Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Go tests for memfd and friends #186

Open
wants to merge 16 commits into
base: main
Choose a base branch
from
Open

Conversation

stanek-michal
Copy link
Contributor

@stanek-michal stanek-michal commented Mar 19, 2024

Add Go tests for all probes except load_kernel_module (this one will come in the next PR).

Test for shm_open was not integrated because of complicated dependencies (libraries) of that glibc API that are difficult to integrate into the busybox of the kernel_tester

Standalone versions of the poc_* C tests can be viewed here:
https://github.com/elastic/linux-fileless-execution

@stanek-michal stanek-michal requested a review from a team as a code owner March 19, 2024 01:53
@stanek-michal stanek-michal force-pushed the memfd_probes_tests branch 2 times, most recently from f3d4e40 to c8f17a0 Compare March 19, 2024 15:49
testing/kernel_builder/Makefile Outdated Show resolved Hide resolved
testing/test_bins/poc_load_kernel_module.c Show resolved Hide resolved
testing/test_bins/poc_load_kernel_module.c Show resolved Hide resolved
testing/testrunner/main.go Outdated Show resolved Hide resolved
@stanek-michal stanek-michal force-pushed the memfd_probes_tests branch 2 times, most recently from a36eaf7 to 244b7ee Compare March 20, 2024 14:00
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this file doesn't need to be commited? It's generated in testing/kernel_builder/build.sh. It also contains the same content repeatedly. I guess because it's not cleaned up between running build.sh

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed in latest version

@@ -2,10 +2,11 @@ from debian:bullseye

RUN dpkg --add-architecture arm64
RUN apt-get -y update
RUN apt-get -y install xz-utils
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did this need to be in a separate command?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I moved it to the next command with all installs

${CONTAINER_ENGINE} run -v ${PWD}:/work ${IMAGE}-new:${TAG}

image:
${CONTAINER_ENGINE} build -f Dockerfile.old -t ${IMAGE}-old:${TAG}
${CONTAINER_ENGINE} build -f Dockerfile.new -t ${IMAGE}-new:${TAG}
${CONTAINER_ENGINE} build -f Dockerfile.new -t ${IMAGE}-new:${TAG} .
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you could rename Dockerfile.new to just Dockerfile now

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep, its one Dockerfile now

int key = 0x0afebabe;
int size = 1024;
long int shmflg = 0666 |IPC_CREAT;
int shmid = shmget(key, size, shmflg);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this check for an error from shmget?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not necessary I think, currently we only monitor the attempt to shmget, regardless if it failed or not - shmid does not go into ECS (we can think about logging return values later but that would be more probes)

Base automatically changed from memfd_probes to main May 29, 2024 15:14
@fearful-symmetry
Copy link
Contributor

Alright, I'm taking this over; apologies if I break things...

@stanek-michal
Copy link
Contributor Author

stanek-michal commented Jan 10, 2025

Github is preventing me from approving this PR as I created it.
Nevertheless I reviewed it and it's an ACK but I noticed one issue, missing checks that were there in the previous version for ForkExec:

+       AssertTrue(execEvent.IsSetUid == binOutput.IsSetUid)
+       AssertTrue(execEvent.IsSetGid == binOutput.IsSetGid)
+       AssertTrue(execEvent.IsMemfd ==  binOutput.IsMemfd)
+       AssertTrue(execEvent.InodeNlink != 0)
+       AssertUint64Equal(uint64(execEvent.Creds.Ruid), binOutput.Ruid)
+       AssertUint64Equal(uint64(execEvent.Creds.Rgid), binOutput.Rgid)
+       AssertUint64Equal(uint64(execEvent.Creds.Euid), binOutput.Euid)
+       AssertUint64Equal(uint64(execEvent.Creds.Egid), binOutput.Egid)
+       AssertUint64Equal(uint64(execEvent.Creds.Suid), binOutput.Suid)
+       AssertUint64Equal(uint64(execEvent.Creds.Sgid), binOutput.Sgid)

Otherwise good, thanks for the changes!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants