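// TestResolver_SyscallEntry resolves every entry of checksResolution against
// the i386 table and verifies, per check, that the error outcome matches
// check.nilError, that the resolved number equals check.num and that the
// per-argument contexts equal check.context.
func TestResolver_SyscallEntry(t *testing.T) {
	r := syscallinfo.NewResolver(linux_386.SyscallTable)
	for _, check := range checksResolution {
		sc, err := r.SyscallEntry(check.entry)
		if err != nil {
			if check.nilError {
				t.Errorf("wrong error (want=nil, get=%v)", err)
			}
			continue
		}
		// A check that expects the resolver to fail must not pass silently
		// when it succeeds; the original loop only tested the other direction.
		if !check.nilError {
			t.Errorf("wrong error (want=non-nil, get=nil) for entry %v", check.entry)
			continue
		}
		if sc.Num != check.num {
			t.Errorf("wrong number (want=%v, get=%v)", check.num, sc.Num)
		}
		// Compare lengths first so the indexed loop below cannot run past
		// the shorter of the two slices.
		if len(sc.Args) != len(check.context) {
			t.Errorf("wrong number of arguments (want=%v, get=%v)", len(check.context), len(sc.Args))
			continue
		}
		for i, want := range check.context {
			if got := sc.Args[i].Context; got != want {
				t.Errorf("wrong context (want=%v, get=%v)", want, got)
			}
		}
	}
}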
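// TestSyscallCall_Output builds a SyscallCall for every entry of checksOutputs
// (i386 table) and verifies that the error outcome of resolving, constructing
// and rendering it matches check.nilError, and that Output(0) renders exactly
// check.outputCall.
func TestSyscallCall_Output(t *testing.T) {
	r := syscallinfo.NewResolver(linux_386.SyscallTable)
	for _, check := range checksOutputs {
		sc, err := r.SyscallN(check.num)
		if err != nil {
			if check.nilError {
				t.Errorf("wrong error (want=nil, get=%v)", err)
			}
			continue
		}
		scc, err := syscallinfo.NewSyscallCall(sc, check.retval, check.args...)
		if err != nil {
			// The original did a bare `return` here, which ended the whole
			// test green while silently skipping every remaining check.
			// Report it the same way as the other error points.
			if check.nilError {
				t.Errorf("wrong error (want=nil, get=%v)", err)
			}
			continue
		}
		str, err := scc.Output(0)
		if err != nil {
			if check.nilError {
				t.Errorf("wrong error (want=nil, get=%v)", err)
			}
			continue
		}
		// A check that expects a failure must not pass when nothing failed.
		if !check.nilError {
			t.Errorf("wrong error (want=non-nil, get=nil) for syscall %v", check.num)
			continue
		}
		if str != check.outputCall {
			t.Errorf("wrong string (want=%v, get=%v)", check.outputCall, str)
		}
	}
}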
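// EventCallback is the per-event handler wired into the audit library. For
// each record it decodes the syscall and its arguments, appends the resolved
// call to the history of the traced process, registers the children created
// by clone/fork/vfork, and prints the call to stdout.
//
// ae holds the parsed record; the fields consumed are pid, syscall, exit
// (decimal) and a0..a5 (hex). The GetValueInt errors are not inspected, so a
// missing or malformed field reads as 0 — e.g. a record without an exit
// field looks like a call that returned 0.
//
// ce is the library's error channel. It is only written for the bad-args
// case, with a non-blocking send so a nil or full channel can never stall
// event delivery (presumably the library drains it — TODO confirm).
//
// args[0] must be the *Atrace that owns the process table.
//
// The process entry is looked up under at.l_processes, but its fields are
// read after the lock is released, as in the original; this assumes the
// audit loop invokes callbacks sequentially — TODO confirm.
func EventCallback(ae *audit.AuditEvent, ce chan error, args ...interface{}) {
	// Guard the variadic contract instead of asserting blindly: a missing or
	// mistyped args[0] previously surfaced as a nil-pointer panic inside the
	// audit read loop.
	var at *Atrace
	if len(args) > 0 {
		at, _ = args[0].(*Atrace)
	}
	if at == nil {
		select {
		case ce <- fmt.Errorf("EventCallback: args[0] is not a *Atrace"):
		default:
		}
		return
	}

	pid, _ := ae.GetValueInt("pid", 10)
	scNR, _ := ae.GetValueInt("syscall", 10)
	a0, _ := ae.GetValueInt("a0", 16)
	a1, _ := ae.GetValueInt("a1", 16)
	a2, _ := ae.GetValueInt("a2", 16)
	a3, _ := ae.GetValueInt("a3", 16)
	a4, _ := ae.GetValueInt("a4", 16)
	a5, _ := ae.GetValueInt("a5", 16)
	exit, _ := ae.GetValueInt("exit", 10)

	// Numbers absent from the amd64 table are skipped on purpose: the audit
	// stream legitimately carries calls the table does not describe.
	r := syscallinfo.NewResolver(linux_amd64.SyscallTable)
	sc, err := r.SyscallN(scNR)
	if err != nil {
		return
	}
	scc, err := syscallinfo.NewSyscallCall(sc, uint64(exit), uint64(a0), uint64(a1), uint64(a2), uint64(a3), uint64(a4), uint64(a5))
	if err != nil {
		return
	}

	// Only pids registered through AddProcess are acted on. The previous
	// unchecked map index dereferenced the missing entry for any other pid.
	at.l_processes.Lock()
	process, tracked := at.processes[pid]
	if tracked {
		process.sccList = append(process.sccList, scc)
	}
	at.l_processes.Unlock()
	if !tracked {
		return
	}

	switch scNR {
	case syscall.SYS_EXIT:
		// Deliberately kept in the table (the delete was disabled upstream)
		// so the collected sccList remains available after the process exits.
	case syscall.SYS_CLONE, syscall.SYS_FORK, syscall.SYS_VFORK:
		// For these calls exit is the child's pid on success and a negative
		// errno on failure, so a failed clone must not register a bogus
		// process (assumes GetValueInt yields a signed value — TODO confirm).
		// Children are followed unconditionally: the process.recursive check
		// was disabled upstream and is kept that way here.
		if exit > 0 {
			at.AddProcess(exit, process.scList, process.recursive)
		}
	}

	fmt.Printf("[%v] %v\n", pid, scc)
	os.Stdout.Sync()
}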
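// TestContextHandler_Handle installs a CtxFD handler that renders file
// descriptors as "test-<n>", builds the SyscallCall described by checkHandle
// from the i386 table, and verifies that String() applies the handler by
// comparing against checkHandle.outputCall.
func TestContextHandler_Handle(t *testing.T) {
	ch := syscallinfo.ContextHandler{}
	ch.Handle(syscallinfo.CtxFD, func(n uint64) (string, error) {
		return fmt.Sprintf("test-%d", n), nil
	})
	r := syscallinfo.NewResolver(linux_386.SyscallTable)
	sc, err := r.SyscallN(checkHandle.num)
	if err != nil {
		t.Fatalf("wrong error (want=nil, get=%v)", err)
	}
	scc, err := syscallinfo.NewSyscallCall(sc, checkHandle.retval, checkHandle.args...)
	if err != nil {
		// Previously a bare `return`: the test ended green without having
		// checked anything. A construction failure is a test failure.
		t.Fatalf("wrong error (want=nil, get=%v)", err)
	}
	scc.SetContextHandler(ch)
	if got := scc.String(); got != checkHandle.outputCall {
		t.Errorf("wrong string (want=%v, get=%v)", checkHandle.outputCall, got)
	}
}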
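// EventCallback is the per-event handler wired into the audit library. For
// each record of a traced process it drops the process from the table when
// it exits, registers the children created by clone/fork/vfork when the
// parent was marked recursive, and prints the resolved call to stdout.
//
// ae holds the parsed record; the fields consumed are pid, syscall, exit
// (decimal) and a0..a5 (hex). The GetValueInt errors are not inspected, so a
// missing or malformed field reads as 0.
//
// ce is the library's error channel. It is only written for the bad-args
// case, with a non-blocking send so a nil or full channel can never stall
// event delivery (presumably the library drains it — TODO confirm).
//
// args[0] must be the *Atrace that owns the process table.
//
// The process entry is copied out under at.l_processes and its fields are
// read afterwards, as in the original; this assumes the audit loop invokes
// callbacks sequentially — TODO confirm.
func EventCallback(ae *audit.AuditEvent, ce chan error, args ...interface{}) {
	// Guard the variadic contract instead of asserting blindly: a missing or
	// mistyped args[0] previously surfaced as a nil-pointer panic on the
	// first lock below.
	var at *Atrace
	if len(args) > 0 {
		at, _ = args[0].(*Atrace)
	}
	if at == nil {
		select {
		case ce <- fmt.Errorf("EventCallback: args[0] is not a *Atrace"):
		default:
		}
		return
	}

	pid, _ := ae.GetValueInt("pid", 10)
	syscallid, _ := ae.GetValueInt("syscall", 10)
	a0, _ := ae.GetValueInt("a0", 16)
	a1, _ := ae.GetValueInt("a1", 16)
	a2, _ := ae.GetValueInt("a2", 16)
	a3, _ := ae.GetValueInt("a3", 16)
	a4, _ := ae.GetValueInt("a4", 16)
	a5, _ := ae.GetValueInt("a5", 16)
	exit, _ := ae.GetValueInt("exit", 10)

	// Only pids registered through AddProcess are acted on. The previous
	// unchecked map index handed a missing entry to the clone branch below.
	at.l_processes.Lock()
	process, tracked := at.processes[pid]
	at.l_processes.Unlock()
	if !tracked {
		return
	}

	// TODO: Review "task" auditd messages.
	switch syscallid {
	case syscall.SYS_EXIT, syscall.SYS_EXIT_GROUP:
		// exit_group is how exit(3)/_exit(2) terminate a process on Linux;
		// matching SYS_EXIT alone left almost every finished process in the
		// table forever.
		at.l_processes.Lock()
		delete(at.processes, pid)
		at.l_processes.Unlock()
	case syscall.SYS_CLONE, syscall.SYS_FORK, syscall.SYS_VFORK:
		// exit is the child's pid on success and a negative errno on failure,
		// so a failed clone must not register a bogus process (assumes
		// GetValueInt yields a signed value — TODO confirm).
		if process.recursive && exit > 0 {
			at.AddProcess(exit, process.syscalls, process.recursive)
		}
	}

	// Numbers absent from the amd64 table are skipped: the original passed
	// the nil entry on and printed a nil call. The uint64 conversions match
	// the other revision of this callback.
	scRes := syscallinfo.NewResolver(linux_amd64.SyscallTable)
	sc, err := scRes.SyscallN(syscallid)
	if err != nil {
		return
	}
	scc, err := syscallinfo.NewSyscallCall(sc, uint64(exit), uint64(a0), uint64(a1), uint64(a2), uint64(a3), uint64(a4), uint64(a5))
	if err != nil {
		return
	}
	// The leftover debug prints (the raw process entry and an undefined
	// `str`, which did not compile) are gone; one line per call remains.
	fmt.Printf("[%d] %s\n", pid, scc)
	os.Stdout.Sync()
}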