github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-19 00:19:17 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(unit_tests): revert some test extensions in interim

Browse Source 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
This commit is contained in:
Melissa Kilby
2023-03-27 05:10:38 +00:00
committed by poiana
parent ea3571564b
commit 3e0f0d3692
1 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
View File

@@ -47,7 +47,7 @@ static std::string s_sample_ruleset = "sample-ruleset";
static std::string s_sample_source = falco_common::syscall_source; static std::string s_sample_source = falco_common::syscall_source;
static strset_t s_sample_filters = { static strset_t s_sample_filters = {
"evt.type=connect or evt.type=accept or evt.type=accept4 or evt.type=umount2", "evt.type=connect or evt.type=accept",
"evt.type in (open, ptrace, mmap, execve, read, container)", "evt.type in (open, ptrace, mmap, execve, read, container)",
"evt.type in (open, execve, mprotect) and not evt.type=mprotect"}; "evt.type in (open, execve, mprotect) and not evt.type=mprotect"};
@@ -99,7 +99,7 @@ TEST(ConfigureInterestingSets, engine_codes_syscalls_set)
auto rules_event_set = engine->event_codes_for_ruleset(s_sample_source); auto rules_event_set = engine->event_codes_for_ruleset(s_sample_source);
auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set); auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set);
ASSERT_NAMES_EQ(rules_event_names, strset_t({ ASSERT_NAMES_EQ(rules_event_names, strset_t({
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "container"})); "connect", "accept", "open", "ptrace", "mmap", "execve", "read", "container"}));
// test if sc code names were extracted from each rule in test ruleset. // test if sc code names were extracted from each rule in test ruleset.
// note, this is not supposed to contain "container", as that's an event // note, this is not supposed to contain "container", as that's an event
@@ -107,7 +107,7 @@ TEST(ConfigureInterestingSets, engine_codes_syscalls_set)
auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source); auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source);
auto rules_sc_names = libsinsp::events::sc_set_to_names(rules_sc_set); auto rules_sc_names = libsinsp::events::sc_set_to_names(rules_sc_set);
ASSERT_NAMES_EQ(rules_sc_names, strset_t({ ASSERT_NAMES_EQ(rules_sc_names, strset_t({
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read"})); "connect", "accept", "accept4", "open", "ptrace", "mmap", "execve", "read"}));
} }
TEST(ConfigureInterestingSets, preconditions_postconditions) TEST(ConfigureInterestingSets, preconditions_postconditions)
@@ -158,7 +158,7 @@ TEST(ConfigureInterestingSets, engine_codes_nonsyscalls_set)
// This is a good example of information loss from ppm_event_code <-> ppm_sc_code. // This is a good example of information loss from ppm_event_code <-> ppm_sc_code.
auto generic_names = libsinsp::events::event_set_to_names({ppm_event_code::PPME_GENERIC_E}); auto generic_names = libsinsp::events::event_set_to_names({ppm_event_code::PPME_GENERIC_E});
auto expected_names = strset_t({ auto expected_names = strset_t({
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "container", // ruleset "connect", "accept", "open", "ptrace", "mmap", "execve", "read", "container", // ruleset
"procexit", "switch", "pluginevent"}); // from non-syscall event filters "procexit", "switch", "pluginevent"}); // from non-syscall event filters
expected_names.insert(generic_names.begin(), generic_names.end()); expected_names.insert(generic_names.begin(), generic_names.end());
ASSERT_NAMES_EQ(rules_event_names, expected_names); ASSERT_NAMES_EQ(rules_event_names, expected_names);
@@ -166,7 +166,7 @@ TEST(ConfigureInterestingSets, engine_codes_nonsyscalls_set)
auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source); auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source);
auto rules_sc_names = libsinsp::events::sc_set_to_names(rules_sc_set); auto rules_sc_names = libsinsp::events::sc_set_to_names(rules_sc_set);
ASSERT_NAMES_EQ(rules_sc_names, strset_t({ ASSERT_NAMES_EQ(rules_sc_names, strset_t({
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "connect", "accept", "accept4", "open", "ptrace", "mmap", "execve", "read",
"syncfs", "fanotify_init", // from generic event filters "syncfs", "fanotify_init", // from generic event filters
})); }));
} }
@@ -189,7 +189,7 @@ TEST(ConfigureInterestingSets, selection_not_allevents)
auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set); auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
auto expected_sc_names = strset_t({ auto expected_sc_names = strset_t({
// note: we expect the "read" syscall to have been erased // note: we expect the "read" syscall to have been erased
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", // from ruleset "connect", "accept", "open", "ptrace", "mmap", "execve", // from ruleset
"clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process) "clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process)
"socket", "bind", "close" // from sinsp state set (network, files) "socket", "bind", "close" // from sinsp state set (network, files)
}); });
@@ -232,7 +232,7 @@ TEST(ConfigureInterestingSets, selection_allevents)
auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set); auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
auto expected_sc_names = strset_t({ auto expected_sc_names = strset_t({
// note: we expect the "read" syscall to not be erased // note: we expect the "read" syscall to not be erased
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", // from ruleset "connect", "accept", "open", "ptrace", "mmap", "execve", "read", // from ruleset
"clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process) "clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process)
"socket", "bind", "close" // from sinsp state set (network, files) "socket", "bind", "close" // from sinsp state set (network, files)
}); });
@@ -264,7 +264,7 @@ TEST(ConfigureInterestingSets, selection_generic_evts)
auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set); auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
auto expected_sc_names = strset_t({ auto expected_sc_names = strset_t({
// note: we expect the "read" syscall to not be erased // note: we expect the "read" syscall to not be erased
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", // from ruleset "connect", "accept", "open", "ptrace", "mmap", "execve", // from ruleset
"syncfs", "fanotify_init", // from ruleset (generic events) "syncfs", "fanotify_init", // from ruleset (generic events)
"clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process) "clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process)
"socket", "bind", "close" // from sinsp state set (network, files) "socket", "bind", "close" // from sinsp state set (network, files)
@@ -288,6 +288,7 @@ TEST(ConfigureInterestingSets, selection_custom_base_set)
auto default_base_set = libsinsp::events::sinsp_state_sc_set(); auto default_base_set = libsinsp::events::sinsp_state_sc_set();
// non-empty custom base set (both positive and negative) // non-empty custom base set (both positive and negative)
s.config->m_base_syscalls_repair = false;
s.config->m_base_syscalls_custom_set = {"syncfs", "!accept"}; s.config->m_base_syscalls_custom_set = {"syncfs", "!accept"};
auto result = falco::app::actions::configure_interesting_sets(s); auto result = falco::app::actions::configure_interesting_sets(s);
ASSERT_TRUE(result.success); ASSERT_TRUE(result.success);
@@ -305,6 +306,7 @@ TEST(ConfigureInterestingSets, selection_custom_base_set)
ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names); ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
// non-empty custom base set (both positive and negative with collision) // non-empty custom base set (both positive and negative with collision)
s.config->m_base_syscalls_repair = false;
s.config->m_base_syscalls_custom_set = {"syncfs", "accept", "!accept"}; s.config->m_base_syscalls_custom_set = {"syncfs", "accept", "!accept"};
result = falco::app::actions::configure_interesting_sets(s); result = falco::app::actions::configure_interesting_sets(s);
ASSERT_TRUE(result.success); ASSERT_TRUE(result.success);
@@ -372,7 +374,7 @@ TEST(ConfigureInterestingSets, selection_custom_base_set_repair)
auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set); auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
auto expected_sc_names = strset_t({ auto expected_sc_names = strset_t({
// note: expecting syscalls from mock rules and `sinsp_repair_state_sc_set` enforced syscalls // note: expecting syscalls from mock rules and `sinsp_repair_state_sc_set` enforced syscalls
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "sched_process_exit", \ "connect", "accept", "open", "ptrace", "mmap", "execve", "sched_process_exit", \
"bind", "socket", "clone3", "setuid" "bind", "socket", "clone3", "setuid"
}); });
ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names); ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);