@@ -766,11 +766,11 @@ mod tests {
766766 ) {
767767 // Set PF_FORKNOEXEC flag (0x00000040) on child process
768768 child. process_flags = 0x00000040 ;
769-
769+
770770 // Even with different exe/cmdline, flag detection should catch it
771771 child. exe = format!( "{}_different" , parent. exe) ;
772772 child. cmdline = format!( "{}_different" , parent. cmdline) ;
773-
773+
774774 assert!( forked_but_not_execd( & child, & parent, DetectionMode :: Flag ) ,
775775 "Process with PF_FORKNOEXEC flag should be detected as forked-but-not-execed" ) ;
776776 }
@@ -782,11 +782,11 @@ mod tests {
782782 ) {
783783 // Clear PF_FORKNOEXEC flag on child process
784784 child. process_flags = child. process_flags & !0x00000040 ;
785-
785+
786786 // Even with identical exe/cmdline, flag detection should not catch it
787787 child. exe = parent. exe. clone( ) ;
788788 child. cmdline = parent. cmdline. clone( ) ;
789-
789+
790790 assert!( !forked_but_not_execd( & child, & parent, DetectionMode :: Flag ) ,
791791 "Process without PF_FORKNOEXEC flag should NOT be detected as forked-but-not-execed in flag mode" ) ;
792792 }
@@ -800,7 +800,7 @@ mod tests {
800800 child. exe = format!( "{}_different" , parent. exe) ;
801801 child. cmdline = format!( "{}_different" , parent. cmdline) ;
802802 child. process_flags = child. process_flags | 0x00000040 ; // Set PF_FORKNOEXEC
803-
803+
804804 // ValidationMode should prefer flag-based detection (true)
805805 assert!( forked_but_not_execd( & child, & parent, DetectionMode :: ValidationMode ) ,
806806 "ValidationMode should prefer flag-based detection even when heuristic disagrees" ) ;
@@ -810,25 +810,43 @@ mod tests {
810810 #[ test]
811811 fn has_forknoexec_flag_detection ( ) {
812812 // Test flag detection with various flag combinations
813- assert ! ( has_forknoexec_flag( 0x00000040 ) , "Should detect PF_FORKNOEXEC flag when set alone" ) ;
814- assert ! ( has_forknoexec_flag( 0x00000041 ) , "Should detect PF_FORKNOEXEC flag when set with other flags" ) ;
815- assert ! ( has_forknoexec_flag( 0xFFFFFFFF ) , "Should detect PF_FORKNOEXEC flag when all flags are set" ) ;
816-
817- assert ! ( !has_forknoexec_flag( 0x00000000 ) , "Should not detect PF_FORKNOEXEC flag when no flags are set" ) ;
818- assert ! ( !has_forknoexec_flag( 0x0000003F ) , "Should not detect PF_FORKNOEXEC flag when other flags are set but not PF_FORKNOEXEC" ) ;
819- assert ! ( !has_forknoexec_flag( 0xFFFFFFBF ) , "Should not detect PF_FORKNOEXEC flag when it's specifically cleared" ) ;
813+ assert ! (
814+ has_forknoexec_flag( 0x00000040 ) ,
815+ "Should detect PF_FORKNOEXEC flag when set alone"
816+ ) ;
817+ assert ! (
818+ has_forknoexec_flag( 0x00000041 ) ,
819+ "Should detect PF_FORKNOEXEC flag when set with other flags"
820+ ) ;
821+ assert ! (
822+ has_forknoexec_flag( 0xFFFFFFFF ) ,
823+ "Should detect PF_FORKNOEXEC flag when all flags are set"
824+ ) ;
825+
826+ assert ! (
827+ !has_forknoexec_flag( 0x00000000 ) ,
828+ "Should not detect PF_FORKNOEXEC flag when no flags are set"
829+ ) ;
830+ assert ! (
831+ !has_forknoexec_flag( 0x0000003F ) ,
832+ "Should not detect PF_FORKNOEXEC flag when other flags are set but not PF_FORKNOEXEC"
833+ ) ;
834+ assert ! (
835+ !has_forknoexec_flag( 0xFFFFFFBF ) ,
836+ "Should not detect PF_FORKNOEXEC flag when it's specifically cleared"
837+ ) ;
820838 }
821839
822840 #[ test]
823841 fn detection_modes_enum_properties ( ) {
824842 // Ensure default is ValidationMode for transition period
825843 assert_eq ! ( DetectionMode :: default ( ) , DetectionMode :: ValidationMode ) ;
826-
844+
827845 // Ensure all modes are Copy and Clone
828846 let mode = DetectionMode :: Flag ;
829847 let _copied = mode;
830848 let _cloned = mode. clone ( ) ;
831-
849+
832850 // Ensure Debug formatting works
833851 let debug_str = format ! ( "{:?}" , DetectionMode :: ValidationMode ) ;
834852 assert ! ( debug_str. contains( "ValidationMode" ) ) ;
0 commit comments