tests: reject invalid tracepoint and LSM hook policies

This commit adds tests to ensure that invalid TracingPolicies
for tracepoints and LSM hooks are properly rejected
during the pre-validation phase, before any BPF resources get created.

Signed-off-by: Aritra Dey <adey01027@gmail.com>

Author: AritraDey-Dev

pkg/sensors/tracing/lsm_validation_test.go

@@ -0,0 +1,151 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+//go:build !windows
+
+package tracing
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/cilium/tetragon/pkg/bpf"
+	"github.com/cilium/tetragon/pkg/config"
+	"github.com/cilium/tetragon/pkg/tracingpolicy"
+)
+
+func TestLsmValidationBogusHook(t *testing.T) {
+
+	if !bpf.HasLSMPrograms() || !config.EnableLargeProgs() {
+		t.Skip("LSM programs not supported on this kernel")
+	}
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "lsm-bogus-hook"
+spec:
+  lsmhooks:
+  - hook: "bogus_nonexistent_hook_xyz"
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestLsmValidationEmptyHook(t *testing.T) {
+
+	if !bpf.HasLSMPrograms() || !config.EnableLargeProgs() {
+		t.Skip("LSM programs not supported on this kernel")
+	}
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "lsm-empty-hook"
+spec:
+  lsmhooks:
+  - hook: ""
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestLsmValidationInvalidSelector(t *testing.T) {
+
+	if !bpf.HasLSMPrograms() || !config.EnableLargeProgs() {
+		t.Skip("LSM programs not supported on this kernel")
+	}
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "lsm-bad-selector"
+spec:
+  lsmhooks:
+  - hook: "file_open"
+    selectors:
+    - matchReturnArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestLsmValidationArgIndexOutOfBounds(t *testing.T) {
+
+	if !bpf.HasLSMPrograms() || !config.EnableLargeProgs() {
+		t.Skip("LSM programs not supported on this kernel")
+	}
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "lsm-arg-oob"
+spec:
+  lsmhooks:
+  - hook: "file_open"
+    args:
+    - index: 5
+      type: "int"
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestLsmValidationInvalidArgType(t *testing.T) {
+
+	if !bpf.HasLSMPrograms() || !config.EnableLargeProgs() {
+		t.Skip("LSM programs not supported on this kernel")
+	}
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "lsm-bad-argtype"
+spec:
+  lsmhooks:
+  - hook: "file_open"
+    args:
+    - index: 0
+      type: "bogus_type_xyz"
+`
+
+	_, err := tracingpolicy.FromYAML(crd)
+	require.Error(t, err)
+}
+
+func TestLsmValidationValidPolicy(t *testing.T) {
+
+	if !bpf.HasLSMPrograms() || !config.EnableLargeProgs() {
+		t.Skip("LSM programs not supported on this kernel")
+	}
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "lsm-valid"
+spec:
+  lsmhooks:
+  - hook: "file_open"
+    args:
+    - index: 0
+      type: "file"
+`
+
+	err := checkCrd(t, crd)
+	require.NoError(t, err)
+}

pkg/sensors/tracing/tracepoint_validation_test.go

@@ -0,0 +1,165 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+//go:build !windows
+
+package tracing
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestTracepointValidationWrongSubsystem(t *testing.T) {
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "tp-bogus-subsystem"
+spec:
+  tracepoints:
+  - subsystem: "bogus_subsystem"
+    event: "bogus_event"
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestTracepointValidationWrongEvent(t *testing.T) {
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "tp-bogus-event"
+spec:
+  tracepoints:
+  - subsystem: "syscalls"
+    event: "bogus_event_xyz"
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestTracepointValidationEmptySubsystem(t *testing.T) {
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "tp-empty-subsystem"
+spec:
+  tracepoints:
+  - subsystem: ""
+    event: "sys_enter_openat"
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestTracepointValidationEmptyEvent(t *testing.T) {
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "tp-empty-event"
+spec:
+  tracepoints:
+  - subsystem: "syscalls"
+    event: ""
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestTracepointValidationArgIndexOutOfBounds(t *testing.T) {
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "tp-arg-oob"
+spec:
+  tracepoints:
+  - subsystem: "syscalls"
+    event: "sys_enter_openat"
+    args:
+    - index: 999
+      type: "int"
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestTracepointValidationRawArgIndexOutOfBounds(t *testing.T) {
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "tp-raw-arg-oob"
+spec:
+  tracepoints:
+  - subsystem: "raw_syscalls"
+    event: "sys_enter"
+    raw: true
+    args:
+    - index: 6
+      type: "int"
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}
+
+func TestTracepointValidationValidPolicy(t *testing.T) {
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "tp-valid"
+spec:
+  tracepoints:
+  - subsystem: "raw_syscalls"
+    event: "sys_enter"
+    raw: true
+    args:
+    - index: 4
+      type: "syscall64"
+`
+
+	err := checkCrd(t, crd)
+	require.NoError(t, err)
+}
+
+func TestTracepointValidationNotifyEnforcerWithoutEnforcer(t *testing.T) {
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "tp-enforcer-missing"
+spec:
+  tracepoints:
+  - subsystem: "raw_syscalls"
+    event: "sys_enter"
+    args:
+    - index: 4
+      type: "syscall64"
+    selectors:
+    - matchActions:
+      - action: NotifyEnforcer
+`
+
+	err := checkCrd(t, crd)
+	require.Error(t, err)
+}