[WIP] Testing framework shared between all the drivers

[Andreagit97]

What type of PR is this?

/kind cleanup

/kind feature

Any specific area of the project related to this PR?

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area tests

Does this PR require a change in the driver versions?

No

What this PR does / why we need it:

Finally, we have the testing framework shared between all the 3 drivers! Right now it supports only the syscalls implemented in the modern probe but every time we add a new syscall in the modern and so a new test we can check that this test runs also for the other 2 drivers.
I know this PR is quite huge, and sorry for that, when I started I didn't imagine it would become something like this 😟 BTW we can think of splitting it in some way not so easy to do but we can find something.

One of the most widespread issues is the conversion from 32-bit signed numbers to 64-bit signed numbers. What we usually do
is:

• take a 32-bit signed number like -1 (FFFFFFFF)
• put it into an unsigned long (00000000FFFFFFFF)
• push it to userspace, which expects an int64 so -1 should be (FFFFFFFFFFFFFFFF)

We have other issues with syscalls that receive data like (recvfrom, recvmsg), because we rely on userspace structs that could be empty so in some cases, we are not able to extract the desired data (you can find more info in every single commit).

When a syscall doesn't behave as we expect I've chosen to skip the test case, but I don't skip it a priori, before doing that, I check that the event sent to userspace is correct, and only at the end I skip the test case, this is the reason why in the old probe or in the kmod you could see some tests SKIPPED

The idea is to run a sort of matrix in CI (I've still to check if all works well in CI), right now I would to run them on an ubuntu 22.04 machine and an ubuntu 20.04 one (only x86, unfortunately, we cannot run these tests in CI with aarch64 and s390x and that is really a pity since I tried locally and they work also on these architectures :( )

Which issue(s) this PR fixes:

Special notes for your reviewer:

I suggest reviewing it commit by commit, every commit should address a particular issue.
The PR is still not ready, I've to check the CI part, but I've tested it locally on the following machines:

• 5.11.0-051100 (x86)
• 5.15.0-1023 (x86)
• 4.14.276 (x86)
• 5.15.0-1019 (aarch64)
• 5.11.0-051100 (s390x)

Does this PR introduce a user-facing change?:

NONE

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Andreagit97]

and yes, I didn't change 202 files I've just renamed the external folder, and now we can build tests also without the modern bpf probe, I wrote everything in the README so please take a look :)

[Andreagit97]

Cool it seems that gtest doesn't define GTEST_SKIP() when we use system deps 🙄

[hbrueckner]

Hi @Andreagit97,

the PR reads awesome ❤️ ! And my thanks for also testing it on s390x! The s390 CI topic is still on my todo list ;-)

and yes, I didn't change 202 files I've just renamed the external folder, and now we can build tests also without the modern bpf probe, I wrote everything in the README so please take a look :)

I will have a look at it ;-)

[Andreagit97]

The question about build-modern-bpf-arm64 and build-modern-bpf-s390x(point [2] #782) is quite clear here we are using 2 jobs just to build the cpp tests without running them :/

[Andreagit97]

I supposed that ubuntu-20.04 and ubuntu-22.04 runners were different but they run on the same kernel so it's completely useless to have both of them I will remove ubuntu-20.04

[Andreagit97]

A sort of little self-review

[Andreagit97]

This is a test to check all drivers correctly start (only x86, it would be amazing to test also other archs)

[Andreagit97]

we have to disable it by default otherwise some CI jobs that use system deps will break since the gtest version is different

[Andreagit97]

like in the modern probe

[Andreagit97]

the logic is the same as before, i've just removed a nested if

[Andreagit97]

This is a workaround to avoid 2 case with the same value, for example:
if SO_SNDTIMEO is defined its value will be SO_SNDTIMEO_OLD or SO_SNDTIMEO_NEW so we cannot have a case for each of them

[Andreagit97]

again this is not a new test case!

[Andreagit97]

I had to call the bpf syscall from the child because the main process throws lots of bpf and sometimes we caught the wrong event from the ring buffer. With this workaround, we have just one bpf syscall produced by the child

Same for ioctl since the kmod use many ioctl calls

[Andreagit97]

I have changed the approach in all process syscalls. Now the father collects some data and asserts some parameters of the child. In the previous approach, the child asserted itself but the problem is that now we use a scap_handle and this should not be shared between more than one process for this reason i chose this new method :)

[Andreagit97]

Same for all other process syscalls

[Andreagit97]

not a new test!

[Andreagit97]

same approach described in bpf syscall

[Andreagit97]

/hold

[Andreagit97]

/milestone next-driver

[Andreagit97]

Probably this is too complex to review in one shot, I will keep this PR open just to show you the final result, but I will split its content into smaller PRs

We merged all the required PRs I think we can close this one :)

[hbrueckner]

Hi @Andreagit97 ,
with rebase of #809, I started running the driver_test against the BPF probe. There is yet a different behavior for sys_accept_x where modern BPF tests for successful return and BPF driver always provides information. I would add below to #809 unless you like to have a separate PR for it. Wdyt?

--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -2867,25 +2867,32 @@ FILLER(sys_accept_x, true)
        int res = bpf_val_to_ring_type(data, (s64)fd, PT_FD);
        CHECK_RES(res);
 
-       /* Parameter 2: tuple (type: PT_SOCKTUPLE) */
-       long size = bpf_fd_to_socktuple(data, fd, NULL, 0, false, true, data->tmp_scratch);
-       data->curarg_already_on_frame = true;
-       res = __bpf_val_to_ring(data, 0, size, PT_SOCKTUPLE, -1, false, KERNEL);
-       CHECK_RES(res);
-
        u32 queuelen = 0;
        u32 queuemax = 0;
        u8 queuepct = 0;
 
-       /* Get the listening socket (first syscall parameter) */
-       s32 listening_fd = (s32)bpf_syscall_get_argument(data, 0);
-       struct socket * sock = bpf_sockfd_lookup(data, listening_fd);
-       struct sock *sk = _READ(sock->sk);
-       queuelen = _READ(sk->sk_ack_backlog);
-       queuemax = _READ(sk->sk_max_ack_backlog);
-       if(queuelen && queuemax)
+       if (fd >= 0)
+       {
+               /* Parameter 2: tuple (type: PT_SOCKTUPLE) */
+               long size = bpf_fd_to_socktuple(data, fd, NULL, 0, false, true, data->tmp_scratch);
+               data->curarg_already_on_frame = true;
+               res = __bpf_val_to_ring(data, 0, size, PT_SOCKTUPLE, -1, false, KERNEL);
+               CHECK_RES(res);
+
+               /* Get the listening socket (first syscall parameter) */
+               s32 listening_fd = (s32)bpf_syscall_get_argument(data, 0);
+               struct socket * sock = bpf_sockfd_lookup(data, listening_fd);
+               struct sock *sk = _READ(sock->sk);
+               queuelen = _READ(sk->sk_ack_backlog);
+               queuemax = _READ(sk->sk_max_ack_backlog);
+               if(queuelen && queuemax)
+               {
+                       queuepct = (u8)((u64)queuelen * 100 / queuemax);
+               }
+       }
+       else
        {
-               queuepct = (u8)((u64)queuelen * 100 / queuemax);
+               bpf_push_empty_param(data);
        }
 
        /* Parameter 3: queuepct (type: PT_UINT8) */

[Andreagit97]

Hey @hbrueckner thank you for that! feel free to add these changes into #809 :)