tests: add test for matchParents

kobrineli · kobrineli · commit 600672b5c502 · 2025-10-29T12:43:27.000+03:00
Add test for matchParents selector, which runs
/usr/bin/tail binary with /bin/bash and /bin/sh
binaries as parents, and tests In, NotIn, Postfix,
NotPostfix, Prefix, NotPrefix operators.

Signed-off-by: Kobrin Ilay &lt;ilayko3110@yandex.ru&gt;
diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go
@@ -35,14 +35,15 @@ import (
 
 	"github.com/cilium/tetragon/api/v1/tetragon"
 	ec "github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker"
+	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+
 	"github.com/cilium/tetragon/pkg/api/tracingapi"
 	"github.com/cilium/tetragon/pkg/arch"
 	"github.com/cilium/tetragon/pkg/bpf"
 	"github.com/cilium/tetragon/pkg/config"
 	"github.com/cilium/tetragon/pkg/ftrace"
 	"github.com/cilium/tetragon/pkg/grpc/tracing"
 	"github.com/cilium/tetragon/pkg/jsonchecker"
-	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
 	"github.com/cilium/tetragon/pkg/kernels"
 	"github.com/cilium/tetragon/pkg/logger"
 	bc "github.com/cilium/tetragon/pkg/matchers/bytesmatcher"
@@ -3818,6 +3819,108 @@ spec:
 	require.Error(t, err)
 }
 
+func getMatchParentsCrd(opStr string, vals []string) string {
+	configHook := `apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "testing-file-match-binaries"
+spec:
+  kprobes:
+  - call: "fd_install"
+    syscall: false
+    return: false
+    args:
+    - index: 0
+      type: int
+    - index: 1
+      type: "file"
+    selectors:
+    - matchParents:
+      - operator: "` + opStr + `"
+        values: `
+	for i := range vals {
+		configHook += fmt.Sprintf("\n        - \"%s\"", vals[i])
+	}
+	return configHook
+}
+
+func createParentsChecker(parent, binary, filename string) *ec.ProcessKprobeChecker {
+	kpChecker := ec.NewProcessKprobeChecker("").
+		WithParent(ec.NewProcessChecker().WithBinary(sm.Full(parent))).
+		WithProcess(ec.NewProcessChecker().WithBinary(sm.Full(binary))).
+		WithFunctionName(sm.Full("fd_install")).
+		WithArgs(ec.NewKprobeArgumentListMatcher().
+			WithOperator(lc.Subset).
+			WithValues(
+				ec.NewKprobeArgumentChecker().WithFileArg(ec.NewKprobeFileChecker().WithPath(sm.Full(filename))),
+			))
+	return kpChecker
+}
+
+func matchParentsTest(t *testing.T, operator string, values []string, kpChecker *ec.ProcessKprobeChecker) {
+	var doneWG, readyWG sync.WaitGroup
+	defer doneWG.Wait()
+
+	ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+	defer cancel()
+
+	createCrdFile(t, getMatchParentsCrd(operator, values))
+
+	obs, err := observertesthelper.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib, observertesthelper.WithMyPid())
+	if err != nil {
+		t.Fatalf("GetDefaultObserverWithFile error: %s", err)
+	}
+	observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
+	readyWG.Wait()
+
+	if err := exec.Command("/usr/bin/bash", "-c", "echo '/usr/bin/tail /etc/passwd' | /usr/bin/bash").Run(); err != nil {
+		t.Fatalf("failed to run tail /etc/passwd with /bin/bash: %s", err)
+	}
+
+	if err := exec.Command("/usr/bin/sh", "-c", "echo '/usr/bin/tail /etc/passwd' | /usr/bin/sh").Run(); err != nil {
+		t.Fatalf("failed to run tail /etc/passwd with /bin/sh: %s", err)
+	}
+
+	checker := ec.NewUnorderedEventChecker(kpChecker)
+	err = jsonchecker.JsonTestCheck(t, checker)
+	require.NoError(t, err)
+}
+
+const skipMatchParents = "kernels without large progs do not support matchParents Prefix/NotPrefix/Postfix/NotPostfix"
+
+func TestKprobeMatchParents(t *testing.T) {
+	t.Run("In", func(t *testing.T) {
+		matchParentsTest(t, "In", []string{"/usr/bin/bash"}, createParentsChecker("/usr/bin/bash", "/usr/bin/tail", "/etc/passwd"))
+	})
+	t.Run("NotIn", func(t *testing.T) {
+		matchParentsTest(t, "NotIn", []string{"/usr/bin/bash"}, createParentsChecker("/usr/bin/sh", "/usr/bin/tail", "/etc/passwd"))
+	})
+	t.Run("Prefix", func(t *testing.T) {
+		if !config.EnableLargeProgs() {
+			t.Skip(skipMatchParents)
+		}
+		matchParentsTest(t, "Prefix", []string{"/usr/bin/ba"}, createParentsChecker("/usr/bin/bash", "/usr/bin/tail", "/etc/passwd"))
+	})
+	t.Run("NotPrefix", func(t *testing.T) {
+		if !config.EnableLargeProgs() {
+			t.Skip(skipMatchParents)
+		}
+		matchParentsTest(t, "NotPrefix", []string{"/usr/bin/bas"}, createParentsChecker("/usr/bin/sh", "/usr/bin/tail", "/etc/passwd"))
+	})
+	t.Run("Postfix", func(t *testing.T) {
+		if !config.EnableLargeProgs() {
+			t.Skip(skipMatchParents)
+		}
+		matchParentsTest(t, "Postfix", []string{"in/bash"}, createParentsChecker("/usr/bin/bash", "/usr/bin/tail", "/etc/passwd"))
+	})
+	t.Run("NotPostfix", func(t *testing.T) {
+		if !config.EnableLargeProgs() {
+			t.Skip(skipMatchParents)
+		}
+		matchParentsTest(t, "NotPostfix", []string{"n/bash"}, createParentsChecker("/usr/bin/sh", "/usr/bin/tail", "/etc/passwd"))
+	})
+}
+
 func getMatchBinariesCrd(opStr string, vals []string) string {
 	configHook := `apiVersion: cilium.io/v1alpha1
 kind: TracingPolicy
