diff --git a/osquery/events/linux/probes/syscall_event.h b/osquery/events/linux/probes/syscall_event.h
index 1d646d06d29..183b69acc64 100644
--- a/osquery/events/linux/probes/syscall_event.h
+++ b/osquery/events/linux/probes/syscall_event.h
@@ -28,6 +28,19 @@ enum class Type : __s32 {
 static constexpr std::size_t kCommSize = 16u;
+constexpr Type flipType(Type const type) noexcept {
+ return static_cast(
+ -static_cast::type>(type));
+}
+
+constexpr bool isTypeExit(Type const type) noexcept {
+ return static_cast::type>(type) < 0;
+}
+
+constexpr bool isTypeEnter(Type const type) noexcept {
+ return 0 < static_cast::type>(type);
+}
+
 struct Event {
 // Common part for all events whether Enter or Exit
 Type type;
diff --git a/osquery/events/linux/probes/tests/BUCK b/osquery/events/linux/probes/tests/BUCK
index db5f6e7aae3..b5462572c50 100644
--- a/osquery/events/linux/probes/tests/BUCK
+++ b/osquery/events/linux/probes/tests/BUCK
@@ -20,6 +20,7 @@ osquery_cxx_test(
 LINUX,
 [
 "ebpf_tracepoint.cpp",
+ "syscall_event.cpp",
 ],
 ),
 ],
diff --git a/osquery/events/linux/probes/tests/syscall_event.cpp b/osquery/events/linux/probes/tests/syscall_event.cpp
new file mode 100644
index 00000000000..b0f34ac793b
--- /dev/null
+++ b/osquery/events/linux/probes/tests/syscall_event.cpp
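Review bot: `flipType` in syscall_event.h negates the underlying `__s32` value with no range check, so a `Type` holding the minimum representable value overflows on negation, which is undefined behaviour at run time. `Event::type` is a plain struct field that is presumably filled from probe output rather than only from named enumerators, and the sign-only tests in `isTypeExit` and `isTypeEnter` will classify any raw non-zero value as Exit or Enter even when it names no enumerator. The sign convention these helpers rely on is not documented in the hunk; I would add above `flipType` a comment such as `// Enter values are positive, the matching Exit is its negation, Unknown is 0; validate raw values before flipping`. The enum definition starts outside the hunk, so whether it already states this cannot be seen from here.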
@@ -0,0 +1,71 @@
+/**
+ * Copyright (c) 2014-present, Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under both the Apache 2.0 license (found in the
+ * LICENSE file in the root directory of this source tree) and the GPLv2 (found
+ * in the COPYING file in the root directory of this source tree).
+ * You may select, at your option, one of the above-listed licenses.
+ */
+
+#include
+
+#include
+
+namespace osquery {
+namespace {
+
+class SyscallsTracepointTests : public testing::Test {};
+
+template
+void checkEventPair() {
+ static_assert(enter == events::syscall::flipType(exit),
+ "flipType have to flip Exit to Enter");
+ static_assert(exit == events::syscall::flipType(enter),
+ "flipType have to flip Enter to Exit");
+ static_assert(
+ enter == events::syscall::flipType(events::syscall::flipType(enter)),
+ "flipType applied twice to Enter have to return exactly the same Enter");
+ static_assert(
+ exit == events::syscall::flipType(events::syscall::flipType(exit)),
+ "flipType applied twice to Exit have to return exactly the same Exit");
+}
+
+TEST_F(SyscallsTracepointTests, SyscallEvent_flipType) {
+ checkEventPair();
+ checkEventPair();
+ static_assert(events::syscall::Type::Unknown ==
+ events::syscall::flipType(events::syscall::Type::Unknown),
+ "syscall::Type::Unknown could not be fliped");
+}
+
+TEST_F(SyscallsTracepointTests, SyscallEvent_isTypeExit) {
+ static_assert(events::syscall::isTypeExit(events::syscall::Type::KillExit),
+ "");
+ static_assert(events::syscall::isTypeExit(events::syscall::Type::SetuidExit),
+ "");
+ static_assert(!events::syscall::isTypeExit(events::syscall::Type::Unknown),
+ "");
+ static_assert(
+ !events::syscall::isTypeExit(events::syscall::Type::SetuidEnter), "");
+ static_assert(
+ !events::syscall::isTypeExit(events::syscall::Type::SetuidEnter), "");
+}
+
+TEST_F(SyscallsTracepointTests, SyscallEvent_isTypeEnter) {
+ static_assert(!events::syscall::isTypeEnter(events::syscall::Type::KillExit),
+ "");
+ static_assert(
+ !events::syscall::isTypeEnter(events::syscall::Type::SetuidExit), "");
+ static_assert(!events::syscall::isTypeEnter(events::syscall::Type::Unknown),
+ "");
+ static_assert(
+ events::syscall::isTypeEnter(events::syscall::Type::SetuidEnter), "");
+ static_assert(
+ events::syscall::isTypeEnter(events::syscall::Type::SetuidEnter), "");
+}
+
+} // namespace
+} // namespace osquery
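Review bot: The last two assertions in both `SyscallEvent_isTypeExit` and `SyscallEvent_isTypeEnter` are the same check of `events::syscall::Type::SetuidEnter` written twice, so one Enter value is covered twice and the other Enter type is never run through either predicate. This looks like a copy-paste slip; the second of each pair should presumably name the Enter counterpart of `KillExit`. The empty `""` messages also give no hint when an assertion fails, and a short text such as `"Enter type must not be classified as Exit"` would match the style already used in `checkEventPair`. The message in `SyscallEvent_flipType` has a typo as well, `fliped`.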