "curl", }, { - "evt.args": f"fd=3(<4t>{origin['ip']}->{destination['ip']}) ", + "evt.args": f"fd=3(<4t>{origin['ip']}->{destination['ip']})", "evt.dir": ">", "evt.type": "close", "proc.name": "nginx", }, { - "evt.args": "res=0 ", + "evt.args": "res=0", "evt.dir": "<", "evt.type": "close", "proc.name": "nginx", diff --git a/test/e2e/tests/test_process/test_container.py b/test/e2e/tests/test_process/test_container.py index a13aeb4fbe..7d188b965e 100644 --- a/test/e2e/tests/test_process/test_container.py +++ b/test/e2e/tests/test_process/test_container.py @@ -38,7 +38,7 @@ def test_exec_in_container(sinsp, run_containers: dict): expected_events = [ { 'container.id': container_id, - 'evt.args': 'filename=/http-echo ', + 'evt.args': 'filename=/http-echo', 'evt.category': 'process', 'evt.type': 'execve', 'proc.exe': 'runc', diff --git a/userspace/libsinsp/test/CMakeLists.txt b/userspace/libsinsp/test/CMakeLists.txt index 5ce91dfe7e..8245088114 100644 --- a/userspace/libsinsp/test/CMakeLists.txt +++ b/userspace/libsinsp/test/CMakeLists.txt 
@@ -142,6 +142,7 @@ if(WIN32) elseif(APPLE OR EMSCRIPTEN) list(REMOVE_ITEM LIBSINSP_UNIT_TESTS_SOURCES events_net.ut.cpp + ${CMAKE_CURRENT_SOURCE_DIR}/parsers/parse_connect.cpp ) endif()