Add flipType, isTypeEnter, isTypeExit for the systemcall event types (o…

…squery#5416) Summary: Pull Request resolved: osquery#5416 To able to invert type from enter to exit and determine if type is exit or enter. Part of a linux tracing system, blueprint: [osquery#5218](osquery#5218) Reviewed By: SAlexandru Differential Revision: D13761673 fbshipit-source-id: 2bf668219fd996d9d5b67e0e1ccf5c1161a41481
akindyakov · Feb 4, 2019 · 344fbed · 344fbed
1 parent 8871a1a
commit 344fbed
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 0 deletions.
diff --git a/osquery/events/linux/probes/syscall_event.h b/osquery/events/linux/probes/syscall_event.h
@@ -28,6 +28,19 @@ enum class Type : __s32 {
 
 static constexpr std::size_t kCommSize = 16u;
 
+constexpr Type flipType(Type const type) noexcept {
+  return static_cast<Type>(
+      -static_cast<std::underlying_type<Type>::type>(type));
+}
+
+constexpr bool isTypeExit(Type const type) noexcept {
+  return static_cast<std::underlying_type<Type>::type>(type) < 0;
+}
+
+constexpr bool isTypeEnter(Type const type) noexcept {
+  return 0 < static_cast<std::underlying_type<Type>::type>(type);
+}
+
 struct Event {
   // Common part for all events whether Enter or Exit
   Type type;

diff --git a/osquery/events/linux/probes/tests/BUCK b/osquery/events/linux/probes/tests/BUCK
@@ -20,6 +20,7 @@ osquery_cxx_test(
             LINUX,
             [
                 "ebpf_tracepoint.cpp",
+                "syscall_event.cpp",
             ],
         ),
     ],

diff --git a/osquery/events/linux/probes/tests/syscall_event.cpp b/osquery/events/linux/probes/tests/syscall_event.cpp
@@ -0,0 +1,71 @@
+/**
+ *  Copyright (c) 2014-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under both the Apache 2.0 license (found in the
+ *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
+ *  in the COPYING file in the root directory of this source tree).
+ *  You may select, at your option, one of the above-listed licenses.
+ */
+
+#include <gtest/gtest.h>
+
+#include <osquery/events/linux/probes/syscall_event.h>
+
+namespace osquery {
+namespace {
+
+class SyscallsTracepointTests : public testing::Test {};
+
+template <events::syscall::Type enter, events::syscall::Type exit>
+void checkEventPair() {
+  static_assert(enter == events::syscall::flipType(exit),
+                "flipType have to flip Exit to Enter");
+  static_assert(exit == events::syscall::flipType(enter),
+                "flipType have to flip Enter to Exit");
+  static_assert(
+      enter == events::syscall::flipType(events::syscall::flipType(enter)),
+      "flipType applied twice to Enter have to return exactly the same Enter");
+  static_assert(
+      exit == events::syscall::flipType(events::syscall::flipType(exit)),
+      "flipType applied twice to Exit have to return exactly the same Exit");
+}
+
+TEST_F(SyscallsTracepointTests, SyscallEvent_flipType) {
+  checkEventPair<events::syscall::Type::KillEnter,
+                 events::syscall::Type::KillExit>();
+  checkEventPair<events::syscall::Type::SetuidEnter,
+                 events::syscall::Type::SetuidExit>();
+  static_assert(events::syscall::Type::Unknown ==
+                    events::syscall::flipType(events::syscall::Type::Unknown),
+                "syscall::Type::Unknown could not be fliped");
+}
+
+TEST_F(SyscallsTracepointTests, SyscallEvent_isTypeExit) {
+  static_assert(events::syscall::isTypeExit(events::syscall::Type::KillExit),
+                "");
+  static_assert(events::syscall::isTypeExit(events::syscall::Type::SetuidExit),
+                "");
+  static_assert(!events::syscall::isTypeExit(events::syscall::Type::Unknown),
+                "");
+  static_assert(
+      !events::syscall::isTypeExit(events::syscall::Type::SetuidEnter), "");
+  static_assert(
+      !events::syscall::isTypeExit(events::syscall::Type::SetuidEnter), "");
+}
+
+TEST_F(SyscallsTracepointTests, SyscallEvent_isTypeEnter) {
+  static_assert(!events::syscall::isTypeEnter(events::syscall::Type::KillExit),
+                "");
+  static_assert(
+      !events::syscall::isTypeEnter(events::syscall::Type::SetuidExit), "");
+  static_assert(!events::syscall::isTypeEnter(events::syscall::Type::Unknown),
+                "");
+  static_assert(
+      events::syscall::isTypeEnter(events::syscall::Type::SetuidEnter), "");
+  static_assert(
+      events::syscall::isTypeEnter(events::syscall::Type::SetuidEnter), "");
+}
+
+} // namespace
+} // namespace osquery