@@ -614,6 +614,112 @@ spec:
614614 require .NoError (t , err )
615615}
616616
617+ func TestKprobeMatchCurrentCredRealUidNotEqual (t * testing.T ) {
618+ var doneWG , readyWG sync.WaitGroup
619+ defer doneWG .Wait ()
620+
621+ ctx , cancel := context .WithTimeout (context .Background (), tus .Conf ().CmdWaitTime )
622+ defer cancel ()
623+
624+ if ! config .EnableLargeProgs () {
625+ t .Skipf ("Skipping test since it needs kernel >= 5.3" )
626+ }
627+
628+ // The drop-privileges is a helper binary that drops privileges so we do not
629+ // drop it inside this test which will break the test framework.
630+ testDrop := testutils .RepoRootPath ("contrib/tester-progs/drop-privileges" )
631+ testEcho , err := exec .LookPath ("echo" )
632+ if err != nil {
633+ t .Skipf ("Skipping test could not find 'echo' binary: %v" , err )
634+ }
635+
636+ credshook_ := `
637+ apiVersion: cilium.io/v1alpha1
638+ kind: TracingPolicy
639+ metadata:
640+ name: "process-creds-changed"
641+ spec:
642+ kprobes:
643+ - call: "security_bprm_committed_creds"
644+ syscall: false
645+ args:
646+ - index: 0
647+ resolve: file
648+ type: "file"
649+ selectors:
650+ - matchBinaries:
651+ - operator: "In"
652+ values:
653+ - "` + testDrop + `"
654+ matchArgs:
655+ - index: 0
656+ operator: "Postfix"
657+ values:
658+ - "` + testEcho + `"
659+ matchCurrentCred:
660+ - uid:
661+ - operator: "NotEqual" # we want to match real uid 1879048188
662+ values:
663+ - "0:187904818"
664+ - "187904818:1879048187"
665+ - "1879048189:4294967295"
666+ `
667+
668+ testConfigFile := t .TempDir () + "/tetragon.gotest.yaml"
669+ writeConfigHook := []byte (credshook_ )
670+ err = os .WriteFile (testConfigFile , writeConfigHook , 0644 )
671+ if err != nil {
672+ t .Fatalf ("writeFile(%s): err %s" , testConfigFile , err )
673+ }
674+
675+ obs , err := observertesthelper .GetDefaultObserverWithFile (t , ctx , testConfigFile , tus .Conf ().TetragonLib , observertesthelper .WithMyPid ())
676+ if err != nil {
677+ t .Fatalf ("GetDefaultObserverWithFile error: %s" , err )
678+ }
679+
680+ observertesthelper .LoopEvents (ctx , t , & doneWG , & readyWG , obs )
681+ readyWG .Wait ()
682+
683+ cachedTetragonCreds := ec .NewProcessCredentialsChecker ().
684+ WithUid (0 ).
685+ WithGid (0 ).
686+ WithEuid (0 ).
687+ WithEgid (0 ).
688+ WithSuid (0 ).
689+ WithSgid (0 ).
690+ WithFsuid (0 ).
691+ WithFsgid (0 )
692+
693+ processChecker := ec .NewProcessChecker ().
694+ WithUid (0 ).
695+ WithBinary (sm .Full (testDrop )).
696+ WithProcessCredentials (cachedTetragonCreds )
697+
698+ kpCurrentUid := ec .NewProcessKprobeChecker ("" ).
699+ WithProcess (processChecker ).
700+ WithFunctionName (sm .Full ("security_bprm_committed_creds" )).
701+ WithAction (tetragon .KprobeAction_KPROBE_ACTION_POST )
702+
703+ testCmd := exec .CommandContext (ctx , testDrop , testEcho , "hello" )
704+ if err := testCmd .Start (); err != nil {
705+ t .Fatal (err )
706+ }
707+ if err := testCmd .Wait (); err != nil {
708+ t .Fatalf ("command failed with %s. Context error: %v" , err , ctx .Err ())
709+ }
710+
711+ if err := syscall .Setuid (0 ); err != nil {
712+ t .Fatalf ("setuid(0) error: %s" , err )
713+ }
714+ if err := syscall .Setgid (0 ); err != nil {
715+ t .Fatalf ("setgid(0) error: %s" , err )
716+ }
717+
718+ checker := ec .NewUnorderedEventChecker (kpCurrentUid )
719+ err = jsonchecker .JsonTestCheck (t , checker )
720+ require .NoError (t , err )
721+ }
722+
617723func TestKprobeMatchCurrentCredRealEffectiveUid (t * testing.T ) {
618724 var doneWG , readyWG sync.WaitGroup
619725 defer doneWG .Wait ()
@@ -721,3 +827,114 @@ spec:
721827 err = jsonchecker .JsonTestCheck (t , checker )
722828 require .NoError (t , err )
723829}
830+
831+ func TestKprobeMatchCurrentCredRealEffectiveUidNotEqual (t * testing.T ) {
832+ var doneWG , readyWG sync.WaitGroup
833+ defer doneWG .Wait ()
834+
835+ ctx , cancel := context .WithTimeout (context .Background (), tus .Conf ().CmdWaitTime )
836+ defer cancel ()
837+
838+ if ! config .EnableLargeProgs () {
839+ t .Skipf ("Skipping test since it needs kernel >= 5.3" )
840+ }
841+
842+ // The drop-privileges is a helper binary that drops privileges so we do not
843+ // drop it inside this test which will break the test framework.
844+ testDrop := testutils .RepoRootPath ("contrib/tester-progs/drop-privileges" )
845+ testEcho , err := exec .LookPath ("echo" )
846+ if err != nil {
847+ t .Skipf ("Skipping test could not find 'echo' binary: %v" , err )
848+ }
849+
850+ credshook_ := `
851+ apiVersion: cilium.io/v1alpha1
852+ kind: TracingPolicy
853+ metadata:
854+ name: "process-creds-changed"
855+ spec:
856+ kprobes:
857+ - call: "security_bprm_committed_creds"
858+ syscall: false
859+ args:
860+ - index: 0
861+ resolve: file
862+ type: "file"
863+ selectors:
864+ - matchBinaries:
865+ - operator: "In"
866+ values:
867+ - "` + testDrop + `"
868+ matchArgs:
869+ - index: 0
870+ operator: "Postfix"
871+ values:
872+ - "` + testEcho + `"
873+ matchCurrentCred:
874+ - uid:
875+ - operator: "NotEqual" # we want to match real uid 1879048188
876+ values:
877+ - "0:187904818"
878+ - "1879048189:4294967295"
879+ - euid:
880+ - operator: "NotEqual" # we want to match effective uid 1879048188
881+ values:
882+ - "0:187904818"
883+ - "1879048186:1879048187"
884+ - "1879048189:4294967295"
885+ `
886+
887+ testConfigFile := t .TempDir () + "/tetragon.gotest.yaml"
888+ writeConfigHook := []byte (credshook_ )
889+ err = os .WriteFile (testConfigFile , writeConfigHook , 0644 )
890+ if err != nil {
891+ t .Fatalf ("writeFile(%s): err %s" , testConfigFile , err )
892+ }
893+
894+ obs , err := observertesthelper .GetDefaultObserverWithFile (t , ctx , testConfigFile , tus .Conf ().TetragonLib , observertesthelper .WithMyPid ())
895+ if err != nil {
896+ t .Fatalf ("GetDefaultObserverWithFile error: %s" , err )
897+ }
898+
899+ observertesthelper .LoopEvents (ctx , t , & doneWG , & readyWG , obs )
900+ readyWG .Wait ()
901+
902+ cachedTetragonCreds := ec .NewProcessCredentialsChecker ().
903+ WithUid (0 ).
904+ WithGid (0 ).
905+ WithEuid (0 ).
906+ WithEgid (0 ).
907+ WithSuid (0 ).
908+ WithSgid (0 ).
909+ WithFsuid (0 ).
910+ WithFsgid (0 )
911+
912+ processChecker := ec .NewProcessChecker ().
913+ WithUid (0 ).
914+ WithBinary (sm .Full (testDrop )).
915+ WithProcessCredentials (cachedTetragonCreds )
916+
917+ kpCurrentUid := ec .NewProcessKprobeChecker ("" ).
918+ WithProcess (processChecker ).
919+ WithFunctionName (sm .Full ("security_bprm_committed_creds" )).
920+ WithAction (tetragon .KprobeAction_KPROBE_ACTION_POST )
921+
922+ testCmd := exec .CommandContext (ctx , testDrop , testEcho , "hello" )
923+ if err := testCmd .Start (); err != nil {
924+ t .Fatal (err )
925+ }
926+ if err := testCmd .Wait (); err != nil {
927+ t .Fatalf ("command failed with %s. Context error: %v" , err , ctx .Err ())
928+ }
929+
930+ if err := syscall .Setuid (0 ); err != nil {
931+ t .Fatalf ("setuid(0) error: %s" , err )
932+ }
933+ if err := syscall .Setgid (0 ); err != nil {
934+ t .Fatalf ("setgid(0) error: %s" , err )
935+ }
936+
937+ checker := ec .NewUnorderedEventChecker (kpCurrentUid )
938+ err = jsonchecker .JsonTestCheck (t , checker )
939+ require .NoError (t , err )
940+ }
0 commit comments