fix(userspace/libsinsp): sinsp_filter_check_user::extract_single return-stack-address

Address the following warning (we build with -Werror...): ``` /__w/libs/libs/userspace/libsinsp/sinsp_filtercheck_user.cpp:104:26: warning: address of stack memory associated with local variable 'user' returned [-Wreturn-stack-address] 104 | RETURN_EXTRACT_STRING(user); | ^~~~ /__w/libs/libs/userspace/libsinsp/sinsp_filtercheck_user.cpp:34:21: note: expanded from macro 'RETURN_EXTRACT_STRING' 34 | return (uint8_t*)(x).c_str(); \ | ^ ``` Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
fix(libsinsp): use proper INET6_ADDRSTRLEN buffer size for inet_ntop
2025-08-06 16:39:05 +02:00 · 2025-08-04 12:16:49 +02:00 · 2025-08-04 10:00:48 +02:00 · 2025-08-04 10:00:48 +02:00 · 2025-08-04 09:46:48 +02:00 · 2025-08-04 09:46:48 +02:00
1501 changed files with 307889 additions and 136293 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -1,157 +0,0 @@
-version: 2.1
-jobs:
-  # Here we test drivers and also engines
-  "test-drivers-engines-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2204:2022.10.2
-    resource_class: arm.large
-    steps:
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev linux-headers-$(uname -r) clang-14 llvm-14
-            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && sudo make install
-
-      - checkout:
-          path: /tmp/libs
-
-      - run:
-          name: Print kernel info 🔢
-          command: |
-            uname -a
-
-      # Gvisor is not supported on ARM64
-      - run:
-          name: Build drivers and engines tests 🏗️
-          command: |
-            mkdir -p /tmp/libs/build
-            cd /tmp/libs/build && cmake -DUSE_BUNDLED_DEPS=On -DENABLE_DRIVERS_TESTS=On -DBUILD_LIBSCAP_GVISOR=Off -DBUILD_BPF=True -DBUILD_LIBSCAP_MODERN_BPF=On -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ..
-            make drivers_test driver bpf libscap_test scap-open -j6
-
-      - run:
-          name: Run drivers_test with modern bpf 🏎️
-          command: |
-            cd /tmp/libs/build
-            sudo ./test/drivers/drivers_test -m
-
-      - run:
-          name: Run drivers_test with bpf 🏎️
-          command: |
-            cd /tmp/libs/build
-            sudo ./test/drivers/drivers_test -b
-
-      - run:
-          name: Run drivers_test with kernel module 🏎️
-          command: |
-            cd /tmp/libs/build
-            sudo ./test/drivers/drivers_test -k
-
-      - run:
-          name: Run engine tests 🏎️
-          command: |
-            cd /tmp/libs/build
-            sudo ./test/libscap/libscap_test
-
-      - run:
-          name: Run scap-open with modern bpf 🏎️
-          command: |
-            cd /tmp/libs/build
-            sudo ./libscap/examples/01-open/scap-open --modern_bpf --num_events 0
-
-      - run:
-          name: Run scap-open with bpf 🏎️
-          command: |
-            cd /tmp/libs/build
-            sudo ./libscap/examples/01-open/scap-open --bpf ./driver/bpf/probe.o --num_events 0
-
-      - run:
-          name: Run scap-open with kmod 🏎️
-          command: |
-            cd /tmp/libs/build
-            sudo insmod ./driver/scap.ko || true
-            sudo ./libscap/examples/01-open/scap-open --kmod --num_events 0
-            sudo rmmod scap
-
-  # Here we test libraries
-  "test-libraries-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2204:2022.10.2
-    resource_class: arm.large
-    steps:
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev liblua5.1-dev
-
-      - checkout:
-          path: /tmp/libs
-
-      - run:
-          name: Install valijson and other external deps ⛓️
-          command: |
-            cd /tmp/libs
-            sudo .github/install-deps.sh
-
-      - run:
-          name: Build and run libraries tests 🏗️🏎️
-          command: |
-            mkdir -p /tmp/libs/build
-            cd /tmp/libs/build && cmake -DUSE_BUNDLED_DEPS=Off -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
-            make run-unit-tests -j6
-
-  "test-clang-7":
-    machine:
-      image: ubuntu-2004:202107-02
-    steps:
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends ca-certificates git make build-essential clang-7 libelf-dev libcap-dev cmake linux-headers-$(uname -r)
-            ls /usr/bin/ | grep clang
-            ls /usr/bin/ | grep llc
-            sudo ln -s /usr/bin/clang-7 /usr/bin/clang
-
-      - checkout:
-          path: /tmp/libs
-
-      - run:
-          name: Print kernel info 🔢
-          command: |
-            uname -a
-
-      - run:
-          name: Build drivers and engines tests 🏗️
-          command: |
-            mkdir -p /tmp/libs/build
-            cd /tmp/libs/build && cmake -DUSE_BUNDLED_DEPS=On -DENABLE_DRIVERS_TESTS=On -DBUILD_LIBSCAP_GVISOR=Off -DBUILD_BPF=True -DBUILD_LIBSCAP_MODERN_BPF=Off -DCREATE_TEST_TARGETS=On ..
-            make drivers_test driver bpf -j6
-
-      - run:
-          name: Run drivers_test with kernel module 🏎️
-          command: |
-            cd /tmp/libs/build
-            sudo ./test/drivers/drivers_test -k --gtest_filter=-'GenericTracepoints.page_fault_kernel'
-
-      - run:
-          name: Run drivers_test with bpf 🏎️
-          command: |
-            cd /tmp/libs/build
-            sudo ./test/drivers/drivers_test -b --gtest_filter=-'GenericTracepoints.page_fault_kernel'
-
-workflows:
-  version: 2.1
-  build_and_test:
-    jobs:
-      - "test-drivers-engines-arm64"
-      - "test-libraries-arm64"
-      - "test-clang-7"
--- a/.clang-format
+++ b/.clang-format
@ -1,16 +1,36 @@
---
 Language: Cpp
-BasedOnStyle: LLVM
-AccessModifierOffset: -8
-BreakBeforeBraces: Allman
+BasedOnStyle: Google
+AccessModifierOffset: -4
+BreakBeforeBraces: Attach
+AllowAllArgumentsOnNextLine: false
+AllowAllConstructorInitializersOnNextLine: false
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: Never
+AllowShortLoopsOnASingleLine: false
+BinPackArguments: false
+BinPackParameters: false
+ColumnLimit: 100
+DerivePointerBinding: false
+IndentCaseLabels: false
+IndentWidth: 4
+SpaceAfterTemplateKeyword: false
+TabWidth: 4
+UseTab: ForIndentation
 BreakConstructorInitializers: AfterColon
-ColumnLimit: 120
 ConstructorInitializerIndentWidth: 8
 ContinuationIndentWidth: 8
 DerivePointerAlignment: true
-IndentWidth: 8
-SortIncludes: false
-SpaceAfterTemplateKeyword: false
+SortIncludes: Never
 SpaceBeforeCtorInitializerColon: false
 SpaceBeforeParens: Never
-UseTab: Always
+InsertNewlineAtEOF: true
+---
+Language: Proto
+DisableFormat: true
+---
+Language: JavaScript
+DisableFormat: true
+---
+Language: Java
+DisableFormat: true
--- a/.clang-format-ignore
+++ b/.clang-format-ignore
@ -0,0 +1,16 @@
+# All vmlinux autogenerated headers are not formatted
+driver/modern_bpf/definitions/aarch64/vmlinux.h
+driver/modern_bpf/definitions/ppc64le/vmlinux.h
+driver/modern_bpf/definitions/s390x/vmlinux.h
+driver/modern_bpf/definitions/x86_64/vmlinux.h
+# Autogenerated events dimensions file for modern probe is not formatted
+driver/modern_bpf/definitions/events_dimensions.h
+# All syscall_compat autogenerated headers are not formatted
+driver/syscall_compat_aarch64.h
+driver/syscall_compat_loongarch64.h
+driver/syscall_compat_ppc64le.h
+driver/syscall_compat_riscv64.h
+driver/syscall_compat_s390x.h
+driver/syscall_compat_x86_64.h
+driver/syscall_ia32_64_map.c
+driver/syscall_table.c
--- a/.clang-tidy
+++ b/.clang-tidy
@ -0,0 +1,16 @@
+Checks:
+  - clang-diagnostic-*
+  - clang-analyzer-*
+  - clang-analyzer-core.*
+  - clang-analyzer-cplusplus.*
+  - clang-analyzer-nullability.*
+  - clang-analyzer-unix.*
+  - performance-*
+  - bugprone-use-after-move
+  - bugprone-move-forwarding-reference
+  - cppcoreguidelines-rvalue-reference-param-not-moved
+  - misc-unused-parameters
+WarningsAsErrors: 'bugprone-use-after-move'
+# UseColor true causes sarif conversion and reviewdog fail
+UseColor: false
+ExtraArgsBefore: ['-Wno-unknown-warning-option']
--- a/.cmake-format.json
+++ b/.cmake-format.json
@ -0,0 +1,254 @@
+{
+	"_help_format": "Options affecting formatting.",
+	"format": {
+		"_help_disable": [
+			"Disable formatting entirely, making cmake-format a no-op"
+		],
+		"disable": false,
+		"_help_line_width": [
+			"How wide to allow formatted cmake files"
+		],
+		"line_width": 100,
+		"_help_tab_size": [
+			"How many spaces to tab for indent"
+		],
+		"tab_size": 4,
+		"_help_use_tabchars": [
+			"If true, lines are indented using tab characters (utf-8",
+			"0x09) instead of <tab_size> space characters (utf-8 0x20).",
+			"In cases where the layout would require a fractional tab",
+			"character, the behavior of the  fractional indentation is",
+			"governed by <fractional_tab_policy>"
+		],
+		"use_tabchars": true,
+		"_help_fractional_tab_policy": [
+			"If <use_tabchars> is True, then the value of this variable",
+			"indicates how fractional indentions are handled during",
+			"whitespace replacement. If set to 'use-space', fractional",
+			"indentation is left as spaces (utf-8 0x20). If set to",
+			"`round-up` fractional indentation is replaced with a single",
+			"tab character (utf-8 0x09) effectively shifting the column",
+			"to the next tabstop"
+		],
+		"fractional_tab_policy": "use-space",
+		"_help_max_subgroups_hwrap": [
+			"If an argument group contains more than this many sub-groups",
+			"(parg or kwarg groups) then force it to a vertical layout."
+		],
+		"max_subgroups_hwrap": 2,
+		"_help_max_pargs_hwrap": [
+			"If a positional argument group contains more than this many",
+			"arguments, then force it to a vertical layout."
+		],
+		"max_pargs_hwrap": 6,
+		"_help_max_rows_cmdline": [
+			"If a cmdline positional group consumes more than this many",
+			"lines without nesting, then invalidate the layout (and nest)"
+		],
+		"max_rows_cmdline": 2,
+		"_help_separate_ctrl_name_with_space": [
+			"If true, separate flow control names from their parentheses",
+			"with a space"
+		],
+		"separate_ctrl_name_with_space": false,
+		"_help_separate_fn_name_with_space": [
+			"If true, separate function names from parentheses with a",
+			"space"
+		],
+		"separate_fn_name_with_space": false,
+		"_help_dangle_parens": [
+			"If a statement is wrapped to more than one line, than dangle",
+			"the closing parenthesis on its own line."
+		],
+		"dangle_parens": true,
+		"_help_dangle_align": [
+			"If the trailing parenthesis must be 'dangled' on its on",
+			"line, then align it to this reference: `prefix`: the start",
+			"of the statement,  `prefix-indent`: the start of the",
+			"statement, plus one indentation  level, `child`: align to",
+			"the column of the arguments"
+		],
+		"dangle_align": "prefix",
+		"_help_min_prefix_chars": [
+			"If the statement spelling length (including space and",
+			"parenthesis) is smaller than this amount, then force reject",
+			"nested layouts."
+		],
+		"min_prefix_chars": 4,
+		"_help_max_prefix_chars": [
+			"If the statement spelling length (including space and",
+			"parenthesis) is larger than the tab width by more than this",
+			"amount, then force reject un-nested layouts."
+		],
+		"max_prefix_chars": 10,
+		"_help_max_lines_hwrap": [
+			"If a candidate layout is wrapped horizontally but it exceeds",
+			"this many lines, then reject the layout."
+		],
+		"max_lines_hwrap": 2,
+		"_help_line_ending": [
+			"What style line endings to use in the output."
+		],
+		"line_ending": "unix",
+		"_help_command_case": [
+			"Format command names consistently as 'lower' or 'upper' case"
+		],
+		"command_case": "canonical",
+		"_help_keyword_case": [
+			"Format keywords consistently as 'lower' or 'upper' case"
+		],
+		"keyword_case": "unchanged",
+		"_help_always_wrap": [
+			"A list of command names which should always be wrapped"
+		],
+		"always_wrap": [],
+		"_help_enable_sort": [
+			"If true, the argument lists which are known to be sortable",
+			"will be sorted lexicographicall"
+		],
+		"enable_sort": true,
+		"_help_autosort": [
+			"If true, the parsers may infer whether or not an argument",
+			"list is sortable (without annotation)."
+		],
+		"autosort": false,
+		"_help_require_valid_layout": [
+			"By default, if cmake-format cannot successfully fit",
+			"everything into the desired linewidth it will apply the",
+			"last, most agressive attempt that it made. If this flag is",
+			"True, however, cmake-format will print error, exit with non-",
+			"zero status code, and write-out nothing"
+		],
+		"require_valid_layout": false,
+		"_help_layout_passes": [
+			"A dictionary mapping layout nodes to a list of wrap",
+			"decisions. See the documentation for more information."
+		],
+		"layout_passes": {}
+	},
+	"_help_markup": "Options affecting comment reflow and formatting.",
+	"markup": {
+		"_help_bullet_char": [
+			"What character to use for bulleted lists"
+		],
+		"bullet_char": "*",
+		"_help_enum_char": [
+			"What character to use as punctuation after numerals in an",
+			"enumerated list"
+		],
+		"enum_char": ".",
+		"_help_first_comment_is_literal": [
+			"If comment markup is enabled, don't reflow the first comment",
+			"block in each listfile. Use this to preserve formatting of",
+			"your copyright/license statements."
+		],
+		"first_comment_is_literal": false,
+		"_help_literal_comment_pattern": [
+			"If comment markup is enabled, don't reflow any comment block",
+			"which matches this (regex) pattern. Default is `None`",
+			"(disabled)."
+		],
+		"literal_comment_pattern": null,
+		"_help_fence_pattern": [
+			"Regular expression to match preformat fences in comments",
+			"default= ``r'^\\s*([`~]{3}[`~]*)(.*)$'``"
+		],
+		"fence_pattern": "^\\s*([`~]{3}[`~]*)(.*)$",
+		"_help_ruler_pattern": [
+			"Regular expression to match rulers in comments default=",
+			"``r'^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'``"
+		],
+		"ruler_pattern": "^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$",
+		"_help_explicit_trailing_pattern": [
+			"If a comment line matches starts with this pattern then it",
+			"is explicitly a trailing comment for the preceeding",
+			"argument. Default is '#<'"
+		],
+		"explicit_trailing_pattern": "#<",
+		"_help_hashruler_min_length": [
+			"If a comment line starts with at least this many consecutive",
+			"hash characters, then don't lstrip() them off. This allows",
+			"for lazy hash rulers where the first hash char is not",
+			"separated by space"
+		],
+		"hashruler_min_length": 10,
+		"_help_canonicalize_hashrulers": [
+			"If true, then insert a space between the first hash char and",
+			"remaining hash chars in a hash ruler, and normalize its",
+			"length to fill the column"
+		],
+		"canonicalize_hashrulers": true,
+		"_help_enable_markup": [
+			"enable comment markup parsing and reflow"
+		],
+		"enable_markup": true
+	},
+	"_help_lint": "Options affecting the linter",
+	"lint": {
+		"_help_disabled_codes": [
+			"a list of lint codes to disable"
+		],
+		"disabled_codes": [],
+		"_help_function_pattern": [
+			"regular expression pattern describing valid function names"
+		],
+		"function_pattern": "[0-9a-z_]+",
+		"_help_macro_pattern": [
+			"regular expression pattern describing valid macro names"
+		],
+		"macro_pattern": "[0-9A-Z_]+",
+		"_help_global_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with global (cache) scope"
+		],
+		"global_var_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_internal_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with global scope (but internal semantic)"
+		],
+		"internal_var_pattern": "_[A-Z][0-9A-Z_]+",
+		"_help_local_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with local scope"
+		],
+		"local_var_pattern": "[a-z][a-z0-9_]+",
+		"_help_private_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"privatedirectory variables"
+		],
+		"private_var_pattern": "_[0-9a-z_]+",
+		"_help_public_var_pattern": [
+			"regular expression pattern describing valid names for public",
+			"directory variables"
+		],
+		"public_var_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_argument_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"function/macro arguments and loop variables."
+		],
+		"argument_var_pattern": "[a-z][a-z0-9_]+",
+		"_help_keyword_pattern": [
+			"regular expression pattern describing valid names for",
+			"keywords used in functions or macros"
+		],
+		"keyword_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_max_conditionals_custom_parser": [
+			"In the heuristic for C0201, how many conditionals to match",
+			"within a loop in before considering the loop a parser."
+		],
+		"max_conditionals_custom_parser": 2,
+		"_help_min_statement_spacing": [
+			"Require at least this many newlines between statements"
+		],
+		"min_statement_spacing": 1,
+		"_help_max_statement_spacing": [
+			"Require no more than this many newlines between statements"
+		],
+		"max_statement_spacing": 2,
+		"max_returns": 6,
+		"max_branches": 12,
+		"max_arguments": 5,
+		"max_localvars": 15,
+		"max_statements": 50
+	}
+}
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@ -0,0 +1,16 @@
+# These commits altered the blame only to change types
+89ec22f38ce06145a10d52fd9be2cb1b872bfd11
+4dd9c8a2517dcda5aab0fc7a26197e74bf557fd6
+9326b1dd23efd095908a723a1d94acbe91032cab
+c8b971ecbff766003c736f01c0455e73dbd0efb3
+a5730f7a18e2e81b270105c2f81cf6c6a0201feb
+56b6e591cf8bf6849c27adfccc1557835daa1529
+93240ff1106f54add1e620e861bdfe890cf99108
+5c9b3cd3eb485ff8e4a3c364383f246d79146194
+0736581e22da38f260e01b64a9c73a4d66c7c02a
+2bea7ba762ed916eaf283066b20ad989b77276a6
+# This commit formatted the libs code for the first time.
+215db2d9de0cb15061873a2e3bea33f731a54cab
+# This commit has completely rewritten the history of file `userspace/libscap/engine/savefile/scap_savefile.c`. 
+# https://github.com/falcosecurity/libs/commit/a6df8fc90e3be0209c5a5f9bb0443077cd5d0967
+a6df8fc90e3be0209c5a5f9bb0443077cd5d0967
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -20,6 +20,8 @@

 > /kind failing-test

+> /kind test
+
 > /kind feature

 <!--
@ -58,8 +60,6 @@ Please remove the leading whitespace before the `/kind <>` you uncommented.

 > /area libscap-engine-savefile

-> /area libscap-engine-udig
-
 > /area libscap

 > /area libpman
--- a/.github/actions/composite-perf/action.yml
+++ b/.github/actions/composite-perf/action.yml
@ -0,0 +1,92 @@
+name: 'libs-perf'
+description: 'Run multiple perf tests on libs.'
+
+outputs:
+  perf_tests:
+    description: "Unit tests perf.data"
+    value: ${{ steps.store-outputs.outputs.perf_tests }}
+  perf_scap:
+    description: "Scap file perf.data"
+    value: ${{ steps.store-outputs.outputs.perf_scap }}
+  heaptrack_tests:
+    description: "Unit tests heaptrack data"
+    value: ${{ steps.store-outputs.outputs.heaptrack_tests }}
+  heaptrack_scap:
+    description: "Scap file heaptrack data"
+    value: ${{ steps.store-outputs.outputs.heaptrack_scap }}
+  gbench_json:
+    description: "Google benchmarks json data"
+    value: ${{ steps.store-outputs.outputs.gbench_json }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install deps ⛓️
+      shell: bash
+      run: |
+        sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
+        sudo .github/install-deps.sh
+
+    - name: Build
+      shell: bash
+      run: |
+        mkdir -p build
+        cd build && cmake -DUSE_BUNDLED_DEPS=False -DCMAKE_BUILD_TYPE=Debug -DENABLE_BENCHMARKS=True ../
+        make unit-test-libsinsp -j4
+        make bench -j4
+        make sinsp-example -j4
+
+    - name: Download scap file
+      shell: bash
+      run: |
+        cd build
+        wget https://download.falco.org/fixtures/trace-files/traces-positive.zip
+        unzip traces-positive.zip
+
+    - name: Run - perf unit tests
+      shell: bash
+      run: |
+        cd build
+        sudo perf record --call-graph dwarf -o perf_tests.data -q libsinsp/test/unit-test-libsinsp
+
+    # First empty run to stabilize disk IO (scap file read) perf
+    - name: Run - load scap file
+      shell: bash
+      run: |
+        cd build
+        sudo ./libsinsp/examples/sinsp-example -s traces-positive/falco-event-generator.scap &> /dev/null
+
+    - name: Run - perf scap file
+      shell: bash
+      run: |
+        cd build
+        sudo perf record --call-graph dwarf -o perf_scap.data -q ./libsinsp/examples/sinsp-example -s traces-positive/falco-event-generator.scap
+
+    - name: Run - heaptrack unit tests
+      shell: bash
+      run: |
+        cd build
+        sudo heaptrack -o heaptrack_tests.data libsinsp/test/unit-test-libsinsp
+
+    - name: Run - heaptrack scap file
+      shell: bash
+      run: |
+        cd build
+        sudo heaptrack -o heaptrack_scap.data ./libsinsp/examples/sinsp-example -s traces-positive/falco-event-generator.scap
+
+    - name: Run - gbench
+      shell: bash
+      run: |
+        cd build
+        ./benchmark/bench --benchmark_repetitions=20 --benchmark_report_aggregates_only --benchmark_out=gbench_data.json --benchmark_out_format=json
+
+    - name: Set Outputs
+      id: store-outputs
+      shell: bash
+      run: |
+        cd build
+        echo "perf_tests=$(realpath perf_tests.data)" >> $GITHUB_OUTPUT
+        echo "perf_scap=$(realpath perf_scap.data)" >> $GITHUB_OUTPUT
+        echo "heaptrack_tests=$(realpath heaptrack_tests.data.zst)" >> $GITHUB_OUTPUT
+        echo "heaptrack_scap=$(realpath heaptrack_scap.data.zst)" >> $GITHUB_OUTPUT
+        echo "gbench_json=$(realpath gbench_data.json)" >> $GITHUB_OUTPUT
--- a/.github/actions/install-zig/action.yml
+++ b/.github/actions/install-zig/action.yml
@ -0,0 +1,43 @@
+name: 'install-zig'
+description: 'Install zig compiler and make it available in PATH.'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Store zig version as local output
+      shell: bash
+      id: store
+      env:
+        ZIG_VERSION: '0.14.1'
+      run: |
+        echo "zig_version=${ZIG_VERSION}" >> "$GITHUB_OUTPUT"
+
+    - name: Download zig
+      shell: bash
+      run: |
+        curl -L -o zig.tar.xz https://ziglang.org/download/${{ steps.store.outputs.zig_version }}/zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}.tar.xz
+        tar -xvf zig.tar.xz
+
+        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
+        #!/bin/bash
+        exec zig cc -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
+        EOF
+        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc
+
+        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
+        #!/bin/bash
+        exec zig c++ -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
+        EOF
+        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++
+
+        mv zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/ zig
+
+    - name: Setup zig
+      shell: bash
+      id: zig
+      run: |
+        echo "$(pwd)/zig" >> $GITHUB_PATH
+        echo "CC=zig-cc" >> $GITHUB_ENV
+        echo "CXX=zig-c++" >> $GITHUB_ENV
+        echo "AR=zig ar" >> $GITHUB_ENV
+        echo "RANLIB=zig ranlib" >> $GITHUB_ENV
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
--- a/.github/install-deps.sh
+++ b/.github/install-deps.sh
@ -1,15 +1,19 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# http://www.apache.org/licenses/LICENSE-2.0
+#     http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 #

 set -e
@ -17,7 +21,7 @@ set -e
 mkdir -p third_party
 cd third_party

-# === Valijson === 
+# === Valijson ===
 echo "=== Building and installing valijson v0.6 ==="

 wget "https://github.com/tristanpenman/valijson/archive/refs/tags/v0.6.tar.gz"
@ -39,7 +43,7 @@ make install -j
 popd


-# === RE2 === 
+# === RE2 ===
 echo "=== Building and installing re2 (v2022-06-01) ==="

 wget "https://github.com/google/re2/archive/refs/tags/2022-06-01.tar.gz"
@ -52,16 +56,18 @@ cd build-re2
 cmake \
    -DCMAKE_BUILD_TYPE=Release \
    -DRE2_BUILD_TESTING=OFF \
+    -DBUILD_SHARED_LIBS=ON  \
    ..
 make -j
 make install -j
 popd

-# === Tinydir === 
-echo "=== Building and installing tinydir (1.2.5) ==="
+# === uthash ===
+echo "=== Downloading uthash.h (1.9.8) ==="

-wget "https://github.com/cxong/tinydir/archive/refs/tags/1.2.5.tar.gz"
-tar xzf 1.2.5.tar.gz
-pushd tinydir-1.2.5/
-cp tinydir.h /usr/include
-popd
+wget -P "/usr/include" "https://raw.githubusercontent.com/troydhanson/uthash/v1.9.8/src/uthash.h"
+
+# === BS_thread_pool ===
+echo "=== Downloading BS_thread_pool.h (4.1.0) ==="
+
+wget -P "/usr/include" "https://github.com/bshoshany/thread-pool/raw/v4.1.0/include/BS_thread_pool.hpp"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -14,49 +14,42 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  paths-filter:
-    runs-on: ubuntu-latest
-    outputs:
-      driver_changed: ${{ steps.filter.outputs.driver }}
-      libscap_changed: ${{ steps.filter.outputs.libscap }}
-      libsinsp_changed: ${{ steps.filter.outputs.libsinsp }}
-    steps:
-    - uses: actions/checkout@v2
-    - uses: dorny/paths-filter@v2
-      id: filter
-      with:
-        filters: |
-          driver:
-            - 'driver/**'
-          libscap:
-            - 'userspace/libscap/**'
-          libsinsp:
-            - 'userspace/libsinsp/**'
-
-  build-libs-linux-amd64:
-    name: build-libs-linux-amd64 😁
+  build-libs-linux:
+    name: build-libs-linux-${{ matrix.arch }} 😁 (${{ matrix.name }})
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    strategy:
+      fail-fast: false
      matrix:
-        name: [system_deps, bundled_deps, system_deps_w_chisels, system_deps_minimal]
+        arch: [amd64, arm64]
+        name: [system_deps, bundled_deps, sanitizers, zig]
        include:
          - name: system_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
          - name: bundled_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True
-          - name: system_deps_w_chisels
-            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False -DWITH_CHISEL=True
-          - name: system_deps_minimal
-            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
-    runs-on: ubuntu-latest
+          - name: sanitizers
+            cmake_opts: -DUSE_ASAN=On -DUSE_UBSAN=On -DUSE_BUNDLED_DEPS=False
+          - name: zig
+            cmake_opts: -DUSE_BUNDLED_DEPS=True
    container:
      image: debian:buster
    steps:
      - name: Install deps ⛓️
        run: |
-          apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev liblua5.1-dev linux-headers-amd64
+          # Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
+          printf "deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main\ndeb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main\ndeb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main" > /etc/apt/sources.list
+          apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
+
+      - name: Install a recent version of CMake ⛓️
+        run: |
+          curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
+          gzip -d /tmp/cmake.tar.gz
+          tar -xpf /tmp/cmake.tar --directory=/tmp
+          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
+          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/

      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@ -68,32 +61,58 @@ jobs:
        run: |
          git config --global --add safe.directory $GITHUB_WORKSPACE

+      - name: Install zig
+        if: matrix.name == 'zig'
+        uses: ./.github/actions/install-zig
+
      - name: Build and test 🏗️🧪
+        env:
+          UBSAN_OPTIONS: print_stacktrace=1
        run: |
          mkdir -p build
-          cd build && cmake ${{ matrix.cmake_opts }} ../
+          cd build && cmake ${{ matrix.cmake_opts }} -DENABLE_THREAD_POOL=ON ../
          KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
          make run-unit-tests

-  build-libs-linux-amd64-asan:
-    name: build-libs-linux-amd64-asan 🧐
+      - name: Test sinsp-example and .scap files
+        run: |
+          cd build && make sinsp-example
+          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google.txt
+          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google_comments.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google_comments.txt
+          diff -u /tmp/curl_google.txt /tmp/curl_google_comments.txt
+
+      # On zig, build also sinsp-example and check the glibc linked versions
+      # to make sure we are actually using the correct glibc version.
+      - name: Test zig build glibc version
+        if: matrix.name == 'zig'
+        run: |
+          cd build
+          objdump -T libsinsp/test/unit-test-libsinsp | grep -Eo 'GLIBC_\S+' | sort -u -t "." -k1,1n -k2,2n -k3,3n
+          linked_glibc=$(objdump -T libsinsp/test/unit-test-libsinsp | grep -Eo 'GLIBC_\S+' | sort -u -t "." -k1,1n -k2,2n -k3,3n | tail -n1 | tr -d ')')
+          if [ "$linked_glibc" != "GLIBC_2.17" ]; then
+            echo "Expected glibc 2.17; found $linked_glibc" 
+            exit 1
+          fi
+
+  build-libs-linux-amd64-static:
+    name: build-libs-linux-amd64-static 🎃
    runs-on: ubuntu-latest
    container:
-      image: debian:buster
+      image: alpine:3.17
    steps:
      - name: Install deps ⛓️
        run: |
-          apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev liblua5.1-dev linux-headers-amd64
+          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
+          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+          cd bpftool
+          git submodule update --init
+          cd src && make install

      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

-      - name: Install deps ⛓️
-        run: |
-          .github/install-deps.sh
-
      - name: Git safe directory
        run: |
          git config --global --add safe.directory $GITHUB_WORKSPACE
@ -101,50 +120,46 @@ jobs:
      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && LDFLAGS="-lpthread" cmake -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address -DUSE_BUNDLED_DEPS=False ../
-          KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
-          make run-unit-tests
+          cd build && cmake -DBUILD_BPF=On -DBUILD_DRIVER=Off -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DUSE_SHARED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DENABLE_THREAD_POOL=ON ../
+          make run-unit-tests -j4

  build-shared-libs-linux-amd64:
    name: build-shared-libs-linux-amd64 🧐
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
-      - name: Install deps ⛓️
-        run: |
-          sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev liblua5.1-dev linux-headers-$(uname -r)
-
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

-      - name: Git safe directory
+      - name: Install deps ⛓️
        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
+          sudo apt update
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
+          sudo .github/install-deps.sh

      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True -DUSE_BUNDLED_VALIJSON=True -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ../
-          KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
+          make -j4
          make run-unit-tests
-          
+
      - name: Install
        run: |
          cd build
          make install
-          
+
      - name: Test sinsp-example build with pkg-config
        run: |
          cd userspace/libsinsp/examples
          export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
-          g++ -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)
-          
+          g++ -o sinsp-example *.cpp $(pkg-config --cflags --libs libsinsp)
+
      - name: Test sinsp-example runtime linker
        run: |
          cd userspace/libsinsp/examples
-          export LD_LIBRARY_PATH=/tmp/libs-test/lib/falcosecurity
+          export LD_LIBRARY_PATH=/tmp/libs-test/lib
          ./sinsp-example -h

  build-libs-others-amd64:
@ -152,30 +167,66 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [windows-latest, macos-latest]
+        os: [windows-latest]
+        crt: [MultiThreaded, MultiThreadedDLL]
+        include:
+          - os: macos-latest
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=ON -DMINIMAL_BUILD=ON ..
-          cmake --build . --config Release && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe
+          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DENABLE_THREAD_POOL=ON ..
+          cmake --build . --config Release --parallel 4 && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe

-  # This job run all engine tests and scap-open
-  test-scap-x86:
-    name: test-scap-x86 😆 (bundled_deps)
-    runs-on: ubuntu-22.04
-    needs: paths-filter
-    if: needs.paths-filter.outputs.driver_changed == 'true' || needs.paths-filter.outputs.libscap_changed == 'true'
+  build-shared-libs-macos-amd64:
+    name: build-shared-libs-macos-amd64 😨
+    runs-on: macos-latest
    steps:
-
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        run: |
+          HOMEBREW_NO_AUTO_UPDATE=1 brew install c-ares re2 tbb jq jsoncpp openssl uthash
+
+      - name: Build 🏗️
+        run: |
+          mkdir -p build
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
+          cmake --build . --config Release --parallel $(getconf _NPROCESSORS_ONLN)
+
+      - name: Install
+        run: |
+          cd build
+          make install
+
+      - name: Test sinsp-example build with pkg-config 🧪
+        run: |
+          cd userspace/libsinsp/examples
+          export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
+          c++ --std=c++17 -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)
+
+      - name: Test sinsp-example runtime linker 🧪
+        run: |
+          cd userspace/libsinsp/examples
+          export DYLD_LIBRARY_PATH=/tmp/libs-test/lib
+          ./sinsp-example -h
+
+  # This job checks that a bundled deps of libs is as static as possible
+  test-libs-static:
+    name: test-libs-static (bundled_deps)
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@ -187,205 +238,35 @@ jobs:
          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90

-      - name: Build scap-open and drivers 🏗️
+      - name: Build sinsp-example
        run: |
          mkdir -p build
-          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=On -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
-          make scap-open
-          make driver bpf
-          make libscap_test
+          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=On -DCREATE_TEST_TARGETS=Off -DENABLE_LIBSCAP_TESTS=Off ../
+          make -j$(nproc) sinsp-example

-      - name: Run scap-open with modern bpf 🏎️
+      - name: Ensure that sinsp-example with bundled deps is as static as possible
        run: |
-          cd build
-          sudo ./libscap/examples/01-open/scap-open --modern_bpf --num_events 0
-
-      - name: Run scap-open with bpf 🏎️
-        run: |
-          cd build
-          sudo ./libscap/examples/01-open/scap-open --bpf ./driver/bpf/probe.o --num_events 0
-
-      - name: Run scap-open with kmod 🏎️
-        run: |
-          cd build
-          sudo insmod ./driver/scap.ko
-          sudo ./libscap/examples/01-open/scap-open --kmod --num_events 0
-          sudo rmmod scap
-
-      - name: Run libscap_test 🏎️
-        run: |
-          cd build
-          sudo ./test/libscap/libscap_test
-
-  test-drivers-x86:
-    name: test-drivers-x86 😇 (bundled_deps)
-    runs-on: ubuntu-22.04
-    needs: paths-filter
-    if: needs.paths-filter.outputs.driver_changed == 'true' || needs.paths-filter.outputs.libscap_changed == 'true'
-    steps:
-
-      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Install deps ⛓️
-        run: |
-          sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev linux-headers-$(uname -r) clang-14 llvm-14 libtool
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
-
-      - name: Build drivers tests 🏗️
-        run: |
-          mkdir -p build
-          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
-          make drivers_test
-          make driver bpf
-
-      - name: Run drivers_test with modern bpf 🏎️
-        run: |
-          cd build
-          sudo ./test/drivers/drivers_test -m
-
-      - name: Run drivers_test with bpf 🏎️
-        run: |
-          cd build
-          sudo ./test/drivers/drivers_test -b
-
-      - name: Run drivers_test with kmod 🏎️
-        run: |
-          cd build
-          sudo ./test/drivers/drivers_test -k
-
-  build-libs-s390x:
-    name: build-libs-s390x 😁 (system_deps)
-    runs-on: ubuntu-22.04
-    needs: paths-filter
-    if: needs.paths-filter.outputs.driver_changed == 'true' || needs.paths-filter.outputs.libsinsp_changed == 'true'
-    steps:
-
-      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - uses: uraimo/run-on-arch-action@v2.2.0
-        name: Run s390x build 🏗️
-        with:
-          arch: s390x
-          distro: ubuntu22.04
-          githubToken: ${{ github.token }}
-
-          install: |
-            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-generic            
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && make install
-            cd ../../
-            git clone https://github.com/libbpf/libbpf.git --branch v1.0.1 --single-branch
-            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install
-            ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/
-
-          # Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
-          run: |
-            git config --global --add safe.directory $GITHUB_WORKSPACE
-            .github/install-deps.sh
-            mkdir -p build
-            cd build && cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_LIBSCAP_GVISOR=OFF ../
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make scap-open driver bpf unit-test-libsinsp -j6
-            ./libsinsp/test/unit-test-libsinsp
+          ldd "build/libsinsp/examples/sinsp-example" | cut --fields=2 | cut --delimiter=' ' --fields=1 | rev | cut --delimiter='/' --fields=1 | rev | sort --unique --version-sort > ldd_out.txt
+          cat > expected_ldd_out.txt <<EOF
+          ld-linux-x86-64.so.2
+          libc.so.6
+          libgcc_s.so.1
+          libm.so.6
+          libstdc++.so.6
+          linux-vdso.so.1
+          EOF
+          diff -u expected_ldd_out.txt ldd_out.txt

  run-e2e-tests-amd64:
-    name: run-e2e-tests-amd64
-    strategy:
-      fail-fast: false
-      matrix:
-        name: [system_deps, bundled_deps, system_deps_w_chisels, asan]
-        include:
-          - name: system_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=False
-          - name: bundled_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=True
-          - name: system_deps_w_chisels
-            cmake_opts: -DUSE_BUNDLED_DEPS=False -DWITH_CHISEL=True
-          - name: asan
-            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install deps ⛓️
-        run: |
-          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
-            ca-certificates \
-            cmake \
-            build-essential \
-            clang-14 llvm-14 \
-            git \
-            clang \
-            llvm \
-            pkg-config \
-            autoconf \
-            automake \
-            libtool \
-            libelf-dev \
-            wget \
-            libc-ares-dev \
-            libbpf-dev \
-            libcap-dev \
-            libcurl4-openssl-dev \
-            libssl-dev \
-            libtbb-dev \
-            libjq-dev \
-            libjsoncpp-dev \
-            libgrpc++-dev \
-            protobuf-compiler-grpc \
-            libgtest-dev \
-            libprotobuf-dev \
-            liblua5.1-dev \
-            "linux-headers-$(uname -r)"
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+    uses: ./.github/workflows/reusable_e2e_tests.yaml
+    with:
+      libsversion: ${{ github.sha }}
+    secrets: inherit

-      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Install deps ⛓️
-        run: |
-          sudo .github/install-deps.sh
-
-      - name: Git safe directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-
-      - name: Build and test 🏗️🧪
-        run: |
-          mkdir -p build && cd build
-          cmake -DBUILD_BPF=ON \
-                -DBUILD_LIBSCAP_MODERN_BPF=ON \
-                -DBUILD_LIBSCAP_GVISOR=OFF \
-                ${{ matrix.cmake_opts }} \
-                -DUSE_BUNDLED_LIBBPF=ON \
-                ..
-          make -j$(nproc) sinsp-example driver bpf
-          sudo make e2e-install-deps
-          sudo ../test/e2e/scripts/run_tests.sh
-
-      - name: Archive test reports
-        uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: ${{ matrix.name }}_report
-          path: |
-            ${{ github.workspace }}/build/report/

  build-libs-emscripten:
    name: build-libs-emscripten 🧐
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - name: Install deps ⛓️
        run: |
@ -393,17 +274,13 @@ jobs:
          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r) emscripten

      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

-      - name: Git safe directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-
      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
          cd build && emcmake cmake -DUSE_BUNDLED_DEPS=True ../
-          KERNELDIR=/lib/modules/$(ls /lib/modules)/build emmake make -j4
-          KERNELDIR=/lib/modules/$(ls /lib/modules)/build emmake make run-unit-tests -j4
+          emmake make -j4
+          emmake make run-unit-tests -j4
--- a/.github/workflows/create-comment-kernel-testing.yml
+++ b/.github/workflows/create-comment-kernel-testing.yml
@ -0,0 +1,87 @@
+# NOTE: This has read-write repo token and access to secrets, so this must
+# not run any untrusted code.
+# see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+name: Comment with Kernel testing results on pull requests
+
+on:
+  workflow_run:
+    workflows: ["Drivers CI Build"]
+    types:
+      - completed
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifacts = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr-kernel-testing"
+            });
+            if (!Array.isArray(matchArtifacts) || !matchArtifacts.length) {
+              var process = require('process');
+              process.exit();
+            }
+            var matchArtifact = matchArtifacts[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+
+      - name: 'Unpack artifact'
+        run: |
+          if [ -f pr.zip ]; then
+            unzip pr.zip
+          fi
+
+      - name: 'Comment on PR'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # Taken from https://github.com/actions/github-script/blob/main/.github/workflows/pull-request-test.yml
+          script: |
+            var fs = require('fs');
+            if (!fs.existsSync('./NR')) {
+              var process = require('process');
+              process.exit();
+            }
+            var issue_number = Number(fs.readFileSync('./NR'));
+            var comment_body = fs.readFileSync('./COMMENT');
+
+            // Get the existing comments.
+            const {data: comments} = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issue_number,
+            });
+
+            // Find any comment already made by the bot.
+            const botComment = comments.find(comment => comment.user.id === 41898282 && comment.body.includes('# X64 kernel testing matrix'));
+
+            if (botComment) {
+              await github.rest.issues.updateComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                  body: comment_body.toString('utf8')
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue_number,
+                body: comment_body.toString('utf8')
+              });
+            }
--- a/.github/workflows/create-comment-perf.yml
+++ b/.github/workflows/create-comment-perf.yml
@ -0,0 +1,87 @@
+# NOTE: This has read-write repo token and access to secrets, so this must
+# not run any untrusted code.
+# see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+name: Comment with Perf diff on pull requests
+
+on:
+  workflow_run:
+    workflows: ["Perf CI"]
+    types:
+      - completed
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifacts = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr-perf"
+            });
+            if (!Array.isArray(matchArtifacts) || !matchArtifacts.length) {
+              var process = require('process');
+              process.exit();
+            }
+            var matchArtifact = matchArtifacts[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+
+      - name: 'Unpack artifact'
+        run: |
+          if [ -f pr.zip ]; then
+            unzip pr.zip
+          fi
+
+      - name: 'Comment on PR'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # Taken from https://github.com/actions/github-script/blob/main/.github/workflows/pull-request-test.yml
+          script: |
+            var fs = require('fs');
+            if (!fs.existsSync('./NR')) {
+              var process = require('process');
+              process.exit();
+            }
+            var issue_number = Number(fs.readFileSync('./NR'));
+            var comment_body = fs.readFileSync('./COMMENT');
+
+            // Get the existing comments.
+            const {data: comments} = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issue_number,
+            });
+
+            // Find any comment already made by the bot.
+            const botComment = comments.find(comment => comment.user.id === 41898282 && comment.body.includes('# Perf diff from master'));
+
+            if (botComment) {
+              await github.rest.issues.updateComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                  body: comment_body.toString('utf8')
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue_number,
+                body: comment_body.toString('utf8')
+              });
+            }
--- a/.github/workflows/driver-api-version.yml
+++ b/.github/workflows/driver-api-version.yml
@ -6,8 +6,12 @@ name: Driver API_VERSION checks
 on:
  pull_request_target:
    paths:
-      - 'driver/ppm_fillers.c'
-      - 'driver/bpf/fillers.h'
+      - 'userspace/libscap/engine/bpf/**'
+      - 'userspace/libscap/engine/modern_bpf/**'
+      - 'userspace/libscap/engine/kmod/**'
+      - 'driver/ppm_events_public.h'
+      - 'driver/bpf/maps.h'
+      - 'driver/modern_bpf/maps/maps.h'

 jobs:
  paths-filter:
@ -15,8 +19,8 @@ jobs:
    outputs:
      driver_api_changed: ${{ steps.filter.outputs.driver_api }}
    steps:
-    - uses: actions/checkout@v2
-    - uses: dorny/paths-filter@v2
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
      id: filter
      with:
        filters: |
@ -31,7 +35,7 @@ jobs:
    if: needs.paths-filter.outputs.driver_api_changed == 'false'
    steps:
      - name: Check driver API_VERSION
-        uses: mshick/add-pr-comment@v2
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
        with:
          message: |
            Please double check **driver/API_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#api-version-number).
--- a/.github/workflows/driver-schema-version.yml
+++ b/.github/workflows/driver-schema-version.yml
@ -6,6 +6,8 @@ name: Driver SCHEMA_VERSION checks
 on:
  pull_request_target:
    paths:
+      - 'driver/ppm_fillers.c'
+      - 'driver/bpf/fillers.h'
      - 'driver/event_table.c'
      - 'driver/ppm_events_public.h'
      - 'driver/event_stats.h'
@ -17,8 +19,8 @@ jobs:
    outputs:
      driver_schema_changed: ${{ steps.filter.outputs.driver_schema }}
    steps:
-    - uses: actions/checkout@v2
-    - uses: dorny/paths-filter@v2
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
      id: filter
      with:
        filters: |
@ -32,14 +34,14 @@ jobs:
    needs: paths-filter
    if: needs.paths-filter.outputs.driver_schema_changed == 'false'
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Check driver SCHEMA_VERSION
-        uses: mshick/add-pr-comment@v2
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
        with:
          message: |
            Please double check **driver/SCHEMA_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#schema-version-number).
-            
+
            /hold

      - name: Trigger failure
--- a/.github/workflows/driverkit.yml
+++ b/.github/workflows/driverkit.yml
@ -37,7 +37,7 @@ jobs:
      - name: Test drivers build on ${{ matrix.name }}
        run: |
          driverkit docker --kernelrelease ${{ matrix.kernelrelease }} --target ${{ matrix.target }} --output-module /tmp/libs.ko --output-probe /tmp/libs.o --driverversion $GITHUB_SHA --loglevel debug --kernelurls ${{ matrix.kernelurls }}
-          
+
  build-drivers-arm64:
    strategy:
      matrix:
@ -55,7 +55,7 @@ jobs:
            kernelrelease: 6.4.1-1.el9.elrepo.aarch64
            target: centos
            kernelurls: https://download.falco.org/fixtures/libs/kernel-ml-devel-6.4.1-1.el9.elrepo.aarch64.rpm
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
    container:
      image: falcosecurity/driverkit:latest
    steps:
--- a/.github/workflows/drivers_ci.yml
+++ b/.github/workflows/drivers_ci.yml
@ -0,0 +1,363 @@
+name: Drivers CI Build
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - 'release/**'
+      - 'maintainers/**'
+  workflow_dispatch:
+  # we cannot use paths key here since otherwise required_status_checks jobs won't run.
+  # See https://github.com/orgs/community/discussions/26251.
+  # We need to use the paths-filter job.
+
+# Checks if any concurrent jobs under the same pull request or branch are being executed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  paths-filter:
+    runs-on: ubuntu-latest
+    outputs:
+      driver: ${{ steps.filter.outputs.driver }}
+      libscap: ${{ steps.filter.outputs.libscap }}
+      libpman: ${{ steps.filter.outputs.libpman }}
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+      id: filter
+      with:
+        filters: |
+          driver:
+            - 'driver/**'
+          libscap:
+            - 'userspace/libscap/**'
+          libpman:
+            - 'userspace/libpman/**'
+
+  # This job run all engine tests and scap-open
+  test-scap:
+    name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
+    needs: paths-filter
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+        include:
+          - arch: amd64
+            enable_gvisor: True
+          - arch: amd64
+            enable_gvisor: False
+      fail-fast: false
+    steps:
+      - name: Checkout Libs ⤵️
+        # We need to skip each step because of https://github.com/orgs/community/discussions/9141.
+        # This avoids having a skipped job whose name is not the resolved matrix name, like "test-scap-${{ matrix.arch }} 😆 (bundled_deps)"
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          sudo apt update
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r)
+          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+          cd bpftool
+          git submodule update --init
+          cd src && sudo make install
+
+      - name: Build scap-open and drivers 🏗️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          mkdir -p build
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On -DUSE_ASAN=On -DUSE_UBSAN=On ../
+          make scap-open driver bpf libscap_test -j6
+
+      - name: Run scap-open with modern bpf 🏎️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          cd build
+          sudo ./libscap/examples/01-open/scap-open --modern_bpf --num_events 10
+
+      - name: Run scap-open with bpf 🏎️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          cd build
+          sudo ./libscap/examples/01-open/scap-open --bpf ./driver/bpf/probe.o --num_events 10
+
+      - name: Run scap-open with kmod 🏎️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          cd build
+          sudo insmod ./driver/scap.ko
+          sudo ./libscap/examples/01-open/scap-open --kmod --num_events 10
+          sudo rmmod scap
+
+      - name: Run libscap_test 🏎️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          cd build
+          sudo ./test/libscap/libscap_test
+
+      - name: Validate scap-open with modern bpf
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        uses: Andreagit97/bpfvalidator@v0.3.0
+        with:
+          args: |
+            --config=$GITHUB_WORKSPACE/driver/modern_bpf/bpfvalidator_config.yaml --cmd="$GITHUB_WORKSPACE/build/libscap/examples/01-open/scap-open --modern_bpf --num_events 10"
+
+  test-drivers:
+    name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    needs: paths-filter
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+      fail-fast: false
+    steps:
+      - name: Checkout Libs ⤵️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          sudo apt update
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang llvm libtool linux-headers-$(uname -r)
+          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+          cd bpftool
+          git submodule update --init
+          cd src && sudo make install
+
+      - name: Install multilib compilers for ia32 tests
+        if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64'
+        run: |
+          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
+
+      - name: Build drivers tests 🏗️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          mkdir -p build
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
+          make drivers_test driver bpf -j6
+
+      - name: Run drivers_test with modern bpf 🏎️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          cd build
+          sudo ./test/drivers/drivers_test -m
+
+      - name: Run drivers_test with bpf 🏎️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          cd build
+          sudo ./test/drivers/drivers_test -b
+
+      - name: Run drivers_test with kmod 🏎️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        run: |
+          cd build
+          sudo ./test/drivers/drivers_test -k
+
+  test-drivers-ppc64le:
+    name: test-drivers-ppc64le 😁 (system_deps,custom node)
+    runs-on: ubuntu-22.04
+    # Avoid running on forks since this job uses a private secret
+    # not available on forks, leading to failures.
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'falcosecurity/libs'
+    needs: paths-filter
+    steps:
+      - name: Extract branch name
+        run: echo "GIT_BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_ENV
+
+      - name: Build and test drivers on ppc64le node via ssh
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        uses: appleboy/ssh-action@2ead5e36573f08b82fbfce1504f1a4b05a647c6f # v1.2.2
+        with:
+          host: ${{ secrets.PPC64LE_HOST }}
+          username: ${{ secrets.PPC64LE_USERNAME }}
+          key: ${{ secrets.PPC64LE_KEY }}
+          port: ${{ secrets.PPC64LE_PORT }}
+          envs: GIT_BRANCH,GITHUB_REPOSITORY,GITHUB_SERVER_URL
+          command_timeout: 60m
+          script: |
+            sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+            # Remove, if present, any libs clone created by a previous job run.
+            rm -rf libs
+            git clone -b $GIT_BRANCH $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git libs
+            cd libs
+            mkdir -p build
+            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF -DUSE_BUNDLED_LIBELF=OFF ../
+            make drivers_test driver bpf -j6
+            sudo ./test/drivers/drivers_test -m
+            rc_modern=$?
+            sudo ./test/drivers/drivers_test -b
+            rc_bpf=$?
+            sudo ./test/drivers/drivers_test -k
+            rc_kmod=$?
+            exit $(($rc_modern + $rc_bpf +$rc_kmod))
+
+  build-drivers-s390x:
+    name: build-drivers-s390x 😁 (system_deps)
+    runs-on: ubuntu-22.04
+    needs: paths-filter
+    steps:
+      - name: Checkout Libs ⤵️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
+        name: Run s390x build 🏗️
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        with:
+          arch: s390x
+          distro: ubuntu22.04
+          githubToken: ${{ github.token }}
+
+          install: |
+            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev libcap-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-generic
+            git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+            cd bpftool
+            git submodule update --init
+            cd src && make install
+            cd ../../
+            git clone https://github.com/libbpf/libbpf.git --branch v1.3.0 --single-branch
+            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install install_uapi_headers 
+            ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/
+            ln -s /usr/include/bpf /usr/include/s390x-linux-gnu/
+          # Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
+          run: |
+            git config --global --add safe.directory $GITHUB_WORKSPACE
+            .github/install-deps.sh
+            mkdir -p build
+            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DENABLE_DRIVERS_TESTS=On -DCREATE_TEST_TARGETS=On -DBUILD_LIBSCAP_GVISOR=OFF ../
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make driver bpf drivers_test -j6
+
+  build-modern-bpf-skeleton:
+    needs: paths-filter
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: 'ubuntu-latest'
+    if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+    container: fedora:41
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build dependencies
+        run: |
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Build modern BPF skeleton
+        run: |
+          mkdir skeleton-build && cd skeleton-build
+          cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ..
+          make ProbeSkeleton -j6
+
+      - name: Upload skeleton
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: bpf_probe_x86_64.skel.h
+          path: skeleton-build/skel_dir/bpf_probe.skel.h
+          retention-days: 1
+
+  build-scap-open-w-extern-bpf-skeleton:
+    env:
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+    needs: [paths-filter,build-modern-bpf-skeleton]
+    runs-on: 'ubuntu-latest'
+    if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+    steps:
+      - name: Install build dependencies
+        run: |
+          sudo apt update
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev
+          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
+          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
+          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Download skeleton
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: bpf_probe_x86_64.skel.h
+          path: /tmp
+
+      - name: Prepare project
+        run: |
+          mkdir build && cd build
+          cmake \
+              -DCMAKE_BUILD_TYPE=Release \
+              -DUSE_BUNDLED_DEPS=On \
+              -DBUILD_LIBSCAP_MODERN_BPF=ON \
+              -DMODERN_BPF_SKEL_DIR=/tmp \
+              -DBUILD_DRIVER=Off \
+              -DBUILD_BPF=Off \
+              ..
+
+      - name: Build project
+        run: |
+          cd build
+          make scap-open -j6
+
+  # Only runs on pull request since on master branch it is already triggered by pages CI.
+  kernel-tests-dev:
+    needs: paths-filter
+    # Avoid running on forks since this job uses a private secret
+    # not available on forks, leading to failures.
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
+    uses: ./.github/workflows/reusable_kernel_tests.yaml
+    with:
+      # Use real branch's HEAD sha, not the merge commit
+      libsversion: ${{ github.event.pull_request.head.sha }}
+    secrets: inherit
+
+  kernel-tests-pr-info-upload:
+    needs: kernel-tests-dev
+    # Avoid running on forks since this job uses a private secret
+    # not available on forks, leading to failures.
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download X64 matrix
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: matrix_X64
+          path: matrix_X64
+
+      - name: Download ARM64 matrix
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: matrix_ARM64
+          path: matrix_ARM64
+
+      - name: Save PR info
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+          touch ./pr/COMMENT
+          echo "# X64 kernel testing matrix" >> ./pr/COMMENT
+          echo "$(head -n $(grep -n -v -m1 '^|' matrix_X64/matrix.md | awk -F':'  '{ print $1 }') matrix_X64/matrix.md)" >> ./pr/COMMENT
+          echo "" >> ./pr/COMMENT
+          echo "# ARM64 kernel testing matrix" >> ./pr/COMMENT
+          echo "$(head -n $(grep -n -v -m1 '^|' matrix_ARM64/matrix.md | awk -F':'  '{ print $1 }') matrix_ARM64/matrix.md)" >> ./pr/COMMENT
+          echo Uploading PR info...
+          cat ./pr/COMMENT
+          echo ""
+
+      - name: Upload PR info as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: pr-kernel-testing
+          path: pr/
+          retention-days: 1
+          if-no-files-found: warn
--- a/.github/workflows/e2e_ci.yml
+++ b/.github/workflows/e2e_ci.yml
@ -0,0 +1,169 @@
+name: libsinsp e2e CI
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - 'release/**'
+  workflow_dispatch:
+
+# Checks if any concurrent jobs under the same pull request or branch are being executed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build-test-e2e:
+    name: build-test-e2e-${{ matrix.arch }} 😇 (bundled_deps)
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+      fail-fast: false
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        run: |
+          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
+            ca-certificates \
+            cmake \
+            build-essential \
+            clang \
+            llvm \
+            git \
+            ccache \
+            llvm \
+            pkg-config \
+            autoconf \
+            automake \
+            libtool \
+            libelf-dev \
+            wget \
+            libbpf-dev \
+            libcap-dev \
+            libtbb-dev \
+            libjq-dev \
+            libjsoncpp-dev \
+            libgtest-dev \
+            libprotobuf-dev \
+            protobuf-compiler \
+            linux-headers-$(uname -r)
+          sudo .github/install-deps.sh
+          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+          cd bpftool
+          git submodule update --init
+          cd src && sudo make install
+
+      - name: Install multilib compilers for ia32 tests
+        if: matrix.arch == 'amd64'
+        run: |
+          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
+
+      - name: Run sccache-cache
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
+
+      - name: Build e2e tests 🏗️
+        env:
+          SCCACHE_GHA_ENABLED: "true"
+        run: |
+          mkdir -p build
+          cd build && \
+            cmake \
+                -DCMAKE_C_COMPILER_LAUNCHER=sccache \
+                -DCMAKE_CXX_COMPILER_LAUNCHER=sccache \
+                -DBUILD_BPF=ON \
+                -DUSE_BUNDLED_DEPS=ON \
+                -DUSE_ASAN=ON \
+                -DUSE_UBSAN=ON \
+                -DENABLE_LIBSINSP_E2E_TESTS=ON \
+                -DBUILD_LIBSCAP_MODERN_BPF=ON \
+                -DBUILD_LIBSCAP_GVISOR=OFF \
+                -DUSE_BUNDLED_LIBBPF=ON \
+                -DUSE_BUNDLED_GTEST=ON \
+                ..
+          make -j6 libsinsp_e2e_tests
+          sudo rm -vfr test/libsinsp_e2e/resources/_proc
+          cd ..
+
+      - name: Cache build
+        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        if: always()
+        id: cache
+        with:
+          path: build
+          key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
+
+  test-e2e:
+    name: test-e2e-${{ matrix.arch }}-${{ matrix.driver.name }} 😇 (bundled_deps)
+    needs: [build-test-e2e]
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+        driver: [ {name: kmod, option: -k}, {name: bpf, option: -b}, {name: modern-bpf, option: -m} ]
+      fail-fast: false
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Restore build
+        id: cache
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: build
+          key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
+          restore-keys: build-e2e-
+
+      - name: Fix kernel mmap rnd bits
+        # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
+        # high-entropy ASLR in much newer kernels that GitHub runners are
+        # using leading to random crashes: https://reviews.llvm.org/D148280
+        run: sudo sysctl vm.mmap_rnd_bits=28
+
+      - name: Update apt index
+        run: |
+          sudo apt update
+
+      - name: Install multilib compilers for ia32 tests
+        if: matrix.arch == 'amd64'
+        run: |
+          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
+
+      - name: Install deps
+        run: |
+          sudo apt install -y --no-install-recommends clang gcc llvm build-essential cmake python3 quota linux-headers-$(uname -r)
+
+        # We have no guarantees that the kernel version is the same for the
+        # different workers, so we rebuild the drivers.
+      - name: Rebuild drivers
+        run: |
+          pushd build
+          make -B driver bpf
+          pushd test/libsinsp_e2e/resources/
+          sudo tar xzf fake-proc.tar.gz
+          popd
+          popd
+
+      - name: Run e2e tests with ${{ matrix.driver.name }} 🏎️
+        if: matrix.arch == 'amd64'
+        env:
+          UBSAN_OPTIONS: print_stacktrace=1
+        run: |
+          cd build/test/libsinsp_e2e/
+          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }}
+
+        # the arm64 workers don't have the CONFIG_QFMT_V2 flag
+        # which is needed for the quotactl_ok test (cmd=QQUOTA_ON + id=QFMT_VFS_V0).
+      - name: Run e2e tests with ${{ matrix.driver.name }} 🏎️
+        if: matrix.arch == 'arm64'
+        env:
+          UBSAN_OPTIONS: print_stacktrace=1
+        run: |
+          cd build/test/libsinsp_e2e/
+          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@ -0,0 +1,38 @@
+name: Format code
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - "release/**"
+
+jobs:
+  format:
+    name: format code 🐲
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository 🎉
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        run: |
+          sudo apt update -y
+          sudo apt install -y --no-install-recommends ca-certificates pip git
+          pip install pre-commit
+
+      - name: Run pre-commit ©️
+        run: |
+          pre-commit run --show-diff-on-failure --color=always --all-files
+
+      - name: Generate the git-diff 🚒
+        if: failure()
+        run: git diff > format_diff.patch
+
+      - name: Upload the git diff artifact 📦
+        if: failure()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: format_diff.patch
+          path: ./format_diff.patch
--- a/.github/workflows/insecure-api.yml
+++ b/.github/workflows/insecure-api.yml
@ -1,26 +0,0 @@
-name: Insecure API check
-on:
-  pull_request:
-    branches:
-      - master
-      - 'release/**'
-      - 'maintainers/**'
-
-jobs:
-  insecure-api:
-    name: check-insecure-api
-    runs-on: ubuntu-latest
-    container:
-      image: returntocorp/semgrep
-    steps:
-      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Scan PR for insecure API usage 🕵️
-        run: |
-          semgrep scan \
-            --error \
-            --metrics=off \
-            --baseline-commit ${{ github.event.pull_request.base.sha }} \
-            --config=./semgrep
--- a/.github/workflows/kernel_tests.yaml
+++ b/.github/workflows/kernel_tests.yaml
@ -1,98 +0,0 @@
-name: Test drivers against a matrix of kernels/distros
-
-on:
-  workflow_dispatch:
-    inputs:
-      libsversion:
-        description: libs version to be tested
-        type: string
-        required: false
-        default: master
-  push:
-    branches:
-      - master
-    tags:
-      - '[0-9]+.[0-9]+.[0-9]+\+driver'
-    
-concurrency:
-  group: kernel-tests
-  cancel-in-progress: true
-
-jobs:
-  test-kernels:
-    strategy:
-      fail-fast: false
-      matrix:
-        architecture: [X64, ARM64]
-    runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ]    
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          repository: falcosecurity/kernel-testing
-          ref: v0.2.3
-        
-      - name: Generate vars yaml
-        working-directory: ./ansible-playbooks
-        run: |
-          LIBS_V=${{ github.event.inputs.libsversion }}
-          LIBS_VERSION=${LIBS_V:-${{ github.ref_name }}}
-          cat > vars.yml <<EOF
-          run_id: "id-${{ github.run_id }}"
-          output_dir: "~/ansible_output_${{ github.run_id }}"
-          repos:
-            libs: {name: "falcosecurity-libs", repo: "https://github.com/falcosecurity/libs.git", version: "$LIBS_VERSION"}
-          EOF
-    
-      - name: Bootstrap VMs
-        working-directory: ./ansible-playbooks
-        run: |
-          ansible-playbook bootstrap.yml --extra-vars "@vars.yml"
-      
-      - name: Common setup
-        working-directory: ./ansible-playbooks
-        run: |
-          ansible-playbook common.yml --extra-vars "@vars.yml"
-
-      - name: Prepare github repos
-        working-directory: ./ansible-playbooks
-        run: |
-          ansible-playbook git-repos.yml --extra-vars "@vars.yml"
-      
-      - name: Run scap-open tests
-        working-directory: ./ansible-playbooks
-        run: |
-          ansible-playbook scap-open.yml --extra-vars "@vars.yml" || :
-          
-      - name: Tar output files
-        run: |
-          tar -cvf ansible_output.tar ~/ansible_output_${{ github.run_id }}
-
-      - uses: actions/upload-artifact@v3
-        with:
-          name: ansible_output_${{matrix.architecture}}
-          path: ansible_output.tar
-    
-      - name: Build matrix_gen
-        working-directory: ./matrix_gen
-        env:
-          GOPATH: /root/go
-          GOCACHE: /root/.cache/go-build
-        run: |
-          go build .
-        
-      - name: Generate new matrix
-        working-directory: ./matrix_gen
-        run: |
-          ./matrix_gen --root-folder ~/ansible_output_${{ github.run_id }} --output-file matrix_${{matrix.architecture}}.md
-        
-      - uses: actions/upload-artifact@v3
-        with:
-          name: matrix_${{matrix.architecture}}
-          path: ./matrix_gen/matrix_${{matrix.architecture}}.md
-          
-      - name: Cleanup
-        if: always()
-        working-directory: ./ansible-playbooks
-        run: |
-          ansible-playbook clean-up.yml --extra-vars "@vars.yml" || :
--- a/.github/workflows/latest-kernel.yml
+++ b/.github/workflows/latest-kernel.yml
@ -4,33 +4,31 @@ on:
  workflow_dispatch:
    inputs:
      linux-version:
-        description: 'Archlinux kernel version to build a driver against, eg: 6.2.arch1-1'
-        required: true
+        description: 'Archlinux kernel version to build a driver against, eg: 6.2.arch1-1 or empty to build latest mainline'
+        required: false
        type: string
  schedule:
    - cron: '0 8 * * *' # every day at 8am

 jobs:
-  build-latest-kernel:
-    name: build-latest-kernel
-    runs-on: ubuntu-latest
-    container:
-      image: falcosecurity/driverkit:latest
+  compute-latest-version:
+    outputs:
+      latest_vers: ${{ steps.latest-version.outputs.latest_vers }}
+    runs-on: 'ubuntu-latest'
    steps:
      - name: Checkout Archlinux mainline package ⤵️
        run: |
-          apk update && apk add git
          git clone https://aur.archlinux.org/linux-mainline.git linux/
-    
+
      - name: Generate driverkit config
        id: latest-version
        # Note: in case we are building latest mainline,
        # we grep the linux-mainline aur PKGBUILD "_tag" line, that is made like: "_tag=v6.4-rc1"
        # We then need to extract the part after the "=" and finally remove the starting "v".
-        run: |    
+        run: |
          cd linux/
          echo "kernelversion: 1" > dk.yaml
-          echo "architecture: amd64" >> dk.yaml
+          echo "driverversion: ${{ github.sha }}" >> dk.yaml
          echo "output:" >> dk.yaml
          echo "  module: mod.ko" >> dk.yaml
          echo "  probe: probe.o" >> dk.yaml
@ -44,26 +42,80 @@ jobs:
            echo "target: arch" >> dk.yaml
          fi
          echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT
-      
+
      - name: Upload driverkit config
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: driverkit_config.yaml
          path: linux/dk.yaml
-          
+
+  build-latest-kernel-amd64:
+    needs: 'compute-latest-version'
+    outputs:
+      build: ${{ steps.build.outcome }}
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Download driverkit config
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: driverkit_config.yaml
+
+      - name: Download latest driverkit artifact
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+        with:
+          fileName: driverkit_*_linux_amd64.tar.gz
+          latest: true
+          repository: falcosecurity/driverkit
+          tarBall: false
+          zipBall: false
+          extract: true
+
      - name: Test drivers build
        id: build
        run: |
-          echo "Testing build of drivers against: ${{ steps.latest-version.outputs.latest_vers }}"
-          driverkit docker -c linux/dk.yaml -l debug
-          
+          echo "Testing build of drivers against: ${{ needs.compute-latest-version.outputs.latest_vers }}"
+          chmod +x driverkit
+          ./driverkit docker -c dk.yaml -l debug --timeout 300
+
+  build-latest-kernel-arm64:
+    needs: 'compute-latest-version'
+    outputs:
+      build: ${{ steps.build.outcome }}
+    runs-on: 'ubuntu-22.04-arm'
+    steps:
+      - name: Download driverkit config
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: driverkit_config.yaml
+
+      - name: Download latest driverkit artifact
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+        with:
+          fileName:  driverkit_*_linux_arm64.tar.gz
+          latest: true
+          repository: falcosecurity/driverkit
+          tarBall: false
+          zipBall: false
+          extract: true
+
+      - name: Test drivers build
+        id: build
+        run: |
+          echo "Testing build of drivers against: ${{ needs.compute-latest-version.outputs.latest_vers }}"
+          chmod +x driverkit
+          ./driverkit docker -c dk.yaml -l debug --timeout 300
+
+  badge-latest-kernel:
+    if: always() && github.event_name == 'schedule'
+    runs-on: 'ubuntu-latest'
+    needs: [compute-latest-version,build-latest-kernel-amd64,build-latest-kernel-arm64]
+    steps:
      - name: Update README badge
-        uses: schneegans/dynamic-badges-action@v1.6.0
-        if: always() && inputs.linux-version == ''
+        uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0
        with:
          auth: ${{ secrets.FEDEDP_GIST_SECRET }}
          gistID: 1cbc5d42edf8e3a02fb75e76625f1072
          filename: kernel.json
          label: Drivers build
-          message: ${{ steps.latest-version.outputs.latest_vers }}
-          color: ${{ steps.build.outcome != 'success' && 'red' || 'brightgreen' }}
+          message: ${{ needs.compute-latest-version.outputs.latest_vers }}
+          color: ${{ (needs.build-latest-kernel-amd64.outputs.build != 'success' || needs.build-latest-kernel-arm64.outputs.build != 'success') && 'red' || 'brightgreen' }}
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@ -1,53 +1,144 @@
 name: Deploy Github Pages
 on:
-  workflow_run:
-    workflows: ["Test drivers against a matrix of kernels/distros"]
-    types: [completed]
+  push:
    branches: [master]
-      
+
 permissions:
  contents: read
  pages: write
  id-token: write

 concurrency:
-  group: "pages"
+  group: pages
  cancel-in-progress: true

 jobs:
+  kernel-tests-master:
+    uses: ./.github/workflows/reusable_kernel_tests.yaml
+    secrets: inherit
+
+  perf-libs-master:
+    runs-on: [ "self-hosted", "linux", "X64" ]
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run perf
+        id: perf
+        uses: ./.github/actions/composite-perf
+
+      - name: Archive master perf report
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: perf_report
+          retention-days: 30 # 30 days because this is the artifact on master; we need to retain it to be able to properly diff it
+          path: |
+            ${{ steps.perf.outputs.perf_tests }}
+            ${{ steps.perf.outputs.perf_scap }}
+            ${{ steps.perf.outputs.heaptrack_tests }}
+            ${{ steps.perf.outputs.heaptrack_scap }}
+            ${{ steps.perf.outputs.gbench_json }}
+          if-no-files-found: error
+
+      - name: Checkout Flamegraph ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: 'brendangregg/FlameGraph'
+          path: flamegraph
+          ref: master
+
+      - name: Generate svg file - perf unit tests
+        run: |
+          sudo perf script --dsos unit-test-libsinsp -i ${{ steps.perf.outputs.perf_tests }} > perf_tests.perf
+          ./flamegraph/stackcollapse-perf.pl perf_tests.perf > perf_tests.folded
+          ./flamegraph/flamegraph.pl perf_tests.folded > perf_tests.svg
+
+      - name: Generate svg file - perf scap file
+        run: |
+          sudo perf script --dsos sinsp-example -i ${{ steps.perf.outputs.perf_scap }} > perf_scap.perf
+          ./flamegraph/stackcollapse-perf.pl perf_scap.perf > perf_scap.folded
+          ./flamegraph/flamegraph.pl perf_scap.folded > perf_scap.svg
+
+      - name: Generate svg file - heaptrack unit tests
+        run: |
+          heaptrack_print ${{ steps.perf.outputs.heaptrack_tests }} -F stacks.txt
+          ./flamegraph/flamegraph.pl stacks.txt > heaptrack_tests.svg
+          rm -rf stacks.txt
+
+      - name: Generate svg file - heaptrack scap file
+        run: |
+          heaptrack_print ${{ steps.perf.outputs.heaptrack_scap }} -F stacks.txt
+          ./flamegraph/flamegraph.pl stacks.txt > heaptrack_scap.svg
+          rm -rf stacks.txt
+
+      - name: Upload svg files
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: perf_svg
+          path: '*.svg'
+          if-no-files-found: error
+
  deploy-pages:
+    needs: [kernel-tests-master,perf-libs-master]
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      
-      - name: Download matrixes
-        uses: dawidd6/action-download-artifact@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Download matrix X64
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
-          workflow: kernel_tests.yaml
-          branch: master
-          name: matrix_*
-          name_is_regexp: true
-      
+          name: matrix_X64
+
+      - name: Move X64 matrix under docs
+        run: mv matrix.md docs/matrix_X64.md
+
+      - name: Download matrix ARM64
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: matrix_ARM64
+
+      - name: Move ARM64 matrix under docs
+        run: mv matrix.md docs/matrix_ARM64.md
+
      - name: Disable Table Of Content for matrixes pages
        run: |
-          mv matrix_*/*.md docs/
          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_X64.md
          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_ARM64.md

-      - uses: actions/setup-python@v2
+      - name: Download perf svg files
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: perf_svg
+
+      - name: Generate perf pages
+        run: |
+          mv perf_tests.svg docs/
+          echo '<object data="../perf_tests.svg" type="image/svg+xml" id="perf_unit_tests"></object>' > docs/perf_unit_tests.md
+          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/perf_unit_tests.md
+          mv perf_scap.svg docs/
+          echo '<object data="../perf_scap.svg" type="image/svg+xml" id="perf_scap_file"></object>' > docs/perf_scap_file.md
+          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/perf_scap_file.md
+          mv heaptrack_tests.svg docs/
+          echo '<object data="../heaptrack_tests.svg" type="image/svg+xml" id="heaptrack_unit_tests"></object>' > docs/heaptrack_unit_tests.md
+          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_unit_tests.md
+          mv heaptrack_scap.svg docs/
+          echo '<object data="../heaptrack_scap.svg" type="image/svg+xml" id="heaptrack_scap_file"></object>' > docs/heaptrack_scap_file.md
+          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_scap_file.md
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: 3.x
-          
+
      - run: pip install mkdocs mkdocs-material
-      
+
      - run: mkdocs build
-      
-      - uses: actions/upload-pages-artifact@v1
+
+      - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
        with:
          path: 'site'

      - id: deployment
-        uses: actions/deploy-pages@v1
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
--- a/.github/workflows/perf.yml
+++ b/.github/workflows/perf.yml
@ -0,0 +1,168 @@
+name: Perf CI
+on:
+  pull_request:
+  workflow_dispatch:
+
+# Checks if any concurrent jobs under the same pull request or branch are being executed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-perf
+  cancel-in-progress: true
+
+jobs:
+  perf-libs-linux-amd64:
+    runs-on: [ "self-hosted", "linux", "X64" ]
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Checkout Google benchmark ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: 'google/benchmark'
+          ref: 'v1.9.0'
+          path: google-benchmark/
+
+      - name: Run perf
+        id: perf
+        uses: ./.github/actions/composite-perf
+
+      - name: Download latest master report
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+        with:
+          branch: master
+          event: push
+          name: perf_report
+          workflow: pages.yml
+
+      - name: Diff from master - perf unit tests
+        run: |
+          sudo perf diff perf_tests.data ${{ steps.perf.outputs.perf_tests }} -d unit-test-libsinsp -b -o 1 --percentage relative -q &> perf_tests_diff.txt
+
+      - name: Diff from master - perf scap file
+        run: |
+          sudo perf diff perf_scap.data ${{ steps.perf.outputs.perf_scap }} -d sinsp-example -b -o 1 --percentage relative -q &> perf_scap_diff.txt
+
+      - name: Diff from master - heaptrack unit tests
+        run: |
+          sudo heaptrack_print heaptrack_tests.data.zst -d ${{ steps.perf.outputs.heaptrack_tests }} &> heaptrack_tests_diff.txt
+
+      - name: Diff from master - heaptrack scap file
+        run: |
+          sudo heaptrack_print heaptrack_scap.data.zst -d ${{ steps.perf.outputs.heaptrack_scap }} &> heaptrack_scap_diff.txt
+
+      - name: Diff from master - gbench
+        run: |
+          pip3 install -r google-benchmark/tools/requirements.txt
+          python3 google-benchmark/tools/compare.py --no-color benchmarks gbench_data.json ${{ steps.perf.outputs.gbench_json }} &> gbench_diff.txt
+
+      - name: Archive perf diff
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: perf_diff
+          path: '*_diff.txt'
+          if-no-files-found: error
+
+      - name: Save PR info
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+          touch ./pr/COMMENT
+          echo "# Perf diff from master - unit tests" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          head -n10 "perf_tests_diff.txt" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          echo "" >> ./pr/COMMENT
+          # Drop unstable perf results!
+          # echo "# Perf diff from master - scap file" >> ./pr/COMMENT
+          # echo "\`\`\`" >> ./pr/COMMENT
+          # head -n10 "perf_scap_diff.txt" >> ./pr/COMMENT
+          # echo "\`\`\`" >> ./pr/COMMENT
+          # echo "" >> ./pr/COMMENT
+          echo "# Heap diff from master - unit tests" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          tail -n3 "heaptrack_tests_diff.txt" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          echo "" >> ./pr/COMMENT
+          echo "# Heap diff from master - scap file" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          tail -n3 "heaptrack_scap_diff.txt" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          echo "# Benchmarks diff from master" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          cat "gbench_diff.txt" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          echo Uploading PR info...
+          cat ./pr/COMMENT
+          echo ""
+
+      - name: Upload PR info as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: pr-perf
+          path: pr/
+          retention-days: 1
+          if-no-files-found: warn
+
+      # Check will fail if sum of all differences is >= 1%.
+      # But we will always comment with the perf diff from master
+      - name: Check >= 5% threshold - perf unit tests
+        if: always()
+        run: |
+          sum=$(awk '{sum+=sprintf("%f",$2)}END{printf "%.6f\n",sum}' perf_tests_diff.txt | tr ',' '.')
+          if (( $(echo "$sum >= 5.0" | bc -l) )); then
+            exit 1
+          fi
+
+      # Check will fail if sum of all differences is >= 1%.
+      # But we will always comment with the perf diff from master
+      # CHECK DISABLED: UNSTABLE PERF TEST.
+#      - name: Check >= 1% threshold - perf scap file
+#        if: always() # Even if other threshold checks failed
+#        run: |
+#          sum=$(awk '{sum+=sprintf("%f",$2)}END{printf "%.6f\n",sum}' perf_scap_diff.txt | tr ',' '.')
+#          if (( $(echo "$sum >= 1.0" | bc -l) )); then
+#            exit 1
+#          fi
+
+      # Check will fail if there is any heap memory usage difference >= 1M,
+      # or if there is new memory leaked.
+      - name: Check >= 1M threshold or new leaked mem - heaptrack unit tests
+        if: always() # Even if other threshold checks failed
+        run: |
+          tail -n 3 heaptrack_tests_diff.txt | grep "peak heap memory consumption" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 >= 1048576) print }' &> heaptrack_tests_diff_above_thresh.txt
+          if [ -s heaptrack_tests_diff_above_thresh.txt ]; then
+            exit 1
+          fi
+          tail -n 3 heaptrack_scap_diff.txt | grep "total memory leaked" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 > 0) print }' &> heaptrack_scap_diff_above_thresh.txt
+          if [ -s heaptrack_scap_diff_above_thresh.txt ]; then
+            exit 2
+          fi
+
+      # Check will fail if there is any heap memory usage difference >= 1M,
+      # or if there is new memory leaked.
+      - name: Check >= 1M threshold or new leaked mem - heaptrack scap file
+        if: always() # Even if other threshold checks failed
+        run: |
+          tail -n 3 heaptrack_scap_diff.txt | grep "peak heap memory consumption" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 >= 1048576) print }' &> heaptrack_scap_diff_above_thresh.txt
+          if [ -s heaptrack_scap_diff_above_thresh.txt ]; then
+            exit 1
+          fi
+          tail -n 3 heaptrack_scap_diff.txt | grep "total memory leaked" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 > 0) print }' &> heaptrack_scap_diff_above_thresh.txt
+          if [ -s heaptrack_scap_diff_above_thresh.txt ]; then
+            exit 2
+          fi
+
+      # Check will fail if there any google benchmark is slowed more than 5%
+      - name: Check >= 5% slowdown on google benchmarks
+        if: always() # Even if other threshold checks failed
+        run: |
+          # Remove first 3 lines and last line that are no tests results
+          tail -n+4 gbench_diff.txt | head -n -1 | while read p; do
+            test_name=$(echo "$p" | awk '{print $1}')
+            if [[ "$test_name" =~ _mean$ ]]; then
+              diff_pct=$(echo "$p" | awk '{print $3}' | tr -d '+')
+              if (( $(echo "$diff_pct >= 5.0" | bc -l) )); then
+                exit 1
+              fi
+            fi
+          done
--- a/.github/workflows/release-body.yml
+++ b/.github/workflows/release-body.yml
@ -1,42 +1,177 @@
-name: Generate release body
+name: Generate release body for published releases
 on:
-  workflow_run:
-    workflows: ["Test drivers against a matrix of kernels/distros"]
-    types: [completed]
-    branches-ignore: ['master'] # ignore master runs (we could skip this given the below extract semver check; still, this is a small optimization)
-      
-permissions:
-  contents: write
+  release:
+    types: [published]

+# Checks if any concurrent jobs is running for driver release CI and eventually wait for it.
 concurrency:
-  group: "release-body"
-  cancel-in-progress: true
+  group: release
+  cancel-in-progress: false

 jobs:
-  release-body:
+  release-settings:
+    runs-on: ubuntu-latest
+    outputs:
+      is_latest: ${{ steps.get_settings.outputs.is_latest }}
+      is_driver: ${{ steps.get_settings.outputs.is_driver }}
+    steps:
+      - name: Get latest release
+        uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
+        id: latest_release
+        env:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.repository }}
+          type: "stable"
+
+      - name: Get settings for this release
+        id: get_settings
+        shell: python
+        run: |
+          import os
+          import re
+          import sys
+
+          semver_no_meta = '''^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?P<buildmetadata>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$'''
+          tag_name = '${{ github.event.release.tag_name }}'
+
+          is_valid_version = re.match(semver_no_meta, tag_name) is not None
+          if not is_valid_version:
+            print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
+            sys.exit(1)
+
+          is_prerelease = '-' in tag_name
+
+          # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
+          is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
+
+          is_driver = "+driver" in tag_name
+
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
+            print(f'is_latest={is_latest}'.lower(), file=ofp)
+            print(f'is_driver={is_driver}'.lower(), file=ofp)
+
+  release-body-libs:
+    needs: [release-settings]
+    if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'false' }} # only for latest releases and not driver ones
+    permissions:
+      contents: write
    runs-on: ubuntu-latest
    steps:
-      # Note: there is no `tag` filter for `workflow_run`.
-      # We need to manually check whether we are running on a tag.
-      - name: Extract semver ℹ️
-        uses: actions-ecosystem/action-regex-match@v2
-        id: regex-match
-        with:
-          text: ${{ github.event.workflow_run.head_branch }}
-          regex: '[0-9]+.[0-9]+.[0-9]+\+driver$'
+      - name: Clone repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Skip on non driver tag
-        if: steps.regex-match.outputs.match == ''
-        run: exit 0
-          
-      - name: Download matrixes
-        uses: dawidd6/action-download-artifact@v2
+      - name: Create release body file
+        run: |
+          touch release-body.md
+
+      - name: Extract MIN_API version
+        run: |
+          MIN_API_VER=$(grep SCAP_MINIMUM_DRIVER_API_VERSION userspace/libscap/scap.h)
+          prefix="#define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION"
+          MIN_API_VER=${MIN_API_VER/#$prefix}
+          MIN_API_VER=$(echo $MIN_API_VER | tr -d "(" | tr -d ")")
+          MIN_API_VER=$(echo $MIN_API_VER | sed -r 's/, /./g')
+          echo '!'"[MIN_DRIVER_API](https://img.shields.io/badge/MIN_DRIVER_API-${MIN_API_VER}-yellow)" >> release-body.md
+
+      - name: Extract MIN_SCHEMA version
+        run: |
+          MIN_SCHEMA_VER=$(grep SCAP_MINIMUM_DRIVER_SCHEMA_VERSION userspace/libscap/scap.h)
+          prefix="#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION"
+          MIN_SCHEMA_VER=${MIN_SCHEMA_VER/#$prefix}
+          MIN_SCHEMA_VER=$(echo $MIN_SCHEMA_VER | tr -d "(" | tr -d ")")
+          MIN_SCHEMA_VER=$(echo $MIN_SCHEMA_VER | sed -r 's/, /./g')
+          echo '!'"[MIN_DRIVER_SCHEMA](https://img.shields.io/badge/MIN_DRIVER_SCHEMA-${MIN_SCHEMA_VER}-yellow)" >> release-body.md
+          echo "" >> release-body.md
+
+      - name: Generate release notes
+        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
        with:
-          workflow: kernel_tests.yaml
-          name: matrix_*
-          name_is_regexp: true
-          run_id: ${{ github.event.workflow_run.id }}
-      
+          milestone: ${{ github.event.release.tag_name }}
+          output: ./notes.md
+
+      - name: Merge release notes to pre existent body
+        run: cat notes.md >> release-body.md
+
+      - name: Attach release creator to release body
+        run: |
+          echo "" >> release-body.md
+          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
+
+      - name: Release
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        with:
+          body_path: ./release-body.md
+          tag_name: ${{ github.event.release.tag_name }}
+          name: ${{ github.event.release.name }}
+
+  kernel-tests-release:
+    needs: [release-settings]
+    if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases
+    uses: ./.github/workflows/reusable_kernel_tests.yaml
+    with:
+      libsversion: ${{ github.event.release.tag_name }}
+    secrets: inherit
+
+  release-body-driver:
+    needs: [release-settings, kernel-tests-release]
+    if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone libs repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Create release body file
+        run: |
+          touch release-body.md
+
+      - name: Extract API and SCHEMA versions
+        run: |
+          touch release-body.md
+          API_VERS=$(cat driver/API_VERSION)
+          SCHEMA_VERS=$(cat driver/SCHEMA_VERSION)
+          echo '!'"[API](https://img.shields.io/badge/API-${API_VERS}-yellow)" >> release-body.md
+          echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md
+          echo "" >> release-body.md
+
+      - name: Push badge to latest kernel release
+        run: |
+          wget https://gist.githubusercontent.com/FedeDP/1cbc5d42edf8e3a02fb75e76625f1072/raw/kernel.json
+          # 6.15-rc2 -> 6.15
+          # 6.10.6 -> 6.10
+          # 6.10 -> 6.10
+          KVER=$(cat kernel.json | jq '.message' | tr -d '"' | grep -oE -- '[0-9]+.[0-9]+')
+          SUCCESS=$(cat kernel.json | jq '.color' | tr -d '"')
+          # If latest run was not successful,
+          # revert back to previous kernel release.
+          # Of course, the fallback logic is bugged in case minor is 0,
+          # as we cannot know which was the previous version.
+          # It should not matter until kernel 7.0 :P
+          if [[ "$SUCCESS" = "red" ]]; then
+            n=${KVER//[!0-9]/ }
+            a=(${n//\./ })
+            KVER=$(echo "${a[0]}.$((a[1] - 1))")
+          fi
+          echo '!'"[Latest Compatible Kernel](https://img.shields.io/badge/KERNEL-${KVER}-brightgreen)" >> release-body.md
+          echo "" >> release-body.md
+
+      - name: Download matrix X64
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: matrix_X64
+
+      - name: Rename X64 matrix
+        run: mv matrix.md matrix_X64.md
+
+      - name: Download matrix ARM64
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: matrix_ARM64
+
+      - name: Rename ARM64 matrix
+        run: mv matrix.md matrix_ARM64.md
+
      # Steps:
      # Remove everything after the table (ie: since the first line that starts with "# ",
      # ie: a markdown section start.
@ -45,18 +180,31 @@ jobs:
      # Finally, merge them together
      - name: Append matrixes to create release body
        run: |
-          mv matrix_*/*.md .
          sed -i -n '/# /q;p' matrix_X64.md
          sed -i -n '/# /q;p' matrix_ARM64.md
          sed -i 's/\[\(.\)\]([^)]*)/\1/g' matrix_X64.md
          sed -i 's/\[\(.\)\]([^)]*)/\1/g' matrix_ARM64.md
          sed -i '1s/^/# Driver Testing Matrix amd64\n\n/' matrix_X64.md
          sed -i '1s/^/# Driver Testing Matrix arm64\n\n/' matrix_ARM64.md
-          cat matrix_X64.md matrix_ARM64.md > release-body.md
+          cat matrix_X64.md matrix_ARM64.md >> release-body.md
+
+      - name: Generate release notes
+        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73 # main
+        with:
+          milestone: ${{ github.event.release.tag_name }}
+          output: ./notes.md
+
+      - name: Merge release notes to pre existent body
+        run: cat notes.md >> release-body.md
+
+      - name: Attach release creator to release body
+        run: |
+          echo "" >> release-body.md
+          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md

      - name: Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
        with:
          body_path: ./release-body.md
-          append_body: true
-          tag_name: ${{ github.event.workflow_run.head_branch }}
+          tag_name: ${{ github.event.release.tag_name }}
+          name: ${{ github.event.release.name }}
--- a/.github/workflows/reusable_e2e_tests.yaml
+++ b/.github/workflows/reusable_e2e_tests.yaml
@ -0,0 +1,137 @@
+name: Run libs e2e tests python framework
+
+on:
+  workflow_call:
+    inputs:
+      container_plugin_artifact_name:
+        description: 'use a previously built custom container plugin; artifact name to be downloaded, or empty'
+        type: string
+        required: false
+        default: ''
+      test-docker:
+        description: "Whether to run tests with docker socket"
+        type: boolean
+        required: false
+        default: true
+      test-podman:
+        description: "Whether to run tests with podman socket"
+        type: boolean
+        required: false
+        default: true
+      libsversion:
+        description: 'libs version to be tested, eg: master'
+        type: string
+        required: false
+        default: 'master'
+      libsrepo:
+        description: 'libs repo to be tested, eg: falcosecurity/libs'
+        type: string
+        required: false
+        default: 'falcosecurity/libs'
+
+jobs:
+  test-e2e:
+    if: inputs.test-docker || inputs.test-podman
+    strategy:
+      fail-fast: false
+      matrix:
+        name: [ system_deps, bundled_deps, asan ]
+        include:
+          - name: system_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=False
+          - name: bundled_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=True
+          - name: asan
+            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install deps ⛓️
+        run: |
+          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
+            ca-certificates \
+            cmake \
+            build-essential \
+            git \
+            clang \
+            llvm \
+            pkg-config \
+            autoconf \
+            automake \
+            libtool \
+            libelf-dev \
+            wget \
+            libbpf-dev \
+            libcap-dev \
+            libtbb-dev \
+            libjq-dev \
+            libjsoncpp-dev \
+            libgtest-dev \
+            libprotobuf-dev \
+            protobuf-compiler \
+            "linux-headers-$(uname -r)"
+
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          repository: ${{ inputs.libsrepo }}
+          ref: ${{ inputs.libsversion }}
+
+      - name: Install deps ⛓️
+        run: |
+          sudo .github/install-deps.sh
+
+      - name: Build tests 🏗️
+        run: |
+          mkdir -p build && cd build
+          cmake -DBUILD_BPF=ON \
+                -DBUILD_LIBSCAP_MODERN_BPF=ON \
+                -DBUILD_LIBSCAP_GVISOR=OFF \
+                -DENABLE_E2E_TESTS=ON \
+                ${{ matrix.cmake_opts }} \
+                -DUSE_BUNDLED_LIBBPF=ON \
+                ..
+          make -j$(nproc) sinsp-example driver bpf container_plugin
+          sudo -E make e2e-install-deps
+
+      - name: Download overriding custom container plugin
+        if: inputs.container_plugin_artifact_name != ''
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: ${{ inputs.container_plugin_artifact_name }}
+          path: build/test/e2e/container_plugin-prefix/src/container_plugin/
+
+      - name: Run tests - docker 🧪
+        if: inputs.test-docker
+        working-directory: build
+        run: |
+          sudo -E ../test/e2e/scripts/run_tests.sh
+
+      - name: Archive test reports - docker
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: inputs.test-docker && failure()
+        with:
+          name: ${{ matrix.name }}_docker_report
+          path: |
+            /tmp/report/
+
+      - name: Run tests - podman 🧪
+        if: inputs.test-podman && always()
+        working-directory: build
+        env:
+          # Set DOCKER_HOST pointing to podman socket
+          DOCKER_HOST: unix://run/podman/podman.sock
+        run: |
+          # Cleanup docker tests generated report folder
+          sudo rm -rf /tmp/report
+          # Podman tests require podman socket
+          sudo systemctl start podman
+          sudo -E ../test/e2e/scripts/run_tests.sh
+
+      - name: Archive test reports - podman
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: inputs.test-podman && failure()
+        with:
+          name: ${{ matrix.name }}_podman_report
+          path: |
+            /tmp/report/
--- a/.github/workflows/reusable_kernel_tests.yaml
+++ b/.github/workflows/reusable_kernel_tests.yaml
@ -0,0 +1,58 @@
+name: Test drivers against a matrix of kernels/distros
+
+on:
+  workflow_dispatch:
+    inputs:
+      libsversion:
+        description: 'libs version to be tested, eg: master'
+        type: string
+        required: false
+        default: 'master'
+      libsrepo:
+        description: 'libs repo to be tested, eg: falcosecurity/libs'
+        type: string
+        required: false
+        default: 'falcosecurity/libs'
+  workflow_call:
+    inputs:
+      libsversion:
+        description: 'libs version to be tested, eg: master'
+        type: string
+        required: false
+        default: 'master'
+      libsrepo:
+        description: 'libs repo to be tested, eg: falcosecurity/libs'
+        type: string
+        required: false
+        default: 'falcosecurity/libs'
+
+concurrency:
+  group: kernel-tests
+  cancel-in-progress: false
+
+jobs:
+  test-kernels:
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture: [X64, ARM64]
+    runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ]
+    steps:
+      # We need to use v0.3.2 instead of the hash because the tagname is 
+      # used by the action to download release tagged images.
+      - uses: falcosecurity/kernel-testing@v0.3.2
+        id: kernel_tests
+        with:
+          libsversion: ${{ inputs.libsversion }}
+          libsrepo: ${{ inputs.libsrepo }}
+          build_matrix: 'true'
+
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: ansible_output_${{matrix.architecture}}
+          path: ${{ steps.kernel_tests.outputs.ansible_output }}
+
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: matrix_${{matrix.architecture}}
+          path: ${{ steps.kernel_tests.outputs.matrix_output }}
--- a/.github/workflows/semgrep_checks.yml
+++ b/.github/workflows/semgrep_checks.yml
@ -0,0 +1,44 @@
+name: Semgrep Checks
+on:
+  pull_request:
+    branches:
+      - master
+      - 'release/**'
+      - 'maintainers/**'
+
+jobs:
+  insecure-api:
+    name: check-insecure-api
+    runs-on: ubuntu-latest
+    container:
+      image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - name: Scan PR for insecure API usage 🕵️
+        run: |
+          semgrep scan \
+            --error \
+            --metrics=off \
+            --baseline-commit ${{ github.event.pull_request.base.sha }} \
+            --config=./semgrep/insecure-api
+
+  absolute-include-paths:
+    name: check-absolute-include-paths
+    runs-on: ubuntu-latest
+    container:
+      image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - name: Scan PR for libs relateive include paths 🕵️
+        run: |
+          semgrep scan \
+            --error \
+            --metrics=off \
+            --baseline-commit ${{ github.event.pull_request.base.sha }} \
+            --config=./semgrep/absolute-include-paths.yaml
--- a/.github/workflows/test_coverage_ci.yml
+++ b/.github/workflows/test_coverage_ci.yml
@ -0,0 +1,46 @@
+name: Test Coverage CI
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+# Checks if any concurrent jobs under the same pull request or branch are being executed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  unit-test-libsinsp-coverage:
+    name: unit-test-libsinsp-coverage 🧐
+    runs-on: 'ubuntu-22.04'
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        run: |
+          sudo apt-get update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r) gpg gpg-agent gcovr
+          sudo .github/install-deps.sh
+
+      - name: Build and test 🏗️🧪
+        run: |
+          mkdir -p build
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=True -DENABLE_COVERAGE=True -DUSE_BUNDLED_DEPS=False ../
+          KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
+          make run-unit-tests
+
+      - name: Generate libsinsp coverage report
+        run: |
+          gcovr --xml -o ./libsinsp.coverage.xml
+
+      - name: Upload to codecov
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        with:
+          fail_ci_if_error: true
+          files: ./libsinsp.coverage.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
+          verbose: true
+          flags: libsinsp
--- a/.github/workflows/update-syscalls.yml
+++ b/.github/workflows/update-syscalls.yml
@ -7,29 +7,26 @@ on:

 jobs:
  update-syscalls:
-    runs-on: ubuntu-latest
-    container:
-      image: falcosecurity/syscalls-bumper:latest
    permissions:
      contents: write
      pull-requests: write
+    runs-on: ubuntu-latest
    steps:
-      - name: Git set-up
-        run: |
-          apk update && apk add git
-
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: master
-          
+          path: libs
+
      - name: Bump syscalls
-        run: |
-          syscalls-bumper --repo-root $(pwd) --overwrite
-          
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5-rc
+        uses: falcosecurity/syscalls-bumper@main # should be pointing to main
        with:
+          repo-root: ${{ github.workspace }}/libs
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          path: libs
          signoff: true
          base: master
          branch: update/syscalls
--- a/.gitignore
+++ b/.gitignore
@ -28,3 +28,4 @@ cscope.out
 tags
 third_party
 *.vagrant*
+.DS_Store
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,23 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+fail_fast: false
+minimum_pre_commit_version: '0'
+repos:
+- repo: https://github.com/cheshirekow/cmake-format-precommit
+  rev: v0.6.13
+  hooks:
+  - id: cmake-format
+    stages: [pre-commit]
+- repo: https://github.com/pre-commit/mirrors-clang-format
+  rev: v18.1.8
+  hooks:
+  - id: clang-format
+    types_or: [c++, c]
+    stages: [pre-commit]
+- repo: local
+  hooks:
+  - id: dco-hook-local
+    name: DCO hook local
+    entry: ./tools/local_hooks/dco-pre-commit-msg.sh
+    language: script
+    stages: [prepare-commit-msg]
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -1,33 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-# Prior to doing anything, we make sure that we aren't trying to
-# run cmake in-tree.
+# Prior to doing anything, we make sure that we aren't trying to run cmake in-tree.
 if(EXISTS ${CMAKE_CURRENT_BINARY_DIR}/CMakeLists.txt)
-	message(FATAL_ERROR
-		"Looks like you are trying to run CMake from the base source directory.\n"
-		"** RUNNING CMAKE FROM THE BASE DIRECTORY WILL NOT WORK **\n"
-		"To Fix:\n"
-		" 1. Remove the CMakeCache.txt file in this directory. ex: rm CMakeCache.txt\n"
-		" 2. Create a build directory from here. ex: mkdir build\n"
-		" 3. cd into that directory. ex: cd build\n"
-		" 4. Run cmake from the build directory. ex: cmake ..\n"
-		" 5. Run make from the build directory. ex: make\n"
-		"Full paste-able example:\n"
-		"( rm -f CMakeCache.txt; mkdir build; cd build; cmake ..; make )")
+	message(
+		FATAL_ERROR
+			"Looks like you are trying to run CMake from the base source directory.\n"
+			"** RUNNING CMAKE FROM THE BASE DIRECTORY WILL NOT WORK **\n"
+			"To Fix:\n"
+			" 1. Remove the CMakeCache.txt file in this directory. ex: rm CMakeCache.txt\n"
+			" 2. Create a build directory from here. ex: mkdir build\n"
+			" 3. cd into that directory. ex: cd build\n"
+			" 4. Run cmake from the build directory. ex: cmake ..\n"
+			" 5. Run make from the build directory. ex: make\n"
+			"Full paste-able example:\n"
+			"( rm -f CMakeCache.txt; mkdir build; cd build; cmake ..; make )"
+	)
 endif()

 cmake_minimum_required(VERSION 3.12)
@ -37,16 +37,36 @@ if(POLICY CMP0042)
 	cmake_policy(SET CMP0042 NEW)
 endif()

+# Enable CMAKE_MSVC_RUNTIME_LIBRARY on Windows + CMake >= 3.15 and link with the static
+# (MultiThreaded) CRT unless instructed otherwise.
+if(NOT (CMAKE_MSVC_RUNTIME_LIBRARY OR BUILD_SHARED_LIBS))
+	set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
+endif()
+if(POLICY CMP0091)
+	cmake_policy(SET CMP0091 NEW)
+endif()
+
+if(POLICY CMP0135)
+	cmake_policy(SET CMP0135 NEW)
+endif()
+
 project(falcosecurity-libs)

 option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
-option(MINIMAL_BUILD "Produce a minimal build with only the essential features (no eBPF probe driver, no kubernetes, no mesos, no marathon and no container metadata)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
-option(USE_BUNDLED_DRIVER "Use the driver/ subdirectory in the build process (only available in Linux)" ON)
+option(USE_BUNDLED_DRIVER
+	   "Use the driver/ subdirectory in the build process (only available in Linux)" ON
+)
+option(ENABLE_E2E_TESTS "Enable e2e tests" OFF)
 option(ENABLE_DRIVERS_TESTS "Enable driver tests (bpf, kernel module, modern bpf)" OFF)
 option(ENABLE_LIBSCAP_TESTS "Enable libscap unit tests" OFF)
+option(ENABLE_LIBSINSP_E2E_TESTS "Enable libsinsp e2e tests" OFF)
 option(BUILD_SHARED_LIBS "Build libscap and libsinsp as shared libraries" OFF)
-option(ENABLE_VM_TESTS "Enable driver sanity tests" OFF)
+option(USE_ASAN "Build with AddressSanitizer" OFF)
+option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
+option(USE_TSAN "Build with ThreadSanitizer" OFF)
+option(ENABLE_COVERAGE "Build with code coverage" OFF)
+option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)

 if(${CMAKE_VERSION} VERSION_LESS "3.1.0" AND BUILD_SHARED_LIBS)
 	# scap_engine_savefile uses target_sources
@ -56,8 +76,7 @@ endif()
 include(GNUInstallDirs)

 # Add path for custom CMake modules.
-list(APPEND CMAKE_MODULE_PATH
-	"${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
+list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")

 include(versions)

@ -87,15 +106,13 @@ set(LIBS_PACKAGE_NAME "falcosecurity")

 include(CompilerFlags)

-option(WITH_CHISEL "Include chisel implementation" OFF)
-
 option(CREATE_TEST_TARGETS "Enable make-targets for unit testing" ON)

 if(CREATE_TEST_TARGETS)
 	include(gtest)
 endif()

-if (BUILD_SHARED_LIBS)
+if(BUILD_SHARED_LIBS)
 	get_shared_libs_versions(FALCOSECURITY_SHARED_LIBS_VERSION FALCOSECURITY_SHARED_LIBS_SOVERSION)
 	message(STATUS "Shared library version: ${FALCOSECURITY_SHARED_LIBS_VERSION}")
 	message(STATUS "Shared library soversion: ${FALCOSECURITY_SHARED_LIBS_SOVERSION}")
@ -105,14 +122,13 @@ include(libscap)
 include(libsinsp)

 if(CREATE_TEST_TARGETS)
-	# Add command to run all unit tests at once via the make system.
-	# This is preferred vs using ctest's add_test because it will build
-	# the code and output to stdout.
-	add_custom_target(run-unit-tests
-		COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp
-	)
+	# Add command to run all unit tests at once via the make system. This is preferred vs using
+	# ctest's add_test because it will build the code and output to stdout.
+	add_custom_target(run-unit-tests COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp)

-	add_subdirectory(test/e2e)
+	if(ENABLE_E2E_TESTS)
+		add_subdirectory(test/e2e)
+	endif()

 	if(ENABLE_DRIVERS_TESTS)
 		add_subdirectory(test/drivers)
@ -122,8 +138,15 @@ if(CREATE_TEST_TARGETS)
 		add_subdirectory(test/libscap)
 	endif()

-	if(ENABLE_VM_TESTS)
-		add_subdirectory(test/vm)
+	if(ENABLE_LIBSINSP_E2E_TESTS)
+		message(WARNING "LIBSINSP_E2E_TESTS are experimental!")
+		add_subdirectory(test/libsinsp_e2e)
+		add_subdirectory(test/libsinsp_e2e/resources)
 	endif()

 endif()
+
+option(ENABLE_BENCHMARKS "Enable Benchmarks" OFF)
+if(ENABLE_BENCHMARKS)
+	add_subdirectory(benchmark)
+endif()
--- a/CMakeListsGtestInclude.cmake
+++ b/CMakeListsGtestInclude.cmake
@ -1,17 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 cmake_minimum_required(VERSION 3.12)
@ -19,14 +18,15 @@ cmake_minimum_required(VERSION 3.12)
 project(googletest-download NONE)

 include(ExternalProject)
-ExternalProject_Add(googletest
-  GIT_REPOSITORY    https://github.com/google/googletest.git
-  GIT_TAG           "release-1.12.1"
-  SOURCE_DIR        "${PROJECT_BINARY_DIR}/googletest-src"
-  BINARY_DIR        "${PROJECT_BINARY_DIR}/googletest-build"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND     ""
-  INSTALL_COMMAND   ""
-  UPDATE_COMMAND    ""
-  TEST_COMMAND      ""
+ExternalProject_Add(
+	googletest
+	GIT_REPOSITORY https://github.com/google/googletest.git
+	GIT_TAG "release-1.12.1"
+	SOURCE_DIR "${PROJECT_BINARY_DIR}/googletest-src"
+	BINARY_DIR "${PROJECT_BINARY_DIR}/googletest-build"
+	CONFIGURE_COMMAND ""
+	BUILD_COMMAND ""
+	INSTALL_COMMAND ""
+	UPDATE_COMMAND ""
+	TEST_COMMAND ""
 )
--- a/CMakePresets.json
+++ b/CMakePresets.json
@ -0,0 +1,47 @@
+{
+	"version": 3,
+	"configurePresets": [
+		{
+			"name": "base",
+			"hidden": true,
+			"generator": "Unix Makefiles",
+			"cacheVariables": {
+				"CMAKE_BUILD_TYPE": "Release",
+				"CMAKE_EXPORT_COMPILE_COMMANDS": "ON",
+				"BUILD_DRIVER": "ON",
+				"BUILD_BPF": "ON",
+				"BUILD_WARNINGS_AS_ERRORS": "ON"
+			}
+		},
+		{
+			"name": "scap-drivers",
+			"inherits": "base",
+			"displayName": "Build scap drivers and their tests",
+			"description": "Build all scap drivers (modern eBPF, legacy eBPF, kmod) and their tests",
+			"binaryDir": "${sourceDir}/build-scap-drivers",
+			"cacheVariables": {
+				"USE_BUNDLED_DEPS": "ON",
+				"ENABLE_DRIVERS_TESTS": "ON",
+				"MODERN_BPF_DEBUG_MODE": "ON",
+				"BUILD_LIBSCAP_MODERN_BPF": "ON",
+				"BUILD_LIBSCAP_GVISOR": "OFF",
+				"CREATE_TEST_TARGETS": "ON",
+				"ENABLE_LIBSCAP_TESTS": "ON",
+				"SCAP_FILES_SUITE_ENABLE": "OFF"
+			}
+		},
+		{
+			"name": "sinsp-minimal",
+			"inherits": "base",
+			"displayName": "Build minimal sinsp",
+			"description": "Build sinsp without gvisor and protobuf deps",
+			"binaryDir": "${sourceDir}/build-sinsp-minimal",
+			"cacheVariables": {
+				"USE_BUNDLED_DEPS": "ON",
+				"BUILD_LIBSCAP_GVISOR": "OFF",
+				"CREATE_TEST_TARGETS": "ON",
+				"SCAP_FILES_SUITE_ENABLE": "OFF"
+			}
+		}
+	]
+}
--- a/Contributing.md
+++ b/Contributing.md
@ -0,0 +1,207 @@
+# How to contribute
+
+## Enforce coding style 💻
+
+### Introduction
+
+This document introduces the coding style that will be applied in this repository.
+This coding style involves all the following files: `.c`, `.h`, `.cpp`, `.cmake`, `CMakeLists.txt`. To enforce it we rely on two main tools:
+
+1. `clang-format` version `18.1.8`.
+2. `cmake-format` version `0.6.13`.
+
+> __Please note__: tools versions are important! Different versions will enforce slightly different changes on the code. For example `clang-format-18` will produce a slightly different output respect to `clang-format-17` always respecting the imposed style.
+
+The coding style is expressed through the 2 configuration file that you find in this repo: `.clang-format`, `.cmake-format.json`.  
+
+### Enforce the style locally
+
+There are many ways to enforce the style locally, here we will describe two of them:
+
+1. Use `pre-commit` framework.
+2. Use the repo `Makefile`.
+
+#### 1.Pre-commit framework (suggested if you don't have the 2 tools already installed on your machine)
+
+The `pre-commit` framework allows you to automatically install different `git-hooks` that will run at every new commit. More precisely, if you use the `.pre-commit-config.yaml` in this repo you will install 3 different hooks:
+
+1. The `clang-format` hook: this is a `pre-commit` git hook that runs `clang-format` on your staged changes.
+2. The `cmake-format` hook: this is a `pre-commit` git hook that runs `cmake-format` on your staged changes.
+3. The `DCO signed-off` hook: this is a `pre-commit-msg` git hook that adds the `DCO` on your commit if not present. This hook is not strictly related to the coding style so we will talk about it in a separate section: [Add DCO signed-off to your commits](#add-dco-signed-off-to-your-commits).
+
+Now let's see what we need to use `pre-commit` framework.
+
+##### Step 1
+
+Install `pre-commit` framework following the [official documentation](https://pre-commit.com/#installation).
+
+> __Please note__: you have to follow only the "Installation" section.
+
+##### Step 2
+
+Once you have installed `pre-commit`, you don't need to install anything else! This is the good point of using a framework like `pre-commit`, all the tools necessary to format your code will be directly managed by the framework. But in order to be ready, you need to install the git hooks in your local repo.
+
+This simple command allows you to install the two `pre-commit` git hooks, `clang-format` and `cmake-format`.
+
+```bash
+pre-commit install --install-hooks --hook-type pre-commit --overwrite  
+```
+
+If you want to install also the `pre-commit-msg` git hook for the DCO you have to type the following command, but be sure to have configured all you need as said in the [dedicated section]((#add-dco-signed-off-to-your-commits))
+
+```bash
+pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite 
+```
+
+You have done, at every new commit, this hook will check that your patch respects the coding style of this repo!
+
+If you want to detach the git hooks, you can simply type:
+
+```bash
+pre-commit uninstall --hook-type prepare-commit-msg
+pre-commit uninstall --hook-type pre-commit 
+```
+
+#### 2.Makefile
+
+##### Step 1
+
+In order to use the repo `Makefile`, you need to install on your local machine the two aforementioned tools:
+
+__clang-format v18.1.8__
+
+One of the easiest ways to install `clang-format` could be directly downloading its static binary from [here](https://github.com/muttleyxd/clang-tools-static-binaries).
+There are other ways for example you can download the package for your distro or you can also build it from sources.
+
+__cmake-format v0.6.13__
+
+To install `cmake-format` you can follow the official documentation [here](https://cmake-format.readthedocs.io/en/latest/installation.html).
+
+> __NOTE__: Please check the versions of the two tool with `clang-format --version` and `cmake-format --version`.
+
+##### Step 2
+
+Once you have installed the __right__ versions of the 2 tools, you can simply type `make format-all` from the root directory of the project (`/libs`) to format all your code according to the coding style.
+
+Remember to do that before submitting a new patch upstream! 😁
+
+#### Other solutions
+
+Obviously, you can also install the 2 tools locally and enable some extension of your favorite IDE (like `VScode`) to format your code every time you save your files!
+
+## Add DCO signed-off to your commits 🔏
+
+### Introduction
+
+Another requirement for contributing to the `libs` repository, is applying the [DCO](https://cert-manager.io/docs/contributing/sign-off/) to every commit you want to push upstream.
+Before doing this you have to configure your git user `name` and `email` if you haven't already done it. To check your actual `name` and `email` type:
+
+```bash
+git config --get user.name
+git config --get user.email
+```
+
+If they are correct you have done, otherwise, you have to set them:
+
+```bash
+git config user.name <full-name>
+git config user.email <mail-used_with-GitHub-profile>
+```
+
+>__Please note__: If you have problems in doing this you can read the full documentation [here](https://docs.github.com/en/get-started/getting-started-with-git/setting-your-username-in-git).
+
+### Enforce the DCO locally
+
+Now you are ready to sign your commits! You have two main ways to do this:
+
+1. Manually with `git` tool.
+2. Use the `pre-commit-msg` hook quoted before.
+
+### Manually
+
+To do this you just need to remember the `-s` while performing your commits:
+
+```bash
+git commit -s
+```
+
+or with the inline message:
+
+```bash
+git commit -s -m "my first commit"
+```
+
+### Use `pre-commit` hook
+
+Here if you have already added the hook in the [previous section](#step-2), you have to do nothing otherwise you have to simply install the DCO hook with:
+
+```bash
+pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite 
+```
+
+And you have done! Now you don't have to remember the `-s` option every time you commit something, the DCO hook will automatically add the DCO if you forget it! 😄
+
+## Some best practices 📏
+
+### Class variables
+
+To know whether a variable belongs to a `class` or a `function`, we start member variables with `m_`.
+
+Example:
+
+```c
+    public int32_t m_counter;
+```
+
+### Global variables
+
+To know whether the variable is global or not, we start globals with `g_`.
+
+Example:
+
+```c
+    int g_nplugins;
+```
+
+### Capitalization
+
+The naming convention is camel-cased "Unix" style, i.e. always lower case. Words are separated by underscores.
+
+Example:
+
+```c
+    int32_t g_global_bean_counter;
+    int32_t count_beans();
+```
+
+and not,
+
+```c
+    int32_t GlobalBeanCounter;
+    int32_t CountBeans();
+```
+
+### Packed Structures
+
+Packed structures should use the GCC and MSVC-style supported `pragma`:
+
+Example:
+
+```c
+    #pragma pack(push,1)
+    struct frame_control
+    {
+        struct fields....
+    };
+    #pragma pack(pop)
+```
+
+### 64-bit constants
+
+Put an `LL` at the end of your `64-bit` constants. Without the `LL`, some platform compilers try to interpret the constant on the right-hand side as a `long integer` instead of a `long long` and this could lead to an error at building time.
+
+Example:
+
+```c
+    x=0X00FF00000000000LL
+```
--- a/202
+++ b/202
@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] The Falco Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/81
+++ b/81
@ -0,0 +1,81 @@
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# mofidy the following variables to match your paths
+CLANG_FORMAT_EXE ?= clang-format
+CLANG_FORMAT_VERSION = "$(shell ${CLANG_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
+CLANG_FORMAT_DESIRED_VERSION ="18.1.8"
+
+CMAKE_FORMAT_EXE ?= cmake-format
+CMAKE_FORMAT_VERSION = "$(shell ${CMAKE_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
+CMAKE_FORMAT_DESIRED_VERSION = "0.6.13"
+
+PROJECT_ROOT_DIR = $(shell git rev-parse --show-toplevel)
+
+######################
+#    Clang-format    #
+######################
+.PHONY: clang-format-install
+clang-format-install:
+ifeq (, $(shell ${CLANG_FORMAT_EXE} --version))
+	@echo "${CLANG_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
+	@exit 1
+endif
+
+ifneq ($(CLANG_FORMAT_VERSION), $(CLANG_FORMAT_DESIRED_VERSION))
+	@echo "${CLANG_FORMAT_EXE} version is not '${CLANG_FORMAT_DESIRED_VERSION}'. Actual version is '${CLANG_FORMAT_VERSION}'"
+	@exit 1
+endif
+
+.PHONY: format-clang
+format-clang: clang-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -i
+
+.PHONY: check-clang
+check-clang: clang-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -n
+
+######################
+#    Cmake-format    #
+######################
+.PHONY: cmake-format-install
+cmake-format-install:
+ifeq (, $(shell ${CMAKE_FORMAT_EXE} --version))
+	@echo "${CMAKE_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
+	@exit 1
+endif
+
+ifneq ($(CMAKE_FORMAT_VERSION), $(CMAKE_FORMAT_DESIRED_VERSION))
+	@echo "${CMAKE_FORMAT_EXE} version is not '${CMAKE_FORMAT_DESIRED_VERSION}'. Actual version is '${CMAKE_FORMAT_VERSION}'"
+	@exit 1
+endif
+
+.PHONY: format-cmake
+format-cmake: cmake-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json -i
+
+.PHONY: check-cmake
+check-cmake: cmake-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json --check
+
+# Add new formatters here...
+
+.PHONY: format-all
+format-all: format-clang format-cmake
+
+.PHONY: check-all
+check-all: check-clang check-cmake
+
--- a/3
+++ b/3
@ -7,10 +7,11 @@ approvers:
  - molter73
  - lucaguerra
  - jasondellaluce
-  - incertum
+  - ekoops
 reviewers:
  - hbrueckner
 emeritus_approvers:
  - fntlnz
  - leodido
  - ldegio
+  - incertum
--- a/README.md
+++ b/README.md
@ -3,16 +3,15 @@
 [![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable) [![License](https://img.shields.io/github/license/falcosecurity/libs?style=for-the-badge)](./COPYING)

 [![CI Build](https://github.com/falcosecurity/libs/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/falcosecurity/libs/actions/workflows/ci.yml)
-[![Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64%7Cs390x-blueviolet)](#drivers-officially-supported-architectures)
+[![Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64%7Cs390x%7Criscv64%7Cppc64le-blueviolet)](#drivers-officially-supported-architectures)
 [![Drivers](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/FedeDP/1cbc5d42edf8e3a02fb75e76625f1072/raw/kernel.json)](https://github.com/falcosecurity/libs/actions/workflows/latest-kernel.yml)
-[![Kernel Tests](https://github.com/falcosecurity/libs/actions/workflows/kernel_tests.yaml/badge.svg)](https://github.com/falcosecurity/libs/actions/workflows/kernel_tests.yaml)
 [![Github Pages](https://github.com/falcosecurity/libs/actions/workflows/pages.yml/badge.svg)](https://falcosecurity.github.io/libs/)

 This repository contains **libsinsp**, **libscap**, the **kernel module** and the **eBPF probes** sources.

 These components are at the foundation of [Falco](https://github.com/falcosecurity/falco) and other projects that work with the same kind of data.

-This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to the [official documentation](https://falco.org/docs/).
+This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to Falco's [official documentation](https://falco.org/docs/).

 An image is worth a thousand words, they say:

@ -23,8 +22,7 @@ An image is worth a thousand words, they say:

 * [_driver/_](./driver) contains kernel module and eBPF probe source code,
 so-called **drivers**.       
-* [_userspace/_](./userspace) contains libscap and libsinsp libraries code,
-plus chisels related code and common utilities.
+* [_userspace/_](./userspace) contains libscap and libsinsp libraries code.
  * **libscap** (aka lib for *System CAPture*) is the userspace library
  that directly communicates with the drivers, reading syscall events from
  the ring buffer (where drivers place them), and forwarding them
@ -34,9 +32,6 @@ plus chisels related code and common utilities.
  libscap and enriches them with machine state: moreover, it performs
  events filtering with rule evaluation through its internal rule engine.
  Finally, it manages outputs. 
-  * **chisels** are just little Lua scripts to analyze an event stream
-  and perform useful actions. In this subfolder, the backend code for
-  chisels support can be found.  
 * [_proposals/_](./proposals) unexpectedly contains the list of proposals.
 * [_cmake/modules/_](./cmake/modules) contains modules to build
 external dependencies, plus the libscap and libsinsp ones; consumers
@ -46,11 +41,13 @@ external dependencies, plus the libscap and libsinsp ones; consumers

 Our drivers officially support the following architectures:

-|             | Kernel module                                                                                | eBPF probe | Modern eBPF probe | Status |
-| ----------- |----------------------------------------------------------------------------------------------| ---------- | ----------------- | ------ |
-| **x86_64**  | >= 2.6                                                                                       | >= 4.14    | >= 5.8            | _STABLE_ |
-| **aarch64** | >= [3.16](https://github.com/torvalds/linux/commit/055b1212d141f1f398fca548f8147787c0b6253f) | >= 4.17    | >= 5.8            | _STABLE_ |
-| **s390x**   | >= 2.6                                                                                       | >= [5.5](https://github.com/torvalds/linux/commit/6ae08ae3dea) | >= 5.8            | _EXPERIMENTAL_ |
+|             | Kernel module                                                                                | eBPF probe                                                                                  | Modern eBPF probe | Status |
+| ----------- |----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------| ----------------- | ------ |
+| **x86_64**  | >= 2.6                                                                                       | >= 4.14                                                                                     | >= 5.8            | _STABLE_ |
+| **aarch64** | >= [3.16](https://github.com/torvalds/linux/commit/055b1212d141f1f398fca548f8147787c0b6253f) | >= 4.17                                                                                     | >= 5.8            | _STABLE_ |
+| **s390x**   | >= 2.6                                                                                       | >= [5.5](https://github.com/torvalds/linux/commit/6ae08ae3dea)                              | >= 5.8            | _EXPERIMENTAL_ |
+| **riscv64** | >= [5.0](https://github.com/torvalds/linux/commit/5aeb1b36cedd3a1dfdbfe368629fed52dee34103)  | N/A                                                                                         | N/A               | _EXPERIMENTAL_ |
+| **ppc64le** | >= 2.6                                                                                       | >= [5.1](https://github.com/torvalds/linux/commit/ed1cd6deb013a11959d17a94e35ce159197632da) | >= 5.8               | _STABLE_ |


 To access up-to-date status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/). It provides a list of supported syscalls as well as the [report](https://falcosecurity.github.io/libs/report/).
@ -107,13 +104,13 @@ If you are building this project outside of a Git working directory, or if you w
 <details>
 	<summary>Expand Build Instructions</summary>

-For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in the [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
+For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in Falco's [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.

 The project utilizes the `cmake` build system, and the key `make` targets are as follows: 

 * `driver` -> build the kmod
-* `bpf` -> build the eBPF probe
-* `scap` -> build libscap (`modern_bpf` driver will be bundled into `scap` if enabled)
+* `bpf` -> build the legacy `ebpf` probe
+* `scap` -> build libscap (`modern_ebpf` driver will be bundled into `scap` if enabled)
 * `sinsp` -> build libsinsp (depends upon `scap` target)
 * `scap-open` -> build a small example binary for `libscap` to test the drivers (dependent on `scap`)
 * `sinsp-example` -> build a small example binary for `libsinsp` to test the drivers and/or `libsinsp` functionality (dependent on `scap` and `sinsp`)
@ -138,7 +135,7 @@ make sinsp

 ### Build userspace using system deps

-To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to the [official documentation](https://falco.org/docs/install-operate/source/).
+To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to Falco's [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 cmake -DUSE_BUNDLED_DEPS=OFF ../;
@ -149,29 +146,27 @@ make sinsp

 ### Build driver - kmod

-To build the kmod driver, you need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
+To build the kmod driver, you need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 make driver
-# Verify the kmod object code was created, uses `.ko` extension.
+# Verify the kmod binary object file was created, uses `.ko` extension.
 ls -l driver/src/scap.ko;
 ```

 ### Build driver - eBPF probe

-To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
+To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 cmake -DBUILD_BPF=ON ../;
 make bpf
-# Verify the eBPF object code was created, uses `.o` extension.
+# Verify the eBPF bytecode file was created, uses `.o` extension.
 ls -l driver/bpf/probe.o;
 ```

 >__WARNING__: **clang-7** is the oldest supported version to build our BPF probe.

-Initial guidance for CI and building within containers: To build either the kmod or eBPF probe in a container, you will need to make the extracted kernel headers available. The [test/vm](test/vm/) directory contains example [scripts](test/vm/scripts/compile_drivers.sh) demonstrating how to pass them to the `make` command using the argument `KERNELDIR=${EXTRACTED_KERNEL_HEADERS_DIR}`. You can also use the [falcosecurity/driverkit](https://github.com/falcosecurity/driverkit) or explore the scripts within the driverkit repository. The mentioned resources also provide candidate builder containers.
-
 ### Build driver - modern eBPF probe

 To build the modern eBPF probe, further prerequisites are necessary:
@ -196,13 +191,13 @@ To build the modern eBPF probe, further prerequisites are necessary:

 > __NOTE:__ These are not the requirements to use the modern BPF probe, but rather for building it from source.

-Regarding the previously discussed bpf drivers, they create a kernel-specific object code (`driver/bpf/probe.o`) for your machine's kernel release (`uname -r`). This object code is then used as an argument for testing with `scap-open` and `sinsp-example` binaries.
+Regarding the previously discussed legacy eBPF driver, it generates kernel-specific bytecode (`driver/bpf/probe.o`) tailored to your machine's kernel release (`uname -r`). The location of the bytecode file can then be passed as an argument for testing with the `scap-open` and `sinsp-example` binaries.

-However, the modern BPF driver operates differently. It doesn't require kernel headers, and its build isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8.
+However, the modern eBPF driver build process doesn't require kernel headers, and it isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern eBPF driver.

-To comprehend how the driver understands kernel data structures without knowledge of the kernel it runs on, there's no black magic involved. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file in our project containing all necessary kernel data structure definitions. Additionally, we sometimes rely on macros or functions typically found in system header files, which we redefine in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h).
+CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8. The way the driver interprets kernel data structures without direct knowledge of the running kernel is not magic — it leverages predefined type information and BTF-based relocations. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file containing essential kernel data structure definitions, allowing the eBPF program to reference fields dynamically. Additionally, for cases where macros or functions from system headers are required, we redefine them in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h). Combined with CO-RE (Compile Once, Run Everywhere), this enables the driver to remain portable across different kernel versions.
 
-That being said, the modern BPF driver still produces an object file, which you can create using the target below. Nevertheless, we ultimately include it in `scap` regardless. Hence, when modern BPF is enabled, building `scap` will already cover this step for you.
+The modern eBPF driver build process produces an eBPF header skeleton file using `bpftool`. The skeleton file is a C header file that embeds the compiled eBPF program as bytecode.

 ```bash
 cmake \
@ -210,13 +205,15 @@ cmake \
 -DBUILD_LIBSCAP_MODERN_BPF=ON ../;

 make ProbeSkeleton
-# Verify the modern eBPF object code / final composed header file including all `.o` modern_bpf files was created, uses `.h` extension.
+# Verify the modern eBPF bytecode / final composed header file including all `.o` modern_ebpf files was created, uses `.h` extension.
 ls -l skel_dir/bpf_probe.skel.h;
 # Now includes skel_dir/bpf_probe.skel.h in `scap` during the linking process.
 make scap
 ```

-Initial guidance for CI and building within containers: The Falco Project, for instance, compiles the final Falco userspace binary within older centos7 [falco-builder](https://falco.org/docs/install-operate/source/#build-using-falco-builder-container) containers with bundled dependencies. This ensures compatibility across supported systems, mainly due to GLIBC versions and other intricacies. However, you won't be able to compile the modern BPF driver on such old systems or builder containers. One solution is to build `skel_dir/bpf_probe.skel.h` in a more recent builder container. For example, you can refer to this [container](test/vm/containers/ubuntu2310.Dockerfile) as a guide. Subsequently, you can provide the modern BPF header file as an artifact to `scap` during building in an older builder container. As an illustrative example, we use `/tmp/skel-dir` containing the `bpf_probe.skel.h` file.
+Since modern eBPF is included in `scap`, running `make scap` automatically covers the `make ProbeSkeleton` build step.
+
+You can also split the build process and specify the directory containing the `bpf_probe.skel.h` file.

 ```bash
 cmake \
@ -246,7 +243,7 @@ This repository includes convenient test example binaries for both `scap` and `s

 When developing new features, you would run either one depending on what you're working on, in order to test and validate your changes.

-> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern BPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
+> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern eBPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.

 Here's an example of a `cmake` command that will enable everything you need for all tests and components. By default, the following flags are disabled, with the exception of `USE_BUNDLED_DEPS` and `CREATE_TEST_TARGETS` (they are enabled by default).

@ -262,9 +259,11 @@ cmake \
 -DCREATE_TEST_TARGETS=ON \
 -DENABLE_LIBSCAP_TESTS=ON \
 -DENABLE_DRIVERS_TESTS=ON \
-DENABLE_VM_TESTS=ON ../;
+-DENABLE_LIBSINSP_E2E_TESTS=ON ../;
 ```

+> __NOTE:__ The `ENABLE_LIBSINSP_E2E_TESTS` flag enables the new e2e tests for libsinsp. Please keep in mind these tests are currently in heavy development and need some extra steps (see in the section below) to run correctly.
+
 > __TIP:__ Installing and using the package `ccache` can optimize repeated testing, but we don't offer official support or testing for it.

 ```bash
@ -302,9 +301,20 @@ sudo ./test/drivers/drivers_test -m;
 The tests mentioned below expand beyond the scope of "unit tests". In this context as well, we are dedicated to making sure they run smoothly on your `localhost` for pre-PR testing, to the best of our ability:

 - [test/e2e](test/e2e) - enforced by our CI
- [test/vm](test/vm) - our CI includes comparable tests, but it employs a distinct framework. For current status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).

-As mentioned earlier, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
+For current status reports on the CI powered Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
+
+In general, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
+
+### [EXPERIMENTAL] Run libsinsp e2e tests
+
+To correctly run the new libsinsp e2e tests on x86_64 `gcc-multilib` and `g++-multilib` are needed. To run the tests, use the following commands:
+
+```bash
+make -j$(($nproc-1)) libsinsp_e2e_tests;
+# Run each drivers test via changing flags
+sudo ./test/libsinsp_e2e/libsinsp_e2e_tests -m;
+```

 </details>

--- a/benchmark/CMakeLists.txt
+++ b/benchmark/CMakeLists.txt
@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+message(STATUS "Benchmarks enabled")
+
+include(googleBenchmark)
+
+set(BENCHMARK_SOURCES ./main.cpp)
+set(BENCHMARK_DEPENDENCIES sinsp)
+set(BENCHMARK_LIBRARIES benchmark::benchmark sinsp)
+set(BENCHMARK_INCLUDE PRIVATE "${LIBSINSP_INCLUDE_DIRS}")
+
+file(GLOB_RECURSE SINSP_SUITE "${CMAKE_CURRENT_SOURCE_DIR}/libsinsp/*.cpp")
+list(APPEND BENCHMARK_SOURCES ${SINSP_SUITE})
+
+add_compile_options(${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS})
+add_link_options(${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS})
+add_executable(bench ${BENCHMARK_SOURCES})
+target_link_libraries(bench ${BENCHMARK_LIBRARIES})
+target_include_directories(bench ${BENCHMARK_INCLUDE})
+add_dependencies(bench ${BENCHMARK_DEPENDENCIES})
--- a/benchmark/README.md
+++ b/benchmark/README.md
@ -0,0 +1,14 @@
+# Benchmarks
+
+## Build
+
+```bash
+cmake -DENABLE_BENCHMARKS=ON ..
+make bench
+```
+
+## Run
+
+```bash
+sudo ./benchmark/bench
+```
--- a/benchmark/libsinsp/utils.cpp
+++ b/benchmark/libsinsp/utils.cpp
@ -0,0 +1,55 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include <libsinsp/utils.h>
+#include <benchmark/benchmark.h>
+
+static void BM_sinsp_split(benchmark::State& state) {
+	for(auto _ : state) {
+		std::string str = "hello,world,";
+		benchmark::DoNotOptimize(sinsp_split(str, ','));
+	}
+}
+BENCHMARK(BM_sinsp_split);
+
+static void BM_sinsp_concatenate_paths_relative_path(benchmark::State& state) {
+	for(auto _ : state) {
+		std::string path1 = "/tmp/";
+		std::string path2 = "foo/bar";
+		benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
+	}
+}
+BENCHMARK(BM_sinsp_concatenate_paths_relative_path);
+
+static void BM_sinsp_concatenate_paths_empty_path(benchmark::State& state) {
+	for(auto _ : state) {
+		std::string path1 = "/tmp/";
+		std::string path2 = "";
+		benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
+	}
+}
+BENCHMARK(BM_sinsp_concatenate_paths_empty_path);
+
+static void BM_sinsp_concatenate_paths_absolute_path(benchmark::State& state) {
+	for(auto _ : state) {
+		std::string path1 = "/tmp/";
+		std::string path2 = "/foo/bar";
+		benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
+	}
+}
+BENCHMARK(BM_sinsp_concatenate_paths_absolute_path);
--- a/userspace/libsinsp/mesos_common.h
+++ b/userspace/libsinsp/mesos_common.h
@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2021 The Falco Authors.
+Copyright (C) 2024 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -14,10 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.

 */
-//
-// mesos_common.h
-//
-
-#pragma once

+#include <benchmark/benchmark.h>

+BENCHMARK_MAIN();
--- a/cmake/modules/BuildPkgConfigDependencies.cmake
+++ b/cmake/modules/BuildPkgConfigDependencies.cmake
@ -0,0 +1,138 @@
+# Get all dependencies for ${lib} and add them to ${LIBDIRS_VAR} and ${LIBS_VAR}. Ignore any
+# dependencies in the list ${ignored} to: - avoid infinite recursion - avoid libscap dependencies in
+# libsinsp.pc (which requires libscap.pc and pulls them in that way)
+function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
+
+	message(DEBUG "[add_pkgconfig_library] processing lib \"${lib}\"")
+	# if it's not a target, it doesn't have dependencies we know or care about
+	if(NOT TARGET ${lib})
+		return()
+	endif()
+
+	# get the libraries that ${lib} links to
+	get_target_property(PKGCONFIG_LIBRARIES ${lib} LINK_LIBRARIES)
+	if("${PKGCONFIG_LIBRARIES}" STREQUAL "PKGCONFIG_LIBRARIES-NOTFOUND")
+		return()
+	endif()
+
+	message(DEBUG "[add_pkgconfig_library] LINK_LIBRARIES property: \"${PKGCONFIG_LIBRARIES}\"")
+
+	get_property(
+		target_type
+		TARGET ${lib}
+		PROPERTY TYPE
+	)
+	message(DEBUG "[add_pkgconfig_library] ignored list: \"${ignored}\"")
+	foreach(dep ${PKGCONFIG_LIBRARIES})
+		# XXX: We use a (very) loose match as we are potentially comparing absolute library file
+		# names (dep) to pkg-config library names to be ignored.  The only alternative I can think
+		# of would be to maintain a map associating pkg-config names to their library file name.
+		get_filename_component(dep_base ${dep} NAME_WE)
+		string(REGEX REPLACE "^lib" "" dep_name ${dep_base})
+		# For CMake imported targets, keep only the suffix, e.g. gRPC::grpc -> grpc.
+		string(REGEX REPLACE "[^:]*::" "" dep_name ${dep_base})
+		message(DEBUG "[add_pkgconfig_library] processing dep ${dep}")
+		string(FIND "${ignored}" "${dep_name}" find_result)
+		if(NOT ${find_result} EQUAL -1)
+			message(DEBUG "[add_pkgconfig_library] \"${dep}\" ignored")
+			continue()
+		endif()
+
+		if(${target_type} STREQUAL "SHARED_LIBRARY")
+			# for shared libraries, do not add static libraries as dependencies
+			if(TARGET ${dep})
+				# skip static libraries which are CMake targets
+				get_property(
+					dep_target_type
+					TARGET ${dep}
+					PROPERTY TYPE
+				)
+				if(NOT ${dep_target_type} STREQUAL "SHARED_LIBRARY")
+					continue()
+				endif()
+			else()
+				# skip static libraries which are just file paths
+				get_filename_component(ext ${dep} LAST_EXT)
+				if("${ext}" STREQUAL "${CMAKE_STATIC_LIBRARY_SUFFIX}")
+					continue()
+				endif()
+			endif()
+		elseif(${target_type} STREQUAL "STATIC_LIBRARY")
+			# for static libraries which are not CMake targets, redirect them to
+			# ${libdir}/${LIBS_PACKAGE_NAME} note that ${libdir} is not a CMake variable, but a
+			# pkgconfig variable, so we quote it and end up with a literal ${libdir} in the
+			# pkgconfig file
+			if(NOT TARGET ${dep})
+				get_filename_component(filename ${dep} NAME)
+				set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
+			else()
+				get_property(
+					dep_target_type
+					TARGET ${dep}
+					PROPERTY TYPE
+				)
+				if(${dep_target_type} STREQUAL "OBJECT_LIBRARY")
+					# skip object libraries
+					continue()
+				endif()
+
+				# if the library is imported, use the IMPORTED_LOCATION instead
+				get_property(
+					dep_imported_location
+					TARGET ${dep}
+					PROPERTY IMPORTED_LOCATION
+				)
+				if(NOT ${dep_imported_location} STREQUAL "")
+					get_filename_component(filename ${dep_imported_location} NAME)
+					set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
+				endif()
+			endif()
+		endif()
+
+		add_pkgconfig_dependency(${LIBDIRS_VAR} ${LIBS_VAR} ${dep} "${ignored}")
+	endforeach()
+
+	# Remove duplicate search paths. We cannot remove duplicates from ${LIBS_VAR} because the order
+	# of libraries is important.
+	list(REMOVE_DUPLICATES ${LIBDIRS_VAR})
+
+	set(${LIBS_VAR}
+		${${LIBS_VAR}}
+		PARENT_SCOPE
+	)
+	set(${LIBDIRS_VAR}
+		${${LIBDIRS_VAR}}
+		PARENT_SCOPE
+	)
+endfunction()
+
+function(add_pkgconfig_dependency LIBDIRS_VAR LIBS_VAR lib ignored)
+	if(${lib} IN_LIST ignored)
+		# already processed, avoid infinite recursion
+	elseif(${lib} MATCHES "^-")
+		# We have a flag. Pass it through unchanged.
+		list(APPEND ${LIBS_VAR} ${lib})
+	elseif(${lib} MATCHES "/")
+		# We have a path. Convert it to -L<dir> + -l<lib>.
+		get_filename_component(lib_dir ${lib} DIRECTORY)
+		list(APPEND ${LIBDIRS_VAR} -L${lib_dir})
+		get_filename_component(lib_base ${lib} NAME_WE)
+		string(REGEX REPLACE "^lib" "" lib_base ${lib_base})
+		list(APPEND ${LIBS_VAR} -l${lib_base})
+	else()
+		# Assume we have a plain library name. Prefix it with "-l". Then recurse into its
+		# dependencies but ignore the library itself, so we don't end up in an infinite loop with
+		# cyclic dependencies
+		list(APPEND ${LIBS_VAR} -l${lib})
+		list(APPEND ignored ${lib})
+		add_pkgconfig_library(${LIBDIRS_VAR} ${LIBS_VAR} ${lib} "${ignored}")
+	endif()
+	set(${LIBS_VAR}
+		${${LIBS_VAR}}
+		PARENT_SCOPE
+	)
+	set(${LIBDIRS_VAR}
+		${${LIBDIRS_VAR}}
+		PARENT_SCOPE
+	)
+endfunction()
--- a/cmake/modules/CompilerFlags.cmake
+++ b/cmake/modules/CompilerFlags.cmake
@ -1,3 +1,18 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags")

 option(ENABLE_PIC "Build position independent libraries and executables" ${BUILD_SHARED_LIBS})
@ -10,30 +25,86 @@ endif()
 set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_EXTENSIONS OFF)

+set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS "")
+set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS "")
+
 if(NOT MSVC)

 	set(FALCOSECURITY_LIBS_COMMON_FLAGS "-Wall -ggdb")
 	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "-Og -D_DEBUG")
 	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "-O3 -fno-strict-aliasing -DNDEBUG")
-	set(FALCOSECURITY_LIBS_COVERAGE_FLAGS "-O0 -fprofile-arcs -ftest-coverage")
-
-	if(MINIMAL_BUILD)
-	  set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -DMINIMAL_BUILD")
-	endif()
-
 	if(MUSL_OPTIMIZED_BUILD)
 		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -static -Os")
 	endif()

 	if(BUILD_WARNINGS_AS_ERRORS)
 		set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
-		set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation")
-		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -Wextra ${CMAKE_SUPPRESSED_WARNINGS}")
+		set(CMAKE_SUPPRESSED_WARNINGS
+			"-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation -Wno-deprecated-declarations"
+		)
+		if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
+			# Clang needs these for suppressing these warnings: - C++20 array designators used with
+			# C++17 - C99 array designators used in C++ - avoid complaining about the option above
+			# `-Wno-format-truncation`
+			set(CMAKE_SUPPRESSED_WARNINGS
+				"${CMAKE_SUPPRESSED_WARNINGS} -Wno-c++20-designator -Wno-c99-designator -Wno-unknown-warning-option"
+			)
+		endif()
+		set(FALCOSECURITY_LIBS_COMMON_FLAGS
+			"${FALCOSECURITY_LIBS_COMMON_FLAGS} -Werror -Wextra ${CMAKE_SUPPRESSED_WARNINGS}"
+		)
+	endif()
+
+	if(USE_ASAN)
+		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=address"
+		)
+		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=address;-lpthread"
+		)
+	endif()
+
+	if(USE_UBSAN)
+		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=undefined"
+		)
+		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=undefined"
+		)
+		if(UBSAN_HALT_ON_ERROR)
+			set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+				"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fno-sanitize-recover=undefined"
+			)
+		endif()
+	endif()
+
+	if(USE_TSAN)
+		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=thread"
+		)
+		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=thread"
+		)
+	endif()
+
+	if(ENABLE_COVERAGE)
+		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};--coverage"
+		)
+		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};--coverage"
+		)
+	endif()
+
+	if(ENABLE_THREAD_POOL)
+		set(FALCOSECURITY_LIBS_COMMON_FLAGS
+			"${FALCOSECURITY_LIBS_COMMON_FLAGS} -DENABLE_THREAD_POOL"
+		)
 	endif()

 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${FALCOSECURITY_LIBS_COMMON_FLAGS}")
-	# we need also `-std=c++17` here beacuse `set(CMAKE_CXX_STANDARD 17)` is not enough to enforce c++17
-	# with some Cmake versions: https://github.com/falcosecurity/libs/pull/950
+	# we need also `-std=c++17` here beacuse `set(CMAKE_CXX_STANDARD 17)` is not enough to enforce
+	# c++17 with some Cmake versions: https://github.com/falcosecurity/libs/pull/950
 	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${FALCOSECURITY_LIBS_COMMON_FLAGS} -std=c++17")

 	set(CMAKE_C_FLAGS_DEBUG "${FALCOSECURITY_LIBS_DEBUG_FLAGS}")
@ -42,21 +113,19 @@ if(NOT MSVC)
 	set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
 	set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")

-	set(CMAKE_C_FLAGS_COVERAGE "${FALCOSECURITY_LIBS_COVERAGE_FLAGS}")
-	set(CMAKE_CXX_FLAGS_COVERAGE "${FALCOSECURITY_LIBS_COVERAGE_FLAGS}")
-
-	if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-		add_definitions(-DHAS_CAPTURE)
-	endif()
-
 	add_definitions(-D__STDC_FORMAT_MACROS)

 else() # MSVC
-	set(MINIMAL_BUILD ON)
-
-	set(FALCOSECURITY_LIBS_COMMON_FLAGS "-D_CRT_SECURE_NO_WARNINGS -DWIN32 -DMINIMAL_BUILD /EHsc /W3 /Zi /std:c++17")
-	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
-	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "/MT")
+	set(FALCOSECURITY_LIBS_COMMON_FLAGS
+		"-D_CRT_SECURE_NO_WARNINGS -DWIN32 /EHsc /W3 /Zi /std:c++17"
+	)
+	if(CMAKE_VERSION VERSION_LESS 3.15.0)
+		set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
+		set(FALCOSECURITY_LIBS_RELEASE_FLAGS "/MT")
+	else()
+		# /MT vs /MD should be determined via CMAKE_MSVC_RUNTIME_LIBRARY
+		set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/Od")
+	endif()

 	set(CMAKE_C_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
 	set(CMAKE_CXX_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
@ -67,5 +136,9 @@ else() # MSVC
 	set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
 	set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")

-	add_definitions(-D_HAS_STD_BYTE=0)
+	# "_DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR" enables a workaround for windows GH runner issue, see
+	# https://github.com/actions/runner-images/issues/10004 Also, define NOMINMAX globally.
+	add_compile_definitions(
+		_HAS_STD_BYTE=0 WIN32_LEAN_AND_MEAN _DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR NOMINMAX
+	)
 endif()
--- a/cmake/modules/FindMakedev.cmake
+++ b/cmake/modules/FindMakedev.cmake
@ -1,43 +1,34 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-# This module is used to understand where the makedev function
-# is defined in the glibc in use.
-# see 'man 3 makedev'
-# Usage:
-#  In your CMakeLists.txt
-#    include(FindMakedev)
+# This module is used to understand where the makedev function is defined in the glibc in use. see
+# 'man 3 makedev' Usage: In your CMakeLists.txt include(FindMakedev)
 #
-#  In your source code:
+# In your source code:
 #
-#    #if HAVE_SYS_MKDEV_H
-#    #include <sys/mkdev.h>
-#    #endif
-#    #ifdef HAVE_SYS_SYSMACROS_H
-#    #include <sys/sysmacros.h>
-#    #endif
+# #if HAVE_SYS_MKDEV_H #include <sys/mkdev.h> #endif #ifdef HAVE_SYS_SYSMACROS_H #include
+# <sys/sysmacros.h> #endif
 #
 include(${CMAKE_ROOT}/Modules/CheckIncludeFile.cmake)

 check_include_file("sys/mkdev.h" HAVE_SYS_MKDEV_H)
 check_include_file("sys/sysmacros.h" HAVE_SYS_SYSMACROS_H)

-if (HAVE_SYS_MKDEV_H)
-    add_definitions(-DHAVE_SYS_MKDEV_H)
+if(HAVE_SYS_MKDEV_H)
+	add_definitions(-DHAVE_SYS_MKDEV_H)
 endif()
-if (HAVE_SYS_SYSMACROS_H)
-    add_definitions(-DHAVE_SYS_SYSMACROS_H)
+if(HAVE_SYS_SYSMACROS_H)
+	add_definitions(-DHAVE_SYS_SYSMACROS_H)
 endif()
--- a/cmake/modules/Findbs_threadpool.cmake
+++ b/cmake/modules/Findbs_threadpool.cmake
@ -0,0 +1,29 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+find_path(BS_THREADPOOL_INCLUDE NAMES BS_thread_pool.hpp)
+
+if(BS_THREADPOOL_INCLUDE)
+	if(NOT bs_threadpool_FIND_QUIETLY)
+		message(STATUS "Found bs_threadpool: include: ${BS_THREADPOOL_INCLUDE}.")
+	endif()
+else()
+	if(bs_threadpool_FIND_REQUIRED)
+		message(FATAL_ERROR "Required component bs_threadpool missing.")
+	endif()
+	if(NOT bs_threadpool_FIND_QUIETLY)
+		message(WARNING "bs_threadpool not found.")
+	endif()
+endif()
--- a/cmake/modules/Findvalijson.cmake
+++ b/cmake/modules/Findvalijson.cmake
@ -1,35 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-# This module is used to find where the valijson headers are installed
-# on the system. This is required up to v0.6, since package config
-# files are not provided. This is fixed in master though, and this
-# file shall be automatically ignored for later versions.
+# This module is used to find where the valijson headers are installed on the system. This is
+# required up to v0.6, since package config files are not provided. This is fixed in master though,
+# and this file shall be automatically ignored for later versions.

 find_path(VALIJSON_INCLUDE NAMES valijson/validator.hpp validator.hpp)

-if (VALIJSON_INCLUDE)
-    if (NOT valijson_FIND_QUIETLY)
-        message(STATUS "Found valijson: include: ${VALIJSON_INCLUDE}.")
-    endif()
+if(VALIJSON_INCLUDE)
+	if(NOT valijson_FIND_QUIETLY)
+		message(STATUS "Found valijson: include: ${VALIJSON_INCLUDE}.")
+	endif()
 else()
-    if (valijson_FIND_REQUIRED)
-        message(FATAL_ERROR "Required component valijson missing.")
-    endif()
-    if (NOT valijson_FIND_QUIETLY)
-        message(WARNING "Valijson not found.")
-    endif()
+	if(valijson_FIND_REQUIRED)
+		message(FATAL_ERROR "Required component valijson missing.")
+	endif()
+	if(NOT valijson_FIND_QUIETLY)
+		message(WARNING "Valijson not found.")
+	endif()
 endif()
--- a/cmake/modules/GetVersionFromGit.cmake
+++ b/cmake/modules/GetVersionFromGit.cmake
@ -1,191 +1,226 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 if(_falcosecurity_get_version_from_git)
-    return()
+	return()
 endif()

 set(_falcosecurity_get_version_from_git TRUE)

 if(NOT FALCOSECURITY_RELEASE_BRANCH_REGEX)
-    set(FALCOSECURITY_RELEASE_BRANCH_REGEX "^release/")
+	set(FALCOSECURITY_RELEASE_BRANCH_REGEX "^release/")
 endif()

 function(_falcosecurity_execute_git _out)
-    if(NOT GIT_FOUND)
-        find_package(Git QUIET)
-    endif()
+	if(NOT GIT_FOUND)
+		find_package(Git QUIET)
+	endif()

-    execute_process(COMMAND
-        "${GIT_EXECUTABLE}"
-        ${ARGN}
-        WORKING_DIRECTORY
-        "${CMAKE_CURRENT_SOURCE_DIR}"
-        RESULT_VARIABLE
-        res
-        OUTPUT_VARIABLE
-        out
-        ERROR_QUIET
-        OUTPUT_STRIP_TRAILING_WHITESPACE)
+	execute_process(
+		COMMAND "${GIT_EXECUTABLE}" ${ARGN}
+		WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+		RESULT_VARIABLE res
+		OUTPUT_VARIABLE out
+		ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE
+	)

-    if(NOT res EQUAL 0)
-        set(out "")
-    endif()
+	if(NOT res EQUAL 0)
+		set(out "")
+	endif()

-    set(${_out} "${out}" PARENT_SCOPE)
+	set(${_out}
+		"${out}"
+		PARENT_SCOPE
+	)
 endfunction()

 function(_falcosecurity_extract_version version_str x y z found)
-    string(REGEX MATCH "^([0-9]+)\\.([0-9]+)\\.([0-9]+)" match_result ${version_str})
+	string(REGEX MATCH "^([0-9]+)\\.([0-9]+)\\.([0-9]+)" match_result ${version_str})

-    if(match_result)
-        string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\1" x_val ${match_result})
-        string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\2" y_val ${match_result})
-        string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\3" z_val ${match_result})
-        set(${x} ${x_val} PARENT_SCOPE)
-        set(${y} ${y_val} PARENT_SCOPE)
-        set(${z} ${z_val} PARENT_SCOPE)
-        set(${found} TRUE PARENT_SCOPE)
-    else()
-        set(${found} FALSE PARENT_SCOPE)
-    endif()
+	if(match_result)
+		string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\1" x_val ${match_result})
+		string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\2" y_val ${match_result})
+		string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\3" z_val ${match_result})
+		set(${x}
+			${x_val}
+			PARENT_SCOPE
+		)
+		set(${y}
+			${y_val}
+			PARENT_SCOPE
+		)
+		set(${z}
+			${z_val}
+			PARENT_SCOPE
+		)
+		set(${found}
+			TRUE
+			PARENT_SCOPE
+		)
+	else()
+		set(${found}
+			FALSE
+			PARENT_SCOPE
+		)
+	endif()
 endfunction()

 # get_version_from_git() provides a basic implementation of the Falco versioning convention.
 #
-# The primary convention is that all version numbers should be a SemVer2.0-compatible string.
-# The version number for the development build must follow a pre-release version pattern.
-# To accomplish this, we use Git as the primary data source to construct the version number
-# automatically. In this regard, the convention assumes that:
-# any Git tag represents an officially released build,
-# and each Git commit could potentially be a development build.
+# The primary convention is that all version numbers should be a SemVer2.0-compatible string. The
+# version number for the development build must follow a pre-release version pattern. To accomplish
+# this, we use Git as the primary data source to construct the version number automatically. In this
+# regard, the convention assumes that: any Git tag represents an officially released build, and each
+# Git commit could potentially be a development build.
 #
-# With those assumptions, the build system will return a version number based on one of
-# the following cases:
+# With those assumptions, the build system will return a version number based on one of the
+# following cases:
 #
-# - If the current Git checkout points to an exact Git tag,
-# we assume it is an officially released version (either a release or a pre-release).
+# * If the current Git checkout points to an exact Git tag, we assume it is an officially released
+#   version (either a release or a pre-release).
 #
-# - If we are in a release branch (with the suffix `release/`),
-# we assume that each commit (i.e., each development build) represents a potential new patch version.
+# * If we are in a release branch (with the suffix `release/`), we assume that each commit (i.e.,
+#   each development build) represents a potential new patch version.
 #
-# - If we are in any other branch,
-# we assume that each commit (i.e., each development build) represents a potential new minor version.
+# * If we are in any other branch, we assume that each commit (i.e., each development build)
+#   represents a potential new minor version.
 #
-# - In any other case (for example, if there's no git information available),
-# version `0.0.0` will be returned as a fallback.
+# * In any other case (for example, if there's no git information available), version `0.0.0` will
+#   be returned as a fallback.
 #
 # For the officially released versions, we assume the Git tag will carry on the correct information,
 # so we return it as-is.
 #
-# For development versions, the string is built as follows:
-# `<x>.<y>.<z>-<count>+<commit>[suffix]`
-# Where:
-# - `<x>.<y>.<z>` represents the next version number, reflecting either a patch for release branches
-# or a minor version for development branches.
-# - `<count>` is the number of commits ahead from either:
-# - the latest tag on the branch, for release branches; or
-# - the closest common ancestor with the branch holding the latest tagged version,
-# for development branches.
-# - `<commit>` refers to the first 7 digits of the commit hash.
-# - `[suffix]` the value of `match_suffix`, if any.
+# For development versions, the string is built as follows: `<x>.<y>.<z>-<count>+<commit>[suffix]`
+# Where: - `<x>.<y>.<z>` represents the next version number, reflecting either a patch for release
+# branches or a minor version for development branches. - `<count>` is the number of commits ahead
+# from either: - the latest tag on the branch, for release branches; or - the closest common
+# ancestor with the branch holding the latest tagged version, for development branches. - `<commit>`
+# refers to the first 7 digits of the commit hash. - `[suffix]` the value of `match_suffix`, if any.
 # Note: all non-alphanumerics will be converted to hyphens.
 #
-#
 # This function sets the resulting version string to a variable in the parent scope.
 #
-# Arguments:
-# - _var            Variable to store the resulting version string.
-# - match_suffix    Only consider Git references with this suffix.
-# - exclude_suffix  Ignore Git references with this suffix.
+# Arguments: - _var            Variable to store the resulting version string. - match_suffix Only
+# consider Git references with this suffix. - exclude_suffix  Ignore Git references with this
+# suffix.
 function(get_version_from_git _var match_suffix exclude_suffix)
-    # Release version
-    # Try to obtain the exact git tag
-    if(exclude_suffix)
-        _falcosecurity_execute_git(tag describe --tags --exact-match --match "*${match_suffix}" --exclude "*${exclude_suffix}" HEAD)
-    else()
-        _falcosecurity_execute_git(tag describe --tags --exact-match --match "*${match_suffix}" HEAD)
-    endif()
+	# Release version Try to obtain the exact git tag
+	if(exclude_suffix)
+		_falcosecurity_execute_git(
+			tag
+			describe
+			--tags
+			--exact-match
+			--match
+			"*${match_suffix}"
+			--exclude
+			"*${exclude_suffix}"
+			HEAD
+		)
+	else()
+		_falcosecurity_execute_git(
+			tag
+			describe
+			--tags
+			--exact-match
+			--match
+			"*${match_suffix}"
+			HEAD
+		)
+	endif()

-    if(tag)
-        # A tag has been found: use it as the libs version
-        set(${_var}
-            "${tag}"
-            PARENT_SCOPE)
-        return()
-    endif()
+	if(tag)
+		# A tag has been found: use it as the libs version
+		set(${_var}
+			"${tag}"
+			PARENT_SCOPE
+		)
+		return()
+	endif()

-    # Otherwise, we are on a dev version
-    _falcosecurity_execute_git(current_hash rev-parse HEAD)
-    _falcosecurity_execute_git(current_hash_short rev-parse --short=7 HEAD)
-    _falcosecurity_execute_git(current_branch rev-parse --abbrev-ref HEAD)
+	# Otherwise, we are on a dev version
+	_falcosecurity_execute_git(current_hash rev-parse HEAD)
+	_falcosecurity_execute_git(current_hash_short rev-parse --short=7 HEAD)
+	_falcosecurity_execute_git(current_branch rev-parse --abbrev-ref HEAD)

-    set(dev_version "0.0.0")
+	set(dev_version "0.0.0")

-    # dev version / in a `release/M.m.x` branch
-    if(current_branch MATCHES "${FALCOSECURITY_RELEASE_BRANCH_REGEX}")
-        # get the latest tag on the release branch
-        set(_options --match "*.*.*${match_suffix}")
+	# dev version / in a `release/M.m.x` branch
+	if(current_branch MATCHES "${FALCOSECURITY_RELEASE_BRANCH_REGEX}")
+		# get the latest tag on the release branch
+		set(_options --match "*.*.*${match_suffix}")

-        if(exclude_suffix)
-            set(_options ${_options} --exclude "*${exclude_suffix}")
-        endif()
+		if(exclude_suffix)
+			set(_options ${_options} --exclude "*${exclude_suffix}")
+		endif()

-        _falcosecurity_execute_git(tag describe --tags ${_options} --abbrev=0 "${current_branch}")
+		_falcosecurity_execute_git(tag describe --tags ${_options} --abbrev=0 "${current_branch}")

-        if(tag)
-            _falcosecurity_extract_version("${tag}" x y z match_found)
+		if(tag)
+			_falcosecurity_extract_version("${tag}" x y z match_found)

-            if(match_found)
-                math(EXPR z_plus_one "${z} + 1")
-                set(dev_version "${x}.${y}.${z_plus_one}")
-            endif()
-        endif()
-    endif()
+			if(match_found)
+				math(EXPR z_plus_one "${z} + 1")
+				set(dev_version "${x}.${y}.${z_plus_one}")
+			endif()
+		endif()
+	endif()

-    # dev version / all other cases (and fallback)
-    if(dev_version MATCHES "0.0.0")
-        # get the latest tag that exactly matches a version number, sorted by version number in descending order
-        _falcosecurity_execute_git(tag for-each-ref --count=1 --sort=-version:refname --format "%(refname:short)" refs/tags/[0-9]*.[0-9]*.[0-9]${match_suffix})
+	# dev version / all other cases (and fallback)
+	if(dev_version MATCHES "0.0.0")
+		# get the latest tag that exactly matches a version number, sorted by version number in
+		# descending order
+		_falcosecurity_execute_git(
+			tag
+			for-each-ref
+			--count=1
+			--sort=-version:refname
+			--format
+			"%(refname:short)"
+			refs/tags/[0-9]*.[0-9]*.[0-9]${match_suffix}
+		)

-        if(tag)
-            _falcosecurity_extract_version("${tag}" x y z match_found)
+		if(tag)
+			_falcosecurity_extract_version("${tag}" x y z match_found)

-            if(match_found)
-                math(EXPR y_plus_one "${y} + 1")
-                set(dev_version "${x}.${y_plus_one}.0")
-            endif()
-        endif()
-    endif()
+			if(match_found)
+				math(EXPR y_plus_one "${y} + 1")
+				set(dev_version "${x}.${y_plus_one}.0")
+			endif()
+		endif()
+	endif()

-    # complete dev version with count and hash
-    if(NOT dev_version MATCHES "0.0.0")
-        _falcosecurity_execute_git(tag_commit rev-list -n 1 "${tag}")
-        _falcosecurity_execute_git(tag_common_ancestor merge-base "${current_hash}" "${tag_commit}")
-        _falcosecurity_execute_git(commits_count rev-list --count "${tag_common_ancestor}..${current_hash}")
+	# complete dev version with count and hash
+	if(NOT dev_version MATCHES "0.0.0")
+		_falcosecurity_execute_git(tag_commit rev-list -n 1 "${tag}")
+		_falcosecurity_execute_git(tag_common_ancestor merge-base "${current_hash}" "${tag_commit}")
+		_falcosecurity_execute_git(
+			commits_count rev-list --count "${tag_common_ancestor}..${current_hash}"
+		)

-        set(dev_version "${dev_version}-${commits_count}+${current_hash_short}")
+		set(dev_version "${dev_version}-${commits_count}+${current_hash_short}")

-        if(match_suffix)
-            string(REGEX REPLACE "[^0-9A-Za-z-]" "-" suffix "${match_suffix}")
-            set(dev_version "${dev_version}${suffix}")
-        endif()
-    endif()
+		if(match_suffix)
+			string(REGEX REPLACE "[^0-9A-Za-z-]" "-" suffix "${match_suffix}")
+			set(dev_version "${dev_version}${suffix}")
+		endif()
+	endif()

-    set(${_var}
-        "${dev_version}"
-        PARENT_SCOPE)
-endfunction()
+	set(${_var}
+		"${dev_version}"
+		PARENT_SCOPE
+	)
+endfunction()
--- a/cmake/modules/b64.cmake
+++ b/cmake/modules/b64.cmake
@ -1,29 +0,0 @@
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-# We take b64 implementation directly from:
-# https://raw.githubusercontent.com/istio/proxy/1.18.2/extensions/common/wasm/base64.h
-
-set(B64_DOWNLOAD_URL "https://raw.githubusercontent.com/istio/proxy/1.18.2/extensions/common/wasm/base64.h")
-set(B64_INCLUDE "${CMAKE_BINARY_DIR}/b64")
-
-if(NOT EXISTS "${B64_INCLUDE}/base64.h")
-	file(MAKE_DIRECTORY "${B64_INCLUDE}")
-	message(STATUS "Download 'base64.h' from: ${B64_DOWNLOAD_URL}")
-	file(DOWNLOAD
-	"${B64_DOWNLOAD_URL}"
-	"${B64_INCLUDE}/base64.h"
-	)
-endif()
-
-include_directories("${B64_INCLUDE}")
--- a/cmake/modules/bs_threadpool.cmake
+++ b/cmake/modules/bs_threadpool.cmake
@ -0,0 +1,47 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+#
+# bshoshany/thread-pool (https://github.com/bshoshany/thread-pool)
+#
+
+option(USE_BUNDLED_BS_THREADPOOL "Enable building of the bundled bs_threadpool" ${USE_BUNDLED_DEPS})
+
+if(BS_THREADPOOL_INCLUDE)
+	# we already have bs_threadpool
+elseif(NOT USE_BUNDLED_BS_THREADPOOL)
+	find_package(bs_threadpool REQUIRED)
+else()
+	set(BS_THREADPOOL_SRC "${PROJECT_BINARY_DIR}/bs_threadpool-prefix/src/bs_threadpool")
+	set(BS_THREADPOOL_INCLUDE "${BS_THREADPOOL_SRC}/include")
+
+	message(STATUS "Using bundled bs_threadpool in '${BS_THREADPOOL_SRC}'")
+
+	ExternalProject_Add(
+		bs_threadpool
+		PREFIX "${PROJECT_BINARY_DIR}/bs_threadpool-prefix"
+		URL "https://github.com/bshoshany/thread-pool/archive/refs/tags/v4.1.0.tar.gz"
+		URL_HASH "SHA256=be7abecbc420bb87919eeef729b13ff7c29d5ce547bdae284923296c695415bd"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+endif()
+
+if(NOT TARGET bs_threadpool)
+	add_custom_target(bs_threadpool)
+endif()
+
+include_directories("${BS_THREADPOOL_INCLUDE}")
--- a/cmake/modules/cares.cmake
+++ b/cmake/modules/cares.cmake
@ -1,51 +0,0 @@
-option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
-
-if(CARES_INCLUDE)
-	# we already have c-ares
-elseif(NOT USE_BUNDLED_CARES)
-	find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
-	find_library(CARES_LIB NAMES cares)
-	if(CARES_INCLUDE AND CARES_LIB)
-		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system c-ares")
-	endif()
-else()
-	if(BUILD_SHARED_LIBS)
-		set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(CARES_CPPFLAGS )
-		set(CARES_STATIC_OPTION )
-	else()
-		set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(CARES_CPPFLAGS -DCARES_STATICLIB)
-		set(CARES_STATIC_OPTION --disable-shared)
-	endif()
-	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
-	set(CARES_INCLUDE "${CARES_SRC}/target/include/")
-	set(CARES_LIB "${CARES_SRC}/target/lib/libcares${CARES_LIB_SUFFIX}")
-	set(CARES_INSTALL_DIR "${CARES_SRC}/target")
-
-	if(NOT TARGET c-ares)
-		message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
-		ExternalProject_Add(c-ares
-			PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
-			URL "https://c-ares.haxx.se/download/c-ares-1.19.1.tar.gz"
-			URL_HASH "SHA256=321700399b72ed0e037d0074c629e7741f6b2ec2dda92956abe3e9671d3e268e"
-			CONFIGURE_COMMAND CPPFLAGS=${CARES_CPPFLAGS} ./configure ${CARES_STATIC_OPTION} --prefix=${CARES_INSTALL_DIR}
-                        BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
-                        INSTALL_COMMAND ${CMAKE_MAKE_PROGRAM} install)
-		install(FILES "${CARES_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${CARES_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-	endif()
-
-endif()
-
-if(NOT TARGET c-ares)
-	add_custom_target(c-ares)
-endif()
-
-include_directories("${CARES_INCLUDE}")
--- a/cmake/modules/compute_versions.cmake
+++ b/cmake/modules/compute_versions.cmake
@ -1,23 +1,51 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 # Computes API/SCHEMA major, minor, patch and git commit
 macro(compute_versions api_version_path schema_version_path)
-    
-    # API VERSION
-    file(STRINGS ${api_version_path} DRIVER_API_VERSION LIMIT_COUNT 1)
-    string(REGEX MATCHALL "[0-9]+" DRIVER_API_COMPONENTS "${DRIVER_API_VERSION}")
-    list(GET DRIVER_API_COMPONENTS 0 PPM_API_CURRENT_VERSION_MAJOR)
-    list(GET DRIVER_API_COMPONENTS 1 PPM_API_CURRENT_VERSION_MINOR)
-    list(GET DRIVER_API_COMPONENTS 2 PPM_API_CURRENT_VERSION_PATCH)
-    message(STATUS "Driver API version ${PPM_API_CURRENT_VERSION_MAJOR}.${PPM_API_CURRENT_VERSION_MINOR}.${PPM_API_CURRENT_VERSION_PATCH}")

-    # SCHEMA VERSION
-    file(STRINGS ${schema_version_path} DRIVER_SCHEMA_VERSION LIMIT_COUNT 1)
-    string(REGEX MATCHALL "[0-9]+" DRIVER_SCHEMA_COMPONENTS "${DRIVER_SCHEMA_VERSION}")
-    list(GET DRIVER_SCHEMA_COMPONENTS 0 PPM_SCHEMA_CURRENT_VERSION_MAJOR)
-    list(GET DRIVER_SCHEMA_COMPONENTS 1 PPM_SCHEMA_CURRENT_VERSION_MINOR)
-    list(GET DRIVER_SCHEMA_COMPONENTS 2 PPM_SCHEMA_CURRENT_VERSION_PATCH)
-    message(STATUS "Driver schema version ${PPM_SCHEMA_CURRENT_VERSION_MAJOR}.${PPM_SCHEMA_CURRENT_VERSION_MINOR}.${PPM_SCHEMA_CURRENT_VERSION_PATCH}")
+	# API VERSION
+	file(STRINGS ${api_version_path} DRIVER_API_VERSION LIMIT_COUNT 1)
+	string(REGEX MATCHALL "[0-9]+" DRIVER_API_COMPONENTS "${DRIVER_API_VERSION}")
+	list(GET DRIVER_API_COMPONENTS 0 PPM_API_CURRENT_VERSION_MAJOR)
+	list(GET DRIVER_API_COMPONENTS 1 PPM_API_CURRENT_VERSION_MINOR)
+	list(GET DRIVER_API_COMPONENTS 2 PPM_API_CURRENT_VERSION_PATCH)
+	message(
+		STATUS
+			"Driver API version ${PPM_API_CURRENT_VERSION_MAJOR}.${PPM_API_CURRENT_VERSION_MINOR}.${PPM_API_CURRENT_VERSION_PATCH}"
+	)

-    # GIT COMMIT
-    execute_process(COMMAND git rev-parse HEAD OUTPUT_VARIABLE GIT_COMMIT ERROR_QUIET WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
-    string(STRIP "${GIT_COMMIT}" GIT_COMMIT)
+	# SCHEMA VERSION
+	file(STRINGS ${schema_version_path} DRIVER_SCHEMA_VERSION LIMIT_COUNT 1)
+	string(REGEX MATCHALL "[0-9]+" DRIVER_SCHEMA_COMPONENTS "${DRIVER_SCHEMA_VERSION}")
+	list(GET DRIVER_SCHEMA_COMPONENTS 0 PPM_SCHEMA_CURRENT_VERSION_MAJOR)
+	list(GET DRIVER_SCHEMA_COMPONENTS 1 PPM_SCHEMA_CURRENT_VERSION_MINOR)
+	list(GET DRIVER_SCHEMA_COMPONENTS 2 PPM_SCHEMA_CURRENT_VERSION_PATCH)
+	message(
+		STATUS
+			"Driver schema version ${PPM_SCHEMA_CURRENT_VERSION_MAJOR}.${PPM_SCHEMA_CURRENT_VERSION_MINOR}.${PPM_SCHEMA_CURRENT_VERSION_PATCH}"
+	)
+
+	# GIT COMMIT
+	if(NOT DEFINED GIT_COMMIT)
+		execute_process(
+			COMMAND git rev-parse HEAD
+			OUTPUT_VARIABLE GIT_COMMIT
+			ERROR_QUIET
+			WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+		)
+	endif()
+	string(STRIP "${GIT_COMMIT}" GIT_COMMIT)
 endmacro()
--- a/cmake/modules/container_plugin.cmake
+++ b/cmake/modules/container_plugin.cmake
@ -0,0 +1,44 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2025 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+include(ExternalProject)
+
+string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
+
+set(CONTAINER_LIBRARY
+	"${CMAKE_CURRENT_BINARY_DIR}/container_plugin-prefix/src/container_plugin/libcontainer.so"
+)
+
+if(NOT CONTAINER_VERSION)
+	set(CONTAINER_VERSION "0.3.4")
+endif()
+if(NOT CONTAINER_HASH)
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(CONTAINER_HASH "658f96c4b4a56d1bf945a788d60571076f808ae1bcc877c4ba3625b0fd752d8d")
+	else() # arm64
+		set(CONTAINER_HASH "34a153aca0164843a169193aba092a3063b24bca9ef80fd4f1d1f1919aba3bde")
+	endif()
+endif()
+if(NOT TARGET container_plugin)
+	message(STATUS "Fetching container plugin ${CONTAINER_VERSION} in '${CONTAINER_LIBRARY}'")
+	ExternalProject_Add(
+		container_plugin
+		URL "https://download.falco.org/plugins/stable/container-${CONTAINER_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+		URL_HASH "SHA256=${CONTAINER_HASH}"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+endif()
--- a/cmake/modules/curl.cmake
+++ b/cmake/modules/curl.cmake
@ -1,103 +0,0 @@
-#
-# libcurl
-#
-option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
-
-include(openssl)
-include(zlib)
-
-if(CURL_INCLUDE_DIRS)
-	# we already have curl
-elseif(NOT USE_BUNDLED_CURL)
-	find_package(CURL REQUIRED)
-	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
-else()
-	if(BUILD_SHARED_LIBS)
-		set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(CURL_STATIC_OPTION )
-	else()
-		set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(CURL_STATIC_OPTION --disable-shared)
-	endif()
-	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-	set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
-	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
-
-	if(NOT USE_BUNDLED_OPENSSL)
-		set(CURL_SSL_OPTION "--with-ssl")
-	else()
-		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-		message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
-	endif()
-
-	if(NOT USE_BUNDLED_ZLIB)
-		set(CURL_ZLIB_OPTION "--with-zlib")
-	else()
-		set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
-		message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
-	endif()
-	message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-
-	if(NOT TARGET curl)
-		ExternalProject_Add(
-			curl
-			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
-			DEPENDS openssl zlib
-			URL "https://github.com/curl/curl/releases/download/curl-8_2_0/curl-8.2.0.tar.bz2"
-			URL_HASH "SHA256=080aaa5bef29ab3f592101e7a95f32ddbe88b92125cb28dde479d5a104928ea4"
-			CONFIGURE_COMMAND
-			./configure
-			${CURL_SSL_OPTION}
-			${CURL_ZLIB_OPTION}
-			${CURL_STATIC_OPTION}
-			--enable-optimize
-			--disable-curldebug
-			--disable-rt
-			--enable-http
-			--disable-ftp
-			--disable-file
-			--disable-ldap
-			--disable-ldaps
-			--disable-rtsp
-			--disable-telnet
-			--disable-tftp
-			--disable-pop3
-			--disable-imap
-			--disable-smb
-			--disable-smtp
-			--disable-gopher
-			--disable-sspi
-			--disable-ntlm-wb
-			--disable-tls-srp
-			--without-winssl
-			--without-polarssl
-			--without-cyassl
-			--without-nss
-			--without-axtls
-			--without-librtmp
-			--without-winidn
-			--without-libidn2
-			--without-libpsl
-			--without-nghttp2
-			--without-libssh2
-			--with-ca-path=/etc/ssl/certs/
-			--disable-threaded-resolver
-			--without-brotli
-			--without-zstd
-                        BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${CURL_LIBRARIES}
-			INSTALL_COMMAND "")
-		install(FILES "${CURL_LIBRARIES}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps")
-		install(DIRECTORY "${CURL_INCLUDE_DIRS}curl" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-			FILES_MATCHING PATTERN "*.h")
-	endif()
-endif()
-
-if(NOT TARGET curl)
-	add_custom_target(curl)
-endif()
-
-include_directories("${CURL_INCLUDE_DIRS}")
--- a/cmake/modules/engine_config.cmake
+++ b/cmake/modules/engine_config.cmake
@ -0,0 +1,31 @@
+option(CREATE_TEST_TARGETS "Enable make-targets for unit testing" ON)
+
+if(CREATE_TEST_TARGETS)
+	# Add engine only used for testing
+	set(HAS_ENGINE_TEST_INPUT On)
+endif()
+
+set(HAS_ENGINE_NODRIVER On)
+set(HAS_ENGINE_SAVEFILE On)
+set(HAS_ENGINE_SOURCE_PLUGIN On)
+
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	option(ENABLE_ENGINE_KMOD "Enable kernel module engine" ON)
+	option(ENABLE_ENGINE_BPF "Enable bpf engine" ON)
+
+	set(HAS_ENGINE_KMOD ${ENABLE_ENGINE_KMOD})
+	set(HAS_ENGINE_BPF ${ENABLE_ENGINE_BPF})
+
+	option(BUILD_LIBSCAP_MODERN_BPF "Enable modern bpf probe" OFF)
+	if(BUILD_LIBSCAP_MODERN_BPF)
+		set(HAS_ENGINE_MODERN_BPF On)
+	endif()
+endif()
+
+# gVisor is currently only supported on Linux x86_64
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux")
+	option(BUILD_LIBSCAP_GVISOR "Build gVisor support" ON)
+	if(BUILD_LIBSCAP_GVISOR)
+		set(HAS_ENGINE_GVISOR On)
+	endif()
+endif()
--- a/cmake/modules/googleBenchmark.cmake
+++ b/cmake/modules/googleBenchmark.cmake
@ -0,0 +1,27 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+# Disable the Google Benchmark requirement on Google Test
+set(BENCHMARK_ENABLE_TESTING OFF)
+
+include(FetchContent)
+
+FetchContent_Declare(
+	googlebenchmark
+	GIT_REPOSITORY https://github.com/google/benchmark.git
+	GIT_TAG v1.9.0
+)
+
+FetchContent_MakeAvailable(googlebenchmark)
--- a/cmake/modules/grpc.cmake
+++ b/cmake/modules/grpc.cmake
@ -1,208 +0,0 @@
-option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
-
-if(GRPC_INCLUDE)
-	# we already have grpc
-elseif(NOT USE_BUNDLED_GRPC)
-	# gRPC
-	find_package(gRPC CONFIG)
-	if(gRPC_FOUND)
-		message(STATUS "Using gRPC ${gRPC_VERSION}")
-		set(GPR_LIB gRPC::gpr)
-		set(GRPC_LIB gRPC::grpc)
-		set(GRPCPP_LIB gRPC::grpc++)
-
-		# gRPC C++ plugin
-		get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
-		if(NOT GRPC_CPP_PLUGIN)
-			message(FATAL_ERROR "System grpc_cpp_plugin not found")
-		endif()
-
-		# gRPC include dir + properly handle grpc{++,pp}
-		get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
-		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h PATHS ${GRPC_INCLUDE})
-		if(NOT GRPCXX_INCLUDE)
-			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h PATHS ${GRPC_INCLUDE})
-			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-		endif()
-	else()
-		# Fallback to manually find libraries;
-		# Some distro, namely Ubuntu focal, do not install gRPC config cmake module
-		find_library(GPR_LIB NAMES gpr)
-		if(GPR_LIB)
-			message(STATUS "Found gpr lib: ${GPR_LIB}")
-		else()
-			message(FATAL_ERROR "Couldn't find system gpr")
-		endif()
-		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
-		if(GRPCXX_INCLUDE)
-			set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
-		else()
-			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
-			set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
-			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-		endif()
-		find_library(GRPC_LIB NAMES grpc)
-		find_library(GRPCPP_LIB NAMES grpc++)
-		if(GRPC_INCLUDE AND GRPC_LIB AND GRPCPP_LIB)
-			message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
-		else()
-			message(FATAL_ERROR "Couldn't find system grpc")
-		endif()
-		find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
-		if(NOT GRPC_CPP_PLUGIN)
-			message(FATAL_ERROR "System grpc_cpp_plugin not found")
-		endif()
-	endif()
-else()
-	include(cares)
-	include(protobuf)
-	include(zlib)
-	include(openssl)
-	if(BUILD_SHARED_LIBS)
-		set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
-	else()
-		set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
-	endif()
-	include(re2)
-	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
-	set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
-	set(GRPC_INCLUDE 
-		"${GRPC_INSTALL_DIR}/include"
-		"${GRPC_SRC}/third_party/abseil-cpp")
-	set(GPR_LIB "${GRPC_SRC}/libgpr.a")
-	set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
-	set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
-	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
-	set(GRPC_MAIN_LIBS "")
-	list(APPEND GRPC_MAIN_LIBS
-		"${GPR_LIB}" 
-		"${GRPC_LIB}" 
-		"${GRPCPP_LIB}"
-		"${GRPC_SRC}/libgrpc++_alts.a"
-		"${GRPC_SRC}/libgrpc++_error_details.a"
-		"${GRPC_SRC}/libgrpc++_reflection.a"
-		"${GRPC_SRC}/libgrpc++_unsecure.a"
-		"${GRPC_SRC}/libgrpc_plugin_support.a"
-		"${GRPC_SRC}/libgrpc_unsecure.a"
-		"${GRPC_SRC}/libgrpcpp_channelz.a"
-	)
-
-	get_filename_component(PROTOC_DIR ${PROTOC} PATH)
-
-	if(NOT TARGET grpc)
-		message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
-
-		# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP cmakefiles)
-		# into target_link_libraries later
-		# note: the list below is manually generated starting from the output of pkg-config --libs grpc++
-		set(GRPC_LIBRARIES "")
-		list(APPEND GRPC_LIBRARIES
-			"${GRPC_SRC}/libaddress_sorting.a"
-			"${GRPC_SRC}/libupb.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
-		)
-		
-		ExternalProject_Add(grpc
-			PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
-			DEPENDS openssl protobuf c-ares zlib re2
-			GIT_REPOSITORY https://github.com/grpc/grpc.git
-			GIT_TAG v1.44.0
-			GIT_SUBMODULES "third_party/abseil-cpp"
-			CMAKE_CACHE_ARGS
-				-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
-				-DCMAKE_BUILD_TYPE:STRING=Release
-				-DgRPC_INSTALL:BOOL=OFF
-				# disable unused stuff
-				-DgRPC_BUILD_TESTS:BOOL=OFF
-				-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
-				-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
-				# deps provided by us
-				# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
-				-DgRPC_CARES_PROVIDER:STRING=package
-				-Dc-ares_DIR:PATH=${CARES_SRC}
-				-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
-				-Dc-ares_LIBRARY:PATH=${CARES_LIB}
-				# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
-				-DgRPC_PROTOBUF_PROVIDER:STRING=package
-				-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
-				-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
-				-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
-				-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
-				-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
-				# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
-				-DgRPC_SSL_PROVIDER:STRING=package
-				-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
-				-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
-				# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
-				-DgRPC_ZLIB_PROVIDER:STRING=package
-				-DZLIB_ROOT:STRING=${ZLIB_SRC}
-				# RE2
-				-DgRPC_RE2_PROVIDER:STRING=package
-				-Dre2_DIR:PATH=${RE2_DIR}
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
-			# Keep installation files into the local ${GRPC_INSTALL_DIR} 
-			# since here is the case when we are embedding gRPC
-			UPDATE_COMMAND ""
-                        INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
-		)
-		install(FILES ${GRPC_MAIN_LIBS} DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(FILES ${GRPC_LIBRARIES} DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${GRPC_SRC}/target/include/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-	endif()
-endif()
-
-if(NOT TARGET grpc)
-	add_custom_target(grpc)
-endif()
-
-include_directories("${GRPC_INCLUDE}")
--- a/cmake/modules/gtest.cmake
+++ b/cmake/modules/gtest.cmake
@ -1,43 +1,77 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 option(USE_BUNDLED_GTEST "Enable building of the bundled gtest" ${USE_BUNDLED_DEPS})

 if(GTEST_INCLUDE_DIR)
 	# we already have gtest
 elseif(NOT USE_BUNDLED_GTEST)
-	find_path(GTEST_INCLUDE_DIR PATH_SUFFIXES gtest NAMES gtest.h)
+	find_path(
+		GTEST_INCLUDE_DIR
+		PATH_SUFFIXES gtest
+		NAMES gtest.h
+	)
 	find_library(GTEST_LIB NAMES gtest)
 	find_library(GTEST_MAIN_LIB NAMES gtest_main)
-	if(GTEST_INCLUDE_DIR AND GTEST_LIB AND GTEST_MAIN_LIB)
-		message(STATUS "Found gtest: include: ${GTEST_INCLUDE_DIR}, lib: ${GTEST_LIB}, main lib: ${GTEST_MAIN_LIB}")
+	if(GTEST_INCLUDE_DIR
+	   AND GTEST_LIB
+	   AND GTEST_MAIN_LIB
+	)
+		message(
+			STATUS
+				"Found gtest: include: ${GTEST_INCLUDE_DIR}, lib: ${GTEST_LIB}, main lib: ${GTEST_MAIN_LIB}"
+		)
 	else()
 		message(FATAL_ERROR "Couldn't find system gtest")
 	endif()
 else()
 	# https://github.com/google/googletest/tree/main/googletest#incorporating-into-an-existing-cmake-project
 	# Download and unpack googletest at configure time
-	configure_file(CMakeListsGtestInclude.cmake ${PROJECT_BINARY_DIR}/googletest-download/CMakeLists.txt)
-	execute_process(COMMAND ${CMAKE_COMMAND} -G "${CMAKE_GENERATOR}" .
+	configure_file(
+		CMakeListsGtestInclude.cmake ${PROJECT_BINARY_DIR}/googletest-download/CMakeLists.txt
+	)
+	execute_process(
+		COMMAND ${CMAKE_COMMAND} -G "${CMAKE_GENERATOR}" .
 		RESULT_VARIABLE result
-		WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download )
+		WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download
+	)
 	if(result)
 		message(FATAL_ERROR "CMake step for googletest failed: ${result}")
 	endif()
-	execute_process(COMMAND ${CMAKE_COMMAND} --build .
+	execute_process(
+		COMMAND ${CMAKE_COMMAND} --build .
 		RESULT_VARIABLE result
-		WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download )
+		WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download
+	)
 	if(result)
 		message(FATAL_ERROR "Build step for googletest failed: ${result}")
 	endif()

-	# Add googletest directly to our build. This defines
-	# the gtest and gtest_main targets.
-	add_subdirectory(${PROJECT_BINARY_DIR}/googletest-src
-					 ${PROJECT_BINARY_DIR}/googletest-build
-					 EXCLUDE_FROM_ALL)
+	# Add googletest directly to our build. This defines the gtest and gtest_main targets.
+	add_subdirectory(
+		${PROJECT_BINARY_DIR}/googletest-src ${PROJECT_BINARY_DIR}/googletest-build
+		EXCLUDE_FROM_ALL
+	)

 	set(GTEST_INCLUDE_DIR "${gtest_SOURCE_DIR}/include")
 	set(GTEST_MAIN_LIB "gtest_main")
-	install(DIRECTORY "${GTEST_INCLUDE_DIR}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps")
+	install(
+		DIRECTORY "${GTEST_INCLUDE_DIR}"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
 endif()

 if(NOT TARGET gtest)
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@ -1,79 +0,0 @@
-#
-# jq
-#
-option(USE_BUNDLED_JQ "Enable building of the bundled jq" ${USE_BUNDLED_DEPS})
-
-if(JQ_INCLUDE)
-	# we already have jq
-elseif(NOT USE_BUNDLED_JQ)
-	find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-	find_library(JQ_LIB NAMES jq)
-	if(JQ_INCLUDE AND JQ_LIB)
-		message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system jq")
-	endif()
-else()
-	set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-	message(STATUS "Using bundled jq in '${JQ_SRC}'")
-	set(JQ_INCLUDE "${JQ_SRC}/target/include/")
-	set(JQ_INSTALL_DIR "${JQ_SRC}/target")
-	if(BUILD_SHARED_LIBS)
-		set(JQ_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(JQ_STATIC_OPTION --enable-shared --disable-static)
-		set(JQ_LDFLAGS )
-	else()
-		set(JQ_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(JQ_STATIC_OPTION --enable-all-static)
-		set(JQ_LDFLAGS -all-static)
-	endif()
-	set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq${JQ_LIB_SUFFIX}")
-	set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig${JQ_LIB_SUFFIX}")
-
-	if(APPLE)
-		unset(JQ_LDFLAGS)
-		set(CPPFLAGS -D_REENTRANT)
-	endif()
-
-	if(NOT TARGET jq)
-		message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-
-		# Why we mirror jq here?
-		#
-		# In their readme, jq claims that you don't have
-		# to do autoreconf -fi when downloading a released tarball.
-		#
-		# However, they forgot to push the released makefiles
-		# into their release tarbal.
-		#
-		# For this reason, we have to mirror their release after
-		# doing the configuration ourselves.
-		#
-		# This is needed because many distros do not ship the right
-		# version of autoreconf, making virtually impossible to build libs on them.
-		# Read more about it here:
-		#   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
-		ExternalProject_Add(
-			jq
-			PREFIX "${PROJECT_BINARY_DIR}/jq-prefix"
-			URL "https://download.falco.org/dependencies/jq-1.6.tar.gz"
-			URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
-			CONFIGURE_COMMAND CPPFLAGS=${CPPFLAGS} ./configure --disable-maintainer-mode ${JQ_STATIC_OPTION} --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
-                        BUILD_COMMAND ${CMAKE_MAKE_PROGRAM} clean all LDFLAGS=${JQ_LDFLAGS}
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${JQ_LIB} ${ONIGURUMA_LIB}
-                        INSTALL_COMMAND ${CMAKE_MAKE_PROGRAM} install)
-		install(FILES "${JQ_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(FILES "${ONIGURUMA_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${JQ_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-	endif()
-endif()
-
-if(NOT TARGET jq)
-	add_custom_target(jq)
-endif()
-
-include_directories("${JQ_INCLUDE}")
--- a/cmake/modules/jsoncpp.cmake
+++ b/cmake/modules/jsoncpp.cmake
@ -1,5 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# JsonCpp
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(USE_BUNDLED_JSONCPP "Enable building of the bundled jsoncpp" ${USE_BUNDLED_DEPS})
@ -34,65 +45,70 @@ else()
 		message(STATUS "Using bundled jsoncpp in '${JSONCPP_SRC}'")
 		if(NOT WIN32)
 			ExternalProject_Add(
-					jsoncpp
-					PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
-					URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
-					URL_HASH
-					"SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
-					CMAKE_ARGS
-						-DBUILD_OBJECT_LIBS=Off
-						${JSONCPP_STATIC_OPTION}
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DJSONCPP_WITH_TESTS=Off
-						-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-						-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-						-DCMAKE_INSTALL_LIBDIR=lib
+				jsoncpp
+				PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
+				URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
+				URL_HASH "SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
+				CMAKE_ARGS -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DBUILD_OBJECT_LIBS=Off
+						   ${JSONCPP_STATIC_OPTION}
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DJSONCPP_WITH_TESTS=Off
+						   -DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
+						   -DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
+						   -DCMAKE_INSTALL_LIBDIR=lib
+				BUILD_BYPRODUCTS ${JSONCPP_LIB}
 			)
 		else()
 			# see: https://cmake.org/cmake/help/latest/policy/CMP0091.html
 			if(CMAKE_VERSION VERSION_LESS 3.15.0)
 				ExternalProject_Add(
-						jsoncpp
-						PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
-						URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
-						URL_HASH
+					jsoncpp
+					PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
+					URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
+					URL_HASH
 						"SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
-						CMAKE_ARGS
-						-DCMAKE_CXX_FLAGS_DEBUG="/MTd /Od"
-						-DCMAKE_CXX_FLAGS_RELEASE="/MT"
-						-DBUILD_OBJECT_LIBS=Off
-						${JSONCPP_STATIC_OPTION}
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DJSONCPP_WITH_TESTS=Off
-						-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-						-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-						-DCMAKE_INSTALL_LIBDIR=lib
+					CMAKE_ARGS -DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
+							   -DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
+							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DBUILD_OBJECT_LIBS=Off
+							   ${JSONCPP_STATIC_OPTION}
+							   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+							   -DJSONCPP_WITH_TESTS=Off
+							   -DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
+							   -DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
+							   -DCMAKE_INSTALL_LIBDIR=lib
 				)
 			else()
 				ExternalProject_Add(
-						jsoncpp
-						PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
-						URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
-						URL_HASH
+					jsoncpp
+					PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
+					URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
+					URL_HASH
 						"SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
-						CMAKE_ARGS
-						-DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-						-DCMAKE_MSVC_RUNTIME_LIBRARY:STRING=MultiThreaded$<$<CONFIG:Debug>:Debug>
-						-DBUILD_OBJECT_LIBS=Off
-						${JSONCPP_STATIC_OPTION}
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DJSONCPP_WITH_TESTS=Off
-						-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-						-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-						-DCMAKE_INSTALL_LIBDIR=lib
+					CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+							   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+							   -DBUILD_OBJECT_LIBS=Off
+							   ${JSONCPP_STATIC_OPTION}
+							   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+							   -DJSONCPP_WITH_TESTS=Off
+							   -DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
+							   -DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
+							   -DCMAKE_INSTALL_LIBDIR=lib
 				)
 			endif()
 		endif()

-		install(FILES "${JSONCPP_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${JSONCPP_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
+		install(
+			FILES "${JSONCPP_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${JSONCPP_INCLUDE}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
 	endif()
 endif()

--- a/cmake/modules/libbpf.cmake
+++ b/cmake/modules/libbpf.cmake
@ -1,44 +1,80 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# libbpf
+# Copyright (C) 2023 The Falco Authors.
 #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 option(USE_BUNDLED_LIBBPF "Enable building of the bundled libbpf" ${USE_BUNDLED_DEPS})

-if(LIBBPF_INCLUDE)
-    # we already have libbpf
+if(TARGET lbpf)
+	# we already have libbpf
 elseif(NOT USE_BUNDLED_LIBBPF)
-    find_path(LIBBPF_INCLUDE bpf/libbpf.h)
-    find_library(LIBBPF_LIB NAMES bpf)
-    if(LIBBPF_INCLUDE AND LIBBPF_LIB)
-        message(STATUS "Found libbpf: include: ${LIBBPF_INCLUDE}, lib: ${LIBBPF_LIB}")
-    else()
-        message(FATAL_ERROR "Couldn't find system libbpf")
-    endif()
+	include(zlib)
+	include(libelf)
+	find_path(LIBBPF_INCLUDE bpf/libbpf.h)
+	find_library(LIBBPF_LIB NAMES bpf)
+	if(LIBBPF_INCLUDE AND LIBBPF_LIB)
+		add_library(lbpf STATIC IMPORTED GLOBAL)
+		set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
+		target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
+		target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
+
+		message(STATUS "Found libbpf: include: ${LIBBPF_INCLUDE}, lib: ${LIBBPF_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system libbpf")
+	endif()
 else()
-    set(LIBBPF_SRC "${PROJECT_BINARY_DIR}/libbpf-prefix/src")
-    set(LIBBPF_BUILD_DIR "${LIBBPF_SRC}/libbpf-build")
-    set(LIBBPF_INCLUDE "${LIBBPF_BUILD_DIR}/root/usr/include")
-    set(LIBBPF_LIB "${LIBBPF_BUILD_DIR}/root/usr/lib64/libbpf.a")
-    ExternalProject_Add(
-        libbpf
-        PREFIX "${PROJECT_BINARY_DIR}/libbpf-prefix"
-        DEPENDS zlib libelf
-        URL "https://github.com/libbpf/libbpf/archive/refs/tags/v1.2.2.tar.gz"
-        URL_HASH
-        "SHA256=32b0c41eabfbbe8e0c8aea784d7495387ff9171b5a338480a8fbaceb9da8d5e5"
-        CONFIGURE_COMMAND mkdir -p build root
-        BUILD_COMMAND ${CMAKE_MAKE_PROGRAM} BUILD_STATIC_ONLY=y OBJDIR=${LIBBPF_BUILD_DIR}/build DESTDIR=${LIBBPF_BUILD_DIR}/root NO_PKG_CONFIG=1 "EXTRA_CFLAGS=-fPIC -I${LIBELF_INCLUDE} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic" "EXTRA_LDFLAGS=-L${LIBELF_SRC}/libelf/libelf -L${ZLIB_SRC}" -C ${LIBBPF_SRC}/libbpf/src install install_uapi_headers
-        INSTALL_COMMAND ""
-        UPDATE_COMMAND ""
-    )
-    message(STATUS "Using bundled libbpf: include'${LIBBPF_INCLUDE}', lib: ${LIBBPF_LIB}")
-    install(FILES "${LIBBPF_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-            COMPONENT "libs-deps")
-    install(DIRECTORY "${LIBBPF_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-            COMPONENT "libs-deps")
-endif()
+	include(zlib)
+	include(libelf)
+	set(LIBBPF_SRC "${PROJECT_BINARY_DIR}/libbpf-prefix/src")
+	set(LIBBPF_BUILD_DIR "${LIBBPF_SRC}/libbpf-build")
+	set(LIBBPF_INCLUDE "${LIBBPF_BUILD_DIR}/root/usr/include")
+	set(LIBBPF_LIB "${LIBBPF_BUILD_DIR}/root/usr/lib64/libbpf.a")

-if(NOT TARGET libbpf)
-    add_custom_target(libbpf)
-endif()
+	get_target_property(LIBELF_INCLUDE_DIR elf INCLUDE_DIRECTORIES)

-include_directories(${LIBBPF_INCLUDE})
+	foreach(dir ${LIBELF_INCLUDE_DIR})
+		string(APPEND LIBELF_COMPILER_STRING "-I${dir} ")
+	endforeach()
+
+	ExternalProject_Add(
+		libbpf
+		PREFIX "${PROJECT_BINARY_DIR}/libbpf-prefix"
+		DEPENDS zlib elf
+		URL "https://github.com/libbpf/libbpf/archive/refs/tags/v1.3.0.tar.gz"
+		URL_HASH "SHA256=11db86acd627e468bc48b7258c1130aba41a12c4d364f78e184fd2f5a913d861"
+		CONFIGURE_COMMAND mkdir -p build root
+		BUILD_COMMAND
+			make BUILD_STATIC_ONLY=y OBJDIR=${LIBBPF_BUILD_DIR}/build
+			DESTDIR=${LIBBPF_BUILD_DIR}/root NO_PKG_CONFIG=1
+			"EXTRA_CFLAGS=-fPIC ${LIBELF_COMPILER_STRING} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic"
+			"EXTRA_LDFLAGS=-L${LIBELF_SRC}/libelf/libelf -L${ZLIB_SRC}" -C ${LIBBPF_SRC}/libbpf/src
+			install install_uapi_headers
+		INSTALL_COMMAND ""
+		UPDATE_COMMAND ""
+		BUILD_BYPRODUCTS ${LIBBPF_LIB}
+	)
+
+	add_library(lbpf STATIC IMPORTED GLOBAL)
+	set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
+	file(MAKE_DIRECTORY ${LIBBPF_INCLUDE}) # necessary to make target_include_directories() work
+	target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
+	add_dependencies(lbpf libbpf)
+	target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
+
+	message(STATUS "Using bundled libbpf: include'${LIBBPF_INCLUDE}', lib: ${LIBBPF_LIB}")
+	install(
+		FILES "${LIBBPF_LIB}"
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
+endif()
--- a/cmake/modules/libelf.cmake
+++ b/cmake/modules/libelf.cmake
@ -1,59 +1,75 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# LIBELF
+# Copyright (C) 2023 The Falco Authors.
 #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+include_guard()
+
 option(USE_BUNDLED_LIBELF "Enable building of the bundled libelf" ${USE_BUNDLED_DEPS})
+option(USE_SHARED_LIBELF "When not using bundled libelf, link it dynamically" ON)

-if(LIBELF_INCLUDE)
-    # we already have LIBELF
+if(TARGET elf)
+	# we already have libelf
 elseif(NOT USE_BUNDLED_LIBELF)
-    find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
-    if(BUILD_SHARED_LIBS)
-        set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-    else()
-        set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-    endif()
-    find_library(LIBELF_LIB NAMES libelf${LIBELF_LIB_SUFFIX})
-    if(LIBELF_LIB)
-        message(STATUS "Found LIBELF: include: ${LIBELF_INCLUDE}, lib: ${LIBELF_LIB}")
-    else()
-        message(FATAL_ERROR "Couldn't find system libelf")
-    endif()
-    # We add a custom target, in this way we can always depend on `libelf`
-    # without distinguishing between "bundled" and "not-bundled" case
-    add_custom_target(libelf)
+	find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
+	if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
+		set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	# Zig workaround: since it won't look up in /usr/lib/..., add an HINT
+	if(CMAKE_C_COMPILER MATCHES "zig")
+		find_library(
+			LIBELF_LIB
+			NAMES libelf${LIBELF_LIB_SUFFIX}
+			HINTS /usr/lib/${CMAKE_SYSTEM_PROCESSOR}-linux-gnu/
+		)
+	else()
+		find_library(LIBELF_LIB NAMES libelf${LIBELF_LIB_SUFFIX})
+	endif()
+	if(LIBELF_LIB)
+		# Zig workaround: avoid include whole /usr/include because it would include also system
+		# glibc headers breaking the build since we are targeting the build against our boostrapped
+		# zig.
+		if(CMAKE_C_COMPILER MATCHES "zig")
+			message(STATUS "Enabling zig workaround for libelf")
+			configure_file(${LIBELF_INCLUDE}/libelf.h libelf/libelf.h COPYONLY)
+			configure_file(${LIBELF_INCLUDE}/elf.h libelf/elf.h COPYONLY)
+			configure_file(${LIBELF_INCLUDE}/gelf.h libelf/gelf.h COPYONLY)
+			set(LIBELF_INCLUDE ${CMAKE_CURRENT_BINARY_DIR}/libelf)
+		endif()
+		message(STATUS "Found LIBELF: include: ${LIBELF_INCLUDE}, lib: ${LIBELF_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system libelf")
+	endif()
+
+	if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
+		add_library(elf SHARED IMPORTED GLOBAL)
+	else()
+		add_library(elf STATIC IMPORTED GLOBAL)
+	endif()
+
+	set_target_properties(elf PROPERTIES IMPORTED_LOCATION ${LIBELF_LIB})
+	target_include_directories(elf INTERFACE ${LIBELF_INCLUDE})
 else()
-    if(BUILD_SHARED_LIBS)
-        set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-    else()
-        set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-    endif()
-    set(LIBELF_SRC "${PROJECT_BINARY_DIR}/libelf-prefix/src")
-    set(LIBELF_INCLUDE "${LIBELF_SRC}/libelf/libelf")
-    set(LIBELF_LIB "${LIBELF_SRC}/libelf/libelf/libelf${LIBELF_LIB_SUFFIX}")
-    ExternalProject_Add(
-            libelf
-            PREFIX "${PROJECT_BINARY_DIR}/libelf-prefix"
-            DEPENDS zlib
-            URL "https://sourceware.org/elfutils/ftp/0.187/elfutils-0.187.tar.bz2"
-            URL_HASH "SHA256=e70b0dfbe610f90c4d1fe0d71af142a4e25c3c4ef9ebab8d2d72b65159d454c8"
-            CONFIGURE_COMMAND ./configure LDFLAGS=-L${ZLIB_SRC} "CFLAGS=-I${ZLIB_INCLUDE}" --enable-deterministic-archives --disable-debuginfod --disable-libdebuginfod
-            BUILD_IN_SOURCE 1
-            BUILD_COMMAND ${CMAKE_MAKE_PROGRAM} -C lib libeu.a
-            COMMAND ${CMAKE_MAKE_PROGRAM} -C libelf libelf${LIBELF_LIB_SUFFIX}
-            INSTALL_COMMAND ""
-            UPDATE_COMMAND ""
-    )
-    message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}', lib: ${LIBELF_LIB}")
-    install(FILES "${LIBELF_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-            COMPONENT "libs-deps")
-    install(DIRECTORY "${LIBELF_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-            COMPONENT "libs-deps")
-endif()
+	include(FetchContent)
+	FetchContent_Declare(
+		libelf_elftoolchain
+		URL https://github.com/falcosecurity/elftoolchain/releases/download/libelf-r4073-0/libelf-r4073-0.tar.gz
+		URL_HASH SHA256=adfeb3033c23ca579902f2bce7d9ffeec662f97d3846bb74e57fb65d70f6f056
+	)
+	FetchContent_MakeAvailable(libelf_elftoolchain)
+	get_target_property(LIBELF_INCLUDE elf INCLUDE_DIRECTORIES)

-# We add a custom target, in this way we can always depend on `libelf`
-# without distinguishing between "bundled" and "not-bundled" case
-if(NOT TARGET libelf)
-    add_custom_target(libelf)
+	message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}'")
 endif()
-
-include_directories(${LIBELF_INCLUDE})
--- a/cmake/modules/libscap.cmake
+++ b/cmake/modules/libscap.cmake
@ -1,125 +1,141 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 if(NOT HAVE_LIBSCAP)
-set(HAVE_LIBSCAP On)
+	set(HAVE_LIBSCAP On)

-# This should be renamed in `LIBS_DIR` not `LIBSCAP_DIR`
-if(NOT LIBSCAP_DIR)
-	get_filename_component(LIBSCAP_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
-endif()
-
-option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
-
-include(GNUInstallDirs)
-
-include(ExternalProject)
-
-include(uthash)
-
-include(CheckSymbolExists)
-check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
-check_symbol_exists(strlcat "string.h" HAVE_STRLCAT)
-
-if(HAVE_STRLCPY)
-	message(STATUS "Existing strlcpy found, will *not* use local definition")
-else()
-	message(STATUS "No strlcpy found, will use local definition")
-endif()
-
-if(HAVE_STRLCAT)
-	message(STATUS "Existing strlcat found, will *not* use local definition")
-else()
-	message(STATUS "No strlcat found, will use local definition")
-endif()
-
-configure_file(${LIBSCAP_DIR}/userspace/common/common_config.h.in ${PROJECT_BINARY_DIR}/common/common_config.h)
-include_directories(${PROJECT_BINARY_DIR}/common)
-
-add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
-
-if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-	get_filename_component(DRIVER_CONFIG_DIR ${CMAKE_BINARY_DIR}/driver/src ABSOLUTE)
-else()
-	# This doesn't install all of the driver headers but seems to be sufficient for
-	# non-Linux platforms.
-	get_filename_component(DRIVER_CONFIG_DIR ${PROJECT_SOURCE_DIR}/driver ABSOLUTE)
-endif()
-
-get_filename_component(LIBSCAP_INCLUDE_DIR ${LIBSCAP_DIR}/userspace/libscap ABSOLUTE)
-set(LIBSCAP_INCLUDE_DIRS ${LIBSCAP_INCLUDE_DIR} ${DRIVER_CONFIG_DIR})
-
-function(set_scap_target_properties target)
-	set_target_properties(${target} PROPERTIES
-		VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
-		SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
-	)
-endfunction()
-
-add_subdirectory(${LIBSCAP_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/libscap)
-
-set(LIBSCAP_INSTALL_LIBS)
-
-# All of the targets in userspace/libscap
-get_directory_property(libscap_subdirs DIRECTORY ${LIBSCAP_DIR}/userspace/libscap SUBDIRECTORIES)
-set(libscap_subdir_targets)
-foreach(libscap_subdir ${LIBSCAP_DIR}/userspace/libscap ${libscap_subdirs})
-	get_directory_property(subdir_targets DIRECTORY ${libscap_subdir} BUILDSYSTEM_TARGETS)
-	list(APPEND libscap_subdir_targets ${subdir_targets})
-endforeach()
-
-set(install_lib_type STATIC_LIBRARY)
-if (BUILD_SHARED_LIBS)
-	set(install_lib_type SHARED_LIBRARY)
-endif()
-
-# Installation targets only
-foreach(libscap_subdir_target ${libscap_subdir_targets})
-	get_target_property(cl_target_type ${libscap_subdir_target} TYPE)
-	if (${cl_target_type} STREQUAL ${install_lib_type})
-		list(APPEND LIBSCAP_INSTALL_LIBS ${libscap_subdir_target})
+	if(NOT LIBS_DIR)
+		get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
 	endif()
-endforeach()

-# Installation targets and their dependencies
-set(libscap_link_libraries)
-foreach(libscap_install_lib ${LIBSCAP_INSTALL_LIBS})
-	list(APPEND libscap_link_libraries ${libscap_install_lib})
-	get_target_property(install_lib_link_libraries ${libscap_install_lib} LINK_LIBRARIES)
-	foreach (install_lib_link_library ${install_lib_link_libraries})
-		if (NOT ${install_lib_link_library} IN_LIST libscap_subdir_targets)
-			list(APPEND libscap_link_libraries ${install_lib_link_library})
+	option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
+
+	include(GNUInstallDirs)
+
+	include(ExternalProject)
+
+	include(uthash)
+
+	include(CheckSymbolExists)
+	check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
+	check_symbol_exists(strlcat "string.h" HAVE_STRLCAT)
+
+	include(BuildPkgConfigDependencies)
+
+	if(HAVE_STRLCPY)
+		message(STATUS "Existing strlcpy found, will *not* use local definition")
+	else()
+		message(STATUS "No strlcpy found, will use local definition")
+	endif()
+
+	if(HAVE_STRLCAT)
+		message(STATUS "Existing strlcat found, will *not* use local definition")
+	else()
+		message(STATUS "No strlcat found, will use local definition")
+	endif()
+
+	add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
+
+	if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+		get_filename_component(DRIVER_CONFIG_DIR ${CMAKE_BINARY_DIR}/driver/src ABSOLUTE)
+	else()
+		# This doesn't install all of the driver headers but seems to be sufficient for non-Linux
+		# platforms.
+		get_filename_component(DRIVER_CONFIG_DIR ${PROJECT_SOURCE_DIR}/driver ABSOLUTE)
+	endif()
+
+	get_filename_component(LIBSCAP_INCLUDE_DIR ${LIBS_DIR}/userspace/libscap ABSOLUTE)
+	set(LIBSCAP_INCLUDE_DIRS ${LIBSCAP_INCLUDE_DIR} ${PROJECT_BINARY_DIR} ${DRIVER_CONFIG_DIR})
+
+	function(set_scap_target_properties target)
+		set_target_properties(
+			${target} PROPERTIES VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
+								 SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
+		)
+	endfunction()
+
+	add_subdirectory(${LIBS_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/libscap)
+
+	set(LIBSCAP_INSTALL_LIBS)
+
+	# All of the targets in userspace/libscap
+	get_directory_property(libscap_subdirs DIRECTORY ${LIBS_DIR}/userspace/libscap SUBDIRECTORIES)
+	set(libscap_subdir_targets)
+	foreach(libscap_subdir ${LIBS_DIR}/userspace/libscap ${libscap_subdirs})
+		get_directory_property(subdir_targets DIRECTORY ${libscap_subdir} BUILDSYSTEM_TARGETS)
+		list(APPEND libscap_subdir_targets ${subdir_targets})
+	endforeach()
+
+	set(install_lib_type STATIC_LIBRARY)
+	if(BUILD_SHARED_LIBS)
+		set(install_lib_type SHARED_LIBRARY)
+	endif()
+
+	# Installation targets only
+	foreach(libscap_subdir_target ${libscap_subdir_targets})
+		get_target_property(cl_target_type ${libscap_subdir_target} TYPE)
+		if(${cl_target_type} STREQUAL ${install_lib_type})
+			list(APPEND LIBSCAP_INSTALL_LIBS ${libscap_subdir_target})
 		endif()
 	endforeach()
-endforeach()
-list(REMOVE_DUPLICATES libscap_link_libraries)

-set(libscap_link_flags)
-foreach(libscap_link_library ${libscap_link_libraries})
-	list(APPEND libscap_link_flags "-l${libscap_link_library}")
-endforeach()
-
-string(REPLACE ";" " " LIBSCAP_LINK_LIBRARIES_FLAGS "${libscap_link_flags}")
-configure_file(${LIBSCAP_DIR}/userspace/libscap/libscap.pc.in ${PROJECT_BINARY_DIR}/libscap/libscap.pc @ONLY)
-
-install(TARGETS ${LIBSCAP_INSTALL_LIBS}
-			ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
-			COMPONENT "scap" OPTIONAL)
-install(DIRECTORY "${LIBSCAP_INCLUDE_DIR}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/userspace"
-			COMPONENT "scap"
-			FILES_MATCHING PATTERN "*.h"
-			PATTERN "*examples*" EXCLUDE
-			PATTERN "*doxygen*" EXCLUDE)
-install(DIRECTORY "${DRIVER_CONFIG_DIR}/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/driver"
-			COMPONENT "scap"
-			FILES_MATCHING PATTERN "*.h")
-install(DIRECTORY "${LIBSCAP_DIR}/userspace/common" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/userspace"
-			COMPONENT "scap"
-			FILES_MATCHING PATTERN "*.h")
-install(DIRECTORY "${PROJECT_BINARY_DIR}/common" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/userspace"
-			COMPONENT "scap"
-			FILES_MATCHING PATTERN "*.h")
-install(DIRECTORY "${LIBSCAP_DIR}/userspace/plugin" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/userspace"
+	install(
+		TARGETS ${LIBSCAP_INSTALL_LIBS}
+		ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+		LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+		RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
+				COMPONENT "scap"
+				OPTIONAL
+	)
+	install(
+		DIRECTORY "${LIBSCAP_INCLUDE_DIR}"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
 		COMPONENT "scap"
-		FILES_MATCHING PATTERN "*.h")
-install(FILES ${PROJECT_BINARY_DIR}/libscap/libscap.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
+		FILES_MATCHING
+		PATTERN "*.h"
+		PATTERN "*examples*" EXCLUDE
+		PATTERN "*doxygen*" EXCLUDE
+	)
+	install(
+		DIRECTORY "${DRIVER_CONFIG_DIR}/"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/driver"
+		COMPONENT "scap"
+		FILES_MATCHING
+		PATTERN "*.h"
+	)
+	install(
+		DIRECTORY "${LIBS_DIR}/userspace/plugin"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "scap"
+		FILES_MATCHING
+		PATTERN "*.h"
+	)
+
+	if(USE_BUNDLED_UTHASH)
+		install(FILES ${UTHASH_INCLUDE}/uthash.h
+				DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
+		)
+	endif()
+
+	install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_config.h
+			DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
+	)
+	install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_strl_config.h
+			DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
+	)
+	install(FILES ${PROJECT_BINARY_DIR}/libscap/libscap.pc
+			DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
+	)
 endif()
--- a/cmake/modules/libsinsp.cmake
+++ b/cmake/modules/libsinsp.cmake
@ -1,103 +1,90 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 if(NOT HAVE_LIBSINSP)
-set(HAVE_LIBSINSP On)
+	set(HAVE_LIBSINSP On)

-if(NOT LIBSINSP_DIR)
-	get_filename_component(LIBSINSP_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
-endif()
+	if(NOT LIBS_DIR)
+		get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
+	endif()

-option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
+	option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
+	option(ENABLE_THREAD_POOL "Enable inspector thread pool" OFF)

-option(WITH_CHISEL "Include chisel implementation" OFF)
+	if(DEFINED LIBSINSP_USER_AGENT)
+		add_definitions(-DLIBSINSP_USER_AGENT="${LIBSINSP_USER_AGENT}")
+	endif()

-if(DEFINED LIBSINSP_USER_AGENT)
-	add_definitions(-DLIBSINSP_USER_AGENT="${LIBSINSP_USER_AGENT}")
-endif()
+	include(ExternalProject)
+	include(libscap)
+	if(NOT EMSCRIPTEN)
+		include(tbb)
+	endif()
+	include(jsoncpp)
+	include(valijson)
+	include(re2)

-include(ExternalProject)
-include(libscap)
-if (NOT EMSCRIPTEN)
-	include(tbb)
-endif()
-if(NOT WIN32 AND NOT APPLE)
-	include(b64)
-	include(jq)
-endif()
-if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)
-	include(cares)
-	include(curl)
-endif()
-include(jsoncpp)
-include(valijson)
-include(re2)
+	if(ENABLE_THREAD_POOL AND NOT EMSCRIPTEN)
+		include(bs_threadpool)
+	endif()

-set(LIBSINSP_INCLUDE_DIRS ${LIBSINSP_DIR}/userspace/libsinsp ${LIBSINSP_DIR}/userspace/common ${LIBSCAP_INCLUDE_DIRS} ${DRIVER_CONFIG_DIR})
-if(WITH_CHISEL)
-	list(APPEND LIBSINSP_INCLUDE_DIRS ${LIBSINSP_DIR}/userspace/chisel)
-endif()
+	set(LIBSINSP_INCLUDE_DIRS)

-if (NOT EMSCRIPTEN)
-	get_filename_component(TBB_ABSOLUTE_INCLUDE_DIR ${TBB_INCLUDE_DIR} ABSOLUTE)
-	list(APPEND LIBSINSP_INCLUDE_DIRS ${TBB_ABSOLUTE_INCLUDE_DIR})
-endif()
+	if(NOT USE_BUNDLED_TBB AND NOT EMSCRIPTEN)
+		list(APPEND LIBSINSP_INCLUDE_DIRS ${TBB_INCLUDE_DIR})
+	endif()

-get_filename_component(JSONCPP_ABSOLUTE_INCLUDE_DIR ${JSONCPP_INCLUDE} ABSOLUTE)
-list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_ABSOLUTE_INCLUDE_DIR})
+	if(NOT USE_BUNDLED_JSONCPP)
+		list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE})
+	endif()

-get_filename_component(VALIJSON_ABSOLUTE_INCLUDE_DIR ${VALIJSON_INCLUDE} ABSOLUTE)
-list(APPEND LIBSINSP_INCLUDE_DIRS ${VALIJSON_ABSOLUTE_INCLUDE_DIR})
+	function(set_sinsp_target_properties target)
+		set_target_properties(
+			${target} PROPERTIES VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
+								 SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
+		)
+	endfunction()

-get_filename_component(RE2_ABSOLUTE_INCLUDE_DIR ${RE2_INCLUDE} ABSOLUTE)
-list(APPEND LIBSINSP_INCLUDE_DIRS ${RE2_ABSOLUTE_INCLUDE_DIR})
-
-if(NOT MINIMAL_BUILD AND NOT EMSCRIPTEN AND NOT APPLE)
-	get_filename_component(CARES_ABSOLUTE_INCLUDE_DIR ${CARES_INCLUDE} ABSOLUTE)
-	list(APPEND LIBSINSP_INCLUDE_DIRS ${CARES_ABSOLUTE_INCLUDE_DIR})
-endif()
-
-if(NOT WIN32 AND NOT APPLE)
-	get_filename_component(B64_ABSOLUTE_INCLUDE_DIR ${B64_INCLUDE} ABSOLUTE)
-	list(APPEND LIBSINSP_INCLUDE_DIRS ${B64_ABSOLUTE_INCLUDE_DIR})
-	get_filename_component(JQ_ABSOLUTE_INCLUDE_DIR ${JQ_INCLUDE} ABSOLUTE)
-	list(APPEND LIBSINSP_INCLUDE_DIRS ${JQ_ABSOLUTE_INCLUDE_DIR})
-endif()
-
-if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)
-	get_filename_component(CURL_ABSOLUTE_INCLUDE_DIR ${CURL_INCLUDE_DIRS} ABSOLUTE)
-	list(APPEND LIBSINSP_INCLUDE_DIRS ${CURL_ABSOLUTE_INCLUDE_DIR})
-endif()
-
-function(set_sinsp_target_properties target)
-	set_target_properties(${target} PROPERTIES
-		VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
-		SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
+	add_subdirectory(${LIBS_DIR}/userspace/libsinsp ${CMAKE_BINARY_DIR}/libsinsp)
+	install(
+		TARGETS sinsp
+		ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+		LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+		RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT "sinsp"
+	)
+	install(
+		DIRECTORY "${LIBS_DIR}/userspace/libsinsp"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "sinsp"
+		FILES_MATCHING
+		PATTERN "*.h"
+		PATTERN "*third_party*" EXCLUDE
+		PATTERN "*examples*" EXCLUDE
+		PATTERN "*doxygen*" EXCLUDE
+		PATTERN "*scripts*" EXCLUDE
+		PATTERN "*test*" EXCLUDE
+	)
+	install(
+		DIRECTORY "${LIBS_DIR}/userspace/async"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "sinsp"
+		FILES_MATCHING
+		PATTERN "*.h"
+	)
+	install(FILES ${PROJECT_BINARY_DIR}/libsinsp/libsinsp.pc
+			DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
 	)
-endfunction()
-
-add_subdirectory(${LIBSINSP_DIR}/userspace/libsinsp ${CMAKE_BINARY_DIR}/libsinsp)
-install(TARGETS sinsp
-			ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
-			COMPONENT "sinsp")
-install(DIRECTORY "${LIBSINSP_DIR}/userspace/libsinsp" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/userspace"
-			COMPONENT "sinsp"
-			FILES_MATCHING PATTERN "*.h"
-			PATTERN "*third_party*" EXCLUDE
-			PATTERN "*examples*" EXCLUDE
-			PATTERN "*doxygen*" EXCLUDE
-			PATTERN "*scripts*" EXCLUDE
-			PATTERN "*test*" EXCLUDE)
-install(DIRECTORY "${LIBSINSP_DIR}/common" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "sinsp"
-			FILES_MATCHING PATTERN "*.h")
-install(DIRECTORY "${LIBSINSP_DIR}/userspace/async" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/userspace"
-			COMPONENT "sinsp"
-			FILES_MATCHING PATTERN "*.h")
-if(WITH_CHISEL)
-	install(DIRECTORY "${LIBSINSP_DIR}/userspace/chisel" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/userspace"
-			COMPONENT "sinsp"
-			FILES_MATCHING PATTERN "*.h")
-endif()
-install(FILES ${PROJECT_BINARY_DIR}/libsinsp/libsinsp.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)

 endif()
--- a/cmake/modules/luajit.cmake
+++ b/cmake/modules/luajit.cmake
@ -1,103 +0,0 @@
-#
-# LuaJIT
-#
-option(USE_BUNDLED_LUAJIT "Enable building of the bundled LuaJIT" ${USE_BUNDLED_DEPS})
-
-if(LUAJIT_INCLUDE)
-	# we already have luajit
-elseif(NOT USE_BUNDLED_LUAJIT)
-	find_path(LUAJIT_INCLUDE luajit.h PATH_SUFFIXES luajit-2.0 luajit-2.1 luajit)
-	find_library(LUAJIT_LIB NAMES luajit luajit-5.1)
-	if(LUAJIT_INCLUDE AND LUAJIT_LIB)
-		message(STATUS "Found LuaJIT: include: ${LUAJIT_INCLUDE}, lib: ${LUAJIT_LIB}")
-	else()
-		# alternatively try stock Lua
-		find_package(Lua51)
-		set(LUAJIT_LIB ${LUA_LIBRARY})
-		set(LUAJIT_INCLUDE ${LUA_INCLUDE_DIR})
-
-		if(NOT ${LUA51_FOUND})
-			message(FATAL_ERROR "Couldn't find system LuaJIT or Lua")
-		endif()
-	endif()
-else()
-	set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
-	set(LUAJIT_INCLUDE "${LUAJIT_SRC}/")
-
-	if(NOT WIN32)
-		set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-	else()
-		set(LUAJIT_LIB "${LUAJIT_SRC}/lua51.lib")
-	endif()
-
-	if(NOT TARGET luajit)
-		message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-		if(NOT WIN32)
-			if("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "ppc64le")
-				ExternalProject_Add(luajit
-					PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
-					GIT_REPOSITORY "https://github.com/moonjit/moonjit"
-					GIT_TAG "2.1.2"
-					CONFIGURE_COMMAND ""
-                                        BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
-					BUILD_IN_SOURCE 1
-					BUILD_BYPRODUCTS ${LUAJIT_LIB}
-					UPDATE_COMMAND ""
-					INSTALL_COMMAND "")
-			elseif("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "s390x")
-				ExternalProject_Add(luajit
-					PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
-					GIT_REPOSITORY "https://github.com/linux-on-ibm-z/LuaJIT.git"
-					GIT_TAG "v2.1"
-					CONFIGURE_COMMAND ""
-                                        BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
-					BUILD_IN_SOURCE 1
-					BUILD_BYPRODUCTS ${LUAJIT_LIB}
-					UPDATE_COMMAND ""
-					INSTALL_COMMAND "")
-			elseif(APPLE)
-				ExternalProject_Add(luajit
-					PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
-					URL "https://github.com/LuaJIT/LuaJIT/archive/8635cbabf3094c4d8bd00578c7d812bea87bb2d3.tar.gz"
-					URL_HASH "SHA256=835035b244c3dc3d3d19bdd5ac623af90b84207e6330fb78f9fa51d6e200d760"
-					CONFIGURE_COMMAND ""
-					BUILD_COMMAND make MACOSX_DEPLOYMENT_TARGET=10.14
-					BUILD_IN_SOURCE 1
-					BUILD_BYPRODUCTS ${LUAJIT_LIB}
-					INSTALL_COMMAND "")
-			else()
-				ExternalProject_Add(luajit
-					PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
-					GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
-					GIT_TAG "f3c856915b4ce7ccd24341e8ac73e8a9fd934171"
-					CONFIGURE_COMMAND ""
-					BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
-					BUILD_IN_SOURCE 1
-					BUILD_BYPRODUCTS ${LUAJIT_LIB}
-					UPDATE_COMMAND ""
-					INSTALL_COMMAND "")
-			endif()
-			install(FILES "${LUAJIT_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-					COMPONENT "libs-deps")
-			install(DIRECTORY "${LUAJIT_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-					COMPONENT "libs-deps"
-					FILES_MATCHING PATTERN "*.h")
-		else()
-			ExternalProject_Add(luajit
-				PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
-				URL "https://github.com/LuaJIT/LuaJIT/archive/v2.1.0-beta3.tar.gz"
-				URL_HASH "SHA256=409f7fe570d3c16558e594421c47bdd130238323c9d6fd6c83dedd2aaeb082a8"
-				CONFIGURE_COMMAND ""
-				BUILD_COMMAND msvcbuild.bat
-				BUILD_BYPRODUCTS ${LUAJIT_LIB}
-				BINARY_DIR "${LUAJIT_SRC}"
-				INSTALL_COMMAND "")
-		endif()
-	endif()
-endif()
-
-if(NOT TARGET luajit)
-	add_custom_target(luajit)
-endif()
-
-include_directories("${LUAJIT_INCLUDE}")
--- a/cmake/modules/openssl.cmake
+++ b/cmake/modules/openssl.cmake
@ -1,51 +0,0 @@
-#
-# OpenSSL
-#
-option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
-
-if(OPENSSL_INCLUDE_DIR)
-	# we already have openssl
-elseif(NOT USE_BUNDLED_OPENSSL)
-	find_package(OpenSSL REQUIRED)
-	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
-else()
-	if(BUILD_SHARED_LIBS)
-		set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(OPENSSL_SHARED_OPTION shared)
-	else()
-		set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(OPENSSL_SHARED_OPTION no-shared)
-	endif()
-	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
-	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
-	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
- 	set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
-
-	if(NOT TARGET openssl)
-		message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-		ExternalProject_Add(openssl
-			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
-			URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.1/openssl-3.1.1.tar.gz"
-			URL_HASH "SHA256=b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
-			CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
-                        BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
-                        INSTALL_COMMAND ${CMAKE_MAKE_PROGRAM} install_sw)
-		install(FILES "${OPENSSL_LIBRARY_SSL}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(FILES "${OPENSSL_LIBRARY_CRYPTO}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${OPENSSL_INCLUDE_DIR}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-	endif()
-endif()
-
-if(NOT TARGET openssl)
-	add_custom_target(openssl)
-endif()
-
-include_directories("${OPENSSL_INCLUDE_DIR}")
--- a/cmake/modules/protobuf.cmake
+++ b/cmake/modules/protobuf.cmake
@ -1,3 +1,18 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 option(USE_BUNDLED_PROTOBUF "Enable building of the bundled protobuf" ${USE_BUNDLED_DEPS})

 if(PROTOBUF_INCLUDE)
@ -6,8 +21,14 @@ elseif(NOT USE_BUNDLED_PROTOBUF)
 	find_program(PROTOC NAMES protoc)
 	find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
 	find_library(PROTOBUF_LIB NAMES protobuf)
-	if(PROTOC AND PROTOBUF_INCLUDE AND PROTOBUF_LIB)
-		message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
+	if(PROTOC
+	   AND PROTOBUF_INCLUDE
+	   AND PROTOBUF_LIB
+	)
+		message(
+			STATUS
+				"Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}"
+		)
 	else()
 		message(FATAL_ERROR "Couldn't find system protobuf")
 	endif()
@ -24,29 +45,57 @@ else()
 	set(PROTOBUF_SRC "${PROJECT_BINARY_DIR}/protobuf-prefix/src/protobuf")
 	set(PROTOC "${PROTOBUF_SRC}/target/bin/protoc")
 	set(PROTOBUF_INCLUDE "${PROTOBUF_SRC}/target/include/")
-	set(PROTOBUF_LIB "${PROTOBUF_SRC}/target/lib/libprotobuf${PROTOBUF_LIB_SUFFIX}" CACHE PATH "Path to libprotobuf")
+	set(PROTOBUF_LIB
+		"${PROTOBUF_SRC}/target/lib/libprotobuf${PROTOBUF_LIB_SUFFIX}"
+		CACHE PATH "Path to libprotobuf"
+	)
 	set(PROTOC_LIB "${PROTOBUF_SRC}/target/lib/libprotoc${PROTOBUF_LIB_SUFFIX}")
 	set(PROTOBUF_INSTALL_DIR "${PROTOBUF_SRC}/target")

 	if(NOT TARGET protobuf)
+		if(NOT ENABLE_PIC)
+			set(PROTOBUF_PIC_OPTION)
+		else()
+			set(PROTOBUF_PIC_OPTION "--with-pic=yes")
+		endif()
+		# Match both release and relwithdebinfo builds
+		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
+			set(PROTOBUF_CXXFLAGS "-O3 -std=c++11 -DNDEBUG")
+		else()
+			set(PROTOBUF_CXXFLAGS "-g -std=c++11")
+		endif()
 		message(STATUS "Using bundled protobuf in '${PROTOBUF_SRC}'")
-		ExternalProject_Add(protobuf
+		ExternalProject_Add(
+			protobuf
 			PREFIX "${PROJECT_BINARY_DIR}/protobuf-prefix"
 			DEPENDS zlib
-			URL "https://github.com/protocolbuffers/protobuf/releases/download/v3.17.3/protobuf-cpp-3.17.3.tar.gz"
-			URL_HASH "SHA256=51cec99f108b83422b7af1170afd7aeb2dd77d2bcbb7b6bad1f92509e9ccf8cb"
+			URL "https://github.com/protocolbuffers/protobuf/releases/download/v3.20.3/protobuf-cpp-3.20.3.tar.gz"
+			URL_HASH "SHA256=e51cc8fc496f893e2a48beb417730ab6cbcb251142ad8b2cd1951faa5c76fe3d"
 			# TODO what if using system zlib?
-			CONFIGURE_COMMAND CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure --with-zlib ${PROTOBUF_CONFIGURE_FLAGS} --prefix=${PROTOBUF_INSTALL_DIR}
-                        BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
+			CONFIGURE_COMMAND
+				./configure CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib-include=${ZLIB_INCLUDE}
+				--with-zlib-lib=${ZLIB_SRC} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
+				${PROTOBUF_PIC_OPTION} --prefix=${PROTOBUF_INSTALL_DIR}
+			BUILD_COMMAND make
 			BUILD_IN_SOURCE 1
 			BUILD_BYPRODUCTS ${PROTOC} ${PROTOBUF_INCLUDE} ${PROTOBUF_LIB}
-			INSTALL_COMMAND make install)
-		install(FILES "${PROTOBUF_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(FILES "${PROTOC_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${PROTOBUF_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
+			INSTALL_COMMAND make install
+		)
+		install(
+			FILES "${PROTOBUF_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES "${PROTOC_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${PROTOBUF_INCLUDE}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
 	endif()
 endif()

--- a/cmake/modules/re2.cmake
+++ b/cmake/modules/re2.cmake
@ -1,6 +1,18 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# RE2
+# Copyright (C) 2023 The Falco Authors.
 #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 option(USE_BUNDLED_RE2 "Enable building of the bundled RE2" ${USE_BUNDLED_DEPS})

 if(RE2_INCLUDE)
@ -29,56 +41,96 @@ else()

 	if(NOT WIN32)
 		set(RE2_LIB "${RE2_SRC}/lib/libre2${RE2_LIB_SUFFIX}")
-		ExternalProject_Add(re2
-			PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
-			URL "${RE2_URL}"
-			URL_HASH "${RE2_URL_HASH}"
-			BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
-			BUILD_BYPRODUCTS ${RE2_LIB}
-			CMAKE_ARGS
-				-DCMAKE_INSTALL_LIBDIR=lib
-				-DRE2_BUILD_TESTING=OFF
-				-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-				-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
+		set(RE2_LIB_PATTERN "libre2*")
+		if(CMAKE_VERSION VERSION_LESS 3.29.1)
+			ExternalProject_Add(
+				re2
+				PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
+				URL "${RE2_URL}"
+				URL_HASH "${RE2_URL_HASH}"
+				BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
+				BUILD_BYPRODUCTS ${RE2_LIB}
+				CMAKE_ARGS -DCMAKE_INSTALL_LIBDIR=lib
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DRE2_BUILD_TESTING=OFF
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			)
+		else()
+			# CMake 3.29.1 removed the support for the `PACKAGE_PREFIX_DIR` variable. The patch
+			# command just applies the same patch applied by re2 to solve the issue:
+			# https://github.com/google/re2/commit/9ebe4a22cad8a025b68a9594bdff3c047a111333
+			ExternalProject_Add(
+				re2
+				PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
+				URL "${RE2_URL}"
+				URL_HASH "${RE2_URL_HASH}"
+				BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
+				BUILD_BYPRODUCTS ${RE2_LIB}
+				PATCH_COMMAND
+				COMMAND sed -i".bak" "/set_and_check/d" re2Config.cmake.in
+				CMAKE_ARGS -DCMAKE_INSTALL_LIBDIR=lib
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DRE2_BUILD_TESTING=OFF
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			)
+		endif()
 	else()
 		set(RE2_LIB "${RE2_SRC}/lib/re2.lib")
+		set(RE2_LIB_PATTERN "re2.lib")
 		# see: https://cmake.org/cmake/help/latest/policy/CMP0091.html
 		if(CMAKE_VERSION VERSION_LESS 3.15.0)
-			ExternalProject_Add(re2
+			ExternalProject_Add(
+				re2
 				PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
 				URL "${RE2_URL}"
 				URL_HASH "${RE2_URL_HASH}"
 				BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
 				BUILD_BYPRODUCTS ${RE2_LIB}
-				CMAKE_ARGS
-					-DCMAKE_CXX_FLAGS_DEBUG="/MTd /Od"
-					-DCMAKE_CXX_FLAGS_RELEASE="/MT"
-					-DCMAKE_INSTALL_LIBDIR=lib
-					-DRE2_BUILD_TESTING=OFF
-					-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-					-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
+				CMAKE_ARGS -DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
+						   -DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
+						   -DCMAKE_INSTALL_LIBDIR=lib
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DRE2_BUILD_TESTING=OFF
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			)
 		else()
-			ExternalProject_Add(re2
+			ExternalProject_Add(
+				re2
 				PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
 				URL "${RE2_URL}"
 				URL_HASH "${RE2_URL_HASH}"
 				BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
 				BUILD_BYPRODUCTS ${RE2_LIB}
-				CMAKE_ARGS
-					-DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-					-DCMAKE_MSVC_RUNTIME_LIBRARY:STRING=MultiThreaded$<$<CONFIG:Debug>:Debug>
-					-DCMAKE_INSTALL_LIBDIR=lib
-					-DRE2_BUILD_TESTING=OFF
-					-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-					-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
+				CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+						   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+						   -DCMAKE_INSTALL_LIBDIR=lib
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DRE2_BUILD_TESTING=OFF
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			)
 		endif()
 	endif()

-	install(DIRECTORY ${RE2_SRC}/lib/ DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-			FILES_MATCHING PATTERN "libre2*")
-	install(DIRECTORY "${RE2_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps")
+	install(
+		DIRECTORY ${RE2_SRC}/lib/
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+		FILES_MATCHING
+		PATTERN ${RE2_LIB_PATTERN}
+	)
+	install(
+		DIRECTORY "${RE2_INCLUDE}"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
 endif()

 if(NOT TARGET re2)
--- a/cmake/modules/tbb.cmake
+++ b/cmake/modules/tbb.cmake
@ -1,6 +1,18 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Intel tbb
+# Copyright (C) 2023 The Falco Authors.
 #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})

 if(TBB_INCLUDE_DIR)
@ -41,76 +53,106 @@ else()
 		else()
 			set(TBB_LIB_BASENAME "tbb12")
 		endif()
-	endif()	
+	endif()
 	set(TBB_LIB "${TBB_LIB_BASEDIR}/${TBB_LIB_PREFIX}${TBB_LIB_BASENAME}${TBB_LIB_SUFFIX}")

 	if(NOT TARGET tbb)
 		message(STATUS "Using bundled tbb in '${TBB_SRC}'")
-		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2021.8.0.tar.gz")
-		set(TBB_SRC_URL_HASH "SHA256=eee380323bb7ce864355ed9431f85c43955faaae9e9bce35c62b372d7ffd9f8b")
+		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.1.0.tar.gz")
+		set(TBB_SRC_URL_HASH
+			"SHA256=ed067603ece0dc832d2881ba5c516625ac2522c665d95f767ef6304e34f961b5"
+		)
 		set(TBB_FLAGS "")
-		if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
-			# latest TBB has issues with GCC >= 12
-			# see: https://github.com/oneapi-src/oneTBB/issues/843#issuecomment-1152646035
+		if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
+			# latest TBB has issues with GCC >= 12 see:
+			# https://github.com/oneapi-src/oneTBB/issues/843#issuecomment-1152646035
 			set(TBB_FLAGS "-Wno-error=stringop-overflow")
 		endif()
+		if(EMSCRIPTEN)
+			set(TBB_FLAGS "${TBB_FLAGS} -Wno-unused-command-line-argument")
+			set(TBB_EMSCRIPTEN "ON")
+		endif()

-		if(NOT WIN32)	
-			ExternalProject_Add(tbb
+		if(NOT WIN32)
+			ExternalProject_Add(
+				tbb
 				PREFIX "${PROJECT_BINARY_DIR}/tbb-prefix"
 				URL "${TBB_SRC_URL}"
 				URL_HASH "${TBB_SRC_URL_HASH}"
 				BUILD_IN_SOURCE 1
 				BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb
-				CMAKE_ARGS
-					-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-					-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-					-DTBB_OUTPUT_DIR_BASE=lib
-					-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+				CMAKE_ARGS -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+						   -DTBB_OUTPUT_DIR_BASE=lib
+						   -DCMAKE_CXX_FLAGS=${TBB_FLAGS}
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
+						   -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
+						   -DEMSCRIPTEN=${TBB_EMSCRIPTEN}
+						   -DTBB_FILE_TRIM=Off
+						   -DTBB_INSTALL=Off
 				BUILD_BYPRODUCTS ${TBB_LIB}
-				INSTALL_COMMAND "")
+				INSTALL_COMMAND ""
+			)
 		else()
 			# see: https://cmake.org/cmake/help/latest/policy/CMP0091.html
 			if(CMAKE_VERSION VERSION_LESS 3.15.0)
-				ExternalProject_Add(tbb
+				ExternalProject_Add(
+					tbb
 					PREFIX "${PROJECT_BINARY_DIR}/tbb-prefix"
 					URL "${TBB_SRC_URL}"
 					URL_HASH "${TBB_SRC_URL_HASH}"
 					BUILD_IN_SOURCE 1
-					BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config ${CMAKE_BUILD_TYPE}
-					CMAKE_ARGS
-						-DCMAKE_CXX_FLAGS_DEBUG="/MTd /Od"
-						-DCMAKE_CXX_FLAGS_RELEASE="/MT"
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-						-DTBB_OUTPUT_DIR_BASE=lib
-						-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+					BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config
+								  ${CMAKE_BUILD_TYPE}
+					CMAKE_ARGS -DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
+							   -DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
+							   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+							   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+							   -DTBB_OUTPUT_DIR_BASE=lib
+							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DTBB_FILE_TRIM=Off
+							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
-					INSTALL_COMMAND "")
+					INSTALL_COMMAND ""
+				)
 			else()
-				ExternalProject_Add(tbb
+				ExternalProject_Add(
+					tbb
 					PREFIX "${PROJECT_BINARY_DIR}/tbb-prefix"
 					URL "${TBB_SRC_URL}"
 					URL_HASH "${TBB_SRC_URL_HASH}"
 					BUILD_IN_SOURCE 1
-					BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config ${CMAKE_BUILD_TYPE}
-					CMAKE_ARGS
-						-DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-						-DCMAKE_MSVC_RUNTIME_LIBRARY:STRING=MultiThreaded$<$<CONFIG:Debug>:Debug>
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-						-DTBB_OUTPUT_DIR_BASE=lib
-						-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+					BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config
+								  ${CMAKE_BUILD_TYPE}
+					CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+							   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+							   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+							   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+							   -DTBB_OUTPUT_DIR_BASE=lib
+							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DTBB_FILE_TRIM=Off
+							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
-					INSTALL_COMMAND "")
+					INSTALL_COMMAND ""
+				)
 			endif()
 		endif()

-		install(DIRECTORY "${TBB_LIB_BASEDIR}/" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps"
-				FILES_MATCHING PATTERN "${TBB_LIB_PREFIX}tbb*")
-		install(DIRECTORY "${TBB_INCLUDE_DIR}/tbb" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
+		install(
+			DIRECTORY "${TBB_LIB_BASEDIR}/"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+			FILES_MATCHING
+			PATTERN "${TBB_LIB_PREFIX}tbb*"
+		)
+		install(
+			DIRECTORY "${TBB_INCLUDE_DIR}/tbb"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
 	endif()
 endif()

--- a/cmake/modules/tinydir.cmake
+++ b/cmake/modules/tinydir.cmake
@ -1,48 +0,0 @@
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-#
-# Tinydir (https://github.com/cxong/tinydir/)
-#
-
-option(USE_BUNDLED_TINYDIR "Enable building of the bundled tinydir" ${USE_BUNDLED_DEPS})
-
-if(TINYDIR_INCLUDE)
-    # we already have tinydir
-elseif(NOT USE_BUNDLED_TINYDIR)
-    find_path(TINYDIR_INCLUDE tinydir.h)
-    if(TINYDIR_INCLUDE)
-        message(STATUS "Found tinydir: include: ${TINYDIR_INCLUDE}")
-    else()
-        message(FATAL_ERROR "Couldn't find system tinydir")
-    endif()
-else()
-    set(TINYDIR_SRC "${PROJECT_BINARY_DIR}/tinydir-prefix/src/tinydir")
-    set(TINYDIR_INCLUDE "${TINYDIR_SRC}")
-
-    message(STATUS "Using bundled tinydir in '${TINYDIR_SRC}'")
-
-    ExternalProject_Add(tinydir
-            PREFIX "${PROJECT_BINARY_DIR}/tinydir-prefix"
-            URL "https://github.com/cxong/tinydir/archive/refs/tags/1.2.5.tar.gz"
-            URL_HASH "SHA256=7ab150a16fa78ea76e9fd58ef88922c03eca2334c023b8d9bc94755fdde522c7"
-            CONFIGURE_COMMAND ""
-            BUILD_COMMAND ""
-            INSTALL_COMMAND "")
-endif()
-
-if(NOT TARGET tinydir)
-    add_custom_target(tinydir)
-endif()
-
-include_directories("${TINYDIR_INCLUDE}")
--- a/cmake/modules/uthash.cmake
+++ b/cmake/modules/uthash.cmake
@ -1,23 +1,50 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

+option(USE_BUNDLED_UTHASH "Enable downloading of the bundled uthash library" ${USE_BUNDLED_DEPS})
 set(UTHASH_DOWNLOAD_URL "https://raw.githubusercontent.com/troydhanson/uthash/v1.9.8/src/uthash.h")
-set(UTHASH_DOWNLOAD_DIR "${LIBSCAP_DIR}/userspace/libscap")
+set(UTHASH_DOWNLOAD_DIR "${LIBS_DIR}/userspace/libscap")

-if(NOT EXISTS "${UTHASH_DOWNLOAD_DIR}/uthash.h")
-	message(STATUS "Download 'uthash.h' from: ${UTHASH_DOWNLOAD_URL}")
-	file(DOWNLOAD
-	"${UTHASH_DOWNLOAD_URL}"
-	"${UTHASH_DOWNLOAD_DIR}/uthash.h"
+if(UTHASH_INCLUDE)
+	# we already have uthash
+elseif(NOT USE_BUNDLED_UTHASH)
+	find_path(UTHASH_INCLUDE uthash.h)
+	if(UTHASH_INCLUDE)
+		message(STATUS "Found uthash: include: ${UTHASH_INCLUDE}")
+	else()
+		message(FATAL_ERROR "Couldn't find system uthash")
+	endif()
+else()
+	set(UTHASH_SRC "${PROJECT_BINARY_DIR}/uthash-prefix/src/uthash/src")
+	set(UTHASH_INCLUDE "${UTHASH_SRC}")
+
+	message(STATUS "Using bundled uthash in '${UTHASH_SRC}'")
+
+	ExternalProject_Add(
+		uthash
+		PREFIX "${PROJECT_BINARY_DIR}/uthash-prefix"
+		URL "https://github.com/troydhanson/uthash/archive/refs/tags/v1.9.8.tar.gz"
+		URL_HASH "SHA256=d9d123ce81c5d127442876fc3b12fab3ad632bee6aca685be7d461c08e24c046"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
 	)
 endif()
+
+if(NOT TARGET uthash)
+	add_custom_target(uthash)
+endif()
+
+include_directories("${UTHASH_INCLUDE}")
--- a/cmake/modules/valijson.cmake
+++ b/cmake/modules/valijson.cmake
@ -1,14 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 #
@ -27,13 +29,15 @@ else()

 	message(STATUS "Using bundled valijson in '${VALIJSON_SRC}'")

-	ExternalProject_Add(valijson
+	ExternalProject_Add(
+		valijson
 		PREFIX "${PROJECT_BINARY_DIR}/valijson-prefix"
-		URL "https://github.com/tristanpenman/valijson/archive/refs/tags/v0.6.tar.gz"
-		URL_HASH "SHA256=e06bf78fc1d26d4956fabc182408ebbbc47e3a6699778cda4aa439c2a6110b09"
+		URL "https://github.com/tristanpenman/valijson/archive/refs/tags/v1.0.2.tar.gz"
+		URL_HASH "SHA256=35d86e54fc727f1265226434dc996e33000a570f833537a25c8b702b0b824431"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ""
-		INSTALL_COMMAND "")	
+		INSTALL_COMMAND ""
+	)
 endif()

 if(NOT TARGET valijson)
--- a/cmake/modules/versions.cmake
+++ b/cmake/modules/versions.cmake
@ -1,51 +1,58 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 include(GetVersionFromGit)

 function(get_libs_version _var)
-    # `+driver` is given to ignore drivers tags when fetching the version of libs
-    get_version_from_git(ver "" "+driver")
+	# `+driver` is given to ignore drivers tags when fetching the version of libs
+	get_version_from_git(ver "" "+driver")

-    set(${_var}
-        "${ver}"
-        PARENT_SCOPE)
-    return()
+	set(${_var}
+		"${ver}"
+		PARENT_SCOPE
+	)
+	return()
 endfunction()

 function(get_drivers_version _var)
-    # `+driver` is given to only fetch drivers tags, thus excluding libs ones
-    get_version_from_git(ver "+driver" "")
+	# `+driver` is given to only fetch drivers tags, thus excluding libs ones
+	get_version_from_git(ver "+driver" "")

-    set(${_var}
-        "${ver}"
-        PARENT_SCOPE)
-    return()
+	set(${_var}
+		"${ver}"
+		PARENT_SCOPE
+	)
+	return()
 endfunction()

 function(get_shared_libs_versions _var _sovar)
-    string(REGEX MATCH "^[0-9]+\\.[0-9]+\\.[0-9]+" sl_ver ${FALCOSECURITY_LIBS_VERSION})
+	string(REGEX MATCH "^[0-9]+\\.[0-9]+\\.[0-9]+" sl_ver ${FALCOSECURITY_LIBS_VERSION})

-    if(NOT sl_ver)
-        set(sl_ver "0.0.0")
-    endif()
+	if(NOT sl_ver)
+		set(sl_ver "0.0.0")
+	endif()

-    set(${_var} ${sl_ver} PARENT_SCOPE)
-    string(REPLACE "." ";" sl_ver_list ${sl_ver})
-    list(GET sl_ver_list 0 so_ver)
-    set(${_sovar} ${so_ver} PARENT_SCOPE)
-    return()
-endfunction()
+	set(${_var}
+		${sl_ver}
+		PARENT_SCOPE
+	)
+	string(REPLACE "." ";" sl_ver_list ${sl_ver})
+	list(GET sl_ver_list 0 so_ver)
+	set(${_sovar}
+		${so_ver}
+		PARENT_SCOPE
+	)
+	return()
+endfunction()
--- a/cmake/modules/zlib.cmake
+++ b/cmake/modules/zlib.cmake
@ -1,6 +1,18 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# zlib
+# Copyright (C) 2023 The Falco Authors.
 #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 option(USE_BUNDLED_ZLIB "Enable building of the bundled zlib" ${USE_BUNDLED_DEPS})

 if(ZLIB_INCLUDE)
@ -17,7 +29,9 @@ else()
 	set(ZLIB_SRC "${PROJECT_BINARY_DIR}/zlib-prefix/src/zlib")
 	set(ZLIB_INCLUDE "${ZLIB_SRC}")
 	set(ZLIB_HEADERS "")
-	list(APPEND ZLIB_HEADERS
+	list(
+		APPEND
+		ZLIB_HEADERS
 		"${ZLIB_INCLUDE}/crc32.h"
 		"${ZLIB_INCLUDE}/deflate.h"
 		"${ZLIB_INCLUDE}/gzguts.h"
@ -31,44 +45,80 @@ else()
 		"${ZLIB_INCLUDE}/zutil.h"
 	)
 	if(NOT TARGET zlib)
+		# Match both release and relwithdebinfo builds
+		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
+			set(ZLIB_CFLAGS "-O3")
+		else()
+			set(ZLIB_CFLAGS "-g")
+		endif()
+		if(ENABLE_PIC)
+			set(ZLIB_CFLAGS "${ZLIB_CFLAGS} -fPIC")
+		endif()
+
 		message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")
 		if(NOT WIN32)
 			if(BUILD_SHARED_LIBS)
 				set(ZLIB_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-				set(ZLIB_CONFIGURE_FLAGS )
+				set(ZLIB_CONFIGURE_FLAGS)
 			else()
 				set(ZLIB_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
 				set(ZLIB_CONFIGURE_FLAGS "--static")
 			endif()
 			set(ZLIB_LIB "${ZLIB_SRC}/libz${ZLIB_LIB_SUFFIX}")
-			ExternalProject_Add(zlib
+			ExternalProject_Add(
+				zlib
 				PREFIX "${PROJECT_BINARY_DIR}/zlib-prefix"
-				URL "https://github.com/madler/zlib/archive/v1.2.13.tar.gz"
-				URL_HASH "SHA256=1525952a0a567581792613a9723333d7f8cc20b87a81f920fb8bc7e3f2251428"
-				CONFIGURE_COMMAND ./configure --prefix=${ZLIB_SRC} ${ZLIB_CONFIGURE_FLAGS}
-                                BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
+				URL "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz"
+				URL_HASH "SHA256=9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23"
+				CONFIGURE_COMMAND CFLAGS=${ZLIB_CFLAGS} ./configure --prefix=${ZLIB_SRC}
+								  ${ZLIB_CONFIGURE_FLAGS}
+				BUILD_COMMAND make
 				BUILD_IN_SOURCE 1
 				BUILD_BYPRODUCTS ${ZLIB_LIB}
-				INSTALL_COMMAND "")
-			install(FILES "${ZLIB_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-					COMPONENT "libs-deps")
-			install(FILES ${ZLIB_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
-					COMPONENT "libs-deps")
+				INSTALL_COMMAND ""
+			)
+			install(
+				FILES "${ZLIB_LIB}"
+				DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+				COMPONENT "libs-deps"
+			)
+			install(
+				FILES ${ZLIB_HEADERS}
+				DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
+				COMPONENT "libs-deps"
+			)
 		else()
-			set(ZLIB_LIB "${ZLIB_SRC}/zlib.lib")
-			ExternalProject_Add(zlib
+			if(BUILD_SHARED_LIBS)
+				set(ZLIB_LIB_SUFFIX "${CMAKE_SHARED_LIBRARY_SUFFIX}")
+				set(ZLIB_LIB "${ZLIB_SRC}/lib/zlib$<$<CONFIG:Debug>:d>${ZLIB_LIB_SUFFIX}")
+			else()
+				set(ZLIB_LIB_SUFFIX "${CMAKE_STATIC_LIBRARY_SUFFIX}")
+				set(ZLIB_LIB "${ZLIB_SRC}/lib/zlibstatic$<$<CONFIG:Debug>:d>${ZLIB_LIB_SUFFIX}")
+			endif()
+			ExternalProject_Add(
+				zlib
 				PREFIX "${PROJECT_BINARY_DIR}/zlib-prefix"
-				URL "https://github.com/madler/zlib/archive/v1.2.13.tar.gz"
-				URL_HASH "SHA256=1525952a0a567581792613a9723333d7f8cc20b87a81f920fb8bc7e3f2251428"
-				CONFIGURE_COMMAND ""
-				BUILD_COMMAND nmake -f win32/Makefile.msc
+				URL "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz"
+				URL_HASH "SHA256=9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23"
 				BUILD_IN_SOURCE 1
 				BUILD_BYPRODUCTS ${ZLIB_LIB}
-				INSTALL_COMMAND "")
-			install(FILES "${ZLIB_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-					COMPONENT "libs-deps")
-			install(FILES ${ZLIB_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
-					COMPONENT "libs-deps")
+				CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+						   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${ZLIB_SRC}
+			)
+			install(
+				FILES "${ZLIB_LIB}"
+				DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+				COMPONENT "libs-deps"
+			)
+			install(
+				FILES ${ZLIB_HEADERS}
+				DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
+				COMPONENT "libs-deps"
+			)
 		endif()
 	endif()
 endif()
--- a/codecov.yml
+++ b/codecov.yml
@ -0,0 +1,16 @@
+coverage:
+  status:
+    project:
+      default: off
+      libsinsp:
+        flags:
+          - libsinsp
+
+flags:
+  libsinsp:
+    paths:
+      - userspace/libsinsp/
+
+parsers:
+  cobertura:
+    partials_as_hits: true
--- a/coding_conventions.md
+++ b/coding_conventions.md
@ -1,278 +0,0 @@
-0 Introduction
------
-
-This repository strives for a consistent high quality code base and uses the conventions
-below.  If you are going to commit code that doesn't follow them, then you put the
-work on us. :-(
-
-If you use vim or emacs, you can put a custom configuration file in the base
-directory in order to follow the conventions.
-
-Also, note that the conventions in this file apply **strictly to the userspace** part
-of this repository. For the kernel code, you should refer to
-https://www.kernel.org/doc/html/latest/process/coding-style.html
-and always run `checkpatch.pl` from the kernel tree before submitting pull requests.
-
-Thanks for your attention and time.
-
-1 Curly Braces
------
-
-Every curly brace ("{" and "}") should go on its own line.
-
-Example:
-
-    if(a == 0)
-    {
-      b = 1;
-    }
-
-2 If and for statements
------
-
-Every `if` and `for` statement should have the curly braces.
-
-Example:
-
-    if(a == 0)
-    {
-      b = 1;
-    }
-
-and not
-
-    if(a == 0)
-      b = 1;
-
-3 Whitespace usage
------
-
-Spaces are used in the following way:
-
-    int32_t foo(int32_t a, int32_t b)
-    {
-      for(j = 0; j < 10; j++)
-      {
-        foo(a, b);
-      }
-    }
-
-Note that:
-
- * in a function declaration, there is no space between the function name and the "(".
- * in a function declaration, there is no space between the "(" and the first parameter.
- * in a statement (e.g `for`, `while`...), there is no space between the "for" and the "(".
- * in a statement (e.g `for`), there is no space between the "(" and the variable name.
- * in a function call, there is no space between the function name and the "(".
- * in a function call, there is no space between the "(" and the first parameter.
- * "," and ";" work like in English: there should be a space after them.
-
-4 Primitive types
------
-
-For portability reasons, please use the standard C99 types instead of the native C types
-like `int` and `long`. C99 types types will be available in all the user level
-source files:
-
-Example:
-
-    int32_t foo;
-
-5 Commenting Style
------
-
-Comments should be in the C++ style so we can use `/* */` to quickly remove
-portions of code during development.
-
-Example:
-
-    // this is a comment
-
-6 Commenting Content
------
-
-Code comments work in the following 2-level way:
-
- * A three-line comment should document what the code does and give higher level explanations.
- * A one line comment should detail single code lines or explain specific actions.
-
-Example:
-
-    //
-    // Swap two variables
-    //
-    int a = 1, b = 2, t;
-
-    // make a copy of a
-    t = a;
-
-    // perform the swap
-    a = b;
-    b = t;
-
-7 Class variables
------
-
-In order to know whether a variable belongs to a `class` or a `function` we start member variables with "`m_`".
-
-Example:
-
-    public int32_t m_counter;
-
-8 Global variables
------
-
-Similarly, in order to know whether the variable is global or not, we start
-globals with "`g_`".
-
-Example:
-
-    int g_nplugins;
-
-9 Capitalization
------
-
-The naming convention is camel-cased "Unix" style, i.e. always lower case. Words are separated by underscores.
-
-Example:
-
-    int32_t g_global_bean_counter;
-
-    int32_t count_beans();
-
-and not,
-
-    int32_t GlobalBeanCounter;
-
-10 Packed Structures
-------
-Packed structures should use the GCC and MSVC-style supported `pragma`:
-
-    #pragma pack(push,1)
-    struct frame_control
-    {
-        struct fields....
-    };
-    #pragma pack(pop)
-
-11 OS-specific macros
-------
-
-There's an online wiki which enumerates the different macros for compilers, operating systems, and architectures.
-It's available at [http://sourceforge.net/p/predef/wiki/Home/](http://sourceforge.net/p/predef/wiki/Home/). Generally speaking we use the operating system page: [http://sourceforge.net/p/predef/wiki/OperatingSystems/](http://sourceforge.net/p/predef/wiki/OperatingSystems/).
-
-12 64-bit constants
-------
-
-Put an "LL" at the end of your 64 bit constants. Without the LL, on some platforms the compiler tries to interpret the constant on the right hand side
-as a long integer instead of a long long and in some platform this generate an error at building time.
-
-Example:
-
-    x=0X00FF00000000000LL
-
-13 Class Declaration
-------
-
-Class declarations follow the following sequence
-
-  1. constructors and destructor
-  2. public functions
-  3. public data
-  4. private functions
-  5. private data
-  6. friend declarations
-
-Example:
-
-    class foo
-    {
-    public:
-      foo();
-      ~foo();
-
-      int32_t lonli();
-      int32_t m_val;
-
-    private:
-      int32_t temustra();
-      int32_t m_val2;
-    };
-
-14 Struct guidelines
-------
-
-We think hiding the presence of a pointer makes the code unnecessarily
-ambiguous and more difficult.
-
-Seeing a * in a variable declaration immediately identifies a pointer, which
-is easier to mentally keep track of!
-
-Also we think that defining the struct as a typedef makes forward declarations
-clunky and find using the C++ style when declaring our structs makes our
-lives easier.
-
-    //
-    // Us human parsers find this confusing.
-    //
-    typedef struct _my_struct
-    {
-      u_int16	m_field;
-    } my_struct,
-    *p_my_struct;
-
-    //
-    // This is easier!
-    //
-    struct my_struct {
-      u_int16	m_field;
-    };
-
-
-15 Temporary variables
-------
-
-Since "j" is used less frequently in english prose than "a" or "i", we find
-that these variables (in hierarchical order) are great for counters: j, k, l,
-m, n.
-
-Example:
-
-    int32_t j,k;
-    for(j = 0; j < 10; j++)
-    {
-      for(k = 0; k < 10; k++)
-      {
-        int32_t foo = j + k;
-      }
-    }
-
-as opposed to:
-
-    int32_t i,counter;
-    for(i = 0; i < 10; i++)
-    {
-      for(counter = 0; counter < 10; counter++)
-      {
-        int32_t foo = i + counter;
-      }
-    }
-
-16 Error management
-------
-
-Error management inside libscap is done through return values, since the scap
-library is written in C.
-Error management in the rest of the user level code base is done through
-exceptions. We know there's a lot of debate between return values and
-exceptions. We decided to pick the latter, so please stick with that.
-
-## You Made It!
-
-Phew! That's it. Thanks!
-
-If we've left anything in the open, feel free to contact us and we'll be happy
-to get back to you.  Also, you can look at the existing code and see how it's
-done.
-
-Have a good one!
--- a/docs/index.md
+++ b/docs/index.md
@ -11,3 +11,7 @@ Navigate to the Home of Falco Drivers Kernel Testing on the left, or click this
 ## Supported Syscalls Report

 Navigate to the Home of Falco Drivers Syscalls Report on the left, or click this [link](syscalls.md), or directly proceed to the supported syscalls [report](report.md).
+
+## Perf Continuous Monitoring
+
+Navigate to the Home of Falco Perf Monitoring on the left, or click this [link](perf.md).
--- a/docs/perf.md
+++ b/docs/perf.md
@ -0,0 +1,11 @@
+# Home of Falco Perf Monitoring
+
+Our CI is capable of continuously benchmarking performance of our userspace code, both CPU and memory.   
+Every PR will have a comment with the perf diff from master for multiple aspects, while on master the flamegraph are pushed to this github pages.
+
+Navigate to the perf reports on the left, or click these links:
+
+* [unit tests cpu perf](perf_unit_tests.md)
+* [scap file reading cpu perf](perf_scap_file.md)
+* [unit tests memory profile](heaptrack_unit_tests.md)
+* [scap file reading memory profile](heaptrack_scap_file.md)
--- a/docs/report.md
+++ b/docs/report.md
@ -1,381 +1,418 @@
-|         SYSCALL         | SUPPORTED |
-|-------------------------|-----------|
-| _sysctl                 | 🟡        |
-| accept                  | 🟢        |
-| accept4                 | 🟢        |
-| access                  | 🟢        |
-| acct                    | 🟡        |
-| add_key                 | 🟡        |
-| adjtimex                | 🟡        |
-| alarm                   | 🟡        |
-| arch_prctl              | 🟡        |
-| bdflush                 | 🟡        |
-| bind                    | 🟢        |
-| bpf                     | 🟢        |
-| brk                     | 🟢        |
-| cachestat               | 🟡        |
-| capget                  | 🟡        |
-| capset                  | 🟢        |
-| chdir                   | 🟢        |
-| chmod                   | 🟢        |
-| chown                   | 🟢        |
-| chroot                  | 🟢        |
-| clock_adjtime           | 🟡        |
-| clock_getres            | 🟡        |
-| clock_gettime           | 🟡        |
-| clock_nanosleep         | 🟡        |
-| clock_settime           | 🟡        |
-| clone                   | 🟢        |
-| clone3                  | 🟢        |
-| close                   | 🟢        |
-| close_range             | 🟡        |
-| connect                 | 🟢        |
-| copy_file_range         | 🟢        |
-| creat                   | 🟢        |
-| create_module           | 🟡        |
-| delete_module           | 🟡        |
-| dup                     | 🟢        |
-| dup2                    | 🟢        |
-| dup3                    | 🟢        |
-| epoll_create            | 🟢        |
-| epoll_create1           | 🟢        |
-| epoll_ctl               | 🟡        |
-| epoll_ctl_old           | 🟡        |
-| epoll_pwait             | 🟡        |
-| epoll_pwait2            | 🟡        |
-| epoll_wait              | 🟢        |
-| epoll_wait_old          | 🟡        |
-| eventfd                 | 🟢        |
-| eventfd2                | 🟢        |
-| execve                  | 🟢        |
-| execveat                | 🟢        |
-| exit                    | 🟡        |
-| exit_group              | 🟡        |
-| faccessat               | 🟡        |
-| faccessat2              | 🟡        |
-| fadvise64               | 🟡        |
-| fallocate               | 🟡        |
-| fanotify_init           | 🟡        |
-| fanotify_mark           | 🟡        |
-| fchdir                  | 🟢        |
-| fchmod                  | 🟢        |
-| fchmodat                | 🟢        |
-| fchown                  | 🟢        |
-| fchownat                | 🟢        |
-| fcntl                   | 🟢        |
-| fdatasync               | 🟡        |
-| fgetxattr               | 🟡        |
-| finit_module            | 🟢        |
-| flistxattr              | 🟡        |
-| flock                   | 🟢        |
-| fork                    | 🟢        |
-| fremovexattr            | 🟡        |
-| fsconfig                | 🟢        |
-| fsetxattr               | 🟡        |
-| fsmount                 | 🟡        |
-| fsopen                  | 🟡        |
-| fspick                  | 🟡        |
-| fstat                   | 🟢        |
-| fstatfs                 | 🟡        |
-| fstatfs64               | 🟡        |
-| fsync                   | 🟡        |
-| ftruncate               | 🟡        |
-| futex                   | 🟢        |
-| futex_waitv             | 🟡        |
-| futimesat               | 🟡        |
-| get_kernel_syms         | 🟡        |
-| get_mempolicy           | 🟡        |
-| get_robust_list         | 🟡        |
-| get_thread_area         | 🟡        |
-| getcpu                  | 🟡        |
-| getcwd                  | 🟢        |
-| getdents                | 🟢        |
-| getdents64              | 🟢        |
-| getegid                 | 🟢        |
-| geteuid                 | 🟢        |
-| getgid                  | 🟢        |
-| getgroups               | 🟡        |
-| getitimer               | 🟡        |
-| getpeername             | 🟢        |
-| getpgid                 | 🟡        |
-| getpgrp                 | 🟡        |
-| getpid                  | 🟡        |
-| getpmsg                 | 🟡        |
-| getppid                 | 🟡        |
-| getpriority             | 🟡        |
-| getrandom               | 🟡        |
-| getresgid               | 🟢        |
-| getresuid               | 🟢        |
-| getrlimit               | 🟢        |
-| getrusage               | 🟡        |
-| getsid                  | 🟡        |
-| getsockname             | 🟢        |
-| getsockopt              | 🟢        |
-| gettid                  | 🟡        |
-| gettimeofday            | 🟡        |
-| getuid                  | 🟢        |
-| getxattr                | 🟡        |
-| idle                    | 🟡        |
-| init_module             | 🟢        |
-| inotify_add_watch       | 🟡        |
-| inotify_init            | 🟢        |
-| inotify_init1           | 🟢        |
-| inotify_rm_watch        | 🟡        |
-| io_cancel               | 🟡        |
-| io_destroy              | 🟡        |
-| io_getevents            | 🟡        |
-| io_pgetevents           | 🟡        |
-| io_setup                | 🟡        |
-| io_submit               | 🟡        |
-| io_uring_enter          | 🟢        |
-| io_uring_register       | 🟢        |
-| io_uring_setup          | 🟢        |
-| ioctl                   | 🟢        |
-| ioperm                  | 🟡        |
-| iopl                    | 🟡        |
-| ioprio_get              | 🟡        |
-| ioprio_set              | 🟡        |
-| ipc                     | 🟡        |
-| kcmp                    | 🟡        |
-| kexec_file_load         | 🟡        |
-| kexec_load              | 🟡        |
-| keyctl                  | 🟡        |
-| kill                    | 🟢        |
-| landlock_add_rule       | 🟡        |
-| landlock_create_ruleset | 🟡        |
-| landlock_restrict_self  | 🟡        |
-| lchown                  | 🟢        |
-| lgetxattr               | 🟡        |
-| link                    | 🟢        |
-| linkat                  | 🟢        |
-| listen                  | 🟢        |
-| listxattr               | 🟡        |
-| llistxattr              | 🟡        |
-| lookup_dcookie          | 🟡        |
-| lremovexattr            | 🟡        |
-| lseek                   | 🟢        |
-| lsetxattr               | 🟡        |
-| lstat                   | 🟢        |
-| madvise                 | 🟡        |
-| mbind                   | 🟡        |
-| membarrier              | 🟡        |
-| memfd_create            | 🟢        |
-| memfd_secret            | 🟡        |
-| migrate_pages           | 🟡        |
-| mincore                 | 🟡        |
-| mkdir                   | 🟢        |
-| mkdirat                 | 🟢        |
-| mknod                   | 🟢        |
-| mknodat                 | 🟢        |
-| mlock                   | 🟢        |
-| mlock2                  | 🟢        |
-| mlockall                | 🟢        |
-| mmap                    | 🟢        |
-| modify_ldt              | 🟡        |
-| mount                   | 🟢        |
-| mount_setattr           | 🟡        |
-| move_mount              | 🟡        |
-| move_pages              | 🟡        |
-| mprotect                | 🟢        |
-| mq_getsetattr           | 🟡        |
-| mq_notify               | 🟡        |
-| mq_open                 | 🟡        |
-| mq_timedreceive         | 🟡        |
-| mq_timedsend            | 🟡        |
-| mq_unlink               | 🟡        |
-| mremap                  | 🟡        |
-| msgctl                  | 🟡        |
-| msgget                  | 🟡        |
-| msgrcv                  | 🟡        |
-| msgsnd                  | 🟡        |
-| msync                   | 🟡        |
-| munlock                 | 🟢        |
-| munlockall              | 🟢        |
-| munmap                  | 🟢        |
-| name_to_handle_at       | 🟡        |
-| nanosleep               | 🟢        |
-| newfstatat              | 🟡        |
-| nfsservctl              | 🟡        |
-| nice                    | 🟡        |
-| open                    | 🟢        |
-| open_by_handle_at       | 🟢        |
-| open_tree               | 🟡        |
-| openat                  | 🟢        |
-| openat2                 | 🟢        |
-| pause                   | 🟡        |
-| perf_event_open         | 🟡        |
-| personality             | 🟡        |
-| pidfd_getfd             | 🟢        |
-| pidfd_open              | 🟢        |
-| pidfd_send_signal       | 🟡        |
-| pipe                    | 🟢        |
-| pipe2                   | 🟢        |
-| pivot_root              | 🟡        |
-| pkey_alloc              | 🟡        |
-| pkey_free               | 🟡        |
-| pkey_mprotect           | 🟡        |
-| poll                    | 🟢        |
-| ppoll                   | 🟢        |
-| prctl                   | 🟢        |
-| pread64                 | 🟢        |
-| preadv                  | 🟢        |
-| preadv2                 | 🟡        |
-| prlimit64               | 🟢        |
-| process_madvise         | 🟡        |
-| process_mrelease        | 🟡        |
-| process_vm_readv        | 🟡        |
-| process_vm_writev       | 🟡        |
-| pselect6                | 🟡        |
-| ptrace                  | 🟢        |
-| pwrite64                | 🟢        |
-| pwritev                 | 🟢        |
-| pwritev2                | 🟡        |
-| query_module            | 🟡        |
-| quotactl                | 🟢        |
-| quotactl_fd             | 🟡        |
-| read                    | 🟢        |
-| readahead               | 🟡        |
-| readdir                 | 🟡        |
-| readlink                | 🟡        |
-| readlinkat              | 🟡        |
-| readv                   | 🟢        |
-| reboot                  | 🟡        |
-| recvfrom                | 🟢        |
-| recvmmsg                | 🟢        |
-| recvmsg                 | 🟢        |
-| remap_file_pages        | 🟡        |
-| removexattr             | 🟡        |
-| rename                  | 🟢        |
-| renameat                | 🟢        |
-| renameat2               | 🟢        |
-| request_key             | 🟡        |
-| restart_syscall         | 🟡        |
-| rmdir                   | 🟢        |
-| rseq                    | 🟡        |
-| rt_sigaction            | 🟡        |
-| rt_sigpending           | 🟡        |
-| rt_sigprocmask          | 🟡        |
-| rt_sigqueueinfo         | 🟡        |
-| rt_sigreturn            | 🟡        |
-| rt_sigsuspend           | 🟡        |
-| rt_sigtimedwait         | 🟡        |
-| rt_tgsigqueueinfo       | 🟡        |
-| s390_guarded_storage    | 🟡        |
-| s390_pci_mmio_read      | 🟡        |
-| s390_pci_mmio_write     | 🟡        |
-| s390_runtime_instr      | 🟡        |
-| s390_sthyi              | 🟡        |
-| sched_get_priority_max  | 🟡        |
-| sched_get_priority_min  | 🟡        |
-| sched_getaffinity       | 🟡        |
-| sched_getattr           | 🟡        |
-| sched_getparam          | 🟡        |
-| sched_getscheduler      | 🟡        |
-| sched_rr_get_interval   | 🟡        |
-| sched_setaffinity       | 🟡        |
-| sched_setattr           | 🟡        |
-| sched_setparam          | 🟡        |
-| sched_setscheduler      | 🟡        |
-| sched_yield             | 🟡        |
-| seccomp                 | 🟢        |
-| select                  | 🟢        |
-| semctl                  | 🟢        |
-| semget                  | 🟢        |
-| semop                   | 🟢        |
-| semtimedop              | 🟡        |
-| sendfile                | 🟢        |
-| sendmmsg                | 🟢        |
-| sendmsg                 | 🟢        |
-| sendto                  | 🟢        |
-| set_mempolicy           | 🟡        |
-| set_mempolicy_home_node | 🟡        |
-| set_robust_list         | 🟡        |
-| set_thread_area         | 🟡        |
-| set_tid_address         | 🟡        |
-| setdomainname           | 🟡        |
-| setfsgid                | 🟡        |
-| setfsuid                | 🟡        |
-| setgid                  | 🟢        |
-| setgroups               | 🟡        |
-| sethostname             | 🟡        |
-| setitimer               | 🟡        |
-| setns                   | 🟢        |
-| setpgid                 | 🟢        |
-| setpriority             | 🟡        |
-| setregid                | 🟡        |
-| setresgid               | 🟢        |
-| setresuid               | 🟢        |
-| setreuid                | 🟡        |
-| setrlimit               | 🟢        |
-| setsid                  | 🟢        |
-| setsockopt              | 🟢        |
-| settimeofday            | 🟡        |
-| setuid                  | 🟢        |
-| setxattr                | 🟡        |
-| shmat                   | 🟡        |
-| shmctl                  | 🟡        |
-| shmdt                   | 🟡        |
-| shmget                  | 🟡        |
-| shutdown                | 🟢        |
-| sigaction               | 🟡        |
-| sigaltstack             | 🟡        |
-| signal                  | 🟡        |
-| signalfd                | 🟢        |
-| signalfd4               | 🟢        |
-| sigpending              | 🟡        |
-| sigprocmask             | 🟡        |
-| sigreturn               | 🟡        |
-| sigsuspend              | 🟡        |
-| socket                  | 🟢        |
-| socketcall              | 🟡        |
-| socketpair              | 🟢        |
-| splice                  | 🟢        |
-| stat                    | 🟢        |
-| statfs                  | 🟡        |
-| statfs64                | 🟡        |
-| statx                   | 🟡        |
-| swapoff                 | 🟡        |
-| swapon                  | 🟡        |
-| symlink                 | 🟢        |
-| symlinkat               | 🟢        |
-| sync                    | 🟡        |
-| sync_file_range         | 🟡        |
-| syncfs                  | 🟡        |
-| sysfs                   | 🟡        |
-| sysinfo                 | 🟡        |
-| syslog                  | 🟡        |
-| tee                     | 🟡        |
-| tgkill                  | 🟢        |
-| time                    | 🟡        |
-| timer_create            | 🟡        |
-| timer_delete            | 🟡        |
-| timer_getoverrun        | 🟡        |
-| timer_gettime           | 🟡        |
-| timer_settime           | 🟡        |
-| timerfd                 | 🟡        |
-| timerfd_create          | 🟢        |
-| timerfd_gettime         | 🟡        |
-| timerfd_settime         | 🟡        |
-| times                   | 🟡        |
-| tkill                   | 🟢        |
-| truncate                | 🟡        |
-| umask                   | 🟡        |
-| umount                  | 🟢        |
-| umount2                 | 🟢        |
-| uname                   | 🟡        |
-| unlink                  | 🟢        |
-| unlinkat                | 🟢        |
-| unshare                 | 🟢        |
-| uselib                  | 🟡        |
-| userfaultfd             | 🟢        |
-| ustat                   | 🟡        |
-| utime                   | 🟡        |
-| utimensat               | 🟡        |
-| utimes                  | 🟡        |
-| vfork                   | 🟢        |
-| vhangup                 | 🟡        |
-| vmsplice                | 🟡        |
-| wait4                   | 🟡        |
-| waitid                  | 🟡        |
-| write                   | 🟢        |
-| writev                  | 🟢        |
+|         SYSCALL         | SUPPORTED |                   ARCHITECTURE                   |
+|-------------------------|-----------|--------------------------------------------------|
+| _llseek                 | 🟢        | ppc64le                                          |
+| _newselect              | 🟡        | ppc64le                                          |
+| accept                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,x86_64       |
+| accept4                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| access                  | 🟢        | ppc64le,s390x,x86_64                             |
+| acct                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| add_key                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| adjtimex                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| alarm                   | 🟡        | ppc64le,s390x,x86_64                             |
+| arch_prctl              | 🟡        | x86_64                                           |
+| bind                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| bpf                     | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| brk                     | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| cachestat               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| capget                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| capset                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| chdir                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| chmod                   | 🟢        | ppc64le,s390x,x86_64                             |
+| chown                   | 🟢        | ppc64le,s390x,x86_64                             |
+| chroot                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_adjtime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_getres            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_gettime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_nanosleep         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_settime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clone                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clone3                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| close                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| close_range             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| connect                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| copy_file_range         | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| creat                   | 🟢        | ppc64le,s390x,x86_64                             |
+| delete_module           | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| dup                     | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| dup2                    | 🟢        | ppc64le,s390x,x86_64                             |
+| dup3                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_create            | 🟢        | ppc64le,s390x,x86_64                             |
+| epoll_create1           | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_ctl               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_ctl_old           | 🟡        | x86_64                                           |
+| epoll_pwait             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_pwait2            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_wait              | 🟢        | ppc64le,s390x,x86_64                             |
+| epoll_wait_old          | 🟡        | x86_64                                           |
+| eventfd                 | 🟢        | ppc64le,s390x,x86_64                             |
+| eventfd2                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| execve                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| execveat                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| exit                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| exit_group              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| faccessat               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| faccessat2              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fadvise64               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fallocate               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fanotify_init           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fanotify_mark           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchdir                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchmod                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchmodat                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchmodat2               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchown                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchownat                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fcntl                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fdatasync               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fgetxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| finit_module            | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| flistxattr              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| flock                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fork                    | 🟢        | ppc64le,s390x,x86_64                             |
+| fremovexattr            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fsconfig                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fsetxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fsmount                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fsopen                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fspick                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fstat                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fstatfs                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fstatfs64               | 🟡        | ppc64le,s390x                                    |
+| fsync                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ftruncate               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex_requeue           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex_wait              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex_waitv             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex_wake              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futimesat               | 🟡        | ppc64le,s390x,x86_64                             |
+| get_mempolicy           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| get_robust_list         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| get_thread_area         | 🟡        | x86_64                                           |
+| getcpu                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getcwd                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getdents                | 🟢        | ppc64le,s390x,x86_64                             |
+| getdents64              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getegid                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| geteuid                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getgid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getgroups               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getitimer               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getpeername             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getpgid                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getpgrp                 | 🟡        | ppc64le,s390x,x86_64                             |
+| getpid                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getppid                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getpriority             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getrandom               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getresgid               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getresuid               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getrlimit               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64             |
+| getrusage               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getsid                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getsockname             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getsockopt              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| gettid                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| gettimeofday            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getuid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getxattr                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getxattrat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| init_module             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| inotify_add_watch       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| inotify_init            | 🟢        | ppc64le,s390x,x86_64                             |
+| inotify_init1           | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| inotify_rm_watch        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_cancel               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_destroy              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_getevents            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_pgetevents           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_setup                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_submit               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_uring_enter          | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_uring_register       | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_uring_setup          | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ioctl                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ioperm                  | 🟡        | ppc64le,x86_64                                   |
+| iopl                    | 🟡        | ppc64le,x86_64                                   |
+| ioprio_get              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ioprio_set              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ipc                     | 🟡        | ppc64le,s390x                                    |
+| kcmp                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| kexec_file_load         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| kexec_load              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| keyctl                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| kill                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| landlock_add_rule       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| landlock_create_ruleset | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| landlock_restrict_self  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lchown                  | 🟢        | ppc64le,s390x,x86_64                             |
+| lgetxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| link                    | 🟢        | ppc64le,s390x,x86_64                             |
+| linkat                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| listen                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| listmount               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| listxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| listxattrat             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| llistxattr              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lookup_dcookie          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lremovexattr            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lseek                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lsetxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lsm_get_self_attr       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lsm_list_modules        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lsm_set_self_attr       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lstat                   | 🟢        | ppc64le,s390x,x86_64                             |
+| madvise                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| map_shadow_stack        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mbind                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| membarrier              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| memfd_create            | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| memfd_secret            | 🟡        | aarch64,riscv64,s390x,x86_64                     |
+| migrate_pages           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mincore                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mkdir                   | 🟢        | ppc64le,s390x,x86_64                             |
+| mkdirat                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mknod                   | 🟢        | ppc64le,s390x,x86_64                             |
+| mknodat                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mlock                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mlock2                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mlockall                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mmap                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| modify_ldt              | 🟡        | ppc64le,x86_64                                   |
+| mount                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mount_setattr           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| move_mount              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| move_pages              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mprotect                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_getsetattr           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_notify               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_open                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_timedreceive         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_timedsend            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_unlink               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mremap                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mseal                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msgctl                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msgget                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msgrcv                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msgsnd                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msync                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| multiplexer             | 🟡        | ppc64le                                          |
+| munlock                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| munlockall              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| munmap                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| name_to_handle_at       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| nanosleep               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| newfstatat              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| nice                    | 🟡        | ppc64le,s390x                                    |
+| oldfstat                | 🟡        | ppc64le                                          |
+| oldlstat                | 🟡        | ppc64le                                          |
+| oldolduname             | 🟡        | ppc64le                                          |
+| oldstat                 | 🟡        | ppc64le                                          |
+| olduname                | 🟡        | ppc64le                                          |
+| open                    | 🟢        | ppc64le,s390x,x86_64                             |
+| open_by_handle_at       | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| open_tree               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| open_tree_attr          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| openat                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| openat2                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pause                   | 🟡        | ppc64le,s390x,x86_64                             |
+| pciconfig_iobase        | 🟡        | ppc64le                                          |
+| pciconfig_read          | 🟡        | ppc64le                                          |
+| pciconfig_write         | 🟡        | ppc64le                                          |
+| perf_event_open         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| personality             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pidfd_getfd             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pidfd_open              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pidfd_send_signal       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pipe                    | 🟢        | ppc64le,s390x,x86_64                             |
+| pipe2                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pivot_root              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pkey_alloc              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pkey_free               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pkey_mprotect           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| poll                    | 🟢        | ppc64le,s390x,x86_64                             |
+| ppoll                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| prctl                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pread64                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| preadv                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| preadv2                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| prlimit64               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| process_madvise         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| process_mrelease        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| process_vm_readv        | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| process_vm_writev       | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pselect6                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ptrace                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pwrite64                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pwritev                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pwritev2                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| quotactl                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| quotactl_fd             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| read                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| readahead               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| readdir                 | 🟡        | ppc64le,s390x                                    |
+| readlink                | 🟡        | ppc64le,s390x,x86_64                             |
+| readlinkat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| readv                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| reboot                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| recv                    | 🟢        | ppc64le                                          |
+| recvfrom                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| recvmmsg                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| recvmsg                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| remap_file_pages        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| removexattr             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| removexattrat           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rename                  | 🟢        | ppc64le,s390x,x86_64                             |
+| renameat                | 🟢        | aarch64,ppc64le,s390x,x86_64                     |
+| renameat2               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| request_key             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| restart_syscall         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| riscv_flush_icache      | 🟡        | riscv64                                          |
+| riscv_hwprobe           | 🟡        | riscv64                                          |
+| rmdir                   | 🟢        | ppc64le,s390x,x86_64                             |
+| rseq                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigaction            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigpending           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigprocmask          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigqueueinfo         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigreturn            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigsuspend           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigtimedwait         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_tgsigqueueinfo       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rtas                    | 🟡        | ppc64le                                          |
+| s390_guarded_storage    | 🟡        | s390x                                            |
+| s390_pci_mmio_read      | 🟡        | s390x                                            |
+| s390_pci_mmio_write     | 🟡        | s390x                                            |
+| s390_runtime_instr      | 🟡        | s390x                                            |
+| s390_sthyi              | 🟡        | s390x                                            |
+| sched_get_priority_max  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_get_priority_min  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_getaffinity       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_getattr           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_getparam          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_getscheduler      | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_rr_get_interval   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_setaffinity       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_setattr           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_setparam          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_setscheduler      | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_yield             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| seccomp                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| select                  | 🟢        | ppc64le,s390x,x86_64                             |
+| semctl                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| semget                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| semop                   | 🟢        | aarch64,loongarch64,riscv64,x86_64               |
+| semtimedop              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| send                    | 🟢        | ppc64le                                          |
+| sendfile                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sendmmsg                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sendmsg                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sendto                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| set_mempolicy           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| set_mempolicy_home_node | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| set_robust_list         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| set_thread_area         | 🟡        | x86_64                                           |
+| set_tid_address         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setdomainname           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setfsgid                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setfsuid                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setgid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setgroups               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sethostname             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setitimer               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setns                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setpgid                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setpriority             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setregid                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setresgid               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setresuid               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setreuid                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setrlimit               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64             |
+| setsid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setsockopt              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| settimeofday            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setuid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setxattr                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setxattrat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sgetmask                | 🟡        | ppc64le                                          |
+| shmat                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| shmctl                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| shmdt                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| shmget                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| shutdown                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sigaction               | 🟡        | ppc64le,s390x                                    |
+| sigaltstack             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| signal                  | 🟡        | ppc64le,s390x                                    |
+| signalfd                | 🟢        | ppc64le,s390x,x86_64                             |
+| signalfd4               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sigpending              | 🟡        | ppc64le,s390x                                    |
+| sigprocmask             | 🟡        | ppc64le,s390x                                    |
+| sigreturn               | 🟡        | ppc64le,s390x                                    |
+| sigsuspend              | 🟡        | ppc64le,s390x                                    |
+| socket                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| socketcall              | 🟡        | ppc64le,s390x                                    |
+| socketpair              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| splice                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| spu_create              | 🟡        | ppc64le                                          |
+| spu_run                 | 🟡        | ppc64le                                          |
+| ssetmask                | 🟡        | ppc64le                                          |
+| stat                    | 🟢        | ppc64le,s390x,x86_64                             |
+| statfs                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| statfs64                | 🟡        | ppc64le,s390x                                    |
+| statmount               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| statx                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| stime                   | 🟡        | ppc64le                                          |
+| subpage_prot            | 🟡        | ppc64le                                          |
+| swapcontext             | 🟡        | ppc64le                                          |
+| swapoff                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| swapon                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| switch_endian           | 🟡        | ppc64le                                          |
+| symlink                 | 🟢        | ppc64le,s390x,x86_64                             |
+| symlinkat               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sync                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sync_file_range         | 🟡        | aarch64,loongarch64,riscv64,s390x,x86_64         |
+| sync_file_range2        | 🟡        | ppc64le                                          |
+| syncfs                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sys_debug_setcontext    | 🟡        | ppc64le                                          |
+| sysfs                   | 🟡        | ppc64le,s390x,x86_64                             |
+| sysinfo                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| syslog                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| tee                     | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| tgkill                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| time                    | 🟡        | ppc64le,x86_64                                   |
+| timer_create            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timer_delete            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timer_getoverrun        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timer_gettime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timer_settime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timerfd                 | 🟡        | s390x                                            |
+| timerfd_create          | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timerfd_gettime         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timerfd_settime         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| times                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| tkill                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| truncate                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ugetrlimit              | 🟢        | ppc64le                                          |
+| umask                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| umount                  | 🟢        | ppc64le,s390x                                    |
+| umount2                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| uname                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| unlink                  | 🟢        | ppc64le,s390x,x86_64                             |
+| unlinkat                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| unshare                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| uretprobe               | 🟡        | x86_64                                           |
+| userfaultfd             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ustat                   | 🟡        | ppc64le,s390x,x86_64                             |
+| utime                   | 🟡        | ppc64le,s390x,x86_64                             |
+| utimensat               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| utimes                  | 🟡        | ppc64le,s390x,x86_64                             |
+| vfork                   | 🟢        | ppc64le,s390x,x86_64                             |
+| vhangup                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| vm86                    | 🟡        | ppc64le                                          |
+| vmsplice                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| wait4                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| waitid                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| waitpid                 | 🟡        | ppc64le                                          |
+| write                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| writev                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
--- a/driver/API_VERSION
+++ b/driver/API_VERSION
@ -1 +1 @@
-5.0.0
+8.0.4
--- a/driver/CMakeLists.txt
+++ b/driver/CMakeLists.txt
@ -1,30 +1,46 @@
+# SPDX-License-Identifier: GPL-2.0-only OR MIT
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# This file is dual licensed under either the MIT or GPL 2. See
-# MIT.txt or GPL.txt for full copies of the license.
+# This file is dual licensed under either the MIT or GPL 2. See MIT.txt or GPL.txt for full copies
+# of the license.
 #

 cmake_minimum_required(VERSION 3.12)
 project(driver)

 set(TARGET_ARCH ${CMAKE_HOST_SYSTEM_PROCESSOR})
-if((NOT TARGET_ARCH STREQUAL "x86_64") AND
-   (NOT TARGET_ARCH STREQUAL "aarch64") AND
-   (NOT TARGET_ARCH STREQUAL "s390x"))
+if((NOT TARGET_ARCH STREQUAL "x86_64")
+   AND (NOT TARGET_ARCH STREQUAL "aarch64")
+   AND (NOT TARGET_ARCH STREQUAL "s390x")
+   AND (NOT TARGET_ARCH STREQUAL "riscv64")
+   AND (NOT TARGET_ARCH STREQUAL "ppc64le")
+   AND (NOT TARGET_ARCH STREQUAL "loongarch64")
+)
 	message(WARNING "Target architecture not officially supported by our drivers!")
 else()
 	# Load current kernel version
-	execute_process(COMMAND uname -r OUTPUT_VARIABLE UNAME_RESULT OUTPUT_STRIP_TRAILING_WHITESPACE)
+	execute_process(
+		COMMAND uname -r
+		OUTPUT_VARIABLE UNAME_RESULT
+		OUTPUT_STRIP_TRAILING_WHITESPACE
+	)
 	string(REGEX MATCH "[0-9]+.[0-9]+" LINUX_KERNEL_VERSION ${UNAME_RESULT})
-	message(STATUS  "Kernel version: ${UNAME_RESULT}")
+	message(STATUS "Kernel version: ${UNAME_RESULT}")

 	# Check minimum kernel version
 	set(kmod_min_kver_map_x86_64 2.6)
 	set(kmod_min_kver_map_aarch64 3.16)
 	set(kmod_min_kver_map_s390x 2.6)
-	if (LINUX_KERNEL_VERSION VERSION_LESS ${kmod_min_kver_map_${TARGET_ARCH}})
-		message(WARNING "[KMOD] To run this driver you need a Linux kernel version >= ${kmod_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}")
+	set(kmod_min_kver_map_riscv64 5.0)
+	set(kmod_min_kver_map_ppc64le 2.6)
+	set(kmod_min_kver_map_loongarch64 5.10)
+
+	if(LINUX_KERNEL_VERSION VERSION_LESS ${kmod_min_kver_map_${TARGET_ARCH}})
+		message(
+			WARNING
+				"[KMOD] To run this driver you need a Linux kernel version >= ${kmod_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}"
+		)
 	endif()
 endif()

@ -32,14 +48,18 @@ option(BUILD_DRIVER "Build the driver on Linux" ON)
 option(ENABLE_DKMS "Enable DKMS on Linux" ON)

 if(NOT DEFINED DRIVER_VERSION)
-	message(FATAL_ERROR
-		"No DRIVER_VERSION set.\nPlease either explicitly set it or build the root project 'falcosecurity/libs' from a git working directory."
+	message(
+		FATAL_ERROR
+			"No DRIVER_VERSION set.\nPlease either explicitly set it or build the root project 'falcosecurity/libs' from a git working directory."
 	)
 endif()

 if(NOT DEFINED DRIVER_COMPONENT_NAME)
 	set(DRIVER_COMPONENT_NAME "scap-driver")
 endif()
+if(NOT DEFINED DRIVER_KMOD_COMPONENT_NAME)
+	set(DRIVER_KMOD_COMPONENT_NAME ${DRIVER_COMPONENT_NAME})
+endif()

 if(NOT DEFINED DRIVER_PACKAGE_NAME)
 	set(DRIVER_PACKAGE_NAME "scap")
@ -53,36 +73,30 @@ if(NOT DEFINED DRIVER_DEVICE_NAME)
 	set(DRIVER_DEVICE_NAME "${DRIVER_NAME}")
 endif()

-# The driver build process is somewhat involved because we use the same
-# sources for building the driver locally and for shipping as a DKMS module.
+# The driver build process is somewhat involved because we use the same sources for building the
+# driver locally and for shipping as a DKMS module.
 #
-# We need a single directory with the following files inside:
-# - all the driver *.c/*.h sources
-# - Makefile generated from Makefile.in
-# - driver_config.h generated from driver_config.h.in
+# We need a single directory with the following files inside: - all the driver *.c/*.h sources -
+# Makefile generated from Makefile.in - driver_config.h generated from driver_config.h.in
 #
-# The Makefile _must_ be called just Makefile (and not e.g. Makefile.dkms)
-# because of the module build process, which looks like this:
-# 1. The user (or some script) runs make in our driver directory
-# 2. Our Makefile runs the Makefile from kernel sources/headers
-# 3. The kernel Makefile calls our original Makefile again, with options that
-# trigger the actual build. This step cannot know that our Makefile has
-# a different name.
+# The Makefile _must_ be called just Makefile (and not e.g. Makefile.dkms) because of the module
+# build process, which looks like this: 1. The user (or some script) runs make in our driver
+# directory 2. Our Makefile runs the Makefile from kernel sources/headers 3. The kernel Makefile
+# calls our original Makefile again, with options that trigger the actual build. This step cannot
+# know that our Makefile has a different name.
 #
 # (DKMS needs a Makefile called Makefile as well).
 #
-# The files need to be in a single directory because we cannot know where
-# the sources will be built (especially by DKMS) so we cannot put _any_ paths
-# in the Makefile.
+# The files need to be in a single directory because we cannot know where the sources will be built
+# (especially by DKMS) so we cannot put _any_ paths in the Makefile.
 #
-# The chosen directory must not be ${CMAKE_CURRENT_BINARY_DIR} because CMake
-# puts its own generated Makefile in there, so we (arbitrarily) choose
-# ${CMAKE_CURRENT_BINARY_DIR}/src. To maintain compatibility with older versions,
-# after the build we copy the compiled module one directory up,
+# The chosen directory must not be ${CMAKE_CURRENT_BINARY_DIR} because CMake puts its own generated
+# Makefile in there, so we (arbitrarily) choose ${CMAKE_CURRENT_BINARY_DIR}/src. To maintain
+# compatibility with older versions, after the build we copy the compiled module one directory up,
 # to ${CMAKE_CURRENT_BINARY_DIR}.
 include(compute_versions RESULT_VARIABLE RESULT)
 if(RESULT STREQUAL NOTFOUND)
-  message(FATAL_ERROR "problem with compute_versions.cmake in ${CMAKE_MODULE_PATH}")
+	message(FATAL_ERROR "problem with compute_versions.cmake in ${CMAKE_MODULE_PATH}")
 endif()
 compute_versions(API_VERSION SCHEMA_VERSION)

@ -90,6 +104,33 @@ configure_file(dkms.conf.in src/dkms.conf)
 configure_file(Makefile.in src/Makefile)
 configure_file(driver_config.h.in src/driver_config.h)

+#
+# Copy all the "configure" modules
+#
+file(GLOB configure_modules "${CMAKE_CURRENT_SOURCE_DIR}/configure/*")
+foreach(subdir ${configure_modules})
+	if(IS_DIRECTORY "${subdir}")
+		file(RELATIVE_PATH CONFIGURE_MODULE "${CMAKE_CURRENT_SOURCE_DIR}/configure" "${subdir}")
+		configure_file(
+			configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY
+		)
+		configure_file(configure/Makefile src/configure/${CONFIGURE_MODULE}/Makefile COPYONLY)
+		configure_file(configure/build.sh src/configure/${CONFIGURE_MODULE}/build.sh COPYONLY)
+		configure_file(configure/Makefile.inc.in src/configure/${CONFIGURE_MODULE}/Makefile.inc)
+		if(ENABLE_DKMS)
+			install(
+				FILES "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
+					  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
+					  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
+					  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
+				DESTINATION
+					"src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/configure/${CONFIGURE_MODULE}"
+				COMPONENT ${DRIVER_KMOD_COMPONENT_NAME}
+			)
+		endif()
+	endif()
+endforeach()
+
 set(DRIVER_SOURCES
 	dynamic_params_table.c
 	event_table.c
@ -107,9 +148,7 @@ set(DRIVER_SOURCES
 	ppm_fillers.h
 	ppm_flag_helpers.h
 	ppm_ringbuffer.h
-	ppm_syscall.h
 	syscall_table.c
-	syscall_table32.c
 	syscall_table64.c
 	ppm_cputime.c
 	ppm_version.h
@ -119,51 +158,63 @@ set(DRIVER_SOURCES
 	ppm_consumer.h
 	capture_macro.h
 	socketcall_to_syscall.h
-	socketcall_to_syscall.c
+	syscall_compat_loongarch64.h
+	syscall_compat_ppc64le.h
+	syscall_compat_riscv64.h
+	syscall_compat_s390x.h
+	syscall_compat_x86_64.h
+	syscall_ia32_64_map.c
 )

 foreach(FILENAME IN LISTS DRIVER_SOURCES)
 	configure_file(${FILENAME} src/${FILENAME} COPYONLY)
 endforeach()

-# make can be self-referenced as $(MAKE) only from Makefiles but this
-# triggers syntax errors with other generators such as Ninja
+# make can be self-referenced as $(MAKE) only from Makefiles but this triggers syntax errors with
+# other generators such as Ninja
 if(${CMAKE_GENERATOR} STREQUAL "Unix Makefiles")
 	set(MAKE_COMMAND "$(MAKE)")
 else()
 	set(MAKE_COMMAND "make")
 endif()

-# This if/else is needed because you currently cannot manipulate dependencies
-# of built-in targets like "all" in CMake:
-# http://public.kitware.com/Bug/view.php?id=8438
+# This if/else is needed because you currently cannot manipulate dependencies of built-in targets
+# like "all" in CMake: http://public.kitware.com/Bug/view.php?id=8438
 if(BUILD_DRIVER)
-	add_custom_target(driver ALL
+	add_custom_target(
+		driver ALL
 		COMMAND ${MAKE_COMMAND}
-		COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko "${CMAKE_CURRENT_BINARY_DIR}"
+		COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko
+				"${CMAKE_CURRENT_BINARY_DIR}"
 		WORKING_DIRECTORY src
-		VERBATIM)
+		VERBATIM
+	)
 else()
-	add_custom_target(driver
+	add_custom_target(
+		driver
 		COMMAND ${MAKE_COMMAND}
-		COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko "${CMAKE_CURRENT_BINARY_DIR}"
+		COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko
+				"${CMAKE_CURRENT_BINARY_DIR}"
 		WORKING_DIRECTORY src
-		VERBATIM)
+		VERBATIM
+	)
 endif()

-add_custom_target(install_driver
+add_custom_target(
+	install_driver
 	COMMAND ${MAKE_COMMAND} install
 	DEPENDS driver
 	WORKING_DIRECTORY src
-	VERBATIM)
+	VERBATIM
+)

 if(ENABLE_DKMS)
-	install(FILES ${CMAKE_CURRENT_BINARY_DIR}/src/Makefile
-		${CMAKE_CURRENT_BINARY_DIR}/src/dkms.conf
-		${CMAKE_CURRENT_BINARY_DIR}/src/driver_config.h
-		${DRIVER_SOURCES}
+	install(
+		FILES ${CMAKE_CURRENT_BINARY_DIR}/src/Makefile ${CMAKE_CURRENT_BINARY_DIR}/src/dkms.conf
+			  ${CMAKE_CURRENT_BINARY_DIR}/src/driver_config.h ${DRIVER_SOURCES}
 		DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}"
-		COMPONENT ${DRIVER_COMPONENT_NAME})
+		COMPONENT ${DRIVER_KMOD_COMPONENT_NAME}
+	)
 endif()

 add_subdirectory(bpf)
--- a/driver/MIT.txt
+++ b/driver/MIT.txt
@ -1,4 +1,4 @@
-Copyright (C) 2021 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.

 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
--- a/driver/Makefile.in
+++ b/driver/Makefile.in
@ -1,17 +1,23 @@
+# SPDX-License-Identifier: GPL-2.0-only OR MIT
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # This file is dual licensed under either the MIT or GPL 2. See
 # MIT.txt or GPL.txt for full copies of the license.
 #

-@DRIVER_NAME@-y += main.o dynamic_params_table.o fillers_table.o flags_table.o ppm_events.o ppm_fillers.o event_table.o syscall_table32.o syscall_table64.o ppm_cputime.o ppm_tp.o socketcall_to_syscall.o
+@DRIVER_NAME@-y += main.o dynamic_params_table.o fillers_table.o flags_table.o ppm_events.o ppm_fillers.o event_table.o syscall_table64.o ppm_cputime.o ppm_tp.o syscall_ia32_64_map.o
 obj-m += @DRIVER_NAME@.o
 ccflags-y := @KBUILD_FLAGS@

-KERNELDIR 		?= /lib/modules/$(shell uname -r)/build
+ifeq ($(strip $(MAKEFILE_LIST)),Makefile)
+#
+# If MAKEFILE_LIST is just "Makefile", it means `make` was invoked pointing to
+# this Makefile. Targets don't make any sense if the Makefile was included.
+#
+KERNELDIR 	?= /lib/modules/$(shell uname -r)/build
+TOP 		:= $(shell pwd)

-TOP := $(shell pwd)
 all:
 	$(MAKE) -C $(KERNELDIR) M=$(TOP) modules

@ -20,3 +26,21 @@ clean:

 install: all
 	$(MAKE) -C $(KERNELDIR) M=$(TOP) modules_install
+
+else
+
+KERNELDIR 	?= $(realpath $(objtree))
+#
+# Get the path of the module sources
+#
+FIRST_MAKEFILE := $(firstword $(MAKEFILE_LIST))
+FIRST_MAKEFILE_FILENAME := $(notdir $(FIRST_MAKEFILE))
+FIRST_MAKEFILE_DIRNAME := $(shell basename $(dir $(FIRST_MAKEFILE)))
+ifeq ($(FIRST_MAKEFILE_DIRNAME)/$(FIRST_MAKEFILE_FILENAME), scripts/Makefile.build)
+# Build phase
+MODULE_MAKEFILE_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+MAKEFILE_INC_FILES := $(shell find $(MODULE_MAKEFILE_DIR)/configure -type f -name Makefile.inc)
+$(info [configure-kmod] Including $(MAKEFILE_INC_FILES))
+include $(MAKEFILE_INC_FILES)
+endif
+endif # $(strip $(MAKEFILE_LIST)),Makefile
--- a/driver/README.configure.md
+++ b/driver/README.configure.md
@ -0,0 +1,48 @@
+# Kernel module "configure" mechanism
+
+## Rationale
+The kernel module has several `#if` directives based on the linux kernel version,
+to deal with breaking changes.
+This unfortunately doesn't work when breaking changes are being backported by kernel providers.
+Red Hat is known to do this, but they provide `RHEL_RELEASE_CODE` we can test against.
+
+Eventually we hit some backported changes within the same RHEL release that gave us some headaches.
+The last drop was EulerOS, which backports breaking changes without providing `RHEL_RELEASE_CODE` nor any other macro.
+
+## Solution
+We introduce a *configure-ish* mechanism mimicking autoconf `AC_TRY_COMPILE`.
+
+The kernel module Makefile will include all the *sub-kmod* inside `configure` folder and compile them with the host kernel headers.
+Based on the result of the compilation we'll define macros to be used in the `#if` directives.
+
+### First use-case: `access_ok()`
+Kernel change https://github.com/torvalds/linux/commit/96d4f267e introduced in 5.0 removed an argument from `access_ok()` function.
+In the past we already covered RHEL backporting it with:
+```c
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)) || (PPM_RHEL_RELEASE_CODE > 0 && PPM_RHEL_RELEASE_CODE >= PPM_RHEL_RELEASE_VERSION(8, 1))
+#define ppm_access_ok(type, addr, size)	access_ok(addr, size)
+#else
+#define ppm_access_ok(type, addr, size)	access_ok(type, addr, size)
+#endif
+```
+What about EulerOS and alike?
+
+Now we have `ACCESS_OK_2` *sub-kmod* which is a basic kernel module calling:
+```c
+access_ok(0, 0);
+```
+If it builds, we'll add `-DHAS_ACCESS_OK_2` to `ccflags-y`.
+The kernel module code of course has been changed to:
+```c
+#ifdef HAS_ACCESS_OK_2
+#define ppm_access_ok(type, addr, size)	access_ok(addr, size)
+#else
+#define ppm_access_ok(type, addr, size)	access_ok(type, addr, size)
+#endif
+```
+
+## How to add a new "configure" check
+1. Create a new folder under `configure/` with a meaningful name. That has to be all UPPERCASE with underscores, because it will be used as a macro name, prefixed by HAS_ (e.g. `ACCESS_OK_2` generates `HAS_ACCESS_OK_2`).
+2. Name the *sub-kmod* source `test.c`. CMake and the predefined Makefile relies on the name being `test.c`.
+3. Update the kernel module code to use the new macro.
+4. Bob's your uncle.
--- a/driver/SCHEMA_VERSION
+++ b/driver/SCHEMA_VERSION
@ -1 +1 @@
-2.10.0
+3.69.0
--- a/driver/bpf/CMakeLists.txt
+++ b/driver/bpf/CMakeLists.txt
@ -1,8 +1,9 @@
+# SPDX-License-Identifier: GPL-2.0-only OR MIT
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# This file is dual licensed under either the MIT or GPL 2. See
-# MIT.txt or GPL.txt for full copies of the license.
+# This file is dual licensed under either the MIT or GPL 2. See MIT.txt or GPL.txt for full copies
+# of the license.
 #

 configure_file(../driver_config.h.in ${CMAKE_CURRENT_SOURCE_DIR}/../driver_config.h)
@ -14,18 +15,24 @@ if(BUILD_BPF)
 	set(bpf_min_kver_map_x86_64 4.14)
 	set(bpf_min_kver_map_aarch64 4.17)
 	set(bpf_min_kver_map_s390x 5.5)
-	if (LINUX_KERNEL_VERSION VERSION_LESS ${bpf_min_kver_map_${TARGET_ARCH}})
-		message(WARNING "[BPF] To run this driver you need a Linux kernel version >= ${bpf_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}")
+	set(bpf_min_kver_map_ppc64le 5.1)
+	if(LINUX_KERNEL_VERSION VERSION_LESS ${bpf_min_kver_map_${TARGET_ARCH}})
+		message(
+			WARNING
+				"[BPF] To run this driver you need a Linux kernel version >= ${bpf_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}"
+		)
 	endif()

-	add_custom_target(bpf ALL
+	add_custom_target(
+		bpf ALL
 		COMMAND make
 		COMMAND "${CMAKE_COMMAND}" -E copy_if_different probe.o "${CMAKE_CURRENT_BINARY_DIR}"
-		WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
-		VERBATIM)
+		WORKING_DIRECTORY src
+		VERBATIM
+	)
 endif()

-install(FILES
+set(BPF_SOURCES
 	bpf_helpers.h
 	builtins.h
 	filler_helpers.h
@ -38,5 +45,52 @@ install(FILES
 	ring_helpers.h
 	missing_definitions.h
 	types.h
+)
+
+if(NOT DEFINED DRIVER_BPF_COMPONENT_NAME)
+	set(DRIVER_BPF_COMPONENT_NAME ${DRIVER_COMPONENT_NAME})
+endif()
+
+# Append driver headers too since they are used by bpf headers
+file(GLOB DRIVER_HEADERS ${CMAKE_CURRENT_SOURCE_DIR}/../*.h)
+list(APPEND BPF_SOURCES ${DRIVER_HEADERS})
+
+set(INSTALL_SET "")
+# Copy all needed sources under src folder in current binary dir and add them to the set of
+# installed files
+foreach(SOURCE IN LISTS BPF_SOURCES)
+	get_filename_component(FILENAME ${SOURCE} NAME)
+	configure_file(${SOURCE} src/${FILENAME} COPYONLY)
+	list(APPEND INSTALL_SET ${CMAKE_CURRENT_BINARY_DIR}/src/${FILENAME})
+endforeach()
+
+install(
+	FILES ${INSTALL_SET}
 	DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/bpf"
-	COMPONENT ${DRIVER_COMPONENT_NAME})
+	COMPONENT ${DRIVER_BPF_COMPONENT_NAME}
+)
+
+#
+# Copy all the "configure" modules
+#
+file(GLOB configure_modules "${CMAKE_CURRENT_SOURCE_DIR}/configure/*")
+foreach(subdir ${configure_modules})
+	if(IS_DIRECTORY "${subdir}")
+		file(RELATIVE_PATH CONFIGURE_MODULE "${CMAKE_CURRENT_SOURCE_DIR}/configure" "${subdir}")
+		configure_file(
+			configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY
+		)
+		configure_file(configure/Makefile src/configure/${CONFIGURE_MODULE}/Makefile COPYONLY)
+		configure_file(configure/build.sh src/configure/${CONFIGURE_MODULE}/build.sh COPYONLY)
+		configure_file(configure/Makefile.inc.in src/configure/${CONFIGURE_MODULE}/Makefile.inc)
+		install(
+			FILES "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
+				  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
+				  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
+				  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
+			DESTINATION
+				"src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/bpf/configure/${CONFIGURE_MODULE}"
+			COMPONENT ${DRIVER_BPF_COMPONENT_NAME}
+		)
+	endif()
+endforeach()
--- a/driver/bpf/Makefile
+++ b/driver/bpf/Makefile
@ -1,5 +1,6 @@
+# SPDX-License-Identifier: GPL-2.0-only OR MIT
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # This file is dual licensed under either the MIT or GPL 2. See
 # MIT.txt or GPL.txt for full copies of the license.
@ -12,14 +13,40 @@ always = $(always-y)
 LLC ?= llc
 CLANG ?= clang

+# DEBUG = -DBPF_DEBUG
+
+ifeq ($(strip $(MAKEFILE_LIST)),Makefile)
+
 KERNELDIR ?= /lib/modules/$(shell uname -r)/build

-# DEBUG = -DBPF_DEBUG
+all:
+	$(MAKE) -C $(KERNELDIR) M=$$PWD
+
+clean:
+	$(MAKE) -C $(KERNELDIR) M=$$PWD clean
+	@rm -f *~
+
+else
+
+KERNELDIR 	?= $(realpath $(objtree))
+#
+# Get the path of the module sources
+#
+FIRST_MAKEFILE := $(firstword $(MAKEFILE_LIST))
+FIRST_MAKEFILE_FILENAME := $(notdir $(FIRST_MAKEFILE))
+FIRST_MAKEFILE_DIRNAME := $(shell basename $(dir $(FIRST_MAKEFILE)))
+ifeq ($(FIRST_MAKEFILE_DIRNAME)/$(FIRST_MAKEFILE_FILENAME), scripts/Makefile.build)
+# Build phase
+MODULE_MAKEFILE_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+MAKEFILE_INC_FILES := $(shell find $(MODULE_MAKEFILE_DIR)/configure -type f -name Makefile.inc)
+$(info [configure-bpf] Including $(MAKEFILE_INC_FILES))
+include $(MAKEFILE_INC_FILES)
+endif

 #
 # https://chromium.googlesource.com/chromiumos/third_party/kernel/+/096925a44076ba5c52faa84d255a847130ff341e%5E%21/#F2
 # This commit diverged the ChromiumOS kernel from stock in the area of audit information, which this probe accesses.
-# 
+#
 # This enables the workaround for this divergence.
 #
 NEEDS_COS_73_WORKAROUND = $(shell expr `grep -sc "^\s*struct\s\+audit_task_info\s\+\*audit;\s*$$" $(KERNELDIR)/include/linux/sched.h` = 1)
@ -34,13 +61,6 @@ ifeq ($(IS_CLANG_OLDER_THAN_10), 1)
 	KBUILD_CPPFLAGS := $(filter-out -fmacro-prefix-map=%,$(KBUILD_CPPFLAGS))
 endif

-all:
-	$(MAKE) -C $(KERNELDIR) M=$$PWD
-
-clean:
-	$(MAKE) -C $(KERNELDIR) M=$$PWD clean
-	@rm -f *~
-
 $(obj)/probe.o: $(src)/probe.c \
 		$(src)/bpf_helpers.h \
 		$(src)/filler_helpers.h \
@ -65,3 +85,5 @@ $(obj)/probe.o: $(src)/probe.c \
 		-Wno-unknown-attributes \
 		-O2 -g -emit-llvm -c $< -o $(patsubst %.o,%.ll,$@)
 	$(LLC) -march=bpf -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)
+
+endif # $(strip $(MAKEFILE_LIST)),Makefile
--- a/driver/bpf/bpf_helpers.h
+++ b/driver/bpf/bpf_helpers.h
@ -1,6 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
 /*

-Copyright (C) 2021 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.

 This file is dual licensed under either the MIT or GPL 2. See MIT.txt
 or GPL2.txt for full copies of the license.
@ -9,102 +10,99 @@ or GPL2.txt for full copies of the license.
 #ifndef __BPF_HELPERS_H
 #define __BPF_HELPERS_H

-static void *(*bpf_map_lookup_elem)(void *map, void *key) =
-	(void *)BPF_FUNC_map_lookup_elem;
-static int (*bpf_map_update_elem)(void *map, void *key, void *value,
-				  unsigned long long flags) =
-	(void *)BPF_FUNC_map_update_elem;
-static int (*bpf_map_delete_elem)(void *map, void *key) =
-	(void *)BPF_FUNC_map_delete_elem;
-static int (*bpf_probe_read)(void *dst, int size, void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read;
+static void *(*bpf_map_lookup_elem)(void *map, void *key) = (void *)BPF_FUNC_map_lookup_elem;
+static int (*bpf_map_update_elem)(void *map,
+                                  void *key,
+                                  void *value,
+                                  unsigned long long flags) = (void *)BPF_FUNC_map_update_elem;
+static int (*bpf_map_delete_elem)(void *map, void *key) = (void *)BPF_FUNC_map_delete_elem;
+static int (*bpf_probe_read)(void *dst, int size, void *unsafe_ptr) = (void *)BPF_FUNC_probe_read;

-/* Introduced in linux 5.8, see https://github.com/torvalds/linux/commit/71d19214776e61b33da48f7c1b46e522c7f78221 */
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,8,0)
-static unsigned long long (*bpf_ktime_get_boot_ns)(void) =
-	(void *)BPF_FUNC_ktime_get_boot_ns;
+/* Introduced in linux 5.8, see
+ * https://github.com/torvalds/linux/commit/71d19214776e61b33da48f7c1b46e522c7f78221 */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
+static unsigned long long (*bpf_ktime_get_boot_ns)(void) = (void *)BPF_FUNC_ktime_get_boot_ns;
 #else
 /* fallback at using old, non suspend-time aware, helper */
-static unsigned long long (*bpf_ktime_get_boot_ns)(void) =
-	(void *)BPF_FUNC_ktime_get_ns;
+static unsigned long long (*bpf_ktime_get_boot_ns)(void) = (void *)BPF_FUNC_ktime_get_ns;
 #endif

-static int (*bpf_trace_printk)(const char *fmt, int fmt_size, ...) =
-	(void *)BPF_FUNC_trace_printk;
-static void (*bpf_tail_call)(void *ctx, void *map, int index) =
-	(void *)BPF_FUNC_tail_call;
-static unsigned long long (*bpf_get_smp_processor_id)(void) =
-	(void *)BPF_FUNC_get_smp_processor_id;
-static unsigned long long (*bpf_get_current_pid_tgid)(void) =
-	(void *)BPF_FUNC_get_current_pid_tgid;
-static unsigned long long (*bpf_get_current_uid_gid)(void) =
-	(void *)BPF_FUNC_get_current_uid_gid;
-static int (*bpf_get_current_comm)(void *buf, int buf_size) =
-	(void *)BPF_FUNC_get_current_comm;
-static int (*bpf_perf_event_read)(void *map, int index) =
-	(void *)BPF_FUNC_perf_event_read;
-static int (*bpf_clone_redirect)(void *ctx, int ifindex, int flags) =
-	(void *)BPF_FUNC_clone_redirect;
-static int (*bpf_redirect)(int ifindex, int flags) =
-	(void *)BPF_FUNC_redirect;
-static int (*bpf_perf_event_output)(void *ctx, void *map,
-				    unsigned long long flags, void *data,
-				    int size) =
-	(void *)BPF_FUNC_perf_event_output;
-static int (*bpf_get_stackid)(void *ctx, void *map, int flags) =
-	(void *)BPF_FUNC_get_stackid;
-static int (*bpf_probe_write_user)(void *dst, void *src, int size) =
-	(void *)BPF_FUNC_probe_write_user;
-static int (*bpf_current_task_under_cgroup)(void *map, int index) =
-	(void *)BPF_FUNC_current_task_under_cgroup;
-static int (*bpf_skb_get_tunnel_key)(void *ctx, void *key, int size, int flags) =
-	(void *)BPF_FUNC_skb_get_tunnel_key;
-static int (*bpf_skb_set_tunnel_key)(void *ctx, void *key, int size, int flags) =
-	(void *)BPF_FUNC_skb_set_tunnel_key;
-static int (*bpf_skb_get_tunnel_opt)(void *ctx, void *md, int size) =
-	(void *)BPF_FUNC_skb_get_tunnel_opt;
-static int (*bpf_skb_set_tunnel_opt)(void *ctx, void *md, int size) =
-	(void *)BPF_FUNC_skb_set_tunnel_opt;
-static unsigned long long (*bpf_get_prandom_u32)(void) =
-	(void *)BPF_FUNC_get_prandom_u32;
-static int (*bpf_xdp_adjust_head)(void *ctx, int offset) =
-	(void *)BPF_FUNC_xdp_adjust_head;
-static int (*bpf_probe_read_str)(void *dst, u64 size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_str;
+static int (*bpf_trace_printk)(const char *fmt, int fmt_size, ...) = (void *)BPF_FUNC_trace_printk;
+static void (*bpf_tail_call)(void *ctx, void *map, int index) = (void *)BPF_FUNC_tail_call;
+static unsigned long long (*bpf_get_smp_processor_id)(void) = (void *)BPF_FUNC_get_smp_processor_id;
+static unsigned long long (*bpf_get_current_pid_tgid)(void) = (void *)BPF_FUNC_get_current_pid_tgid;
+static unsigned long long (*bpf_get_current_uid_gid)(void) = (void *)BPF_FUNC_get_current_uid_gid;
+static int (*bpf_get_current_comm)(void *buf, int buf_size) = (void *)BPF_FUNC_get_current_comm;
+static int (*bpf_perf_event_read)(void *map, int index) = (void *)BPF_FUNC_perf_event_read;
+static int (*bpf_clone_redirect)(void *ctx,
+                                 int ifindex,
+                                 int flags) = (void *)BPF_FUNC_clone_redirect;
+static int (*bpf_redirect)(int ifindex, int flags) = (void *)BPF_FUNC_redirect;
+static int (*bpf_perf_event_output)(void *ctx,
+                                    void *map,
+                                    unsigned long long flags,
+                                    void *data,
+                                    int size) = (void *)BPF_FUNC_perf_event_output;
+static int (*bpf_get_stackid)(void *ctx, void *map, int flags) = (void *)BPF_FUNC_get_stackid;
+static int (*bpf_probe_write_user)(void *dst,
+                                   void *src,
+                                   int size) = (void *)BPF_FUNC_probe_write_user;
+static int (*bpf_current_task_under_cgroup)(void *map,
+                                            int index) = (void *)BPF_FUNC_current_task_under_cgroup;
+static int (*bpf_skb_get_tunnel_key)(void *ctx, void *key, int size, int flags) = (void *)
+        BPF_FUNC_skb_get_tunnel_key;
+static int (*bpf_skb_set_tunnel_key)(void *ctx, void *key, int size, int flags) = (void *)
+        BPF_FUNC_skb_set_tunnel_key;
+static int (*bpf_skb_get_tunnel_opt)(void *ctx,
+                                     void *md,
+                                     int size) = (void *)BPF_FUNC_skb_get_tunnel_opt;
+static int (*bpf_skb_set_tunnel_opt)(void *ctx,
+                                     void *md,
+                                     int size) = (void *)BPF_FUNC_skb_set_tunnel_opt;
+static unsigned long long (*bpf_get_prandom_u32)(void) = (void *)BPF_FUNC_get_prandom_u32;
+static int (*bpf_xdp_adjust_head)(void *ctx, int offset) = (void *)BPF_FUNC_xdp_adjust_head;
+static int (*bpf_probe_read_str)(void *dst,
+                                 uint64_t size,
+                                 const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_str;

 #if defined(USE_BPF_PROBE_KERNEL_USER_VARIANTS)
-static int (*bpf_probe_read_user)(void *dst, u32 size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_user;
-static int (*bpf_probe_read_kernel)(void *dst, u32 size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_kernel;
-static int (*bpf_probe_read_user_str)(void *dst, u32 size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_user_str;
-static int (*bpf_probe_read_kernel_str)(void *dst, u32 size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_kernel_str;
+static int (*bpf_probe_read_user)(void *dst,
+                                  uint32_t size,
+                                  const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_user;
+static int (*bpf_probe_read_kernel)(void *dst,
+                                    uint32_t size,
+                                    const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_kernel;
+static int (*bpf_probe_read_user_str)(void *dst, uint32_t size, const void *unsafe_ptr) = (void *)
+        BPF_FUNC_probe_read_user_str;
+static int (*bpf_probe_read_kernel_str)(void *dst, uint32_t size, const void *unsafe_ptr) = (void *)
+        BPF_FUNC_probe_read_kernel_str;
 #else
-static int (*bpf_probe_read_user)(void *dst, u32 size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read;
-static int (*bpf_probe_read_kernel)(void *dst, u32 size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read;
-static int (*bpf_probe_read_user_str)(void *dst, u32 size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_str;
-static int (*bpf_probe_read_kernel_str)(void *dst, u32 size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_str;
+static int (*bpf_probe_read_user)(void *dst,
+                                  uint32_t size,
+                                  const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read;
+static int (*bpf_probe_read_kernel)(void *dst,
+                                    uint32_t size,
+                                    const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read;
+static int (*bpf_probe_read_user_str)(void *dst,
+                                      uint32_t size,
+                                      const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_str;
+static int (*bpf_probe_read_kernel_str)(void *dst,
+                                        uint32_t size,
+                                        const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_str;
 #endif

-static u64 (*bpf_get_current_task)(void) =
-	(void *)BPF_FUNC_get_current_task;
-static int (*bpf_skb_load_bytes)(void *ctx, int off, void *to, int len) =
-	(void *)BPF_FUNC_skb_load_bytes;
-static int (*bpf_skb_store_bytes)(void *ctx, int off, void *from, int len, int flags) =
-	(void *)BPF_FUNC_skb_store_bytes;
-static int (*bpf_l3_csum_replace)(void *ctx, int off, int from, int to, int flags) =
-	(void *)BPF_FUNC_l3_csum_replace;
-static int (*bpf_l4_csum_replace)(void *ctx, int off, int from, int to, int flags) =
-	(void *)BPF_FUNC_l4_csum_replace;
-static int (*bpf_skb_under_cgroup)(void *ctx, void *map, int index) =
-	(void *)BPF_FUNC_skb_under_cgroup;
-static int (*bpf_skb_change_head)(void *, int len, int flags) =
-	(void *)BPF_FUNC_skb_change_head;
+static uint64_t (*bpf_get_current_task)(void) = (void *)BPF_FUNC_get_current_task;
+static int (*bpf_skb_load_bytes)(void *ctx, int off, void *to, int len) = (void *)
+        BPF_FUNC_skb_load_bytes;
+static int (*bpf_skb_store_bytes)(void *ctx, int off, void *from, int len, int flags) = (void *)
+        BPF_FUNC_skb_store_bytes;
+static int (*bpf_l3_csum_replace)(void *ctx, int off, int from, int to, int flags) = (void *)
+        BPF_FUNC_l3_csum_replace;
+static int (*bpf_l4_csum_replace)(void *ctx, int off, int from, int to, int flags) = (void *)
+        BPF_FUNC_l4_csum_replace;
+static int (*bpf_skb_under_cgroup)(void *ctx,
+                                   void *map,
+                                   int index) = (void *)BPF_FUNC_skb_under_cgroup;
+static int (*bpf_skb_change_head)(void *, int len, int flags) = (void *)BPF_FUNC_skb_change_head;

 #endif
--- a/driver/bpf/builtins.h
+++ b/driver/bpf/builtins.h
@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
 /*

 Copyright (c) 2021 The Falco Authors
@ -27,4 +28,4 @@ or GPL2.txt for full copies of the license.
 #endif
 #define memcpy __builtin_memcpy

-#endif // __BUILTINS_H
+#endif  // __BUILTINS_H
--- a/driver/bpf/configure/0__SANITY/test.c
+++ b/driver/bpf/configure/0__SANITY/test.c
@ -0,0 +1,23 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2024 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that the build system is sane.
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+BPF_PROBE("sanity/", sanity, sanity_args) {
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
+++ b/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2025 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that kernfs_node's field `parent` exists.
+ * See 6.15 kernel commit it is named __parent:
+ * https://github.com/torvalds/linux/commit/633488947ef66b194377411322dc9e12aab79b65
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+// struct kernfs_node declaration
+#include <linux/kernfs.h>
+
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
+	struct kernfs_node *parent;
+	struct kernfs_node node;
+
+	parent = node.parent;
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/Makefile
+++ b/driver/bpf/configure/Makefile
@ -0,0 +1,45 @@
+# SPDX-License-Identifier: GPL-2.0-only OR MIT
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# This file is dual licensed under either the MIT or GPL 2. See
+# MIT.txt or GPL.txt for full copies of the license.
+#
+
+always-y += test.o
+# kept for compatibility with kernels < 5.11
+always = $(always-y)
+
+LLC ?= llc
+CLANG ?= clang
+
+KERNELDIR ?= /lib/modules/$(shell uname -r)/build
+
+# -fmacro-prefix-map is not supported on version of clang older than 10
+# so remove it if necessary.
+IS_CLANG_OLDER_THAN_10 := $(shell expr `$(CLANG) -dumpversion | cut -f1 -d.` \<= 10)
+ifeq ($(IS_CLANG_OLDER_THAN_10), 1)
+	KBUILD_CPPFLAGS := $(filter-out -fmacro-prefix-map=%,$(KBUILD_CPPFLAGS))
+endif
+
+all:
+	$(MAKE) -C $(KERNELDIR) M=$$PWD
+
+clean:
+	$(MAKE) -C $(KERNELDIR) M=$$PWD clean
+	@rm -f *~
+
+$(obj)/test.o: $(src)/test.c
+	$(CLANG) $(LINUXINCLUDE) \
+		$(KBUILD_CPPFLAGS) \
+		$(KBUILD_EXTRA_CPPFLAGS) \
+		-D__KERNEL__ \
+		-D__BPF_TRACING__ \
+		-Wno-gnu-variable-sized-type-not-at-end \
+		-Wno-address-of-packed-member \
+		-fno-jump-tables \
+		-fno-stack-protector \
+		-Wno-tautological-compare \
+		-Wno-unknown-attributes \
+		-O2 -g -emit-llvm -c $< -o $(patsubst %.o,%.ll,$@)
+	$(LLC) -march=bpf -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)
--- a/driver/bpf/configure/Makefile.inc.in
+++ b/driver/bpf/configure/Makefile.inc.in
@ -0,0 +1,23 @@
+MODULE_MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+
+# Run the module build.sh (wrapper for make) script with an empty environment, but PATH
+HAS_@CONFIGURE_MODULE@ := $(shell env -i CLANG="$(CLANG)" LLC="$(LLC)" PATH="$(PATH)" KERNELDIR="$(KERNELDIR)" sh $(MODULE_MAKEFILE_DIR)/build.sh ; echo $$?)
+
+ifeq ($(HAS_@CONFIGURE_MODULE@),0)
+$(info [configure-bpf] Setting HAS_@CONFIGURE_MODULE@ flag)
+KBUILD_CPPFLAGS += -DHAS_@CONFIGURE_MODULE@
+else
+HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
+HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
+$(info [configure-bpf] Build output for HAS_@CONFIGURE_MODULE@:)
+$(info [configure-bpf] $(HAS_@CONFIGURE_MODULE@_OUT))
+endif
+
+ifeq ('@CONFIGURE_MODULE@','0__SANITY')
+    ifeq ($(HAS_@CONFIGURE_MODULE@),0)
+        $(info [configure-bpf] Build system is sane)
+    else
+        $(info [configure-bpf] Build system is broken, please see above errors)
+        $(error The build system is broken, please see above errors)
+    endif
+endif
--- a/driver/bpf/configure/RSS_STAT_ARRAY/test.c
+++ b/driver/bpf/configure/RSS_STAT_ARRAY/test.c
@ -0,0 +1,31 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2023 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that mm_struct's field `rss_stat` is an array.
+ * See 6.2 kernel commit:
+ * https://github.com/torvalds/linux/commit/f1a7941243c102a44e8847e3b94ff4ff3ec56f25
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+// struct mm_struct declaration
+#include <linux/mm_types.h>
+
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
+	long val;
+	struct mm_struct *mm;
+	val = mm->rss_stat[0].count;
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/TASK_PIDS_FIELD/test.c
+++ b/driver/bpf/configure/TASK_PIDS_FIELD/test.c
@ -0,0 +1,29 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2024 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that the `pids` field is defined in the `task_struct` struct.
+ * Since kernel version 4.19.0 the `pids` field is moved in the `signal_struct` struct, but this
+ * change has been backported to older kernels.
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
+	struct task_struct *task = (struct task_struct *)0;
+	if(task->pids) {
+		return 1;
+	}
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/build.sh
+++ b/driver/bpf/configure/build.sh
@ -0,0 +1,13 @@
+#!/bin/sh
+
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# This file is dual licensed under either the MIT or GPL 2. See
+# MIT.txt or GPL.txt for full copies of the license.
+#
+
+SCRIPT=$(readlink -f "$0")
+SCRIPT_DIR=$(dirname ${SCRIPT})
+
+make -C ${SCRIPT_DIR} > ${SCRIPT_DIR}/build.log 2>&1
--- a/driver/bpf/filler_helpers.h
+++ b/driver/bpf/filler_helpers.h
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .0.0
 .0.4
 @ -1 +1 @@
 .10.0
 .69.0