// Source: github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/pkg/ebpftracer/signature/stdio_socket_test.go

package signature

import (
	"net/netip"
	"testing"

	v1 "github.com/castai/kvisor/api/v1/runtime"
	"github.com/castai/kvisor/pkg/containers"
	"github.com/castai/kvisor/pkg/ebpftracer/events"
	"github.com/castai/kvisor/pkg/ebpftracer/types"
	"github.com/castai/kvisor/pkg/logging"
	"github.com/stretchr/testify/require"
)

// TestStdioOverSocketSignature is a table-driven test for the signature built
// by NewStdViaSocketSignature (defined elsewhere in this package). Each case
// feeds one event to OnEvent and checks the returned finding: a
// StdioViaSocket finding when a socket occupies descriptor 0, nil otherwise.
//
// A standard stream wired to a remote socket is the condition this detection
// reports; the table pins the positive and negative paths for connect and dup
// events plus one unrelated event type.
//
// NOTE(review): coverage gaps visible in this table, worth closing so a
// regression in the detection cannot pass silently:
//   - only descriptor 0 is used as the "stdio" value; descriptors 1 and 2 and
//     the first non-stdio descriptor (3) are not exercised, so the boundary of
//     the stdio range is not pinned;
//   - the dup cases never combine a stdio Oldfd with a non-stdio Newfd, so the
//     table does not show which of the two descriptors the signature inspects;
//   - only types.Ip4SockAddr remotes are used; no other address family appears.
func TestStdioOverSocketSignature(t *testing.T) {
	type scenario struct {
		name  string
		input types.Event
		// want stays nil for cases where the signature must stay silent.
		want *v1.SignatureFinding
	}

	// Every case uses the same remote peer; netip.AddrPort is a value type,
	// so sharing it between cases copies it.
	remote := netip.MustParseAddrPort("1.2.3.4:1190")

	// workload returns a fresh container record per case so no pointer is
	// shared between events.
	workload := func() *containers.Container {
		return &containers.Container{
			ID:       "123",
			Name:     "name-123",
			CgroupID: 10,
		}
	}

	// stdioFinding returns a fresh copy of the finding expected by both
	// positive cases: remote peer 1.2.3.4:1190 on descriptor 0.
	stdioFinding := func() *v1.SignatureFinding {
		return &v1.SignatureFinding{
			Data: &v1.SignatureFinding_StdioViaSocket{
				StdioViaSocket: &v1.StdioViaSocketFinding{
					Ip:       netip.MustParseAddr("1.2.3.4").AsSlice(),
					Port:     1190,
					Socketfd: 0,
				},
			},
		}
	}

	scenarios := []scenario{
		{
			// Connect on descriptor 0: the socket itself is stdin.
			name: "should fire for security socket connect event with stdio over socket",
			input: types.Event{
				Context: &types.EventContext{
					EventID:  events.SecuritySocketConnect,
					Ts:       11,
					CgroupID: 10,
					Pid:      99,
				},
				Container: workload(),
				Args: types.SecuritySocketConnectArgs{
					Sockfd: 0,
					Type:   0,
					RemoteAddr: types.Ip4SockAddr{
						Addr: remote,
					},
				},
			},
			want: stdioFinding(),
		},
		{
			// Connect on descriptor 10: an ordinary socket, no finding.
			name: "should not fire for security socket connect event with socket not stdio",
			input: types.Event{
				Context: &types.EventContext{
					EventID:  events.SecuritySocketConnect,
					Ts:       11,
					CgroupID: 10,
					Pid:      99,
				},
				Container: workload(),
				Args: types.SecuritySocketConnectArgs{
					Sockfd: 10,
					Type:   0,
					RemoteAddr: types.Ip4SockAddr{
						Addr: remote,
					},
				},
			},
		},
		{
			// Socket on descriptor 10 duplicated onto descriptor 0; the
			// expected finding carries the new descriptor. ("fs" in the
			// title reads as "fd".)
			name: "should fire for socket dup event with new fs being stdio",
			input: types.Event{
				Context: &types.EventContext{
					EventID:  events.SocketDup,
					Ts:       11,
					CgroupID: 10,
					Pid:      99,
				},
				Container: workload(),
				Args: types.SocketDupArgs{
					Oldfd:      10,
					Newfd:      0,
					RemoteAddr: types.Ip4SockAddr{Addr: remote},
				},
			},
			want: stdioFinding(),
		},
		{
			// Neither descriptor is stdio here (5 -> 10). NOTE(review): the
			// title mentions the old descriptor, but the positive case above
			// fires on Newfd; the title probably means "new fd not being
			// stdio" — confirm against the signature.
			name: "should not fire for socket dup event with old fs not being stdio",
			input: types.Event{
				Context: &types.EventContext{
					EventID:  events.SocketDup,
					Ts:       11,
					CgroupID: 10,
					Pid:      99,
				},
				Container: workload(),
				Args: types.SocketDupArgs{
					Oldfd:      5,
					Newfd:      10,
					RemoteAddr: types.Ip4SockAddr{Addr: remote},
				},
			},
		},
		{
			// An event type unrelated to sockets must be ignored.
			name: "should not fire for random event",
			input: types.Event{
				Context: &types.EventContext{
					EventID:  events.Chroot,
					Ts:       11,
					CgroupID: 10,
					Pid:      99,
				},
				Container: workload(),
				Args:      types.ChrootArgs{},
			},
		},
	}

	logger := logging.New(&logging.Config{})

	for _, tc := range scenarios {
		t.Run(tc.name, func(t *testing.T) {
			// A new signature per case keeps the cases independent of any
			// state the signature might hold.
			sig := NewStdViaSocketSignature(logger)

			got := sig.OnEvent(&tc.input)

			if tc.want != nil {
				require.Equal(t, tc.want, got)
				return
			}

			require.Nil(t, got)
		})
	}
}