github-actions: add unix socket runmode script and job

Runs with ASAN.

.github/workflows/builds.yml

@@ -1682,6 +1682,94 @@ jobs:
           fail_ci_if_error: false
           flags: livemode
 
+  ubuntu-24-04-pcap-unix:
+    name: Ubuntu 24.04 (pcap unix socket ASAN)
+    runs-on: ubuntu-latest
+    container:
+      image: ubuntu:24.04
+      options: --privileged
+    needs: [prepare-deps, prepare-cbindgen]
+    steps:
+      - name: Cache ~/.cargo
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
+        with:
+          path: ~/.cargo
+          key: ${{ github.job }}-cargo
+      - name: Determine number of CPUs
+        run: echo CPUS=$(nproc --all) >> $GITHUB_ENV
+
+      - name: Install dependencies
+        run: |
+          apt update
+          apt -y install \
+                libpcre2-dev \
+                build-essential \
+                autoconf \
+                automake \
+                llvm-18-dev \
+                cargo \
+                cbindgen \
+                clang-18 \
+                git \
+                jq \
+                libc++-dev \
+                libc++abi-dev \
+                libtool \
+                libpcap-dev \
+                libnet1-dev \
+                libyaml-0-2 \
+                libyaml-dev \
+                libcap-ng-dev \
+                libcap-ng0 \
+                libmagic-dev \
+                libnetfilter-queue-dev \
+                libnetfilter-queue1 \
+                libnfnetlink-dev \
+                libnfnetlink0 \
+                libnuma-dev \
+                libhiredis-dev \
+                liblua5.1-dev \
+                libjansson-dev \
+                libevent-dev \
+                libevent-pthreads-2.1-7 \
+                make \
+                parallel \
+                python3-yaml \
+                rustc \
+                software-properties-common \
+                sudo \
+                zlib1g \
+                zlib1g-dev \
+                exuberant-ctags \
+                unzip \
+                curl \
+                time \
+                wget \
+                dpdk-dev
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - run: git config --global --add safe.directory /__w/suricata/suricata
+      - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427
+        with:
+          name: prep
+          path: prep
+      - run: tar xf prep/libhtp.tar.gz
+      - name: Extracting suricata-verify
+        run: tar xf prep/suricata-verify.tar.gz
+      - name: Fix kernel mmap rnd bits
+        run: sudo sysctl vm.mmap_rnd_bits=28
+      - run: ./autogen.sh
+      - run: ./configure --enable-dpdk --disable-shared --enable-gccprotect --localstatedir=/var --prefix=/usr --sysconfdir=/etc
+        env:
+          CC: "clang-18"
+          CFLAGS: "-g -fsanitize=address -fno-omit-frame-pointer"
+          ac_cv_func_malloc_0_nonnull: "yes"
+          ac_cv_func_realloc_0_nonnull: "yes"
+      - run: make -j ${{ env.CPUS }}
+        env:
+          CC: "clang-18"
+      - run: |
+          ./qa/unix.sh "suricata-verify/"
+
   ubuntu-24-04-asan-afpdpdk:
     name: Ubuntu 24.04 (afpacket and dpdk live tests with ASAN)
     runs-on: ubuntu-latest

qa/unix.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# Script for QA purposes to exercise the unix socket runmode.
+# Call from the suricata directory, with a single argument:
+# Path to a checkout out Suricata-Verify repo.
+# The script will start Suricata, then find all pcap files from the
+# SV repo and use the unix socket to pass them to Suricata.
+
+set -x
+#set -e
+
+SV="$1"
+PCAPS="${SV}/tests/"
+
+USOCKET="/var/run/suricata/suricata.socket"
+mkdir -p /var/run/suricata/
+# Use ET open from SV
+RULES="${SV}/tests/test-ruleparse-etopen-01/emerging-all.rules"
+VERBOSE=""
+
+UnixCommand () {
+    COMMAND=$1
+    PYTHONPATH=python/ python3 python/bin/suricatasc -c "${COMMAND}" ${USOCKET}
+}
+
+Start () {
+    src/suricata -c suricata.yaml --unix-socket --set "default-log-dir=." \
+                --set "unix-command.filename=$USOCKET" -S ${RULES} \
+                --set classification-file=classification.config \
+                --set reference-config-file=reference.config -k none &
+    SURIPID=$!
+    echo "SURIPID $SURIPID"
+}
+
+Stop () {
+    echo "sending shutdown command"
+    UnixCommand shutdown
+
+    echo "waiting for suri $SURIPID to exit"
+    wait $SURIPID
+    RETVAL=$?
+    if [ $RETVAL -ne 0 ]; then
+        echo "FAILURE"
+        exit 1
+    else
+        echo "success"
+        exit 0
+    fi
+}
+
+SocketReady() {
+    RETVAL=255
+    CNT=0
+
+    while [ $RETVAL -ne 0 ]; do
+        UnixCommand version
+        RETVAL=$?
+        sleep 1
+        ((CNT++))
+        if [ $CNT -eq 300 ]; then
+            echo "ERROR: failed to start up"
+            exit 1
+        fi
+    done
+}
+
+FeedPcaps() {
+    PCAPLIST=$(find ${PCAPS} -type f -name '*.pcap')
+    for P in $PCAPLIST; do
+        UnixCommand "pcap-file ${P} ."
+    done
+
+    # wait for engine to report 0 pcaps in list
+    CNT=1
+    while [ $CNT -ne 0 ]; do
+        RAWCNT=$(UnixCommand pcap-file-number)
+        CNT=$(echo $RAWCNT|jq -r 'select(.message)|.message')
+	    sleep 3
+        echo $CNT
+    done
+    echo "FeedPcaps: loop done"
+    sleep 60
+    echo "FeedPcaps: end"
+}
+
+Start
+SocketReady
+FeedPcaps
+echo "stopping suri"
+Stop
+echo "suri stopped"
+exit 0