fix(userspace/libsinsp): sinsp_filter_check_user::extract_single return-stack-address

Address the following warning (we build with -Werror...): ``` /__w/libs/libs/userspace/libsinsp/sinsp_filtercheck_user.cpp:104:26: warning: address of stack memory associated with local variable 'user' returned [-Wreturn-stack-address] 104 | RETURN_EXTRACT_STRING(user); | ^~~~ /__w/libs/libs/userspace/libsinsp/sinsp_filtercheck_user.cpp:34:21: note: expanded from macro 'RETURN_EXTRACT_STRING' 34 | return (uint8_t*)(x).c_str(); \ | ^ ``` Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
fix(libsinsp): use proper INET6_ADDRSTRLEN buffer size for inet_ntop
2025-08-06 16:39:05 +02:00 · 2025-08-04 12:16:49 +02:00 · 2025-08-04 10:00:48 +02:00 · 2025-08-04 10:00:48 +02:00 · 2025-08-04 09:46:48 +02:00 · 2025-08-04 09:46:48 +02:00
1348 changed files with 123384 additions and 97384 deletions
--- a/.clang-format
+++ b/.clang-format
@ -1,16 +1,36 @@
---
 Language: Cpp
-BasedOnStyle: LLVM
-AccessModifierOffset: -8
-BreakBeforeBraces: Allman
+BasedOnStyle: Google
+AccessModifierOffset: -4
+BreakBeforeBraces: Attach
+AllowAllArgumentsOnNextLine: false
+AllowAllConstructorInitializersOnNextLine: false
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: Never
+AllowShortLoopsOnASingleLine: false
+BinPackArguments: false
+BinPackParameters: false
+ColumnLimit: 100
+DerivePointerBinding: false
+IndentCaseLabels: false
+IndentWidth: 4
+SpaceAfterTemplateKeyword: false
+TabWidth: 4
+UseTab: ForIndentation
 BreakConstructorInitializers: AfterColon
-ColumnLimit: 120
 ConstructorInitializerIndentWidth: 8
 ContinuationIndentWidth: 8
 DerivePointerAlignment: true
-IndentWidth: 8
-SortIncludes: false
-SpaceAfterTemplateKeyword: false
+SortIncludes: Never
 SpaceBeforeCtorInitializerColon: false
 SpaceBeforeParens: Never
-UseTab: Always
+InsertNewlineAtEOF: true
+---
+Language: Proto
+DisableFormat: true
+---
+Language: JavaScript
+DisableFormat: true
+---
+Language: Java
+DisableFormat: true
--- a/.clang-format-ignore
+++ b/.clang-format-ignore
@ -0,0 +1,16 @@
+# All vmlinux autogenerated headers are not formatted
+driver/modern_bpf/definitions/aarch64/vmlinux.h
+driver/modern_bpf/definitions/ppc64le/vmlinux.h
+driver/modern_bpf/definitions/s390x/vmlinux.h
+driver/modern_bpf/definitions/x86_64/vmlinux.h
+# Autogenerated events dimensions file for modern probe is not formatted
+driver/modern_bpf/definitions/events_dimensions.h
+# All syscall_compat autogenerated headers are not formatted
+driver/syscall_compat_aarch64.h
+driver/syscall_compat_loongarch64.h
+driver/syscall_compat_ppc64le.h
+driver/syscall_compat_riscv64.h
+driver/syscall_compat_s390x.h
+driver/syscall_compat_x86_64.h
+driver/syscall_ia32_64_map.c
+driver/syscall_table.c
--- a/.clang-tidy
+++ b/.clang-tidy
@ -0,0 +1,16 @@
+Checks:
+  - clang-diagnostic-*
+  - clang-analyzer-*
+  - clang-analyzer-core.*
+  - clang-analyzer-cplusplus.*
+  - clang-analyzer-nullability.*
+  - clang-analyzer-unix.*
+  - performance-*
+  - bugprone-use-after-move
+  - bugprone-move-forwarding-reference
+  - cppcoreguidelines-rvalue-reference-param-not-moved
+  - misc-unused-parameters
+WarningsAsErrors: 'bugprone-use-after-move'
+# UseColor true causes sarif conversion and reviewdog fail
+UseColor: false
+ExtraArgsBefore: ['-Wno-unknown-warning-option']
--- a/.cmake-format.json
+++ b/.cmake-format.json
@ -0,0 +1,254 @@
+{
+	"_help_format": "Options affecting formatting.",
+	"format": {
+		"_help_disable": [
+			"Disable formatting entirely, making cmake-format a no-op"
+		],
+		"disable": false,
+		"_help_line_width": [
+			"How wide to allow formatted cmake files"
+		],
+		"line_width": 100,
+		"_help_tab_size": [
+			"How many spaces to tab for indent"
+		],
+		"tab_size": 4,
+		"_help_use_tabchars": [
+			"If true, lines are indented using tab characters (utf-8",
+			"0x09) instead of <tab_size> space characters (utf-8 0x20).",
+			"In cases where the layout would require a fractional tab",
+			"character, the behavior of the  fractional indentation is",
+			"governed by <fractional_tab_policy>"
+		],
+		"use_tabchars": true,
+		"_help_fractional_tab_policy": [
+			"If <use_tabchars> is True, then the value of this variable",
+			"indicates how fractional indentions are handled during",
+			"whitespace replacement. If set to 'use-space', fractional",
+			"indentation is left as spaces (utf-8 0x20). If set to",
+			"`round-up` fractional indentation is replaced with a single",
+			"tab character (utf-8 0x09) effectively shifting the column",
+			"to the next tabstop"
+		],
+		"fractional_tab_policy": "use-space",
+		"_help_max_subgroups_hwrap": [
+			"If an argument group contains more than this many sub-groups",
+			"(parg or kwarg groups) then force it to a vertical layout."
+		],
+		"max_subgroups_hwrap": 2,
+		"_help_max_pargs_hwrap": [
+			"If a positional argument group contains more than this many",
+			"arguments, then force it to a vertical layout."
+		],
+		"max_pargs_hwrap": 6,
+		"_help_max_rows_cmdline": [
+			"If a cmdline positional group consumes more than this many",
+			"lines without nesting, then invalidate the layout (and nest)"
+		],
+		"max_rows_cmdline": 2,
+		"_help_separate_ctrl_name_with_space": [
+			"If true, separate flow control names from their parentheses",
+			"with a space"
+		],
+		"separate_ctrl_name_with_space": false,
+		"_help_separate_fn_name_with_space": [
+			"If true, separate function names from parentheses with a",
+			"space"
+		],
+		"separate_fn_name_with_space": false,
+		"_help_dangle_parens": [
+			"If a statement is wrapped to more than one line, than dangle",
+			"the closing parenthesis on its own line."
+		],
+		"dangle_parens": true,
+		"_help_dangle_align": [
+			"If the trailing parenthesis must be 'dangled' on its on",
+			"line, then align it to this reference: `prefix`: the start",
+			"of the statement,  `prefix-indent`: the start of the",
+			"statement, plus one indentation  level, `child`: align to",
+			"the column of the arguments"
+		],
+		"dangle_align": "prefix",
+		"_help_min_prefix_chars": [
+			"If the statement spelling length (including space and",
+			"parenthesis) is smaller than this amount, then force reject",
+			"nested layouts."
+		],
+		"min_prefix_chars": 4,
+		"_help_max_prefix_chars": [
+			"If the statement spelling length (including space and",
+			"parenthesis) is larger than the tab width by more than this",
+			"amount, then force reject un-nested layouts."
+		],
+		"max_prefix_chars": 10,
+		"_help_max_lines_hwrap": [
+			"If a candidate layout is wrapped horizontally but it exceeds",
+			"this many lines, then reject the layout."
+		],
+		"max_lines_hwrap": 2,
+		"_help_line_ending": [
+			"What style line endings to use in the output."
+		],
+		"line_ending": "unix",
+		"_help_command_case": [
+			"Format command names consistently as 'lower' or 'upper' case"
+		],
+		"command_case": "canonical",
+		"_help_keyword_case": [
+			"Format keywords consistently as 'lower' or 'upper' case"
+		],
+		"keyword_case": "unchanged",
+		"_help_always_wrap": [
+			"A list of command names which should always be wrapped"
+		],
+		"always_wrap": [],
+		"_help_enable_sort": [
+			"If true, the argument lists which are known to be sortable",
+			"will be sorted lexicographicall"
+		],
+		"enable_sort": true,
+		"_help_autosort": [
+			"If true, the parsers may infer whether or not an argument",
+			"list is sortable (without annotation)."
+		],
+		"autosort": false,
+		"_help_require_valid_layout": [
+			"By default, if cmake-format cannot successfully fit",
+			"everything into the desired linewidth it will apply the",
+			"last, most agressive attempt that it made. If this flag is",
+			"True, however, cmake-format will print error, exit with non-",
+			"zero status code, and write-out nothing"
+		],
+		"require_valid_layout": false,
+		"_help_layout_passes": [
+			"A dictionary mapping layout nodes to a list of wrap",
+			"decisions. See the documentation for more information."
+		],
+		"layout_passes": {}
+	},
+	"_help_markup": "Options affecting comment reflow and formatting.",
+	"markup": {
+		"_help_bullet_char": [
+			"What character to use for bulleted lists"
+		],
+		"bullet_char": "*",
+		"_help_enum_char": [
+			"What character to use as punctuation after numerals in an",
+			"enumerated list"
+		],
+		"enum_char": ".",
+		"_help_first_comment_is_literal": [
+			"If comment markup is enabled, don't reflow the first comment",
+			"block in each listfile. Use this to preserve formatting of",
+			"your copyright/license statements."
+		],
+		"first_comment_is_literal": false,
+		"_help_literal_comment_pattern": [
+			"If comment markup is enabled, don't reflow any comment block",
+			"which matches this (regex) pattern. Default is `None`",
+			"(disabled)."
+		],
+		"literal_comment_pattern": null,
+		"_help_fence_pattern": [
+			"Regular expression to match preformat fences in comments",
+			"default= ``r'^\\s*([`~]{3}[`~]*)(.*)$'``"
+		],
+		"fence_pattern": "^\\s*([`~]{3}[`~]*)(.*)$",
+		"_help_ruler_pattern": [
+			"Regular expression to match rulers in comments default=",
+			"``r'^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'``"
+		],
+		"ruler_pattern": "^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$",
+		"_help_explicit_trailing_pattern": [
+			"If a comment line matches starts with this pattern then it",
+			"is explicitly a trailing comment for the preceeding",
+			"argument. Default is '#<'"
+		],
+		"explicit_trailing_pattern": "#<",
+		"_help_hashruler_min_length": [
+			"If a comment line starts with at least this many consecutive",
+			"hash characters, then don't lstrip() them off. This allows",
+			"for lazy hash rulers where the first hash char is not",
+			"separated by space"
+		],
+		"hashruler_min_length": 10,
+		"_help_canonicalize_hashrulers": [
+			"If true, then insert a space between the first hash char and",
+			"remaining hash chars in a hash ruler, and normalize its",
+			"length to fill the column"
+		],
+		"canonicalize_hashrulers": true,
+		"_help_enable_markup": [
+			"enable comment markup parsing and reflow"
+		],
+		"enable_markup": true
+	},
+	"_help_lint": "Options affecting the linter",
+	"lint": {
+		"_help_disabled_codes": [
+			"a list of lint codes to disable"
+		],
+		"disabled_codes": [],
+		"_help_function_pattern": [
+			"regular expression pattern describing valid function names"
+		],
+		"function_pattern": "[0-9a-z_]+",
+		"_help_macro_pattern": [
+			"regular expression pattern describing valid macro names"
+		],
+		"macro_pattern": "[0-9A-Z_]+",
+		"_help_global_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with global (cache) scope"
+		],
+		"global_var_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_internal_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with global scope (but internal semantic)"
+		],
+		"internal_var_pattern": "_[A-Z][0-9A-Z_]+",
+		"_help_local_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with local scope"
+		],
+		"local_var_pattern": "[a-z][a-z0-9_]+",
+		"_help_private_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"privatedirectory variables"
+		],
+		"private_var_pattern": "_[0-9a-z_]+",
+		"_help_public_var_pattern": [
+			"regular expression pattern describing valid names for public",
+			"directory variables"
+		],
+		"public_var_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_argument_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"function/macro arguments and loop variables."
+		],
+		"argument_var_pattern": "[a-z][a-z0-9_]+",
+		"_help_keyword_pattern": [
+			"regular expression pattern describing valid names for",
+			"keywords used in functions or macros"
+		],
+		"keyword_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_max_conditionals_custom_parser": [
+			"In the heuristic for C0201, how many conditionals to match",
+			"within a loop in before considering the loop a parser."
+		],
+		"max_conditionals_custom_parser": 2,
+		"_help_min_statement_spacing": [
+			"Require at least this many newlines between statements"
+		],
+		"min_statement_spacing": 1,
+		"_help_max_statement_spacing": [
+			"Require no more than this many newlines between statements"
+		],
+		"max_statement_spacing": 2,
+		"max_returns": 6,
+		"max_branches": 12,
+		"max_arguments": 5,
+		"max_localvars": 15,
+		"max_statements": 50
+	}
+}
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@ -0,0 +1,16 @@
+# These commits altered the blame only to change types
+89ec22f38ce06145a10d52fd9be2cb1b872bfd11
+4dd9c8a2517dcda5aab0fc7a26197e74bf557fd6
+9326b1dd23efd095908a723a1d94acbe91032cab
+c8b971ecbff766003c736f01c0455e73dbd0efb3
+a5730f7a18e2e81b270105c2f81cf6c6a0201feb
+56b6e591cf8bf6849c27adfccc1557835daa1529
+93240ff1106f54add1e620e861bdfe890cf99108
+5c9b3cd3eb485ff8e4a3c364383f246d79146194
+0736581e22da38f260e01b64a9c73a4d66c7c02a
+2bea7ba762ed916eaf283066b20ad989b77276a6
+# This commit formatted the libs code for the first time.
+215db2d9de0cb15061873a2e3bea33f731a54cab
+# This commit has completely rewritten the history of file `userspace/libscap/engine/savefile/scap_savefile.c`. 
+# https://github.com/falcosecurity/libs/commit/a6df8fc90e3be0209c5a5f9bb0443077cd5d0967
+a6df8fc90e3be0209c5a5f9bb0443077cd5d0967
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -20,6 +20,8 @@

 > /kind failing-test

+> /kind test
+
 > /kind feature

 <!--
--- a/.github/actions/composite-perf/action.yml
+++ b/.github/actions/composite-perf/action.yml
@ -0,0 +1,92 @@
+name: 'libs-perf'
+description: 'Run multiple perf tests on libs.'
+
+outputs:
+  perf_tests:
+    description: "Unit tests perf.data"
+    value: ${{ steps.store-outputs.outputs.perf_tests }}
+  perf_scap:
+    description: "Scap file perf.data"
+    value: ${{ steps.store-outputs.outputs.perf_scap }}
+  heaptrack_tests:
+    description: "Unit tests heaptrack data"
+    value: ${{ steps.store-outputs.outputs.heaptrack_tests }}
+  heaptrack_scap:
+    description: "Scap file heaptrack data"
+    value: ${{ steps.store-outputs.outputs.heaptrack_scap }}
+  gbench_json:
+    description: "Google benchmarks json data"
+    value: ${{ steps.store-outputs.outputs.gbench_json }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install deps ⛓️
+      shell: bash
+      run: |
+        sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
+        sudo .github/install-deps.sh
+
+    - name: Build
+      shell: bash
+      run: |
+        mkdir -p build
+        cd build && cmake -DUSE_BUNDLED_DEPS=False -DCMAKE_BUILD_TYPE=Debug -DENABLE_BENCHMARKS=True ../
+        make unit-test-libsinsp -j4
+        make bench -j4
+        make sinsp-example -j4
+
+    - name: Download scap file
+      shell: bash
+      run: |
+        cd build
+        wget https://download.falco.org/fixtures/trace-files/traces-positive.zip
+        unzip traces-positive.zip
+
+    - name: Run - perf unit tests
+      shell: bash
+      run: |
+        cd build
+        sudo perf record --call-graph dwarf -o perf_tests.data -q libsinsp/test/unit-test-libsinsp
+
+    # First empty run to stabilize disk IO (scap file read) perf
+    - name: Run - load scap file
+      shell: bash
+      run: |
+        cd build
+        sudo ./libsinsp/examples/sinsp-example -s traces-positive/falco-event-generator.scap &> /dev/null
+
+    - name: Run - perf scap file
+      shell: bash
+      run: |
+        cd build
+        sudo perf record --call-graph dwarf -o perf_scap.data -q ./libsinsp/examples/sinsp-example -s traces-positive/falco-event-generator.scap
+
+    - name: Run - heaptrack unit tests
+      shell: bash
+      run: |
+        cd build
+        sudo heaptrack -o heaptrack_tests.data libsinsp/test/unit-test-libsinsp
+
+    - name: Run - heaptrack scap file
+      shell: bash
+      run: |
+        cd build
+        sudo heaptrack -o heaptrack_scap.data ./libsinsp/examples/sinsp-example -s traces-positive/falco-event-generator.scap
+
+    - name: Run - gbench
+      shell: bash
+      run: |
+        cd build
+        ./benchmark/bench --benchmark_repetitions=20 --benchmark_report_aggregates_only --benchmark_out=gbench_data.json --benchmark_out_format=json
+
+    - name: Set Outputs
+      id: store-outputs
+      shell: bash
+      run: |
+        cd build
+        echo "perf_tests=$(realpath perf_tests.data)" >> $GITHUB_OUTPUT
+        echo "perf_scap=$(realpath perf_scap.data)" >> $GITHUB_OUTPUT
+        echo "heaptrack_tests=$(realpath heaptrack_tests.data.zst)" >> $GITHUB_OUTPUT
+        echo "heaptrack_scap=$(realpath heaptrack_scap.data.zst)" >> $GITHUB_OUTPUT
+        echo "gbench_json=$(realpath gbench_data.json)" >> $GITHUB_OUTPUT
--- a/.github/actions/install-zig/action.yml
+++ b/.github/actions/install-zig/action.yml
@ -0,0 +1,43 @@
+name: 'install-zig'
+description: 'Install zig compiler and make it available in PATH.'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Store zig version as local output
+      shell: bash
+      id: store
+      env:
+        ZIG_VERSION: '0.14.1'
+      run: |
+        echo "zig_version=${ZIG_VERSION}" >> "$GITHUB_OUTPUT"
+
+    - name: Download zig
+      shell: bash
+      run: |
+        curl -L -o zig.tar.xz https://ziglang.org/download/${{ steps.store.outputs.zig_version }}/zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}.tar.xz
+        tar -xvf zig.tar.xz
+
+        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
+        #!/bin/bash
+        exec zig cc -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
+        EOF
+        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc
+
+        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
+        #!/bin/bash
+        exec zig c++ -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
+        EOF
+        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++
+
+        mv zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/ zig
+
+    - name: Setup zig
+      shell: bash
+      id: zig
+      run: |
+        echo "$(pwd)/zig" >> $GITHUB_PATH
+        echo "CC=zig-cc" >> $GITHUB_ENV
+        echo "CXX=zig-c++" >> $GITHUB_ENV
+        echo "AR=zig ar" >> $GITHUB_ENV
+        echo "RANLIB=zig ranlib" >> $GITHUB_ENV
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
--- a/.github/install-deps.sh
+++ b/.github/install-deps.sh
@ -66,3 +66,8 @@ popd
 echo "=== Downloading uthash.h (1.9.8) ==="

 wget -P "/usr/include" "https://raw.githubusercontent.com/troydhanson/uthash/v1.9.8/src/uthash.h"
+
+# === BS_thread_pool ===
+echo "=== Downloading BS_thread_pool.h (4.1.0) ==="
+
+wget -P "/usr/include" "https://github.com/bshoshany/thread-pool/raw/v4.1.0/include/BS_thread_pool.hpp"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -16,30 +16,40 @@ concurrency:
 jobs:
  build-libs-linux:
    name: build-libs-linux-${{ matrix.arch }} 😁 (${{ matrix.name }})
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    strategy:
      fail-fast: false
      matrix:
        arch: [amd64, arm64]
-        name: [system_deps, bundled_deps, system_deps_minimal, sanitizers]
+        name: [system_deps, bundled_deps, sanitizers, zig]
        include:
          - name: system_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
          - name: bundled_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True
-          - name: system_deps_minimal
-            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
          - name: sanitizers
            cmake_opts: -DUSE_ASAN=On -DUSE_UBSAN=On -DUSE_BUNDLED_DEPS=False
+          - name: zig
+            cmake_opts: -DUSE_BUNDLED_DEPS=True
    container:
      image: debian:buster
    steps:
      - name: Install deps ⛓️
        run: |
-          apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
+          # Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
+          printf "deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main\ndeb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main\ndeb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main" > /etc/apt/sources.list
+          apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
+
+      - name: Install a recent version of CMake ⛓️
+        run: |
+          curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
+          gzip -d /tmp/cmake.tar.gz
+          tar -xpf /tmp/cmake.tar --directory=/tmp
+          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
+          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/

      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@ -51,15 +61,39 @@ jobs:
        run: |
          git config --global --add safe.directory $GITHUB_WORKSPACE

+      - name: Install zig
+        if: matrix.name == 'zig'
+        uses: ./.github/actions/install-zig
+
      - name: Build and test 🏗️🧪
        env:
          UBSAN_OPTIONS: print_stacktrace=1
        run: |
          mkdir -p build
-          cd build && cmake ${{ matrix.cmake_opts }} ../
+          cd build && cmake ${{ matrix.cmake_opts }} -DENABLE_THREAD_POOL=ON ../
          KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
          make run-unit-tests

+      - name: Test sinsp-example and .scap files
+        run: |
+          cd build && make sinsp-example
+          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google.txt
+          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google_comments.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google_comments.txt
+          diff -u /tmp/curl_google.txt /tmp/curl_google_comments.txt
+
+      # On zig, build also sinsp-example and check the glibc linked versions
+      # to make sure we are actually using the correct glibc version.
+      - name: Test zig build glibc version
+        if: matrix.name == 'zig'
+        run: |
+          cd build
+          objdump -T libsinsp/test/unit-test-libsinsp | grep -Eo 'GLIBC_\S+' | sort -u -t "." -k1,1n -k2,2n -k3,3n
+          linked_glibc=$(objdump -T libsinsp/test/unit-test-libsinsp | grep -Eo 'GLIBC_\S+' | sort -u -t "." -k1,1n -k2,2n -k3,3n | tail -n1 | tr -d ')')
+          if [ "$linked_glibc" != "GLIBC_2.17" ]; then
+            echo "Expected glibc 2.17; found $linked_glibc" 
+            exit 1
+          fi
+
  build-libs-linux-amd64-static:
    name: build-libs-linux-amd64-static 🎃
    runs-on: ubuntu-latest
@ -68,10 +102,14 @@ jobs:
    steps:
      - name: Install deps ⛓️
        run: |
-          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
+          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
+          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+          cd bpftool
+          git submodule update --init
+          cd src && make install

      - name: Checkout Libs ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@ -82,32 +120,28 @@ jobs:
      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_BPF=On -DBUILD_DRIVER=Off -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DUSE_SHARED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On ../
+          cd build && cmake -DBUILD_BPF=On -DBUILD_DRIVER=Off -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DUSE_SHARED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DENABLE_THREAD_POOL=ON ../
          make run-unit-tests -j4

  build-shared-libs-linux-amd64:
    name: build-shared-libs-linux-amd64 🧐
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

-      - name: Git safe directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-
      - name: Install deps ⛓️
        run: |
          sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
          sudo .github/install-deps.sh

      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ../
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
          make -j4
          make run-unit-tests

@ -120,7 +154,7 @@ jobs:
        run: |
          cd userspace/libsinsp/examples
          export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
-          g++ -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)
+          g++ -o sinsp-example *.cpp $(pkg-config --cflags --libs libsinsp)

      - name: Test sinsp-example runtime linker
        run: |
@ -140,24 +174,22 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DMINIMAL_BUILD=ON ..
-          cmake --build . --config Release && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe
+          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DENABLE_THREAD_POOL=ON ..
+          cmake --build . --config Release --parallel 4 && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe

  build-shared-libs-macos-amd64:
    name: build-shared-libs-macos-amd64 😨
-    strategy:
-      fail-fast: false
    runs-on: macos-latest
    steps:
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@ -168,8 +200,8 @@ jobs:
      - name: Build 🏗️
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DMINIMAL_BUILD=ON -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
-          cmake --build . --config Release
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
+          cmake --build . --config Release --parallel $(getconf _NPROCESSORS_ONLN)

      - name: Install
        run: |
@ -194,7 +226,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@ -226,96 +258,15 @@ jobs:
          diff -u expected_ldd_out.txt ldd_out.txt

  run-e2e-tests-amd64:
-    name: run-e2e-tests-amd64
-    strategy:
-      fail-fast: false
-      matrix:
-        name: [system_deps, bundled_deps, asan]
-        include:
-          - name: system_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=False
-          - name: bundled_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=True
-          - name: asan
-            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install deps ⛓️
-        run: |
-          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
-            ca-certificates \
-            cmake \
-            build-essential \
-            clang-14 llvm-14 \
-            git \
-            clang \
-            llvm \
-            pkg-config \
-            autoconf \
-            automake \
-            libtool \
-            libelf-dev \
-            wget \
-            libc-ares-dev \
-            libbpf-dev \
-            libcap-dev \
-            libcurl4-openssl-dev \
-            libssl-dev \
-            libtbb-dev \
-            libjq-dev \
-            libjsoncpp-dev \
-            libgrpc++-dev \
-            protobuf-compiler-grpc \
-            libgtest-dev \
-            libprotobuf-dev \
-            "linux-headers-$(uname -r)"
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+    uses: ./.github/workflows/reusable_e2e_tests.yaml
+    with:
+      libsversion: ${{ github.sha }}
+    secrets: inherit

-      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-          
-      - name: Fix kernel mmap rnd bits
-        # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
-        # high-entropy ASLR in much newer kernels that GitHub runners are
-        # using leading to random crashes: https://reviews.llvm.org/D148280
-        run: sudo sysctl vm.mmap_rnd_bits=28    
-
-      - name: Install deps ⛓️
-        run: |
-          sudo .github/install-deps.sh
-
-      - name: Git safe directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-
-      - name: Build and test 🏗️🧪
-        run: |
-          mkdir -p build && cd build
-          cmake -DBUILD_BPF=ON \
-                -DBUILD_LIBSCAP_MODERN_BPF=ON \
-                -DBUILD_LIBSCAP_GVISOR=OFF \
-                ${{ matrix.cmake_opts }} \
-                -DUSE_BUNDLED_LIBBPF=ON \
-                ..
-          make -j$(nproc) sinsp-example driver bpf
-          sudo make e2e-install-deps
-          sudo ../test/e2e/scripts/run_tests.sh
-
-      - name: Archive test reports
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        if: failure()
-        with:
-          name: ${{ matrix.name }}_report
-          path: |
-            ${{ github.workspace }}/build/report/

  build-libs-emscripten:
    name: build-libs-emscripten 🧐
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - name: Install deps ⛓️
        run: |
@ -323,14 +274,10 @@ jobs:
          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r) emscripten

      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

-      - name: Git safe directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-
      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
--- a/.github/workflows/create-comment-kernel-testing.yml
+++ b/.github/workflows/create-comment-kernel-testing.yml
@ -0,0 +1,87 @@
+# NOTE: This has read-write repo token and access to secrets, so this must
+# not run any untrusted code.
+# see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+name: Comment with Kernel testing results on pull requests
+
+on:
+  workflow_run:
+    workflows: ["Drivers CI Build"]
+    types:
+      - completed
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifacts = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr-kernel-testing"
+            });
+            if (!Array.isArray(matchArtifacts) || !matchArtifacts.length) {
+              var process = require('process');
+              process.exit();
+            }
+            var matchArtifact = matchArtifacts[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+
+      - name: 'Unpack artifact'
+        run: |
+          if [ -f pr.zip ]; then
+            unzip pr.zip
+          fi
+
+      - name: 'Comment on PR'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # Taken from https://github.com/actions/github-script/blob/main/.github/workflows/pull-request-test.yml
+          script: |
+            var fs = require('fs');
+            if (!fs.existsSync('./NR')) {
+              var process = require('process');
+              process.exit();
+            }
+            var issue_number = Number(fs.readFileSync('./NR'));
+            var comment_body = fs.readFileSync('./COMMENT');
+
+            // Get the existing comments.
+            const {data: comments} = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issue_number,
+            });
+
+            // Find any comment already made by the bot.
+            const botComment = comments.find(comment => comment.user.id === 41898282 && comment.body.includes('# X64 kernel testing matrix'));
+
+            if (botComment) {
+              await github.rest.issues.updateComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                  body: comment_body.toString('utf8')
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue_number,
+                body: comment_body.toString('utf8')
+              });
+            }
--- a/.github/workflows/create-comment-perf.yml
+++ b/.github/workflows/create-comment-perf.yml
@ -0,0 +1,87 @@
+# NOTE: This has read-write repo token and access to secrets, so this must
+# not run any untrusted code.
+# see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+name: Comment with Perf diff on pull requests
+
+on:
+  workflow_run:
+    workflows: ["Perf CI"]
+    types:
+      - completed
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifacts = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr-perf"
+            });
+            if (!Array.isArray(matchArtifacts) || !matchArtifacts.length) {
+              var process = require('process');
+              process.exit();
+            }
+            var matchArtifact = matchArtifacts[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+
+      - name: 'Unpack artifact'
+        run: |
+          if [ -f pr.zip ]; then
+            unzip pr.zip
+          fi
+
+      - name: 'Comment on PR'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # Taken from https://github.com/actions/github-script/blob/main/.github/workflows/pull-request-test.yml
+          script: |
+            var fs = require('fs');
+            if (!fs.existsSync('./NR')) {
+              var process = require('process');
+              process.exit();
+            }
+            var issue_number = Number(fs.readFileSync('./NR'));
+            var comment_body = fs.readFileSync('./COMMENT');
+
+            // Get the existing comments.
+            const {data: comments} = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issue_number,
+            });
+
+            // Find any comment already made by the bot.
+            const botComment = comments.find(comment => comment.user.id === 41898282 && comment.body.includes('# Perf diff from master'));
+
+            if (botComment) {
+              await github.rest.issues.updateComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                  body: comment_body.toString('utf8')
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue_number,
+                body: comment_body.toString('utf8')
+              });
+            }
--- a/.github/workflows/driver-api-version.yml
+++ b/.github/workflows/driver-api-version.yml
@ -12,7 +12,6 @@ on:
      - 'driver/ppm_events_public.h'
      - 'driver/bpf/maps.h'
      - 'driver/modern_bpf/maps/maps.h'
-      

 jobs:
  paths-filter:
@ -20,8 +19,8 @@ jobs:
    outputs:
      driver_api_changed: ${{ steps.filter.outputs.driver_api }}
    steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
      id: filter
      with:
        filters: |
@ -36,7 +35,7 @@ jobs:
    if: needs.paths-filter.outputs.driver_api_changed == 'false'
    steps:
      - name: Check driver API_VERSION
-        uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
        with:
          message: |
            Please double check **driver/API_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#api-version-number).
--- a/.github/workflows/driver-schema-version.yml
+++ b/.github/workflows/driver-schema-version.yml
@ -19,8 +19,8 @@ jobs:
    outputs:
      driver_schema_changed: ${{ steps.filter.outputs.driver_schema }}
    steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
      id: filter
      with:
        filters: |
@ -34,14 +34,14 @@ jobs:
    needs: paths-filter
    if: needs.paths-filter.outputs.driver_schema_changed == 'false'
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Check driver SCHEMA_VERSION
-        uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
        with:
          message: |
            Please double check **driver/SCHEMA_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#schema-version-number).
-            
+
            /hold

      - name: Trigger failure
--- a/.github/workflows/driverkit.yml
+++ b/.github/workflows/driverkit.yml
@ -37,7 +37,7 @@ jobs:
      - name: Test drivers build on ${{ matrix.name }}
        run: |
          driverkit docker --kernelrelease ${{ matrix.kernelrelease }} --target ${{ matrix.target }} --output-module /tmp/libs.ko --output-probe /tmp/libs.o --driverversion $GITHUB_SHA --loglevel debug --kernelurls ${{ matrix.kernelurls }}
-          
+
  build-drivers-arm64:
    strategy:
      matrix:
@ -55,7 +55,7 @@ jobs:
            kernelrelease: 6.4.1-1.el9.elrepo.aarch64
            target: centos
            kernelurls: https://download.falco.org/fixtures/libs/kernel-ml-devel-6.4.1-1.el9.elrepo.aarch64.rpm
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
    container:
      image: falcosecurity/driverkit:latest
    steps:
--- a/.github/workflows/drivers_ci.yml
+++ b/.github/workflows/drivers_ci.yml
@ -24,8 +24,8 @@ jobs:
      libscap: ${{ steps.filter.outputs.libscap }}
      libpman: ${{ steps.filter.outputs.libpman }}
    steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
      id: filter
      with:
        filters: |
@ -39,7 +39,7 @@ jobs:
  # This job run all engine tests and scap-open
  test-scap:
    name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
    needs: paths-filter
    strategy:
      matrix:
@ -48,14 +48,14 @@ jobs:
          - arch: amd64
            enable_gvisor: True
          - arch: amd64
-            enable_gvisor: False  
-      fail-fast: false  
+            enable_gvisor: False
+      fail-fast: false
    steps:
      - name: Checkout Libs ⤵️
        # We need to skip each step because of https://github.com/orgs/community/discussions/9141.
        # This avoids having a skipped job whose name is not the resolved matrix name, like "test-scap-${{ matrix.arch }} 😆 (bundled_deps)"
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@ -63,29 +63,17 @@ jobs:
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r)
          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
          cd bpftool
          git submodule update --init
          cd src && sudo make install

-      - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
-        if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'arm64'
-
-      - name: Install kernel headers
-        if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64'
-        run: |
-          sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
-          
      - name: Build scap-open and drivers 🏗️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          mkdir -p build
-          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On -DUSE_ASAN=On -DUSE_UBSAN=On ../
          make scap-open driver bpf libscap_test -j6

      - name: Run scap-open with modern bpf 🏎️
@ -114,9 +102,16 @@ jobs:
          cd build
          sudo ./test/libscap/libscap_test

+      - name: Validate scap-open with modern bpf
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        uses: Andreagit97/bpfvalidator@v0.3.0
+        with:
+          args: |
+            --config=$GITHUB_WORKSPACE/driver/modern_bpf/bpfvalidator_config.yaml --cmd="$GITHUB_WORKSPACE/build/libscap/examples/01-open/scap-open --modern_bpf --num_events 10"
+
  test-drivers:
    name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    needs: paths-filter
    strategy:
      matrix:
@ -125,7 +120,7 @@ jobs:
    steps:
      - name: Checkout Libs ⤵️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@ -133,29 +128,22 @@ jobs:
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang-14 llvm-14 libtool
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang llvm libtool linux-headers-$(uname -r)
          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
          cd bpftool
          git submodule update --init
          cd src && sudo make install

-      - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
-        if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'arm64'
-
-      - name: Install kernel headers and gcc
+      - name: Install multilib compilers for ia32 tests
        if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64'
        run: |
-          sudo apt install -y --no-install-recommends linux-headers-$(uname -r) gcc-multilib g++-multilib
+          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib

      - name: Build drivers tests 🏗️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          mkdir -p build
-          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
          make drivers_test driver bpf -j6

      - name: Run drivers_test with modern bpf 🏎️
@ -175,18 +163,21 @@ jobs:
        run: |
          cd build
          sudo ./test/drivers/drivers_test -k
-          
+
  test-drivers-ppc64le:
    name: test-drivers-ppc64le 😁 (system_deps,custom node)
    runs-on: ubuntu-22.04
+    # Avoid running on forks since this job uses a private secret
+    # not available on forks, leading to failures.
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'falcosecurity/libs'
    needs: paths-filter
    steps:
      - name: Extract branch name
        run: echo "GIT_BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_ENV

      - name: Build and test drivers on ppc64le node via ssh
-        if: needs.paths-filter.outputs.driver_needs_rebuild
-        uses: appleboy/ssh-action@v1.0.3
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        uses: appleboy/ssh-action@2ead5e36573f08b82fbfce1504f1a4b05a647c6f # v1.2.2
        with:
          host: ${{ secrets.PPC64LE_HOST }}
          username: ${{ secrets.PPC64LE_USERNAME }}
@ -196,10 +187,12 @@ jobs:
          command_timeout: 60m
          script: |
            sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+            # Remove, if present, any libs clone created by a previous job run.
+            rm -rf libs
            git clone -b $GIT_BRANCH $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git libs
            cd libs
            mkdir -p build
-            cd build && cmake -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
+            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF -DUSE_BUNDLED_LIBELF=OFF ../
            make drivers_test driver bpf -j6
            sudo ./test/drivers/drivers_test -m
            rc_modern=$?
@ -208,7 +201,7 @@ jobs:
            sudo ./test/drivers/drivers_test -k
            rc_kmod=$?
            exit $(($rc_modern + $rc_bpf +$rc_kmod))
-        
+
  build-drivers-s390x:
    name: build-drivers-s390x 😁 (system_deps)
    runs-on: ubuntu-22.04
@ -216,11 +209,11 @@ jobs:
    steps:
      - name: Checkout Libs ⤵️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

-      - uses: uraimo/run-on-arch-action@4ed76f16f09d12e83abd8a49e1ac1e5bf08784d4 # v2.5.1
+      - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
        name: Run s390x build 🏗️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        with:
@ -229,29 +222,30 @@ jobs:
          githubToken: ${{ github.token }}

          install: |
-            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic            
+            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev libcap-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-generic
            git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
            cd bpftool
            git submodule update --init
            cd src && make install
            cd ../../
            git clone https://github.com/libbpf/libbpf.git --branch v1.3.0 --single-branch
-            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install
+            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install install_uapi_headers 
            ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/
+            ln -s /usr/include/bpf /usr/include/s390x-linux-gnu/
          # Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
          run: |
            git config --global --add safe.directory $GITHUB_WORKSPACE
            .github/install-deps.sh
            mkdir -p build
-            cd build && cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DENABLE_DRIVERS_TESTS=On -DCREATE_TEST_TARGETS=On -DBUILD_LIBSCAP_GVISOR=OFF ../
+            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DENABLE_DRIVERS_TESTS=On -DCREATE_TEST_TARGETS=On -DBUILD_LIBSCAP_GVISOR=OFF ../
            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make driver bpf drivers_test -j6
-  
+
  build-modern-bpf-skeleton:
    needs: paths-filter
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: 'ubuntu-latest'
    if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-    container: fedora:latest
+    container: fedora:41
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build dependencies
@ -259,7 +253,7 @@ jobs:
          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel

      - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Build modern BPF skeleton
        run: |
@ -268,49 +262,39 @@ jobs:
          make ProbeSkeleton -j6

      - name: Upload skeleton
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
-          name: bpf_probe_${{ inputs.arch }}.skel.h
+          name: bpf_probe_x86_64.skel.h
          path: skeleton-build/skel_dir/bpf_probe.skel.h
          retention-days: 1

  build-scap-open-w-extern-bpf-skeleton:
-    needs: [paths-filter,build-modern-bpf-skeleton] 
-    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    env:
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+    needs: [paths-filter,build-modern-bpf-skeleton]
+    runs-on: 'ubuntu-latest'
    if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-    container: centos:7
    steps:
-      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build dependencies
        run: |
-          yum -y install centos-release-scl
-          yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
-          source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build perl-IPC-Cmd
+          sudo apt update
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev
+          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
+          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
+          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90

      - name: Checkout
-        # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download skeleton
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
-          name: bpf_probe_${{ inputs.arch }}.skel.h
+          name: bpf_probe_x86_64.skel.h
          path: /tmp

-      - name: Install updated cmake
-        run: |
-          curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
-          gzip -d /tmp/cmake.tar.gz
-          tar -xpf /tmp/cmake.tar --directory=/tmp
-          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
-          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)
-
      - name: Prepare project
        run: |
          mkdir build && cd build
-          source /opt/rh/devtoolset-9/enable
          cmake \
              -DCMAKE_BUILD_TYPE=Release \
              -DUSE_BUNDLED_DEPS=On \
@ -323,5 +307,57 @@ jobs:
      - name: Build project
        run: |
          cd build
-          source /opt/rh/devtoolset-9/enable
-          make scap-open -j6          
+          make scap-open -j6
+
+  # Only runs on pull request since on master branch it is already triggered by pages CI.
+  kernel-tests-dev:
+    needs: paths-filter
+    # Avoid running on forks since this job uses a private secret
+    # not available on forks, leading to failures.
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
+    uses: ./.github/workflows/reusable_kernel_tests.yaml
+    with:
+      # Use real branch's HEAD sha, not the merge commit
+      libsversion: ${{ github.event.pull_request.head.sha }}
+    secrets: inherit
+
+  kernel-tests-pr-info-upload:
+    needs: kernel-tests-dev
+    # Avoid running on forks since this job uses a private secret
+    # not available on forks, leading to failures.
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download X64 matrix
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: matrix_X64
+          path: matrix_X64
+
+      - name: Download ARM64 matrix
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: matrix_ARM64
+          path: matrix_ARM64
+
+      - name: Save PR info
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+          touch ./pr/COMMENT
+          echo "# X64 kernel testing matrix" >> ./pr/COMMENT
+          echo "$(head -n $(grep -n -v -m1 '^|' matrix_X64/matrix.md | awk -F':'  '{ print $1 }') matrix_X64/matrix.md)" >> ./pr/COMMENT
+          echo "" >> ./pr/COMMENT
+          echo "# ARM64 kernel testing matrix" >> ./pr/COMMENT
+          echo "$(head -n $(grep -n -v -m1 '^|' matrix_ARM64/matrix.md | awk -F':'  '{ print $1 }') matrix_ARM64/matrix.md)" >> ./pr/COMMENT
+          echo Uploading PR info...
+          cat ./pr/COMMENT
+          echo ""
+
+      - name: Upload PR info as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: pr-kernel-testing
+          path: pr/
+          retention-days: 1
+          if-no-files-found: warn
--- a/.github/workflows/e2e_ci.yml
+++ b/.github/workflows/e2e_ci.yml
@ -15,14 +15,14 @@ concurrency:
 jobs:
  build-test-e2e:
    name: build-test-e2e-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    strategy:
      matrix:
        arch: [amd64, arm64]
      fail-fast: false
    steps:
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@ -32,9 +32,9 @@ jobs:
            ca-certificates \
            cmake \
            build-essential \
-            clang-14 llvm-14 \
-            git \
            clang \
+            llvm \
+            git \
            ccache \
            llvm \
            pkg-config \
@ -43,38 +43,28 @@ jobs:
            libtool \
            libelf-dev \
            wget \
-            libc-ares-dev \
            libbpf-dev \
            libcap-dev \
-            libcurl4-openssl-dev \
-            libssl-dev \
            libtbb-dev \
            libjq-dev \
            libjsoncpp-dev \
-            libgrpc++-dev \
-            protobuf-compiler-grpc \
            libgtest-dev \
-            libprotobuf-dev
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+            libprotobuf-dev \
+            protobuf-compiler \
+            linux-headers-$(uname -r)
          sudo .github/install-deps.sh
          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
          cd bpftool
          git submodule update --init
          cd src && sudo make install

-      - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
-        if: matrix.arch == 'arm64'
-
-      - name: Install kernel headers and gcc
+      - name: Install multilib compilers for ia32 tests
        if: matrix.arch == 'amd64'
        run: |
-          sudo apt install -y --no-install-recommends linux-headers-$(uname -r) gcc-multilib g++-multilib
+          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib

      - name: Run sccache-cache
-        uses: mozilla-actions/sccache-action@v0.0.3
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9

      - name: Build e2e tests 🏗️
        env:
@ -96,10 +86,11 @@ jobs:
                -DUSE_BUNDLED_GTEST=ON \
                ..
          make -j6 libsinsp_e2e_tests
+          sudo rm -vfr test/libsinsp_e2e/resources/_proc
          cd ..

      - name: Cache build
-        uses: actions/cache/save@v3
+        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        if: always()
        id: cache
        with:
@ -109,7 +100,7 @@ jobs:
  test-e2e:
    name: test-e2e-${{ matrix.arch }}-${{ matrix.driver.name }} 😇 (bundled_deps)
    needs: [build-test-e2e]
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    strategy:
      matrix:
        arch: [amd64, arm64]
@ -117,18 +108,18 @@ jobs:
      fail-fast: false
    steps:
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Restore build
        id: cache
-        uses: actions/cache/restore@v3
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: build
          key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
          restore-keys: build-e2e-
-          
+
      - name: Fix kernel mmap rnd bits
        # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
        # high-entropy ASLR in much newer kernels that GitHub runners are
@ -139,31 +130,25 @@ jobs:
        run: |
          sudo apt update

-      - name: Install multilib
+      - name: Install multilib compilers for ia32 tests
        if: matrix.arch == 'amd64'
        run: |
          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib

      - name: Install deps
        run: |
-          sudo apt install -y --no-install-recommends clang gcc llvm build-essential cmake
-
-      - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
-        if: matrix.arch == 'arm64'
-
-      - name: Install kernel headers and gcc
-        if: matrix.arch == 'amd64'
-        run: |
-          sudo apt install -y --no-install-recommends linux-headers-$(uname -r) gcc-multilib g++-multilib
+          sudo apt install -y --no-install-recommends clang gcc llvm build-essential cmake python3 quota linux-headers-$(uname -r)

        # We have no guarantees that the kernel version is the same for the
        # different workers, so we rebuild the drivers.
      - name: Rebuild drivers
        run: |
-          cd build
+          pushd build
          make -B driver bpf
-          cd ..
+          pushd test/libsinsp_e2e/resources/
+          sudo tar xzf fake-proc.tar.gz
+          popd
+          popd

      - name: Run e2e tests with ${{ matrix.driver.name }} 🏎️
        if: matrix.arch == 'amd64'
@ -173,7 +158,7 @@ jobs:
          cd build/test/libsinsp_e2e/
          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }}

-        # the actuated arm64 workers doesn't have the CONFIG_QFMT_V2 flag
+        # the arm64 workers don't have the CONFIG_QFMT_V2 flag
        # which is needed for the quotactl_ok test (cmd=QQUOTA_ON + id=QFMT_VFS_V0).
      - name: Run e2e tests with ${{ matrix.driver.name }} 🏎️
        if: matrix.arch == 'arm64'
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@ -0,0 +1,38 @@
+name: Format code
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - "release/**"
+
+jobs:
+  format:
+    name: format code 🐲
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository 🎉
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        run: |
+          sudo apt update -y
+          sudo apt install -y --no-install-recommends ca-certificates pip git
+          pip install pre-commit
+
+      - name: Run pre-commit ©️
+        run: |
+          pre-commit run --show-diff-on-failure --color=always --all-files
+
+      - name: Generate the git-diff 🚒
+        if: failure()
+        run: git diff > format_diff.patch
+
+      - name: Upload the git diff artifact 📦
+        if: failure()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: format_diff.patch
+          path: ./format_diff.patch
--- a/.github/workflows/latest-kernel.yml
+++ b/.github/workflows/latest-kernel.yml
@ -11,26 +11,23 @@ on:
    - cron: '0 8 * * *' # every day at 8am

 jobs:
-  build-latest-kernel:
-    name: build-latest-kernel
-    runs-on: ubuntu-latest
-    container:
-      image: falcosecurity/driverkit:latest
+  compute-latest-version:
+    outputs:
+      latest_vers: ${{ steps.latest-version.outputs.latest_vers }}
+    runs-on: 'ubuntu-latest'
    steps:
      - name: Checkout Archlinux mainline package ⤵️
        run: |
-          apk update && apk add git
          git clone https://aur.archlinux.org/linux-mainline.git linux/
-    
+
      - name: Generate driverkit config
        id: latest-version
        # Note: in case we are building latest mainline,
        # we grep the linux-mainline aur PKGBUILD "_tag" line, that is made like: "_tag=v6.4-rc1"
        # We then need to extract the part after the "=" and finally remove the starting "v".
-        run: |    
+        run: |
          cd linux/
          echo "kernelversion: 1" > dk.yaml
-          echo "architecture: amd64" >> dk.yaml
          echo "driverversion: ${{ github.sha }}" >> dk.yaml
          echo "output:" >> dk.yaml
          echo "  module: mod.ko" >> dk.yaml
@ -45,26 +42,80 @@ jobs:
            echo "target: arch" >> dk.yaml
          fi
          echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT
-      
+
      - name: Upload driverkit config
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: driverkit_config.yaml
          path: linux/dk.yaml
-          
+
+  build-latest-kernel-amd64:
+    needs: 'compute-latest-version'
+    outputs:
+      build: ${{ steps.build.outcome }}
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Download driverkit config
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: driverkit_config.yaml
+
+      - name: Download latest driverkit artifact
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+        with:
+          fileName: driverkit_*_linux_amd64.tar.gz
+          latest: true
+          repository: falcosecurity/driverkit
+          tarBall: false
+          zipBall: false
+          extract: true
+
      - name: Test drivers build
        id: build
        run: |
-          echo "Testing build of drivers against: ${{ steps.latest-version.outputs.latest_vers }}"
-          driverkit docker -c linux/dk.yaml -l debug
-          
+          echo "Testing build of drivers against: ${{ needs.compute-latest-version.outputs.latest_vers }}"
+          chmod +x driverkit
+          ./driverkit docker -c dk.yaml -l debug --timeout 300
+
+  build-latest-kernel-arm64:
+    needs: 'compute-latest-version'
+    outputs:
+      build: ${{ steps.build.outcome }}
+    runs-on: 'ubuntu-22.04-arm'
+    steps:
+      - name: Download driverkit config
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: driverkit_config.yaml
+
+      - name: Download latest driverkit artifact
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+        with:
+          fileName:  driverkit_*_linux_arm64.tar.gz
+          latest: true
+          repository: falcosecurity/driverkit
+          tarBall: false
+          zipBall: false
+          extract: true
+
+      - name: Test drivers build
+        id: build
+        run: |
+          echo "Testing build of drivers against: ${{ needs.compute-latest-version.outputs.latest_vers }}"
+          chmod +x driverkit
+          ./driverkit docker -c dk.yaml -l debug --timeout 300
+
+  badge-latest-kernel:
+    if: always() && github.event_name == 'schedule'
+    runs-on: 'ubuntu-latest'
+    needs: [compute-latest-version,build-latest-kernel-amd64,build-latest-kernel-arm64]
+    steps:
      - name: Update README badge
        uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0
-        if: always() && github.event_name == 'schedule'
        with:
          auth: ${{ secrets.FEDEDP_GIST_SECRET }}
          gistID: 1cbc5d42edf8e3a02fb75e76625f1072
          filename: kernel.json
          label: Drivers build
-          message: ${{ steps.latest-version.outputs.latest_vers }}
-          color: ${{ steps.build.outcome != 'success' && 'red' || 'brightgreen' }}
+          message: ${{ needs.compute-latest-version.outputs.latest_vers }}
+          color: ${{ (needs.build-latest-kernel-amd64.outputs.build != 'success' || needs.build-latest-kernel-arm64.outputs.build != 'success') && 'red' || 'brightgreen' }}
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@ -2,7 +2,7 @@ name: Deploy Github Pages
 on:
  push:
    branches: [master]
-      
+
 permissions:
  contents: read
  pages: write
@ -17,47 +17,128 @@ jobs:
    uses: ./.github/workflows/reusable_kernel_tests.yaml
    secrets: inherit

+  perf-libs-master:
+    runs-on: [ "self-hosted", "linux", "X64" ]
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run perf
+        id: perf
+        uses: ./.github/actions/composite-perf
+
+      - name: Archive master perf report
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: perf_report
+          retention-days: 30 # 30 days because this is the artifact on master; we need to retain it to be able to properly diff it
+          path: |
+            ${{ steps.perf.outputs.perf_tests }}
+            ${{ steps.perf.outputs.perf_scap }}
+            ${{ steps.perf.outputs.heaptrack_tests }}
+            ${{ steps.perf.outputs.heaptrack_scap }}
+            ${{ steps.perf.outputs.gbench_json }}
+          if-no-files-found: error
+
+      - name: Checkout Flamegraph ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: 'brendangregg/FlameGraph'
+          path: flamegraph
+          ref: master
+
+      - name: Generate svg file - perf unit tests
+        run: |
+          sudo perf script --dsos unit-test-libsinsp -i ${{ steps.perf.outputs.perf_tests }} > perf_tests.perf
+          ./flamegraph/stackcollapse-perf.pl perf_tests.perf > perf_tests.folded
+          ./flamegraph/flamegraph.pl perf_tests.folded > perf_tests.svg
+
+      - name: Generate svg file - perf scap file
+        run: |
+          sudo perf script --dsos sinsp-example -i ${{ steps.perf.outputs.perf_scap }} > perf_scap.perf
+          ./flamegraph/stackcollapse-perf.pl perf_scap.perf > perf_scap.folded
+          ./flamegraph/flamegraph.pl perf_scap.folded > perf_scap.svg
+
+      - name: Generate svg file - heaptrack unit tests
+        run: |
+          heaptrack_print ${{ steps.perf.outputs.heaptrack_tests }} -F stacks.txt
+          ./flamegraph/flamegraph.pl stacks.txt > heaptrack_tests.svg
+          rm -rf stacks.txt
+
+      - name: Generate svg file - heaptrack scap file
+        run: |
+          heaptrack_print ${{ steps.perf.outputs.heaptrack_scap }} -F stacks.txt
+          ./flamegraph/flamegraph.pl stacks.txt > heaptrack_scap.svg
+          rm -rf stacks.txt
+
+      - name: Upload svg files
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: perf_svg
+          path: '*.svg'
+          if-no-files-found: error
+
  deploy-pages:
-    needs: [kernel-tests-master]
+    needs: [kernel-tests-master,perf-libs-master]
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
      - name: Download matrix X64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_X64
-      
+
      - name: Move X64 matrix under docs
        run: mv matrix.md docs/matrix_X64.md
-      
+
      - name: Download matrix ARM64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_ARM64
-          
+
      - name: Move ARM64 matrix under docs
-        run: mv matrix.md docs/matrix_ARM64.md    
-      
+        run: mv matrix.md docs/matrix_ARM64.md
+
      - name: Disable Table Of Content for matrixes pages
        run: |
          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_X64.md
          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_ARM64.md

-      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+      - name: Download perf svg files
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: perf_svg
+
+      - name: Generate perf pages
+        run: |
+          mv perf_tests.svg docs/
+          echo '<object data="../perf_tests.svg" type="image/svg+xml" id="perf_unit_tests"></object>' > docs/perf_unit_tests.md
+          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/perf_unit_tests.md
+          mv perf_scap.svg docs/
+          echo '<object data="../perf_scap.svg" type="image/svg+xml" id="perf_scap_file"></object>' > docs/perf_scap_file.md
+          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/perf_scap_file.md
+          mv heaptrack_tests.svg docs/
+          echo '<object data="../heaptrack_tests.svg" type="image/svg+xml" id="heaptrack_unit_tests"></object>' > docs/heaptrack_unit_tests.md
+          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_unit_tests.md
+          mv heaptrack_scap.svg docs/
+          echo '<object data="../heaptrack_scap.svg" type="image/svg+xml" id="heaptrack_scap_file"></object>' > docs/heaptrack_scap_file.md
+          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_scap_file.md
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: 3.x
-          
+
      - run: pip install mkdocs mkdocs-material
-      
+
      - run: mkdocs build
-      
-      - uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0
+
+      - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
        with:
          path: 'site'

      - id: deployment
-        uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # v2.0.4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
--- a/.github/workflows/perf.yml
+++ b/.github/workflows/perf.yml
@ -0,0 +1,168 @@
+name: Perf CI
+on:
+  pull_request:
+  workflow_dispatch:
+
+# Checks if any concurrent jobs under the same pull request or branch are being executed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-perf
+  cancel-in-progress: true
+
+jobs:
+  perf-libs-linux-amd64:
+    runs-on: [ "self-hosted", "linux", "X64" ]
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Checkout Google benchmark ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: 'google/benchmark'
+          ref: 'v1.9.0'
+          path: google-benchmark/
+
+      - name: Run perf
+        id: perf
+        uses: ./.github/actions/composite-perf
+
+      - name: Download latest master report
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+        with:
+          branch: master
+          event: push
+          name: perf_report
+          workflow: pages.yml
+
+      - name: Diff from master - perf unit tests
+        run: |
+          sudo perf diff perf_tests.data ${{ steps.perf.outputs.perf_tests }} -d unit-test-libsinsp -b -o 1 --percentage relative -q &> perf_tests_diff.txt
+
+      - name: Diff from master - perf scap file
+        run: |
+          sudo perf diff perf_scap.data ${{ steps.perf.outputs.perf_scap }} -d sinsp-example -b -o 1 --percentage relative -q &> perf_scap_diff.txt
+
+      - name: Diff from master - heaptrack unit tests
+        run: |
+          sudo heaptrack_print heaptrack_tests.data.zst -d ${{ steps.perf.outputs.heaptrack_tests }} &> heaptrack_tests_diff.txt
+
+      - name: Diff from master - heaptrack scap file
+        run: |
+          sudo heaptrack_print heaptrack_scap.data.zst -d ${{ steps.perf.outputs.heaptrack_scap }} &> heaptrack_scap_diff.txt
+
+      - name: Diff from master - gbench
+        run: |
+          pip3 install -r google-benchmark/tools/requirements.txt
+          python3 google-benchmark/tools/compare.py --no-color benchmarks gbench_data.json ${{ steps.perf.outputs.gbench_json }} &> gbench_diff.txt
+
+      - name: Archive perf diff
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: perf_diff
+          path: '*_diff.txt'
+          if-no-files-found: error
+
+      - name: Save PR info
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+          touch ./pr/COMMENT
+          echo "# Perf diff from master - unit tests" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          head -n10 "perf_tests_diff.txt" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          echo "" >> ./pr/COMMENT
+          # Drop unstable perf results!
+          # echo "# Perf diff from master - scap file" >> ./pr/COMMENT
+          # echo "\`\`\`" >> ./pr/COMMENT
+          # head -n10 "perf_scap_diff.txt" >> ./pr/COMMENT
+          # echo "\`\`\`" >> ./pr/COMMENT
+          # echo "" >> ./pr/COMMENT
+          echo "# Heap diff from master - unit tests" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          tail -n3 "heaptrack_tests_diff.txt" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          echo "" >> ./pr/COMMENT
+          echo "# Heap diff from master - scap file" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          tail -n3 "heaptrack_scap_diff.txt" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          echo "# Benchmarks diff from master" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          cat "gbench_diff.txt" >> ./pr/COMMENT
+          echo "\`\`\`" >> ./pr/COMMENT
+          echo Uploading PR info...
+          cat ./pr/COMMENT
+          echo ""
+
+      - name: Upload PR info as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: pr-perf
+          path: pr/
+          retention-days: 1
+          if-no-files-found: warn
+
+      # Check will fail if sum of all differences is >= 1%.
+      # But we will always comment with the perf diff from master
+      - name: Check >= 5% threshold - perf unit tests
+        if: always()
+        run: |
+          sum=$(awk '{sum+=sprintf("%f",$2)}END{printf "%.6f\n",sum}' perf_tests_diff.txt | tr ',' '.')
+          if (( $(echo "$sum >= 5.0" | bc -l) )); then
+            exit 1
+          fi
+
+      # Check will fail if sum of all differences is >= 1%.
+      # But we will always comment with the perf diff from master
+      # CHECK DISABLED: UNSTABLE PERF TEST.
+#      - name: Check >= 1% threshold - perf scap file
+#        if: always() # Even if other threshold checks failed
+#        run: |
+#          sum=$(awk '{sum+=sprintf("%f",$2)}END{printf "%.6f\n",sum}' perf_scap_diff.txt | tr ',' '.')
+#          if (( $(echo "$sum >= 1.0" | bc -l) )); then
+#            exit 1
+#          fi
+
+      # Check will fail if there is any heap memory usage difference >= 1M,
+      # or if there is new memory leaked.
+      - name: Check >= 1M threshold or new leaked mem - heaptrack unit tests
+        if: always() # Even if other threshold checks failed
+        run: |
+          tail -n 3 heaptrack_tests_diff.txt | grep "peak heap memory consumption" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 >= 1048576) print }' &> heaptrack_tests_diff_above_thresh.txt
+          if [ -s heaptrack_tests_diff_above_thresh.txt ]; then
+            exit 1
+          fi
+          tail -n 3 heaptrack_scap_diff.txt | grep "total memory leaked" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 > 0) print }' &> heaptrack_scap_diff_above_thresh.txt
+          if [ -s heaptrack_scap_diff_above_thresh.txt ]; then
+            exit 2
+          fi
+
+      # Check will fail if there is any heap memory usage difference >= 1M,
+      # or if there is new memory leaked.
+      - name: Check >= 1M threshold or new leaked mem - heaptrack scap file
+        if: always() # Even if other threshold checks failed
+        run: |
+          tail -n 3 heaptrack_scap_diff.txt | grep "peak heap memory consumption" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 >= 1048576) print }' &> heaptrack_scap_diff_above_thresh.txt
+          if [ -s heaptrack_scap_diff_above_thresh.txt ]; then
+            exit 1
+          fi
+          tail -n 3 heaptrack_scap_diff.txt | grep "total memory leaked" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 > 0) print }' &> heaptrack_scap_diff_above_thresh.txt
+          if [ -s heaptrack_scap_diff_above_thresh.txt ]; then
+            exit 2
+          fi
+
+      # Check will fail if there any google benchmark is slowed more than 5%
+      - name: Check >= 5% slowdown on google benchmarks
+        if: always() # Even if other threshold checks failed
+        run: |
+          # Remove first 3 lines and last line that are no tests results
+          tail -n+4 gbench_diff.txt | head -n -1 | while read p; do
+            test_name=$(echo "$p" | awk '{print $1}')
+            if [[ "$test_name" =~ _mean$ ]]; then
+              diff_pct=$(echo "$p" | awk '{print $3}' | tr -d '+')
+              if (( $(echo "$diff_pct >= 5.0" | bc -l) )); then
+                exit 1
+              fi
+            fi
+          done
--- a/.github/workflows/release-body.yml
+++ b/.github/workflows/release-body.yml
@ -43,13 +43,13 @@ jobs:

          # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
          is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
-          
+
          is_driver = "+driver" in tag_name

          with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
            print(f'is_latest={is_latest}'.lower(), file=ofp)
            print(f'is_driver={is_driver}'.lower(), file=ofp)
-            
+
  release-body-libs:
    needs: [release-settings]
    if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'false' }} # only for latest releases and not driver ones
@ -58,12 +58,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
      - name: Create release body file
        run: |
          touch release-body.md
-          
+
      - name: Extract MIN_API version
        run: |
          MIN_API_VER=$(grep SCAP_MINIMUM_DRIVER_API_VERSION userspace/libscap/scap.h)
@ -72,7 +72,7 @@ jobs:
          MIN_API_VER=$(echo $MIN_API_VER | tr -d "(" | tr -d ")")
          MIN_API_VER=$(echo $MIN_API_VER | sed -r 's/, /./g')
          echo '!'"[MIN_DRIVER_API](https://img.shields.io/badge/MIN_DRIVER_API-${MIN_API_VER}-yellow)" >> release-body.md
-          
+
      - name: Extract MIN_SCHEMA version
        run: |
          MIN_SCHEMA_VER=$(grep SCAP_MINIMUM_DRIVER_SCHEMA_VERSION userspace/libscap/scap.h)
@ -82,36 +82,36 @@ jobs:
          MIN_SCHEMA_VER=$(echo $MIN_SCHEMA_VER | sed -r 's/, /./g')
          echo '!'"[MIN_DRIVER_SCHEMA](https://img.shields.io/badge/MIN_DRIVER_SCHEMA-${MIN_SCHEMA_VER}-yellow)" >> release-body.md
          echo "" >> release-body.md
-          
+
      - name: Generate release notes
        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
        with:
          milestone: ${{ github.event.release.tag_name }}
          output: ./notes.md
-        
+
      - name: Merge release notes to pre existent body
        run: cat notes.md >> release-body.md
-        
+
      - name: Attach release creator to release body
        run: |
          echo "" >> release-body.md
          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
-        
+
      - name: Release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
        with:
          body_path: ./release-body.md
          tag_name: ${{ github.event.release.tag_name }}
-          name: ${{ github.event.release.name }}          
+          name: ${{ github.event.release.name }}

  kernel-tests-release:
    needs: [release-settings]
-    if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases 
+    if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases
    uses: ./.github/workflows/reusable_kernel_tests.yaml
    with:
      libsversion: ${{ github.event.release.tag_name }}
-    secrets: inherit            
-            
+    secrets: inherit
+
  release-body-driver:
    needs: [release-settings, kernel-tests-release]
    if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases
@ -120,12 +120,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Clone libs repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-          
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
      - name: Create release body file
        run: |
-          touch release-body.md    
-          
+          touch release-body.md
+
      - name: Extract API and SCHEMA versions
        run: |
          touch release-body.md
@ -134,20 +134,41 @@ jobs:
          echo '!'"[API](https://img.shields.io/badge/API-${API_VERS}-yellow)" >> release-body.md
          echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md
          echo "" >> release-body.md
-      
+
+      - name: Push badge to latest kernel release
+        run: |
+          wget https://gist.githubusercontent.com/FedeDP/1cbc5d42edf8e3a02fb75e76625f1072/raw/kernel.json
+          # 6.15-rc2 -> 6.15
+          # 6.10.6 -> 6.10
+          # 6.10 -> 6.10
+          KVER=$(cat kernel.json | jq '.message' | tr -d '"' | grep -oE -- '[0-9]+.[0-9]+')
+          SUCCESS=$(cat kernel.json | jq '.color' | tr -d '"')
+          # If latest run was not successful,
+          # revert back to previous kernel release.
+          # Of course, the fallback logic is bugged in case minor is 0,
+          # as we cannot know which was the previous version.
+          # It should not matter until kernel 7.0 :P
+          if [[ "$SUCCESS" = "red" ]]; then
+            n=${KVER//[!0-9]/ }
+            a=(${n//\./ })
+            KVER=$(echo "${a[0]}.$((a[1] - 1))")
+          fi
+          echo '!'"[Latest Compatible Kernel](https://img.shields.io/badge/KERNEL-${KVER}-brightgreen)" >> release-body.md
+          echo "" >> release-body.md
+
      - name: Download matrix X64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_X64
-      
+
      - name: Rename X64 matrix
        run: mv matrix.md matrix_X64.md
-      
+
      - name: Download matrix ARM64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_ARM64
-          
+
      - name: Rename ARM64 matrix
        run: mv matrix.md matrix_ARM64.md

@ -166,23 +187,23 @@ jobs:
          sed -i '1s/^/# Driver Testing Matrix amd64\n\n/' matrix_X64.md
          sed -i '1s/^/# Driver Testing Matrix arm64\n\n/' matrix_ARM64.md
          cat matrix_X64.md matrix_ARM64.md >> release-body.md
-          
+
      - name: Generate release notes
-        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
+        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73 # main
        with:
          milestone: ${{ github.event.release.tag_name }}
          output: ./notes.md
-        
+
      - name: Merge release notes to pre existent body
        run: cat notes.md >> release-body.md
-        
+
      - name: Attach release creator to release body
        run: |
          echo "" >> release-body.md
-          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md    
+          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md

      - name: Release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
        with:
          body_path: ./release-body.md
          tag_name: ${{ github.event.release.tag_name }}
--- a/.github/workflows/reusable_e2e_tests.yaml
+++ b/.github/workflows/reusable_e2e_tests.yaml
@ -0,0 +1,137 @@
+name: Run libs e2e tests python framework
+
+on:
+  workflow_call:
+    inputs:
+      container_plugin_artifact_name:
+        description: 'use a previously built custom container plugin; artifact name to be downloaded, or empty'
+        type: string
+        required: false
+        default: ''
+      test-docker:
+        description: "Whether to run tests with docker socket"
+        type: boolean
+        required: false
+        default: true
+      test-podman:
+        description: "Whether to run tests with podman socket"
+        type: boolean
+        required: false
+        default: true
+      libsversion:
+        description: 'libs version to be tested, eg: master'
+        type: string
+        required: false
+        default: 'master'
+      libsrepo:
+        description: 'libs repo to be tested, eg: falcosecurity/libs'
+        type: string
+        required: false
+        default: 'falcosecurity/libs'
+
+jobs:
+  test-e2e:
+    if: inputs.test-docker || inputs.test-podman
+    strategy:
+      fail-fast: false
+      matrix:
+        name: [ system_deps, bundled_deps, asan ]
+        include:
+          - name: system_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=False
+          - name: bundled_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=True
+          - name: asan
+            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install deps ⛓️
+        run: |
+          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
+            ca-certificates \
+            cmake \
+            build-essential \
+            git \
+            clang \
+            llvm \
+            pkg-config \
+            autoconf \
+            automake \
+            libtool \
+            libelf-dev \
+            wget \
+            libbpf-dev \
+            libcap-dev \
+            libtbb-dev \
+            libjq-dev \
+            libjsoncpp-dev \
+            libgtest-dev \
+            libprotobuf-dev \
+            protobuf-compiler \
+            "linux-headers-$(uname -r)"
+
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          repository: ${{ inputs.libsrepo }}
+          ref: ${{ inputs.libsversion }}
+
+      - name: Install deps ⛓️
+        run: |
+          sudo .github/install-deps.sh
+
+      - name: Build tests 🏗️
+        run: |
+          mkdir -p build && cd build
+          cmake -DBUILD_BPF=ON \
+                -DBUILD_LIBSCAP_MODERN_BPF=ON \
+                -DBUILD_LIBSCAP_GVISOR=OFF \
+                -DENABLE_E2E_TESTS=ON \
+                ${{ matrix.cmake_opts }} \
+                -DUSE_BUNDLED_LIBBPF=ON \
+                ..
+          make -j$(nproc) sinsp-example driver bpf container_plugin
+          sudo -E make e2e-install-deps
+
+      - name: Download overriding custom container plugin
+        if: inputs.container_plugin_artifact_name != ''
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: ${{ inputs.container_plugin_artifact_name }}
+          path: build/test/e2e/container_plugin-prefix/src/container_plugin/
+
+      - name: Run tests - docker 🧪
+        if: inputs.test-docker
+        working-directory: build
+        run: |
+          sudo -E ../test/e2e/scripts/run_tests.sh
+
+      - name: Archive test reports - docker
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: inputs.test-docker && failure()
+        with:
+          name: ${{ matrix.name }}_docker_report
+          path: |
+            /tmp/report/
+
+      - name: Run tests - podman 🧪
+        if: inputs.test-podman && always()
+        working-directory: build
+        env:
+          # Set DOCKER_HOST pointing to podman socket
+          DOCKER_HOST: unix://run/podman/podman.sock
+        run: |
+          # Cleanup docker tests generated report folder
+          sudo rm -rf /tmp/report
+          # Podman tests require podman socket
+          sudo systemctl start podman
+          sudo -E ../test/e2e/scripts/run_tests.sh
+
+      - name: Archive test reports - podman
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: inputs.test-podman && failure()
+        with:
+          name: ${{ matrix.name }}_podman_report
+          path: |
+            /tmp/report/
--- a/.github/workflows/reusable_kernel_tests.yaml
+++ b/.github/workflows/reusable_kernel_tests.yaml
@ -13,7 +13,7 @@ on:
        type: string
        required: false
        default: 'falcosecurity/libs'
-  workflow_call:    
+  workflow_call:
    inputs:
      libsversion:
        description: 'libs version to be tested, eg: master'
@ -29,15 +29,17 @@ on:
 concurrency:
  group: kernel-tests
  cancel-in-progress: false
-        
+
 jobs:
  test-kernels:
    strategy:
      fail-fast: false
      matrix:
        architecture: [X64, ARM64]
-    runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ]    
+    runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ]
    steps:
+      # We need to use v0.3.2 instead of the hash because the tagname is 
+      # used by the action to download release tagged images.
      - uses: falcosecurity/kernel-testing@v0.3.2
        id: kernel_tests
        with:
@ -45,12 +47,12 @@ jobs:
          libsrepo: ${{ inputs.libsrepo }}
          build_matrix: 'true'

-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ansible_output_${{matrix.architecture}}
          path: ${{ steps.kernel_tests.outputs.ansible_output }}
-        
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: matrix_${{matrix.architecture}}
          path: ${{ steps.kernel_tests.outputs.matrix_output }}
--- a/.github/workflows/semgrep_checks.yml
+++ b/.github/workflows/semgrep_checks.yml
@ -11,10 +11,10 @@ jobs:
    name: check-insecure-api
    runs-on: ubuntu-latest
    container:
-      image: returntocorp/semgrep:1.41.0
+      image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
    steps:
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
      - name: Scan PR for insecure API usage 🕵️
@ -29,10 +29,10 @@ jobs:
    name: check-absolute-include-paths
    runs-on: ubuntu-latest
    container:
-      image: returntocorp/semgrep:1.41.0
+      image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
    steps:
      - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
      - name: Scan PR for libs relateive include paths 🕵️
--- a/.github/workflows/test_coverage_ci.yml
+++ b/.github/workflows/test_coverage_ci.yml
@ -0,0 +1,46 @@
+name: Test Coverage CI
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+# Checks if any concurrent jobs under the same pull request or branch are being executed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  unit-test-libsinsp-coverage:
+    name: unit-test-libsinsp-coverage 🧐
+    runs-on: 'ubuntu-22.04'
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        run: |
+          sudo apt-get update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r) gpg gpg-agent gcovr
+          sudo .github/install-deps.sh
+
+      - name: Build and test 🏗️🧪
+        run: |
+          mkdir -p build
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=True -DENABLE_COVERAGE=True -DUSE_BUNDLED_DEPS=False ../
+          KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
+          make run-unit-tests
+
+      - name: Generate libsinsp coverage report
+        run: |
+          gcovr --xml -o ./libsinsp.coverage.xml
+
+      - name: Upload to codecov
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        with:
+          fail_ci_if_error: true
+          files: ./libsinsp.coverage.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
+          verbose: true
+          flags: libsinsp
--- a/.github/workflows/update-syscalls.yml
+++ b/.github/workflows/update-syscalls.yml
@ -13,18 +13,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: master
          path: libs

      - name: Bump syscalls
-        uses: falcosecurity/syscalls-bumper@main
+        uses: falcosecurity/syscalls-bumper@main # should be pointing to main
        with:
          repo-root: ${{ github.workspace }}/libs

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          path: libs
          signoff: true
--- a/.gitignore
+++ b/.gitignore
@ -28,3 +28,4 @@ cscope.out
 tags
 third_party
 *.vagrant*
+.DS_Store
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,23 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+fail_fast: false
+minimum_pre_commit_version: '0'
+repos:
+- repo: https://github.com/cheshirekow/cmake-format-precommit
+  rev: v0.6.13
+  hooks:
+  - id: cmake-format
+    stages: [pre-commit]
+- repo: https://github.com/pre-commit/mirrors-clang-format
+  rev: v18.1.8
+  hooks:
+  - id: clang-format
+    types_or: [c++, c]
+    stages: [pre-commit]
+- repo: local
+  hooks:
+  - id: dco-hook-local
+    name: DCO hook local
+    entry: ./tools/local_hooks/dco-pre-commit-msg.sh
+    language: script
+    stages: [prepare-commit-msg]
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -2,33 +2,32 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-# Prior to doing anything, we make sure that we aren't trying to
-# run cmake in-tree.
+# Prior to doing anything, we make sure that we aren't trying to run cmake in-tree.
 if(EXISTS ${CMAKE_CURRENT_BINARY_DIR}/CMakeLists.txt)
-	message(FATAL_ERROR
-		"Looks like you are trying to run CMake from the base source directory.\n"
-		"** RUNNING CMAKE FROM THE BASE DIRECTORY WILL NOT WORK **\n"
-		"To Fix:\n"
-		" 1. Remove the CMakeCache.txt file in this directory. ex: rm CMakeCache.txt\n"
-		" 2. Create a build directory from here. ex: mkdir build\n"
-		" 3. cd into that directory. ex: cd build\n"
-		" 4. Run cmake from the build directory. ex: cmake ..\n"
-		" 5. Run make from the build directory. ex: make\n"
-		"Full paste-able example:\n"
-		"( rm -f CMakeCache.txt; mkdir build; cd build; cmake ..; make )")
+	message(
+		FATAL_ERROR
+			"Looks like you are trying to run CMake from the base source directory.\n"
+			"** RUNNING CMAKE FROM THE BASE DIRECTORY WILL NOT WORK **\n"
+			"To Fix:\n"
+			" 1. Remove the CMakeCache.txt file in this directory. ex: rm CMakeCache.txt\n"
+			" 2. Create a build directory from here. ex: mkdir build\n"
+			" 3. cd into that directory. ex: cd build\n"
+			" 4. Run cmake from the build directory. ex: cmake ..\n"
+			" 5. Run make from the build directory. ex: make\n"
+			"Full paste-able example:\n"
+			"( rm -f CMakeCache.txt; mkdir build; cd build; cmake ..; make )"
+	)
 endif()

 cmake_minimum_required(VERSION 3.12)
@ -38,8 +37,8 @@ if(POLICY CMP0042)
 	cmake_policy(SET CMP0042 NEW)
 endif()

-# Enable CMAKE_MSVC_RUNTIME_LIBRARY on Windows + CMake >= 3.15 and link
-# with the static (MultiThreaded) CRT unless instructed otherwise.
+# Enable CMAKE_MSVC_RUNTIME_LIBRARY on Windows + CMake >= 3.15 and link with the static
+# (MultiThreaded) CRT unless instructed otherwise.
 if(NOT (CMAKE_MSVC_RUNTIME_LIBRARY OR BUILD_SHARED_LIBS))
 	set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
 endif()
@ -54,16 +53,18 @@ endif()
 project(falcosecurity-libs)

 option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
-option(MINIMAL_BUILD "Produce a minimal build with only the essential features (no container metadata)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
-option(USE_BUNDLED_DRIVER "Use the driver/ subdirectory in the build process (only available in Linux)" ON)
+option(USE_BUNDLED_DRIVER
+	   "Use the driver/ subdirectory in the build process (only available in Linux)" ON
+)
+option(ENABLE_E2E_TESTS "Enable e2e tests" OFF)
 option(ENABLE_DRIVERS_TESTS "Enable driver tests (bpf, kernel module, modern bpf)" OFF)
 option(ENABLE_LIBSCAP_TESTS "Enable libscap unit tests" OFF)
 option(ENABLE_LIBSINSP_E2E_TESTS "Enable libsinsp e2e tests" OFF)
 option(BUILD_SHARED_LIBS "Build libscap and libsinsp as shared libraries" OFF)
-option(ENABLE_VM_TESTS "Enable driver sanity tests" OFF)
 option(USE_ASAN "Build with AddressSanitizer" OFF)
 option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
+option(USE_TSAN "Build with ThreadSanitizer" OFF)
 option(ENABLE_COVERAGE "Build with code coverage" OFF)
 option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)

@ -75,8 +76,7 @@ endif()
 include(GNUInstallDirs)

 # Add path for custom CMake modules.
-list(APPEND CMAKE_MODULE_PATH
-	"${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
+list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")

 include(versions)

@ -112,7 +112,7 @@ if(CREATE_TEST_TARGETS)
 	include(gtest)
 endif()

-if (BUILD_SHARED_LIBS)
+if(BUILD_SHARED_LIBS)
 	get_shared_libs_versions(FALCOSECURITY_SHARED_LIBS_VERSION FALCOSECURITY_SHARED_LIBS_SOVERSION)
 	message(STATUS "Shared library version: ${FALCOSECURITY_SHARED_LIBS_VERSION}")
 	message(STATUS "Shared library soversion: ${FALCOSECURITY_SHARED_LIBS_SOVERSION}")
@ -122,14 +122,13 @@ include(libscap)
 include(libsinsp)

 if(CREATE_TEST_TARGETS)
-	# Add command to run all unit tests at once via the make system.
-	# This is preferred vs using ctest's add_test because it will build
-	# the code and output to stdout.
-	add_custom_target(run-unit-tests
-		COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp
-	)
+	# Add command to run all unit tests at once via the make system. This is preferred vs using
+	# ctest's add_test because it will build the code and output to stdout.
+	add_custom_target(run-unit-tests COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp)

-	add_subdirectory(test/e2e)
+	if(ENABLE_E2E_TESTS)
+		add_subdirectory(test/e2e)
+	endif()

 	if(ENABLE_DRIVERS_TESTS)
 		add_subdirectory(test/drivers)
@ -145,8 +144,9 @@ if(CREATE_TEST_TARGETS)
 		add_subdirectory(test/libsinsp_e2e/resources)
 	endif()

-	if(ENABLE_VM_TESTS)
-		add_subdirectory(test/vm)
-	endif()
-
+endif()
+
+option(ENABLE_BENCHMARKS "Enable Benchmarks" OFF)
+if(ENABLE_BENCHMARKS)
+	add_subdirectory(benchmark)
 endif()
--- a/CMakeListsGtestInclude.cmake
+++ b/CMakeListsGtestInclude.cmake
@ -2,17 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 cmake_minimum_required(VERSION 3.12)
@ -20,14 +18,15 @@ cmake_minimum_required(VERSION 3.12)
 project(googletest-download NONE)

 include(ExternalProject)
-ExternalProject_Add(googletest
-  GIT_REPOSITORY    https://github.com/google/googletest.git
-  GIT_TAG           "release-1.12.1"
-  SOURCE_DIR        "${PROJECT_BINARY_DIR}/googletest-src"
-  BINARY_DIR        "${PROJECT_BINARY_DIR}/googletest-build"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND     ""
-  INSTALL_COMMAND   ""
-  UPDATE_COMMAND    ""
-  TEST_COMMAND      ""
+ExternalProject_Add(
+	googletest
+	GIT_REPOSITORY https://github.com/google/googletest.git
+	GIT_TAG "release-1.12.1"
+	SOURCE_DIR "${PROJECT_BINARY_DIR}/googletest-src"
+	BINARY_DIR "${PROJECT_BINARY_DIR}/googletest-build"
+	CONFIGURE_COMMAND ""
+	BUILD_COMMAND ""
+	INSTALL_COMMAND ""
+	UPDATE_COMMAND ""
+	TEST_COMMAND ""
 )
--- a/CMakePresets.json
+++ b/CMakePresets.json
@ -0,0 +1,47 @@
+{
+	"version": 3,
+	"configurePresets": [
+		{
+			"name": "base",
+			"hidden": true,
+			"generator": "Unix Makefiles",
+			"cacheVariables": {
+				"CMAKE_BUILD_TYPE": "Release",
+				"CMAKE_EXPORT_COMPILE_COMMANDS": "ON",
+				"BUILD_DRIVER": "ON",
+				"BUILD_BPF": "ON",
+				"BUILD_WARNINGS_AS_ERRORS": "ON"
+			}
+		},
+		{
+			"name": "scap-drivers",
+			"inherits": "base",
+			"displayName": "Build scap drivers and their tests",
+			"description": "Build all scap drivers (modern eBPF, legacy eBPF, kmod) and their tests",
+			"binaryDir": "${sourceDir}/build-scap-drivers",
+			"cacheVariables": {
+				"USE_BUNDLED_DEPS": "ON",
+				"ENABLE_DRIVERS_TESTS": "ON",
+				"MODERN_BPF_DEBUG_MODE": "ON",
+				"BUILD_LIBSCAP_MODERN_BPF": "ON",
+				"BUILD_LIBSCAP_GVISOR": "OFF",
+				"CREATE_TEST_TARGETS": "ON",
+				"ENABLE_LIBSCAP_TESTS": "ON",
+				"SCAP_FILES_SUITE_ENABLE": "OFF"
+			}
+		},
+		{
+			"name": "sinsp-minimal",
+			"inherits": "base",
+			"displayName": "Build minimal sinsp",
+			"description": "Build sinsp without gvisor and protobuf deps",
+			"binaryDir": "${sourceDir}/build-sinsp-minimal",
+			"cacheVariables": {
+				"USE_BUNDLED_DEPS": "ON",
+				"BUILD_LIBSCAP_GVISOR": "OFF",
+				"CREATE_TEST_TARGETS": "ON",
+				"SCAP_FILES_SUITE_ENABLE": "OFF"
+			}
+		}
+	]
+}
--- a/Contributing.md
+++ b/Contributing.md
@ -0,0 +1,207 @@
+# How to contribute
+
+## Enforce coding style 💻
+
+### Introduction
+
+This document introduces the coding style that will be applied in this repository.
+This coding style involves all the following files: `.c`, `.h`, `.cpp`, `.cmake`, `CMakeLists.txt`. To enforce it we rely on two main tools:
+
+1. `clang-format` version `18.1.8`.
+2. `cmake-format` version `0.6.13`.
+
+> __Please note__: tools versions are important! Different versions will enforce slightly different changes on the code. For example `clang-format-18` will produce a slightly different output respect to `clang-format-17` always respecting the imposed style.
+
+The coding style is expressed through the 2 configuration file that you find in this repo: `.clang-format`, `.cmake-format.json`.  
+
+### Enforce the style locally
+
+There are many ways to enforce the style locally, here we will describe two of them:
+
+1. Use `pre-commit` framework.
+2. Use the repo `Makefile`.
+
+#### 1.Pre-commit framework (suggested if you don't have the 2 tools already installed on your machine)
+
+The `pre-commit` framework allows you to automatically install different `git-hooks` that will run at every new commit. More precisely, if you use the `.pre-commit-config.yaml` in this repo you will install 3 different hooks:
+
+1. The `clang-format` hook: this is a `pre-commit` git hook that runs `clang-format` on your staged changes.
+2. The `cmake-format` hook: this is a `pre-commit` git hook that runs `cmake-format` on your staged changes.
+3. The `DCO signed-off` hook: this is a `pre-commit-msg` git hook that adds the `DCO` on your commit if not present. This hook is not strictly related to the coding style so we will talk about it in a separate section: [Add DCO signed-off to your commits](#add-dco-signed-off-to-your-commits).
+
+Now let's see what we need to use `pre-commit` framework.
+
+##### Step 1
+
+Install `pre-commit` framework following the [official documentation](https://pre-commit.com/#installation).
+
+> __Please note__: you have to follow only the "Installation" section.
+
+##### Step 2
+
+Once you have installed `pre-commit`, you don't need to install anything else! This is the good point of using a framework like `pre-commit`, all the tools necessary to format your code will be directly managed by the framework. But in order to be ready, you need to install the git hooks in your local repo.
+
+This simple command allows you to install the two `pre-commit` git hooks, `clang-format` and `cmake-format`.
+
+```bash
+pre-commit install --install-hooks --hook-type pre-commit --overwrite  
+```
+
+If you want to install also the `pre-commit-msg` git hook for the DCO you have to type the following command, but be sure to have configured all you need as said in the [dedicated section]((#add-dco-signed-off-to-your-commits))
+
+```bash
+pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite 
+```
+
+You have done, at every new commit, this hook will check that your patch respects the coding style of this repo!
+
+If you want to detach the git hooks, you can simply type:
+
+```bash
+pre-commit uninstall --hook-type prepare-commit-msg
+pre-commit uninstall --hook-type pre-commit 
+```
+
+#### 2.Makefile
+
+##### Step 1
+
+In order to use the repo `Makefile`, you need to install on your local machine the two aforementioned tools:
+
+__clang-format v18.1.8__
+
+One of the easiest ways to install `clang-format` could be directly downloading its static binary from [here](https://github.com/muttleyxd/clang-tools-static-binaries).
+There are other ways for example you can download the package for your distro or you can also build it from sources.
+
+__cmake-format v0.6.13__
+
+To install `cmake-format` you can follow the official documentation [here](https://cmake-format.readthedocs.io/en/latest/installation.html).
+
+> __NOTE__: Please check the versions of the two tool with `clang-format --version` and `cmake-format --version`.
+
+##### Step 2
+
+Once you have installed the __right__ versions of the 2 tools, you can simply type `make format-all` from the root directory of the project (`/libs`) to format all your code according to the coding style.
+
+Remember to do that before submitting a new patch upstream! 😁
+
+#### Other solutions
+
+Obviously, you can also install the 2 tools locally and enable some extension of your favorite IDE (like `VScode`) to format your code every time you save your files!
+
+## Add DCO signed-off to your commits 🔏
+
+### Introduction
+
+Another requirement for contributing to the `libs` repository, is applying the [DCO](https://cert-manager.io/docs/contributing/sign-off/) to every commit you want to push upstream.
+Before doing this you have to configure your git user `name` and `email` if you haven't already done it. To check your actual `name` and `email` type:
+
+```bash
+git config --get user.name
+git config --get user.email
+```
+
+If they are correct you have done, otherwise, you have to set them:
+
+```bash
+git config user.name <full-name>
+git config user.email <mail-used_with-GitHub-profile>
+```
+
+>__Please note__: If you have problems in doing this you can read the full documentation [here](https://docs.github.com/en/get-started/getting-started-with-git/setting-your-username-in-git).
+
+### Enforce the DCO locally
+
+Now you are ready to sign your commits! You have two main ways to do this:
+
+1. Manually with `git` tool.
+2. Use the `pre-commit-msg` hook quoted before.
+
+### Manually
+
+To do this you just need to remember the `-s` while performing your commits:
+
+```bash
+git commit -s
+```
+
+or with the inline message:
+
+```bash
+git commit -s -m "my first commit"
+```
+
+### Use `pre-commit` hook
+
+Here if you have already added the hook in the [previous section](#step-2), you have to do nothing otherwise you have to simply install the DCO hook with:
+
+```bash
+pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite 
+```
+
+And you have done! Now you don't have to remember the `-s` option every time you commit something, the DCO hook will automatically add the DCO if you forget it! 😄
+
+## Some best practices 📏
+
+### Class variables
+
+To know whether a variable belongs to a `class` or a `function`, we start member variables with `m_`.
+
+Example:
+
+```c
+    public int32_t m_counter;
+```
+
+### Global variables
+
+To know whether the variable is global or not, we start globals with `g_`.
+
+Example:
+
+```c
+    int g_nplugins;
+```
+
+### Capitalization
+
+The naming convention is camel-cased "Unix" style, i.e. always lower case. Words are separated by underscores.
+
+Example:
+
+```c
+    int32_t g_global_bean_counter;
+    int32_t count_beans();
+```
+
+and not,
+
+```c
+    int32_t GlobalBeanCounter;
+    int32_t CountBeans();
+```
+
+### Packed Structures
+
+Packed structures should use the GCC and MSVC-style supported `pragma`:
+
+Example:
+
+```c
+    #pragma pack(push,1)
+    struct frame_control
+    {
+        struct fields....
+    };
+    #pragma pack(pop)
+```
+
+### 64-bit constants
+
+Put an `LL` at the end of your `64-bit` constants. Without the `LL`, some platform compilers try to interpret the constant on the right-hand side as a `long integer` instead of a `long long` and this could lead to an error at building time.
+
+Example:
+
+```c
+    x=0X00FF00000000000LL
+```
--- a/81
+++ b/81
@ -0,0 +1,81 @@
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# mofidy the following variables to match your paths
+CLANG_FORMAT_EXE ?= clang-format
+CLANG_FORMAT_VERSION = "$(shell ${CLANG_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
+CLANG_FORMAT_DESIRED_VERSION ="18.1.8"
+
+CMAKE_FORMAT_EXE ?= cmake-format
+CMAKE_FORMAT_VERSION = "$(shell ${CMAKE_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
+CMAKE_FORMAT_DESIRED_VERSION = "0.6.13"
+
+PROJECT_ROOT_DIR = $(shell git rev-parse --show-toplevel)
+
+######################
+#    Clang-format    #
+######################
+.PHONY: clang-format-install
+clang-format-install:
+ifeq (, $(shell ${CLANG_FORMAT_EXE} --version))
+	@echo "${CLANG_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
+	@exit 1
+endif
+
+ifneq ($(CLANG_FORMAT_VERSION), $(CLANG_FORMAT_DESIRED_VERSION))
+	@echo "${CLANG_FORMAT_EXE} version is not '${CLANG_FORMAT_DESIRED_VERSION}'. Actual version is '${CLANG_FORMAT_VERSION}'"
+	@exit 1
+endif
+
+.PHONY: format-clang
+format-clang: clang-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -i
+
+.PHONY: check-clang
+check-clang: clang-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -n
+
+######################
+#    Cmake-format    #
+######################
+.PHONY: cmake-format-install
+cmake-format-install:
+ifeq (, $(shell ${CMAKE_FORMAT_EXE} --version))
+	@echo "${CMAKE_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
+	@exit 1
+endif
+
+ifneq ($(CMAKE_FORMAT_VERSION), $(CMAKE_FORMAT_DESIRED_VERSION))
+	@echo "${CMAKE_FORMAT_EXE} version is not '${CMAKE_FORMAT_DESIRED_VERSION}'. Actual version is '${CMAKE_FORMAT_VERSION}'"
+	@exit 1
+endif
+
+.PHONY: format-cmake
+format-cmake: cmake-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json -i
+
+.PHONY: check-cmake
+check-cmake: cmake-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json --check
+
+# Add new formatters here...
+
+.PHONY: format-all
+format-all: format-clang format-cmake
+
+.PHONY: check-all
+check-all: check-clang check-cmake
+
--- a/3
+++ b/3
@ -7,10 +7,11 @@ approvers:
  - molter73
  - lucaguerra
  - jasondellaluce
-  - incertum
+  - ekoops
 reviewers:
  - hbrueckner
 emeritus_approvers:
  - fntlnz
  - leodido
  - ldegio
+  - incertum
--- a/README.md
+++ b/README.md
@ -11,7 +11,7 @@ This repository contains **libsinsp**, **libscap**, the **kernel module** and th

 These components are at the foundation of [Falco](https://github.com/falcosecurity/falco) and other projects that work with the same kind of data.

-This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to the [official documentation](https://falco.org/docs/).
+This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to Falco's [official documentation](https://falco.org/docs/).

 An image is worth a thousand words, they say:

@ -104,13 +104,13 @@ If you are building this project outside of a Git working directory, or if you w
 <details>
 	<summary>Expand Build Instructions</summary>

-For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in the [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
+For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in Falco's [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.

 The project utilizes the `cmake` build system, and the key `make` targets are as follows: 

 * `driver` -> build the kmod
-* `bpf` -> build the eBPF probe
-* `scap` -> build libscap (`modern_bpf` driver will be bundled into `scap` if enabled)
+* `bpf` -> build the legacy `ebpf` probe
+* `scap` -> build libscap (`modern_ebpf` driver will be bundled into `scap` if enabled)
 * `sinsp` -> build libsinsp (depends upon `scap` target)
 * `scap-open` -> build a small example binary for `libscap` to test the drivers (dependent on `scap`)
 * `sinsp-example` -> build a small example binary for `libsinsp` to test the drivers and/or `libsinsp` functionality (dependent on `scap` and `sinsp`)
@ -135,7 +135,7 @@ make sinsp

 ### Build userspace using system deps

-To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to the [official documentation](https://falco.org/docs/install-operate/source/).
+To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to Falco's [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 cmake -DUSE_BUNDLED_DEPS=OFF ../;
@ -146,29 +146,27 @@ make sinsp

 ### Build driver - kmod

-To build the kmod driver, you need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
+To build the kmod driver, you need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 make driver
-# Verify the kmod object code was created, uses `.ko` extension.
+# Verify the kmod binary object file was created, uses `.ko` extension.
 ls -l driver/src/scap.ko;
 ```

 ### Build driver - eBPF probe

-To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
+To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 cmake -DBUILD_BPF=ON ../;
 make bpf
-# Verify the eBPF object code was created, uses `.o` extension.
+# Verify the eBPF bytecode file was created, uses `.o` extension.
 ls -l driver/bpf/probe.o;
 ```

 >__WARNING__: **clang-7** is the oldest supported version to build our BPF probe.

-Initial guidance for CI and building within containers: To build either the kmod or eBPF probe in a container, you will need to make the extracted kernel headers available. The [test/vm](test/vm/) directory contains example [scripts](test/vm/scripts/compile_drivers.sh) demonstrating how to pass them to the `make` command using the argument `KERNELDIR=${EXTRACTED_KERNEL_HEADERS_DIR}`. You can also use the [falcosecurity/driverkit](https://github.com/falcosecurity/driverkit) or explore the scripts within the driverkit repository. The mentioned resources also provide candidate builder containers.
-
 ### Build driver - modern eBPF probe

 To build the modern eBPF probe, further prerequisites are necessary:
@ -193,13 +191,13 @@ To build the modern eBPF probe, further prerequisites are necessary:

 > __NOTE:__ These are not the requirements to use the modern BPF probe, but rather for building it from source.

-Regarding the previously discussed bpf drivers, they create a kernel-specific object code (`driver/bpf/probe.o`) for your machine's kernel release (`uname -r`). This object code is then used as an argument for testing with `scap-open` and `sinsp-example` binaries.
+Regarding the previously discussed legacy eBPF driver, it generates kernel-specific bytecode (`driver/bpf/probe.o`) tailored to your machine's kernel release (`uname -r`). The location of the bytecode file can then be passed as an argument for testing with the `scap-open` and `sinsp-example` binaries.

-However, the modern BPF driver operates differently. It doesn't require kernel headers, and its build isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8.
+However, the modern eBPF driver build process doesn't require kernel headers, and it isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern eBPF driver.

-To comprehend how the driver understands kernel data structures without knowledge of the kernel it runs on, there's no black magic involved. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file in our project containing all necessary kernel data structure definitions. Additionally, we sometimes rely on macros or functions typically found in system header files, which we redefine in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h).
+CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8. The way the driver interprets kernel data structures without direct knowledge of the running kernel is not magic — it leverages predefined type information and BTF-based relocations. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file containing essential kernel data structure definitions, allowing the eBPF program to reference fields dynamically. Additionally, for cases where macros or functions from system headers are required, we redefine them in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h). Combined with CO-RE (Compile Once, Run Everywhere), this enables the driver to remain portable across different kernel versions.
 
-That being said, the modern BPF driver still produces an object file, which you can create using the target below. Nevertheless, we ultimately include it in `scap` regardless. Hence, when modern BPF is enabled, building `scap` will already cover this step for you.
+The modern eBPF driver build process produces an eBPF header skeleton file using `bpftool`. The skeleton file is a C header file that embeds the compiled eBPF program as bytecode.

 ```bash
 cmake \
@ -207,13 +205,15 @@ cmake \
 -DBUILD_LIBSCAP_MODERN_BPF=ON ../;

 make ProbeSkeleton
-# Verify the modern eBPF object code / final composed header file including all `.o` modern_bpf files was created, uses `.h` extension.
+# Verify the modern eBPF bytecode / final composed header file including all `.o` modern_ebpf files was created, uses `.h` extension.
 ls -l skel_dir/bpf_probe.skel.h;
 # Now includes skel_dir/bpf_probe.skel.h in `scap` during the linking process.
 make scap
 ```

-Initial guidance for CI and building within containers: The Falco Project, for instance, compiles the final Falco userspace binary within older centos7 [falco-builder](https://falco.org/docs/install-operate/source/#build-using-falco-builder-container) containers with bundled dependencies. This ensures compatibility across supported systems, mainly due to GLIBC versions and other intricacies. However, you won't be able to compile the modern BPF driver on such old systems or builder containers. One solution is to build `skel_dir/bpf_probe.skel.h` in a more recent builder container. For example, you can refer to this [container](test/vm/containers/ubuntu2310.Dockerfile) as a guide. Subsequently, you can provide the modern BPF header file as an artifact to `scap` during building in an older builder container. As an illustrative example, we use `/tmp/skel-dir` containing the `bpf_probe.skel.h` file.
+Since modern eBPF is included in `scap`, running `make scap` automatically covers the `make ProbeSkeleton` build step.
+
+You can also split the build process and specify the directory containing the `bpf_probe.skel.h` file.

 ```bash
 cmake \
@ -243,7 +243,7 @@ This repository includes convenient test example binaries for both `scap` and `s

 When developing new features, you would run either one depending on what you're working on, in order to test and validate your changes.

-> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern BPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
+> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern eBPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.

 Here's an example of a `cmake` command that will enable everything you need for all tests and components. By default, the following flags are disabled, with the exception of `USE_BUNDLED_DEPS` and `CREATE_TEST_TARGETS` (they are enabled by default).

@ -259,8 +259,7 @@ cmake \
 -DCREATE_TEST_TARGETS=ON \
 -DENABLE_LIBSCAP_TESTS=ON \
 -DENABLE_DRIVERS_TESTS=ON \
-DENABLE_LIBSINSP_E2E_TESTS=ON \
-DENABLE_VM_TESTS=ON ../;
+-DENABLE_LIBSINSP_E2E_TESTS=ON ../;
 ```

 > __NOTE:__ The `ENABLE_LIBSINSP_E2E_TESTS` flag enables the new e2e tests for libsinsp. Please keep in mind these tests are currently in heavy development and need some extra steps (see in the section below) to run correctly.
@ -302,9 +301,10 @@ sudo ./test/drivers/drivers_test -m;
 The tests mentioned below expand beyond the scope of "unit tests". In this context as well, we are dedicated to making sure they run smoothly on your `localhost` for pre-PR testing, to the best of our ability:

 - [test/e2e](test/e2e) - enforced by our CI
- [test/vm](test/vm) - our CI includes comparable tests, but it employs a distinct framework. For current status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).

-As mentioned earlier, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
+For current status reports on the CI powered Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
+
+In general, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.

 ### [EXPERIMENTAL] Run libsinsp e2e tests

--- a/benchmark/CMakeLists.txt
+++ b/benchmark/CMakeLists.txt
@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+message(STATUS "Benchmarks enabled")
+
+include(googleBenchmark)
+
+set(BENCHMARK_SOURCES ./main.cpp)
+set(BENCHMARK_DEPENDENCIES sinsp)
+set(BENCHMARK_LIBRARIES benchmark::benchmark sinsp)
+set(BENCHMARK_INCLUDE PRIVATE "${LIBSINSP_INCLUDE_DIRS}")
+
+file(GLOB_RECURSE SINSP_SUITE "${CMAKE_CURRENT_SOURCE_DIR}/libsinsp/*.cpp")
+list(APPEND BENCHMARK_SOURCES ${SINSP_SUITE})
+
+add_compile_options(${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS})
+add_link_options(${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS})
+add_executable(bench ${BENCHMARK_SOURCES})
+target_link_libraries(bench ${BENCHMARK_LIBRARIES})
+target_include_directories(bench ${BENCHMARK_INCLUDE})
+add_dependencies(bench ${BENCHMARK_DEPENDENCIES})
--- a/benchmark/README.md
+++ b/benchmark/README.md
@ -0,0 +1,14 @@
+# Benchmarks
+
+## Build
+
+```bash
+cmake -DENABLE_BENCHMARKS=ON ..
+make bench
+```
+
+## Run
+
+```bash
+sudo ./benchmark/bench
+```
--- a/benchmark/libsinsp/utils.cpp
+++ b/benchmark/libsinsp/utils.cpp
@ -0,0 +1,55 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include <libsinsp/utils.h>
+#include <benchmark/benchmark.h>
+
+static void BM_sinsp_split(benchmark::State& state) {
+	for(auto _ : state) {
+		std::string str = "hello,world,";
+		benchmark::DoNotOptimize(sinsp_split(str, ','));
+	}
+}
+BENCHMARK(BM_sinsp_split);
+
+static void BM_sinsp_concatenate_paths_relative_path(benchmark::State& state) {
+	for(auto _ : state) {
+		std::string path1 = "/tmp/";
+		std::string path2 = "foo/bar";
+		benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
+	}
+}
+BENCHMARK(BM_sinsp_concatenate_paths_relative_path);
+
+static void BM_sinsp_concatenate_paths_empty_path(benchmark::State& state) {
+	for(auto _ : state) {
+		std::string path1 = "/tmp/";
+		std::string path2 = "";
+		benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
+	}
+}
+BENCHMARK(BM_sinsp_concatenate_paths_empty_path);
+
+static void BM_sinsp_concatenate_paths_absolute_path(benchmark::State& state) {
+	for(auto _ : state) {
+		std::string path1 = "/tmp/";
+		std::string path2 = "/foo/bar";
+		benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
+	}
+}
+BENCHMARK(BM_sinsp_concatenate_paths_absolute_path);
--- a/benchmark/main.cpp
+++ b/benchmark/main.cpp
@ -0,0 +1,21 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include <benchmark/benchmark.h>
+
+BENCHMARK_MAIN();
--- a/cmake/modules/BuildPkgConfigDependencies.cmake
+++ b/cmake/modules/BuildPkgConfigDependencies.cmake
@ -0,0 +1,138 @@
+# Get all dependencies for ${lib} and add them to ${LIBDIRS_VAR} and ${LIBS_VAR}. Ignore any
+# dependencies in the list ${ignored} to: - avoid infinite recursion - avoid libscap dependencies in
+# libsinsp.pc (which requires libscap.pc and pulls them in that way)
+function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
+
+	message(DEBUG "[add_pkgconfig_library] processing lib \"${lib}\"")
+	# if it's not a target, it doesn't have dependencies we know or care about
+	if(NOT TARGET ${lib})
+		return()
+	endif()
+
+	# get the libraries that ${lib} links to
+	get_target_property(PKGCONFIG_LIBRARIES ${lib} LINK_LIBRARIES)
+	if("${PKGCONFIG_LIBRARIES}" STREQUAL "PKGCONFIG_LIBRARIES-NOTFOUND")
+		return()
+	endif()
+
+	message(DEBUG "[add_pkgconfig_library] LINK_LIBRARIES property: \"${PKGCONFIG_LIBRARIES}\"")
+
+	get_property(
+		target_type
+		TARGET ${lib}
+		PROPERTY TYPE
+	)
+	message(DEBUG "[add_pkgconfig_library] ignored list: \"${ignored}\"")
+	foreach(dep ${PKGCONFIG_LIBRARIES})
+		# XXX: We use a (very) loose match as we are potentially comparing absolute library file
+		# names (dep) to pkg-config library names to be ignored.  The only alternative I can think
+		# of would be to maintain a map associating pkg-config names to their library file name.
+		get_filename_component(dep_base ${dep} NAME_WE)
+		string(REGEX REPLACE "^lib" "" dep_name ${dep_base})
+		# For CMake imported targets, keep only the suffix, e.g. gRPC::grpc -> grpc.
+		string(REGEX REPLACE "[^:]*::" "" dep_name ${dep_base})
+		message(DEBUG "[add_pkgconfig_library] processing dep ${dep}")
+		string(FIND "${ignored}" "${dep_name}" find_result)
+		if(NOT ${find_result} EQUAL -1)
+			message(DEBUG "[add_pkgconfig_library] \"${dep}\" ignored")
+			continue()
+		endif()
+
+		if(${target_type} STREQUAL "SHARED_LIBRARY")
+			# for shared libraries, do not add static libraries as dependencies
+			if(TARGET ${dep})
+				# skip static libraries which are CMake targets
+				get_property(
+					dep_target_type
+					TARGET ${dep}
+					PROPERTY TYPE
+				)
+				if(NOT ${dep_target_type} STREQUAL "SHARED_LIBRARY")
+					continue()
+				endif()
+			else()
+				# skip static libraries which are just file paths
+				get_filename_component(ext ${dep} LAST_EXT)
+				if("${ext}" STREQUAL "${CMAKE_STATIC_LIBRARY_SUFFIX}")
+					continue()
+				endif()
+			endif()
+		elseif(${target_type} STREQUAL "STATIC_LIBRARY")
+			# for static libraries which are not CMake targets, redirect them to
+			# ${libdir}/${LIBS_PACKAGE_NAME} note that ${libdir} is not a CMake variable, but a
+			# pkgconfig variable, so we quote it and end up with a literal ${libdir} in the
+			# pkgconfig file
+			if(NOT TARGET ${dep})
+				get_filename_component(filename ${dep} NAME)
+				set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
+			else()
+				get_property(
+					dep_target_type
+					TARGET ${dep}
+					PROPERTY TYPE
+				)
+				if(${dep_target_type} STREQUAL "OBJECT_LIBRARY")
+					# skip object libraries
+					continue()
+				endif()
+
+				# if the library is imported, use the IMPORTED_LOCATION instead
+				get_property(
+					dep_imported_location
+					TARGET ${dep}
+					PROPERTY IMPORTED_LOCATION
+				)
+				if(NOT ${dep_imported_location} STREQUAL "")
+					get_filename_component(filename ${dep_imported_location} NAME)
+					set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
+				endif()
+			endif()
+		endif()
+
+		add_pkgconfig_dependency(${LIBDIRS_VAR} ${LIBS_VAR} ${dep} "${ignored}")
+	endforeach()
+
+	# Remove duplicate search paths. We cannot remove duplicates from ${LIBS_VAR} because the order
+	# of libraries is important.
+	list(REMOVE_DUPLICATES ${LIBDIRS_VAR})
+
+	set(${LIBS_VAR}
+		${${LIBS_VAR}}
+		PARENT_SCOPE
+	)
+	set(${LIBDIRS_VAR}
+		${${LIBDIRS_VAR}}
+		PARENT_SCOPE
+	)
+endfunction()
+
+function(add_pkgconfig_dependency LIBDIRS_VAR LIBS_VAR lib ignored)
+	if(${lib} IN_LIST ignored)
+		# already processed, avoid infinite recursion
+	elseif(${lib} MATCHES "^-")
+		# We have a flag. Pass it through unchanged.
+		list(APPEND ${LIBS_VAR} ${lib})
+	elseif(${lib} MATCHES "/")
+		# We have a path. Convert it to -L<dir> + -l<lib>.
+		get_filename_component(lib_dir ${lib} DIRECTORY)
+		list(APPEND ${LIBDIRS_VAR} -L${lib_dir})
+		get_filename_component(lib_base ${lib} NAME_WE)
+		string(REGEX REPLACE "^lib" "" lib_base ${lib_base})
+		list(APPEND ${LIBS_VAR} -l${lib_base})
+	else()
+		# Assume we have a plain library name. Prefix it with "-l". Then recurse into its
+		# dependencies but ignore the library itself, so we don't end up in an infinite loop with
+		# cyclic dependencies
+		list(APPEND ${LIBS_VAR} -l${lib})
+		list(APPEND ignored ${lib})
+		add_pkgconfig_library(${LIBDIRS_VAR} ${LIBS_VAR} ${lib} "${ignored}")
+	endif()
+	set(${LIBS_VAR}
+		${${LIBS_VAR}}
+		PARENT_SCOPE
+	)
+	set(${LIBDIRS_VAR}
+		${${LIBDIRS_VAR}}
+		PARENT_SCOPE
+	)
+endfunction()
--- a/cmake/modules/CompilerFlags.cmake
+++ b/cmake/modules/CompilerFlags.cmake
@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags")
@ -32,49 +33,78 @@ if(NOT MSVC)
 	set(FALCOSECURITY_LIBS_COMMON_FLAGS "-Wall -ggdb")
 	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "-Og -D_DEBUG")
 	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "-O3 -fno-strict-aliasing -DNDEBUG")
-
-	if(MINIMAL_BUILD)
-	  set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -DMINIMAL_BUILD")
-	endif()
-
 	if(MUSL_OPTIMIZED_BUILD)
 		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -static -Os")
 	endif()

 	if(BUILD_WARNINGS_AS_ERRORS)
 		set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
-		set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation")
-		if (CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
-			# Clang needs these for suppressing these warnings:
-			#   - C++20 array designators used with C++17
-			#   - C99 array designators used in C++
-			#   - avoid complaining about the option above `-Wno-format-truncation`
-			set(CMAKE_SUPPRESSED_WARNINGS "${CMAKE_SUPPRESSED_WARNINGS} -Wno-c++20-designator -Wno-c99-designator -Wno-unknown-warning-option")
+		set(CMAKE_SUPPRESSED_WARNINGS
+			"-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation -Wno-deprecated-declarations"
+		)
+		if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
+			# Clang needs these for suppressing these warnings: - C++20 array designators used with
+			# C++17 - C99 array designators used in C++ - avoid complaining about the option above
+			# `-Wno-format-truncation`
+			set(CMAKE_SUPPRESSED_WARNINGS
+				"${CMAKE_SUPPRESSED_WARNINGS} -Wno-c++20-designator -Wno-c99-designator -Wno-unknown-warning-option"
+			)
 		endif()
-		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -Werror -Wextra ${CMAKE_SUPPRESSED_WARNINGS}")
+		set(FALCOSECURITY_LIBS_COMMON_FLAGS
+			"${FALCOSECURITY_LIBS_COMMON_FLAGS} -Werror -Wextra ${CMAKE_SUPPRESSED_WARNINGS}"
+		)
 	endif()

 	if(USE_ASAN)
-		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=address")
-		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=address;-lpthread")
+		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=address"
+		)
+		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=address;-lpthread"
+		)
 	endif()

 	if(USE_UBSAN)
-		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=undefined")
-		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=undefined")
+		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=undefined"
+		)
+		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=undefined"
+		)
 		if(UBSAN_HALT_ON_ERROR)
-			set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fno-sanitize-recover=undefined")
+			set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+				"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fno-sanitize-recover=undefined"
+			)
 		endif()
 	endif()

+	if(USE_TSAN)
+		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=thread"
+		)
+		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=thread"
+		)
+	endif()
+
 	if(ENABLE_COVERAGE)
-		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};--coverage")
-		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};--coverage")
+		set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};--coverage"
+		)
+		set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
+			"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};--coverage"
+		)
+	endif()
+
+	if(ENABLE_THREAD_POOL)
+		set(FALCOSECURITY_LIBS_COMMON_FLAGS
+			"${FALCOSECURITY_LIBS_COMMON_FLAGS} -DENABLE_THREAD_POOL"
+		)
 	endif()

 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${FALCOSECURITY_LIBS_COMMON_FLAGS}")
-	# we need also `-std=c++17` here beacuse `set(CMAKE_CXX_STANDARD 17)` is not enough to enforce c++17
-	# with some Cmake versions: https://github.com/falcosecurity/libs/pull/950
+	# we need also `-std=c++17` here beacuse `set(CMAKE_CXX_STANDARD 17)` is not enough to enforce
+	# c++17 with some Cmake versions: https://github.com/falcosecurity/libs/pull/950
 	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${FALCOSECURITY_LIBS_COMMON_FLAGS} -std=c++17")

 	set(CMAKE_C_FLAGS_DEBUG "${FALCOSECURITY_LIBS_DEBUG_FLAGS}")
@ -86,9 +116,9 @@ if(NOT MSVC)
 	add_definitions(-D__STDC_FORMAT_MACROS)

 else() # MSVC
-	set(MINIMAL_BUILD ON)
-
-	set(FALCOSECURITY_LIBS_COMMON_FLAGS "-D_CRT_SECURE_NO_WARNINGS -DWIN32 -DMINIMAL_BUILD /EHsc /W3 /Zi /std:c++17")
+	set(FALCOSECURITY_LIBS_COMMON_FLAGS
+		"-D_CRT_SECURE_NO_WARNINGS -DWIN32 /EHsc /W3 /Zi /std:c++17"
+	)
 	if(CMAKE_VERSION VERSION_LESS 3.15.0)
 		set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
 		set(FALCOSECURITY_LIBS_RELEASE_FLAGS "/MT")
@ -106,8 +136,9 @@ else() # MSVC
 	set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
 	set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")

+	# "_DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR" enables a workaround for windows GH runner issue, see
+	# https://github.com/actions/runner-images/issues/10004 Also, define NOMINMAX globally.
 	add_compile_definitions(
-		_HAS_STD_BYTE=0
-		WIN32_LEAN_AND_MEAN
+		_HAS_STD_BYTE=0 WIN32_LEAN_AND_MEAN _DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR NOMINMAX
 	)
 endif()
--- a/cmake/modules/FindMakedev.cmake
+++ b/cmake/modules/FindMakedev.cmake
@ -2,43 +2,33 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-# This module is used to understand where the makedev function
-# is defined in the glibc in use.
-# see 'man 3 makedev'
-# Usage:
-#  In your CMakeLists.txt
-#    include(FindMakedev)
+# This module is used to understand where the makedev function is defined in the glibc in use. see
+# 'man 3 makedev' Usage: In your CMakeLists.txt include(FindMakedev)
 #
-#  In your source code:
+# In your source code:
 #
-#    #if HAVE_SYS_MKDEV_H
-#    #include <sys/mkdev.h>
-#    #endif
-#    #ifdef HAVE_SYS_SYSMACROS_H
-#    #include <sys/sysmacros.h>
-#    #endif
+# #if HAVE_SYS_MKDEV_H #include <sys/mkdev.h> #endif #ifdef HAVE_SYS_SYSMACROS_H #include
+# <sys/sysmacros.h> #endif
 #
 include(${CMAKE_ROOT}/Modules/CheckIncludeFile.cmake)

 check_include_file("sys/mkdev.h" HAVE_SYS_MKDEV_H)
 check_include_file("sys/sysmacros.h" HAVE_SYS_SYSMACROS_H)

-if (HAVE_SYS_MKDEV_H)
-    add_definitions(-DHAVE_SYS_MKDEV_H)
+if(HAVE_SYS_MKDEV_H)
+	add_definitions(-DHAVE_SYS_MKDEV_H)
 endif()
-if (HAVE_SYS_SYSMACROS_H)
-    add_definitions(-DHAVE_SYS_SYSMACROS_H)
+if(HAVE_SYS_SYSMACROS_H)
+	add_definitions(-DHAVE_SYS_SYSMACROS_H)
 endif()
--- a/cmake/modules/Findbs_threadpool.cmake
+++ b/cmake/modules/Findbs_threadpool.cmake
@ -0,0 +1,29 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+find_path(BS_THREADPOOL_INCLUDE NAMES BS_thread_pool.hpp)
+
+if(BS_THREADPOOL_INCLUDE)
+	if(NOT bs_threadpool_FIND_QUIETLY)
+		message(STATUS "Found bs_threadpool: include: ${BS_THREADPOOL_INCLUDE}.")
+	endif()
+else()
+	if(bs_threadpool_FIND_REQUIRED)
+		message(FATAL_ERROR "Required component bs_threadpool missing.")
+	endif()
+	if(NOT bs_threadpool_FIND_QUIETLY)
+		message(WARNING "bs_threadpool not found.")
+	endif()
+endif()
--- a/cmake/modules/Findvalijson.cmake
+++ b/cmake/modules/Findvalijson.cmake
@ -2,35 +2,32 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-# This module is used to find where the valijson headers are installed
-# on the system. This is required up to v0.6, since package config
-# files are not provided. This is fixed in master though, and this
-# file shall be automatically ignored for later versions.
+# This module is used to find where the valijson headers are installed on the system. This is
+# required up to v0.6, since package config files are not provided. This is fixed in master though,
+# and this file shall be automatically ignored for later versions.

 find_path(VALIJSON_INCLUDE NAMES valijson/validator.hpp validator.hpp)

-if (VALIJSON_INCLUDE)
-    if (NOT valijson_FIND_QUIETLY)
-        message(STATUS "Found valijson: include: ${VALIJSON_INCLUDE}.")
-    endif()
+if(VALIJSON_INCLUDE)
+	if(NOT valijson_FIND_QUIETLY)
+		message(STATUS "Found valijson: include: ${VALIJSON_INCLUDE}.")
+	endif()
 else()
-    if (valijson_FIND_REQUIRED)
-        message(FATAL_ERROR "Required component valijson missing.")
-    endif()
-    if (NOT valijson_FIND_QUIETLY)
-        message(WARNING "Valijson not found.")
-    endif()
+	if(valijson_FIND_REQUIRED)
+		message(FATAL_ERROR "Required component valijson missing.")
+	endif()
+	if(NOT valijson_FIND_QUIETLY)
+		message(WARNING "Valijson not found.")
+	endif()
 endif()
--- a/cmake/modules/GetVersionFromGit.cmake
+++ b/cmake/modules/GetVersionFromGit.cmake
@ -2,191 +2,225 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 if(_falcosecurity_get_version_from_git)
-    return()
+	return()
 endif()

 set(_falcosecurity_get_version_from_git TRUE)

 if(NOT FALCOSECURITY_RELEASE_BRANCH_REGEX)
-    set(FALCOSECURITY_RELEASE_BRANCH_REGEX "^release/")
+	set(FALCOSECURITY_RELEASE_BRANCH_REGEX "^release/")
 endif()

 function(_falcosecurity_execute_git _out)
-    if(NOT GIT_FOUND)
-        find_package(Git QUIET)
-    endif()
+	if(NOT GIT_FOUND)
+		find_package(Git QUIET)
+	endif()

-    execute_process(COMMAND
-        "${GIT_EXECUTABLE}"
-        ${ARGN}
-        WORKING_DIRECTORY
-        "${CMAKE_CURRENT_SOURCE_DIR}"
-        RESULT_VARIABLE
-        res
-        OUTPUT_VARIABLE
-        out
-        ERROR_QUIET
-        OUTPUT_STRIP_TRAILING_WHITESPACE)
+	execute_process(
+		COMMAND "${GIT_EXECUTABLE}" ${ARGN}
+		WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+		RESULT_VARIABLE res
+		OUTPUT_VARIABLE out
+		ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE
+	)

-    if(NOT res EQUAL 0)
-        set(out "")
-    endif()
+	if(NOT res EQUAL 0)
+		set(out "")
+	endif()

-    set(${_out} "${out}" PARENT_SCOPE)
+	set(${_out}
+		"${out}"
+		PARENT_SCOPE
+	)
 endfunction()

 function(_falcosecurity_extract_version version_str x y z found)
-    string(REGEX MATCH "^([0-9]+)\\.([0-9]+)\\.([0-9]+)" match_result ${version_str})
+	string(REGEX MATCH "^([0-9]+)\\.([0-9]+)\\.([0-9]+)" match_result ${version_str})

-    if(match_result)
-        string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\1" x_val ${match_result})
-        string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\2" y_val ${match_result})
-        string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\3" z_val ${match_result})
-        set(${x} ${x_val} PARENT_SCOPE)
-        set(${y} ${y_val} PARENT_SCOPE)
-        set(${z} ${z_val} PARENT_SCOPE)
-        set(${found} TRUE PARENT_SCOPE)
-    else()
-        set(${found} FALSE PARENT_SCOPE)
-    endif()
+	if(match_result)
+		string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\1" x_val ${match_result})
+		string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\2" y_val ${match_result})
+		string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\3" z_val ${match_result})
+		set(${x}
+			${x_val}
+			PARENT_SCOPE
+		)
+		set(${y}
+			${y_val}
+			PARENT_SCOPE
+		)
+		set(${z}
+			${z_val}
+			PARENT_SCOPE
+		)
+		set(${found}
+			TRUE
+			PARENT_SCOPE
+		)
+	else()
+		set(${found}
+			FALSE
+			PARENT_SCOPE
+		)
+	endif()
 endfunction()

 # get_version_from_git() provides a basic implementation of the Falco versioning convention.
 #
-# The primary convention is that all version numbers should be a SemVer2.0-compatible string.
-# The version number for the development build must follow a pre-release version pattern.
-# To accomplish this, we use Git as the primary data source to construct the version number
-# automatically. In this regard, the convention assumes that:
-# any Git tag represents an officially released build,
-# and each Git commit could potentially be a development build.
+# The primary convention is that all version numbers should be a SemVer2.0-compatible string. The
+# version number for the development build must follow a pre-release version pattern. To accomplish
+# this, we use Git as the primary data source to construct the version number automatically. In this
+# regard, the convention assumes that: any Git tag represents an officially released build, and each
+# Git commit could potentially be a development build.
 #
-# With those assumptions, the build system will return a version number based on one of
-# the following cases:
+# With those assumptions, the build system will return a version number based on one of the
+# following cases:
 #
-# - If the current Git checkout points to an exact Git tag,
-# we assume it is an officially released version (either a release or a pre-release).
+# * If the current Git checkout points to an exact Git tag, we assume it is an officially released
+#   version (either a release or a pre-release).
 #
-# - If we are in a release branch (with the suffix `release/`),
-# we assume that each commit (i.e., each development build) represents a potential new patch version.
+# * If we are in a release branch (with the suffix `release/`), we assume that each commit (i.e.,
+#   each development build) represents a potential new patch version.
 #
-# - If we are in any other branch,
-# we assume that each commit (i.e., each development build) represents a potential new minor version.
+# * If we are in any other branch, we assume that each commit (i.e., each development build)
+#   represents a potential new minor version.
 #
-# - In any other case (for example, if there's no git information available),
-# version `0.0.0` will be returned as a fallback.
+# * In any other case (for example, if there's no git information available), version `0.0.0` will
+#   be returned as a fallback.
 #
 # For the officially released versions, we assume the Git tag will carry on the correct information,
 # so we return it as-is.
 #
-# For development versions, the string is built as follows:
-# `<x>.<y>.<z>-<count>+<commit>[suffix]`
-# Where:
-# - `<x>.<y>.<z>` represents the next version number, reflecting either a patch for release branches
-# or a minor version for development branches.
-# - `<count>` is the number of commits ahead from either:
-# - the latest tag on the branch, for release branches; or
-# - the closest common ancestor with the branch holding the latest tagged version,
-# for development branches.
-# - `<commit>` refers to the first 7 digits of the commit hash.
-# - `[suffix]` the value of `match_suffix`, if any.
+# For development versions, the string is built as follows: `<x>.<y>.<z>-<count>+<commit>[suffix]`
+# Where: - `<x>.<y>.<z>` represents the next version number, reflecting either a patch for release
+# branches or a minor version for development branches. - `<count>` is the number of commits ahead
+# from either: - the latest tag on the branch, for release branches; or - the closest common
+# ancestor with the branch holding the latest tagged version, for development branches. - `<commit>`
+# refers to the first 7 digits of the commit hash. - `[suffix]` the value of `match_suffix`, if any.
 # Note: all non-alphanumerics will be converted to hyphens.
 #
-#
 # This function sets the resulting version string to a variable in the parent scope.
 #
-# Arguments:
-# - _var            Variable to store the resulting version string.
-# - match_suffix    Only consider Git references with this suffix.
-# - exclude_suffix  Ignore Git references with this suffix.
+# Arguments: - _var            Variable to store the resulting version string. - match_suffix Only
+# consider Git references with this suffix. - exclude_suffix  Ignore Git references with this
+# suffix.
 function(get_version_from_git _var match_suffix exclude_suffix)
-    # Release version
-    # Try to obtain the exact git tag
-    if(exclude_suffix)
-        _falcosecurity_execute_git(tag describe --tags --exact-match --match "*${match_suffix}" --exclude "*${exclude_suffix}" HEAD)
-    else()
-        _falcosecurity_execute_git(tag describe --tags --exact-match --match "*${match_suffix}" HEAD)
-    endif()
+	# Release version Try to obtain the exact git tag
+	if(exclude_suffix)
+		_falcosecurity_execute_git(
+			tag
+			describe
+			--tags
+			--exact-match
+			--match
+			"*${match_suffix}"
+			--exclude
+			"*${exclude_suffix}"
+			HEAD
+		)
+	else()
+		_falcosecurity_execute_git(
+			tag
+			describe
+			--tags
+			--exact-match
+			--match
+			"*${match_suffix}"
+			HEAD
+		)
+	endif()

-    if(tag)
-        # A tag has been found: use it as the libs version
-        set(${_var}
-            "${tag}"
-            PARENT_SCOPE)
-        return()
-    endif()
+	if(tag)
+		# A tag has been found: use it as the libs version
+		set(${_var}
+			"${tag}"
+			PARENT_SCOPE
+		)
+		return()
+	endif()

-    # Otherwise, we are on a dev version
-    _falcosecurity_execute_git(current_hash rev-parse HEAD)
-    _falcosecurity_execute_git(current_hash_short rev-parse --short=7 HEAD)
-    _falcosecurity_execute_git(current_branch rev-parse --abbrev-ref HEAD)
+	# Otherwise, we are on a dev version
+	_falcosecurity_execute_git(current_hash rev-parse HEAD)
+	_falcosecurity_execute_git(current_hash_short rev-parse --short=7 HEAD)
+	_falcosecurity_execute_git(current_branch rev-parse --abbrev-ref HEAD)

-    set(dev_version "0.0.0")
+	set(dev_version "0.0.0")

-    # dev version / in a `release/M.m.x` branch
-    if(current_branch MATCHES "${FALCOSECURITY_RELEASE_BRANCH_REGEX}")
-        # get the latest tag on the release branch
-        set(_options --match "*.*.*${match_suffix}")
+	# dev version / in a `release/M.m.x` branch
+	if(current_branch MATCHES "${FALCOSECURITY_RELEASE_BRANCH_REGEX}")
+		# get the latest tag on the release branch
+		set(_options --match "*.*.*${match_suffix}")

-        if(exclude_suffix)
-            set(_options ${_options} --exclude "*${exclude_suffix}")
-        endif()
+		if(exclude_suffix)
+			set(_options ${_options} --exclude "*${exclude_suffix}")
+		endif()

-        _falcosecurity_execute_git(tag describe --tags ${_options} --abbrev=0 "${current_branch}")
+		_falcosecurity_execute_git(tag describe --tags ${_options} --abbrev=0 "${current_branch}")

-        if(tag)
-            _falcosecurity_extract_version("${tag}" x y z match_found)
+		if(tag)
+			_falcosecurity_extract_version("${tag}" x y z match_found)

-            if(match_found)
-                math(EXPR z_plus_one "${z} + 1")
-                set(dev_version "${x}.${y}.${z_plus_one}")
-            endif()
-        endif()
-    endif()
+			if(match_found)
+				math(EXPR z_plus_one "${z} + 1")
+				set(dev_version "${x}.${y}.${z_plus_one}")
+			endif()
+		endif()
+	endif()

-    # dev version / all other cases (and fallback)
-    if(dev_version MATCHES "0.0.0")
-        # get the latest tag that exactly matches a version number, sorted by version number in descending order
-        _falcosecurity_execute_git(tag for-each-ref --count=1 --sort=-version:refname --format "%(refname:short)" refs/tags/[0-9]*.[0-9]*.[0-9]${match_suffix})
+	# dev version / all other cases (and fallback)
+	if(dev_version MATCHES "0.0.0")
+		# get the latest tag that exactly matches a version number, sorted by version number in
+		# descending order
+		_falcosecurity_execute_git(
+			tag
+			for-each-ref
+			--count=1
+			--sort=-version:refname
+			--format
+			"%(refname:short)"
+			refs/tags/[0-9]*.[0-9]*.[0-9]${match_suffix}
+		)

-        if(tag)
-            _falcosecurity_extract_version("${tag}" x y z match_found)
+		if(tag)
+			_falcosecurity_extract_version("${tag}" x y z match_found)

-            if(match_found)
-                math(EXPR y_plus_one "${y} + 1")
-                set(dev_version "${x}.${y_plus_one}.0")
-            endif()
-        endif()
-    endif()
+			if(match_found)
+				math(EXPR y_plus_one "${y} + 1")
+				set(dev_version "${x}.${y_plus_one}.0")
+			endif()
+		endif()
+	endif()

-    # complete dev version with count and hash
-    if(NOT dev_version MATCHES "0.0.0")
-        _falcosecurity_execute_git(tag_commit rev-list -n 1 "${tag}")
-        _falcosecurity_execute_git(tag_common_ancestor merge-base "${current_hash}" "${tag_commit}")
-        _falcosecurity_execute_git(commits_count rev-list --count "${tag_common_ancestor}..${current_hash}")
+	# complete dev version with count and hash
+	if(NOT dev_version MATCHES "0.0.0")
+		_falcosecurity_execute_git(tag_commit rev-list -n 1 "${tag}")
+		_falcosecurity_execute_git(tag_common_ancestor merge-base "${current_hash}" "${tag_commit}")
+		_falcosecurity_execute_git(
+			commits_count rev-list --count "${tag_common_ancestor}..${current_hash}"
+		)

-        set(dev_version "${dev_version}-${commits_count}+${current_hash_short}")
+		set(dev_version "${dev_version}-${commits_count}+${current_hash_short}")

-        if(match_suffix)
-            string(REGEX REPLACE "[^0-9A-Za-z-]" "-" suffix "${match_suffix}")
-            set(dev_version "${dev_version}${suffix}")
-        endif()
-    endif()
+		if(match_suffix)
+			string(REGEX REPLACE "[^0-9A-Za-z-]" "-" suffix "${match_suffix}")
+			set(dev_version "${dev_version}${suffix}")
+		endif()
+	endif()

-    set(${_var}
-        "${dev_version}"
-        PARENT_SCOPE)
+	set(${_var}
+		"${dev_version}"
+		PARENT_SCOPE
+	)
 endfunction()
--- a/cmake/modules/bs_threadpool.cmake
+++ b/cmake/modules/bs_threadpool.cmake
@ -0,0 +1,47 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+#
+# bshoshany/thread-pool (https://github.com/bshoshany/thread-pool)
+#
+
+option(USE_BUNDLED_BS_THREADPOOL "Enable building of the bundled bs_threadpool" ${USE_BUNDLED_DEPS})
+
+if(BS_THREADPOOL_INCLUDE)
+	# we already have bs_threadpool
+elseif(NOT USE_BUNDLED_BS_THREADPOOL)
+	find_package(bs_threadpool REQUIRED)
+else()
+	set(BS_THREADPOOL_SRC "${PROJECT_BINARY_DIR}/bs_threadpool-prefix/src/bs_threadpool")
+	set(BS_THREADPOOL_INCLUDE "${BS_THREADPOOL_SRC}/include")
+
+	message(STATUS "Using bundled bs_threadpool in '${BS_THREADPOOL_SRC}'")
+
+	ExternalProject_Add(
+		bs_threadpool
+		PREFIX "${PROJECT_BINARY_DIR}/bs_threadpool-prefix"
+		URL "https://github.com/bshoshany/thread-pool/archive/refs/tags/v4.1.0.tar.gz"
+		URL_HASH "SHA256=be7abecbc420bb87919eeef729b13ff7c29d5ce547bdae284923296c695415bd"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+endif()
+
+if(NOT TARGET bs_threadpool)
+	add_custom_target(bs_threadpool)
+endif()
+
+include_directories("${BS_THREADPOOL_INCLUDE}")
--- a/cmake/modules/cares.cmake
+++ b/cmake/modules/cares.cmake
@ -1,65 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
-
-if(CARES_INCLUDE)
-	# we already have c-ares
-elseif(NOT USE_BUNDLED_CARES)
-	find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
-	find_library(CARES_LIB NAMES cares)
-	if(CARES_INCLUDE AND CARES_LIB)
-		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system c-ares")
-	endif()
-else()
-	if(BUILD_SHARED_LIBS)
-		set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(CARES_CPPFLAGS )
-		set(CARES_STATIC_OPTION )
-	else()
-		set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(CARES_CPPFLAGS -DCARES_STATICLIB)
-		set(CARES_STATIC_OPTION --disable-shared)
-	endif()
-	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
-	set(CARES_INCLUDE "${CARES_SRC}/target/include/")
-	set(CARES_LIB "${CARES_SRC}/target/lib/libcares${CARES_LIB_SUFFIX}")
-	set(CARES_INSTALL_DIR "${CARES_SRC}/target")
-
-	if(NOT TARGET c-ares)
-		message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
-		ExternalProject_Add(c-ares
-			PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
-			URL "https://c-ares.haxx.se/download/c-ares-1.19.1.tar.gz"
-			URL_HASH "SHA256=321700399b72ed0e037d0074c629e7741f6b2ec2dda92956abe3e9671d3e268e"
-			CONFIGURE_COMMAND CPPFLAGS=${CARES_CPPFLAGS} ./configure ${CARES_STATIC_OPTION} --prefix=${CARES_INSTALL_DIR}
-			BUILD_COMMAND make
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
-			INSTALL_COMMAND make install)
-		install(FILES "${CARES_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${CARES_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-	endif()
-
-endif()
-
-if(NOT TARGET c-ares)
-	add_custom_target(c-ares)
-endif()
-
-include_directories("${CARES_INCLUDE}")
--- a/cmake/modules/compute_versions.cmake
+++ b/cmake/modules/compute_versions.cmake
@ -2,38 +2,50 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 # Computes API/SCHEMA major, minor, patch and git commit
 macro(compute_versions api_version_path schema_version_path)
-    
-    # API VERSION
-    file(STRINGS ${api_version_path} DRIVER_API_VERSION LIMIT_COUNT 1)
-    string(REGEX MATCHALL "[0-9]+" DRIVER_API_COMPONENTS "${DRIVER_API_VERSION}")
-    list(GET DRIVER_API_COMPONENTS 0 PPM_API_CURRENT_VERSION_MAJOR)
-    list(GET DRIVER_API_COMPONENTS 1 PPM_API_CURRENT_VERSION_MINOR)
-    list(GET DRIVER_API_COMPONENTS 2 PPM_API_CURRENT_VERSION_PATCH)
-    message(STATUS "Driver API version ${PPM_API_CURRENT_VERSION_MAJOR}.${PPM_API_CURRENT_VERSION_MINOR}.${PPM_API_CURRENT_VERSION_PATCH}")

-    # SCHEMA VERSION
-    file(STRINGS ${schema_version_path} DRIVER_SCHEMA_VERSION LIMIT_COUNT 1)
-    string(REGEX MATCHALL "[0-9]+" DRIVER_SCHEMA_COMPONENTS "${DRIVER_SCHEMA_VERSION}")
-    list(GET DRIVER_SCHEMA_COMPONENTS 0 PPM_SCHEMA_CURRENT_VERSION_MAJOR)
-    list(GET DRIVER_SCHEMA_COMPONENTS 1 PPM_SCHEMA_CURRENT_VERSION_MINOR)
-    list(GET DRIVER_SCHEMA_COMPONENTS 2 PPM_SCHEMA_CURRENT_VERSION_PATCH)
-    message(STATUS "Driver schema version ${PPM_SCHEMA_CURRENT_VERSION_MAJOR}.${PPM_SCHEMA_CURRENT_VERSION_MINOR}.${PPM_SCHEMA_CURRENT_VERSION_PATCH}")
+	# API VERSION
+	file(STRINGS ${api_version_path} DRIVER_API_VERSION LIMIT_COUNT 1)
+	string(REGEX MATCHALL "[0-9]+" DRIVER_API_COMPONENTS "${DRIVER_API_VERSION}")
+	list(GET DRIVER_API_COMPONENTS 0 PPM_API_CURRENT_VERSION_MAJOR)
+	list(GET DRIVER_API_COMPONENTS 1 PPM_API_CURRENT_VERSION_MINOR)
+	list(GET DRIVER_API_COMPONENTS 2 PPM_API_CURRENT_VERSION_PATCH)
+	message(
+		STATUS
+			"Driver API version ${PPM_API_CURRENT_VERSION_MAJOR}.${PPM_API_CURRENT_VERSION_MINOR}.${PPM_API_CURRENT_VERSION_PATCH}"
+	)

-    # GIT COMMIT
-    if(NOT DEFINED GIT_COMMIT)
-        execute_process(COMMAND git rev-parse HEAD OUTPUT_VARIABLE GIT_COMMIT ERROR_QUIET WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
-    endif()
-    string(STRIP "${GIT_COMMIT}" GIT_COMMIT)
+	# SCHEMA VERSION
+	file(STRINGS ${schema_version_path} DRIVER_SCHEMA_VERSION LIMIT_COUNT 1)
+	string(REGEX MATCHALL "[0-9]+" DRIVER_SCHEMA_COMPONENTS "${DRIVER_SCHEMA_VERSION}")
+	list(GET DRIVER_SCHEMA_COMPONENTS 0 PPM_SCHEMA_CURRENT_VERSION_MAJOR)
+	list(GET DRIVER_SCHEMA_COMPONENTS 1 PPM_SCHEMA_CURRENT_VERSION_MINOR)
+	list(GET DRIVER_SCHEMA_COMPONENTS 2 PPM_SCHEMA_CURRENT_VERSION_PATCH)
+	message(
+		STATUS
+			"Driver schema version ${PPM_SCHEMA_CURRENT_VERSION_MAJOR}.${PPM_SCHEMA_CURRENT_VERSION_MINOR}.${PPM_SCHEMA_CURRENT_VERSION_PATCH}"
+	)
+
+	# GIT COMMIT
+	if(NOT DEFINED GIT_COMMIT)
+		execute_process(
+			COMMAND git rev-parse HEAD
+			OUTPUT_VARIABLE GIT_COMMIT
+			ERROR_QUIET
+			WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+		)
+	endif()
+	string(STRIP "${GIT_COMMIT}" GIT_COMMIT)
 endmacro()
--- a/cmake/modules/container_plugin.cmake
+++ b/cmake/modules/container_plugin.cmake
@ -0,0 +1,44 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2025 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+include(ExternalProject)
+
+string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
+
+set(CONTAINER_LIBRARY
+	"${CMAKE_CURRENT_BINARY_DIR}/container_plugin-prefix/src/container_plugin/libcontainer.so"
+)
+
+if(NOT CONTAINER_VERSION)
+	set(CONTAINER_VERSION "0.3.4")
+endif()
+if(NOT CONTAINER_HASH)
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(CONTAINER_HASH "658f96c4b4a56d1bf945a788d60571076f808ae1bcc877c4ba3625b0fd752d8d")
+	else() # arm64
+		set(CONTAINER_HASH "34a153aca0164843a169193aba092a3063b24bca9ef80fd4f1d1f1919aba3bde")
+	endif()
+endif()
+if(NOT TARGET container_plugin)
+	message(STATUS "Fetching container plugin ${CONTAINER_VERSION} in '${CONTAINER_LIBRARY}'")
+	ExternalProject_Add(
+		container_plugin
+		URL "https://download.falco.org/plugins/stable/container-${CONTAINER_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+		URL_HASH "SHA256=${CONTAINER_HASH}"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+endif()
--- a/cmake/modules/curl.cmake
+++ b/cmake/modules/curl.cmake
@ -1,114 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
-
-include(openssl)
-include(zlib)
-
-if(CURL_INCLUDE_DIRS)
-	# we already have curl
-elseif(NOT USE_BUNDLED_CURL)
-	find_package(CURL REQUIRED)
-	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
-else()
-	if(BUILD_SHARED_LIBS)
-		set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(CURL_STATIC_OPTION )
-	else()
-		set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(CURL_STATIC_OPTION --disable-shared)
-	endif()
-	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-	set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
-	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
-
-	if(NOT USE_BUNDLED_OPENSSL)
-		set(CURL_SSL_OPTION "--with-ssl")
-	else()
-		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-		message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
-	endif()
-
-	if(NOT USE_BUNDLED_ZLIB)
-		set(CURL_ZLIB_OPTION "--with-zlib")
-	else()
-		set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
-		message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
-	endif()
-	message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-
-	if(NOT TARGET curl)
-		ExternalProject_Add(
-			curl
-			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
-			DEPENDS openssl zlib
-			URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2"
-			URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76"
-			CONFIGURE_COMMAND
-			./configure
-			${CURL_SSL_OPTION}
-			${CURL_ZLIB_OPTION}
-			${CURL_STATIC_OPTION}
-			--enable-optimize
-			--disable-curldebug
-			--disable-rt
-			--enable-http
-			--disable-ftp
-			--disable-file
-			--disable-ldap
-			--disable-ldaps
-			--disable-rtsp
-			--disable-telnet
-			--disable-tftp
-			--disable-pop3
-			--disable-imap
-			--disable-smb
-			--disable-smtp
-			--disable-gopher
-			--disable-sspi
-			--disable-ntlm-wb
-			--disable-tls-srp
-			--without-winssl
-			--without-polarssl
-			--without-cyassl
-			--without-nss
-			--without-axtls
-			--without-librtmp
-			--without-winidn
-			--without-libidn2
-			--without-libpsl
-			--without-nghttp2
-			--without-libssh2
-			--with-ca-path=/etc/ssl/certs/
-			--disable-threaded-resolver
-			--without-brotli
-			--without-zstd
-			BUILD_COMMAND make
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${CURL_LIBRARIES}
-			INSTALL_COMMAND "")
-		install(FILES "${CURL_LIBRARIES}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps")
-		install(DIRECTORY "${CURL_INCLUDE_DIRS}curl" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-			FILES_MATCHING PATTERN "*.h")
-	endif()
-endif()
-
-if(NOT TARGET curl)
-	add_custom_target(curl)
-endif()
-
-include_directories("${CURL_INCLUDE_DIRS}")
--- a/cmake/modules/engine_config.cmake
+++ b/cmake/modules/engine_config.cmake
@ -23,9 +23,9 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 endif()

 # gVisor is currently only supported on Linux x86_64
-if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux")
 	option(BUILD_LIBSCAP_GVISOR "Build gVisor support" ON)
-	if (BUILD_LIBSCAP_GVISOR)
+	if(BUILD_LIBSCAP_GVISOR)
 		set(HAS_ENGINE_GVISOR On)
 	endif()
 endif()
--- a/cmake/modules/googleBenchmark.cmake
+++ b/cmake/modules/googleBenchmark.cmake
@ -0,0 +1,27 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+# Disable the Google Benchmark requirement on Google Test
+set(BENCHMARK_ENABLE_TESTING OFF)
+
+include(FetchContent)
+
+FetchContent_Declare(
+	googlebenchmark
+	GIT_REPOSITORY https://github.com/google/benchmark.git
+	GIT_TAG v1.9.0
+)
+
+FetchContent_MakeAvailable(googlebenchmark)
--- a/cmake/modules/grpc.cmake
+++ b/cmake/modules/grpc.cmake
@ -1,222 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
-
-if(GRPC_INCLUDE)
-	# we already have grpc
-elseif(NOT USE_BUNDLED_GRPC)
-	# gRPC
-	find_package(gRPC CONFIG)
-	if(gRPC_FOUND)
-		message(STATUS "Using gRPC ${gRPC_VERSION}")
-		set(GPR_LIB gRPC::gpr)
-		set(GRPC_LIB gRPC::grpc)
-		set(GRPCPP_LIB gRPC::grpc++)
-
-		# gRPC C++ plugin
-		get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
-		if(NOT GRPC_CPP_PLUGIN)
-			message(FATAL_ERROR "System grpc_cpp_plugin not found")
-		endif()
-
-		# gRPC include dir + properly handle grpc{++,pp}
-		get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
-		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h PATHS ${GRPC_INCLUDE})
-		if(NOT GRPCXX_INCLUDE)
-			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h PATHS ${GRPC_INCLUDE})
-			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-		endif()
-	else()
-		# Fallback to manually find libraries;
-		# Some distro, namely Ubuntu focal, do not install gRPC config cmake module
-		find_library(GPR_LIB NAMES gpr)
-		if(GPR_LIB)
-			message(STATUS "Found gpr lib: ${GPR_LIB}")
-		else()
-			message(FATAL_ERROR "Couldn't find system gpr")
-		endif()
-		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
-		if(GRPCXX_INCLUDE)
-			set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
-		else()
-			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
-			set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
-			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-		endif()
-		find_library(GRPC_LIB NAMES grpc)
-		find_library(GRPCPP_LIB NAMES grpc++)
-		if(GRPC_INCLUDE AND GRPC_LIB AND GRPCPP_LIB)
-			message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
-		else()
-			message(FATAL_ERROR "Couldn't find system grpc")
-		endif()
-		find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
-		if(NOT GRPC_CPP_PLUGIN)
-			message(FATAL_ERROR "System grpc_cpp_plugin not found")
-		endif()
-	endif()
-else()
-	include(cares)
-	include(protobuf)
-	include(zlib)
-	include(openssl)
-	if(BUILD_SHARED_LIBS)
-		set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
-	else()
-		set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
-	endif()
-	include(re2)
-	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
-	set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
-	set(GRPC_INCLUDE 
-		"${GRPC_INSTALL_DIR}/include"
-		"${GRPC_SRC}/third_party/abseil-cpp")
-	set(GPR_LIB "${GRPC_SRC}/libgpr.a")
-	set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
-	set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
-	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
-	set(GRPC_MAIN_LIBS "")
-	list(APPEND GRPC_MAIN_LIBS
-		"${GPR_LIB}" 
-		"${GRPC_LIB}" 
-		"${GRPCPP_LIB}"
-		"${GRPC_SRC}/libgrpc++_alts.a"
-		"${GRPC_SRC}/libgrpc++_error_details.a"
-		"${GRPC_SRC}/libgrpc++_reflection.a"
-		"${GRPC_SRC}/libgrpc++_unsecure.a"
-		"${GRPC_SRC}/libgrpc_plugin_support.a"
-		"${GRPC_SRC}/libgrpc_unsecure.a"
-		"${GRPC_SRC}/libgrpcpp_channelz.a"
-	)
-
-	get_filename_component(PROTOC_DIR ${PROTOC} PATH)
-
-	if(NOT TARGET grpc)
-		message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
-
-		# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP cmakefiles)
-		# into target_link_libraries later
-		# note: the list below is manually generated starting from the output of pkg-config --libs grpc++
-		set(GRPC_LIBRARIES "")
-		list(APPEND GRPC_LIBRARIES
-			"${GRPC_SRC}/libaddress_sorting.a"
-			"${GRPC_SRC}/libupb.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
-		)
-		
-		ExternalProject_Add(grpc
-			PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
-			DEPENDS openssl protobuf c-ares zlib re2
-			GIT_REPOSITORY https://github.com/grpc/grpc.git
-			GIT_TAG v1.44.0
-			GIT_SUBMODULES "third_party/abseil-cpp"
-			CMAKE_CACHE_ARGS
-				-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
-				-DCMAKE_BUILD_TYPE:STRING=Release
-				-DgRPC_INSTALL:BOOL=OFF
-				# disable unused stuff
-				-DgRPC_BUILD_TESTS:BOOL=OFF
-				-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
-				-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
-				# deps provided by us
-				# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
-				-DgRPC_CARES_PROVIDER:STRING=package
-				-Dc-ares_DIR:PATH=${CARES_SRC}
-				-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
-				-Dc-ares_LIBRARY:PATH=${CARES_LIB}
-				# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
-				-DgRPC_PROTOBUF_PROVIDER:STRING=package
-				-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
-				-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
-				-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
-				-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
-				-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
-				# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
-				-DgRPC_SSL_PROVIDER:STRING=package
-				-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
-				-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
-				# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
-				-DgRPC_ZLIB_PROVIDER:STRING=package
-				-DZLIB_ROOT:STRING=${ZLIB_SRC}
-				# RE2
-				-DgRPC_RE2_PROVIDER:STRING=package
-				-Dre2_DIR:PATH=${RE2_DIR}
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
-			# Keep installation files into the local ${GRPC_INSTALL_DIR} 
-			# since here is the case when we are embedding gRPC
-			UPDATE_COMMAND ""
-			INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
-		)
-		install(FILES ${GRPC_MAIN_LIBS} DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(FILES ${GRPC_LIBRARIES} DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${GRPC_SRC}/target/include/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-	endif()
-endif()
-
-if(NOT TARGET grpc)
-	add_custom_target(grpc)
-endif()
-
-include_directories("${GRPC_INCLUDE}")
--- a/cmake/modules/gtest.cmake
+++ b/cmake/modules/gtest.cmake
@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(USE_BUNDLED_GTEST "Enable building of the bundled gtest" ${USE_BUNDLED_DEPS})
@ -17,41 +18,60 @@ option(USE_BUNDLED_GTEST "Enable building of the bundled gtest" ${USE_BUNDLED_DE
 if(GTEST_INCLUDE_DIR)
 	# we already have gtest
 elseif(NOT USE_BUNDLED_GTEST)
-	find_path(GTEST_INCLUDE_DIR PATH_SUFFIXES gtest NAMES gtest.h)
+	find_path(
+		GTEST_INCLUDE_DIR
+		PATH_SUFFIXES gtest
+		NAMES gtest.h
+	)
 	find_library(GTEST_LIB NAMES gtest)
 	find_library(GTEST_MAIN_LIB NAMES gtest_main)
-	if(GTEST_INCLUDE_DIR AND GTEST_LIB AND GTEST_MAIN_LIB)
-		message(STATUS "Found gtest: include: ${GTEST_INCLUDE_DIR}, lib: ${GTEST_LIB}, main lib: ${GTEST_MAIN_LIB}")
+	if(GTEST_INCLUDE_DIR
+	   AND GTEST_LIB
+	   AND GTEST_MAIN_LIB
+	)
+		message(
+			STATUS
+				"Found gtest: include: ${GTEST_INCLUDE_DIR}, lib: ${GTEST_LIB}, main lib: ${GTEST_MAIN_LIB}"
+		)
 	else()
 		message(FATAL_ERROR "Couldn't find system gtest")
 	endif()
 else()
 	# https://github.com/google/googletest/tree/main/googletest#incorporating-into-an-existing-cmake-project
 	# Download and unpack googletest at configure time
-	configure_file(CMakeListsGtestInclude.cmake ${PROJECT_BINARY_DIR}/googletest-download/CMakeLists.txt)
-	execute_process(COMMAND ${CMAKE_COMMAND} -G "${CMAKE_GENERATOR}" .
+	configure_file(
+		CMakeListsGtestInclude.cmake ${PROJECT_BINARY_DIR}/googletest-download/CMakeLists.txt
+	)
+	execute_process(
+		COMMAND ${CMAKE_COMMAND} -G "${CMAKE_GENERATOR}" .
 		RESULT_VARIABLE result
-		WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download )
+		WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download
+	)
 	if(result)
 		message(FATAL_ERROR "CMake step for googletest failed: ${result}")
 	endif()
-	execute_process(COMMAND ${CMAKE_COMMAND} --build .
+	execute_process(
+		COMMAND ${CMAKE_COMMAND} --build .
 		RESULT_VARIABLE result
-		WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download )
+		WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download
+	)
 	if(result)
 		message(FATAL_ERROR "Build step for googletest failed: ${result}")
 	endif()

-	# Add googletest directly to our build. This defines
-	# the gtest and gtest_main targets.
-	add_subdirectory(${PROJECT_BINARY_DIR}/googletest-src
-					 ${PROJECT_BINARY_DIR}/googletest-build
-					 EXCLUDE_FROM_ALL)
+	# Add googletest directly to our build. This defines the gtest and gtest_main targets.
+	add_subdirectory(
+		${PROJECT_BINARY_DIR}/googletest-src ${PROJECT_BINARY_DIR}/googletest-build
+		EXCLUDE_FROM_ALL
+	)

 	set(GTEST_INCLUDE_DIR "${gtest_SOURCE_DIR}/include")
 	set(GTEST_MAIN_LIB "gtest_main")
-	install(DIRECTORY "${GTEST_INCLUDE_DIR}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps")
+	install(
+		DIRECTORY "${GTEST_INCLUDE_DIR}"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
 endif()

 if(NOT TARGET gtest)
--- a/cmake/modules/jsoncpp.cmake
+++ b/cmake/modules/jsoncpp.cmake
@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(USE_BUNDLED_JSONCPP "Enable building of the bundled jsoncpp" ${USE_BUNDLED_DEPS})
@ -44,66 +45,70 @@ else()
 		message(STATUS "Using bundled jsoncpp in '${JSONCPP_SRC}'")
 		if(NOT WIN32)
 			ExternalProject_Add(
-					jsoncpp
-					PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
-					URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
-					URL_HASH
-					"SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
-					CMAKE_ARGS
-						-DBUILD_OBJECT_LIBS=Off
-						${JSONCPP_STATIC_OPTION}
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DJSONCPP_WITH_TESTS=Off
-						-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-						-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-						-DCMAKE_INSTALL_LIBDIR=lib
-					BUILD_BYPRODUCTS ${JSONCPP_LIB}
+				jsoncpp
+				PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
+				URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
+				URL_HASH "SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
+				CMAKE_ARGS -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DBUILD_OBJECT_LIBS=Off
+						   ${JSONCPP_STATIC_OPTION}
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DJSONCPP_WITH_TESTS=Off
+						   -DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
+						   -DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
+						   -DCMAKE_INSTALL_LIBDIR=lib
+				BUILD_BYPRODUCTS ${JSONCPP_LIB}
 			)
 		else()
 			# see: https://cmake.org/cmake/help/latest/policy/CMP0091.html
 			if(CMAKE_VERSION VERSION_LESS 3.15.0)
 				ExternalProject_Add(
-						jsoncpp
-						PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
-						URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
-						URL_HASH
+					jsoncpp
+					PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
+					URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
+					URL_HASH
 						"SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
-						CMAKE_ARGS
-						-DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
-						-DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
-						-DBUILD_OBJECT_LIBS=Off
-						${JSONCPP_STATIC_OPTION}
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DJSONCPP_WITH_TESTS=Off
-						-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-						-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-						-DCMAKE_INSTALL_LIBDIR=lib
+					CMAKE_ARGS -DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
+							   -DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
+							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DBUILD_OBJECT_LIBS=Off
+							   ${JSONCPP_STATIC_OPTION}
+							   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+							   -DJSONCPP_WITH_TESTS=Off
+							   -DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
+							   -DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
+							   -DCMAKE_INSTALL_LIBDIR=lib
 				)
 			else()
 				ExternalProject_Add(
-						jsoncpp
-						PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
-						URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
-						URL_HASH
+					jsoncpp
+					PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
+					URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
+					URL_HASH
 						"SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
-						CMAKE_ARGS
-						-DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-						-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-						-DBUILD_OBJECT_LIBS=Off
-						${JSONCPP_STATIC_OPTION}
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DJSONCPP_WITH_TESTS=Off
-						-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-						-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-						-DCMAKE_INSTALL_LIBDIR=lib
+					CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+							   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+							   -DBUILD_OBJECT_LIBS=Off
+							   ${JSONCPP_STATIC_OPTION}
+							   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+							   -DJSONCPP_WITH_TESTS=Off
+							   -DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
+							   -DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
+							   -DCMAKE_INSTALL_LIBDIR=lib
 				)
 			endif()
 		endif()

-		install(FILES "${JSONCPP_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${JSONCPP_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
+		install(
+			FILES "${JSONCPP_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${JSONCPP_INCLUDE}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
 	endif()
 endif()

--- a/cmake/modules/libbpf.cmake
+++ b/cmake/modules/libbpf.cmake
@ -2,57 +2,79 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(USE_BUNDLED_LIBBPF "Enable building of the bundled libbpf" ${USE_BUNDLED_DEPS})

-if(LIBBPF_INCLUDE)
-    # we already have libbpf
+if(TARGET lbpf)
+	# we already have libbpf
 elseif(NOT USE_BUNDLED_LIBBPF)
-    find_path(LIBBPF_INCLUDE bpf/libbpf.h)
-    find_library(LIBBPF_LIB NAMES bpf)
-    if(LIBBPF_INCLUDE AND LIBBPF_LIB)
-        message(STATUS "Found libbpf: include: ${LIBBPF_INCLUDE}, lib: ${LIBBPF_LIB}")
-    else()
-        message(FATAL_ERROR "Couldn't find system libbpf")
-    endif()
+	include(zlib)
+	include(libelf)
+	find_path(LIBBPF_INCLUDE bpf/libbpf.h)
+	find_library(LIBBPF_LIB NAMES bpf)
+	if(LIBBPF_INCLUDE AND LIBBPF_LIB)
+		add_library(lbpf STATIC IMPORTED GLOBAL)
+		set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
+		target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
+		target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
+
+		message(STATUS "Found libbpf: include: ${LIBBPF_INCLUDE}, lib: ${LIBBPF_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system libbpf")
+	endif()
 else()
-    include(zlib)
-    include(libelf)
-    set(LIBBPF_SRC "${PROJECT_BINARY_DIR}/libbpf-prefix/src")
-    set(LIBBPF_BUILD_DIR "${LIBBPF_SRC}/libbpf-build")
-    set(LIBBPF_INCLUDE "${LIBBPF_BUILD_DIR}/root/usr/include")
-    set(LIBBPF_LIB "${LIBBPF_BUILD_DIR}/root/usr/lib64/libbpf.a")
-    ExternalProject_Add(
-        libbpf
-        PREFIX "${PROJECT_BINARY_DIR}/libbpf-prefix"
-        DEPENDS zlib libelf
-        URL "https://github.com/libbpf/libbpf/archive/refs/tags/v1.3.0.tar.gz"
-        URL_HASH
-        "SHA256=11db86acd627e468bc48b7258c1130aba41a12c4d364f78e184fd2f5a913d861"
-        CONFIGURE_COMMAND mkdir -p build root
-        BUILD_COMMAND make BUILD_STATIC_ONLY=y OBJDIR=${LIBBPF_BUILD_DIR}/build DESTDIR=${LIBBPF_BUILD_DIR}/root NO_PKG_CONFIG=1 "EXTRA_CFLAGS=-fPIC -I${LIBELF_INCLUDE} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic" "EXTRA_LDFLAGS=-L${LIBELF_SRC}/libelf/libelf -L${ZLIB_SRC}" -C ${LIBBPF_SRC}/libbpf/src install install_uapi_headers
-        INSTALL_COMMAND ""
-        UPDATE_COMMAND ""
-        BUILD_BYPRODUCTS ${LIBBPF_LIB}
-    )
-    message(STATUS "Using bundled libbpf: include'${LIBBPF_INCLUDE}', lib: ${LIBBPF_LIB}")
-    install(FILES "${LIBBPF_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-            COMPONENT "libs-deps")
-    install(DIRECTORY "${LIBBPF_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-            COMPONENT "libs-deps")
-endif()
+	include(zlib)
+	include(libelf)
+	set(LIBBPF_SRC "${PROJECT_BINARY_DIR}/libbpf-prefix/src")
+	set(LIBBPF_BUILD_DIR "${LIBBPF_SRC}/libbpf-build")
+	set(LIBBPF_INCLUDE "${LIBBPF_BUILD_DIR}/root/usr/include")
+	set(LIBBPF_LIB "${LIBBPF_BUILD_DIR}/root/usr/lib64/libbpf.a")

-if(NOT TARGET libbpf)
-    add_custom_target(libbpf)
-endif()
+	get_target_property(LIBELF_INCLUDE_DIR elf INCLUDE_DIRECTORIES)

-include_directories(${LIBBPF_INCLUDE})
+	foreach(dir ${LIBELF_INCLUDE_DIR})
+		string(APPEND LIBELF_COMPILER_STRING "-I${dir} ")
+	endforeach()
+
+	ExternalProject_Add(
+		libbpf
+		PREFIX "${PROJECT_BINARY_DIR}/libbpf-prefix"
+		DEPENDS zlib elf
+		URL "https://github.com/libbpf/libbpf/archive/refs/tags/v1.3.0.tar.gz"
+		URL_HASH "SHA256=11db86acd627e468bc48b7258c1130aba41a12c4d364f78e184fd2f5a913d861"
+		CONFIGURE_COMMAND mkdir -p build root
+		BUILD_COMMAND
+			make BUILD_STATIC_ONLY=y OBJDIR=${LIBBPF_BUILD_DIR}/build
+			DESTDIR=${LIBBPF_BUILD_DIR}/root NO_PKG_CONFIG=1
+			"EXTRA_CFLAGS=-fPIC ${LIBELF_COMPILER_STRING} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic"
+			"EXTRA_LDFLAGS=-L${LIBELF_SRC}/libelf/libelf -L${ZLIB_SRC}" -C ${LIBBPF_SRC}/libbpf/src
+			install install_uapi_headers
+		INSTALL_COMMAND ""
+		UPDATE_COMMAND ""
+		BUILD_BYPRODUCTS ${LIBBPF_LIB}
+	)
+
+	add_library(lbpf STATIC IMPORTED GLOBAL)
+	set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
+	file(MAKE_DIRECTORY ${LIBBPF_INCLUDE}) # necessary to make target_include_directories() work
+	target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
+	add_dependencies(lbpf libbpf)
+	target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
+
+	message(STATUS "Using bundled libbpf: include'${LIBBPF_INCLUDE}', lib: ${LIBBPF_LIB}")
+	install(
+		FILES "${LIBBPF_LIB}"
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
+endif()
--- a/cmake/modules/libelf.cmake
+++ b/cmake/modules/libelf.cmake
@ -2,71 +2,74 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

+include_guard()
+
 option(USE_BUNDLED_LIBELF "Enable building of the bundled libelf" ${USE_BUNDLED_DEPS})
 option(USE_SHARED_LIBELF "When not using bundled libelf, link it dynamically" ON)

-if(LIBELF_INCLUDE)
-    # we already have LIBELF
+if(TARGET elf)
+	# we already have libelf
 elseif(NOT USE_BUNDLED_LIBELF)
-    find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
-    if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
-        set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-    else()
-        set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-    endif()
-    find_library(LIBELF_LIB NAMES libelf${LIBELF_LIB_SUFFIX})
-    if(LIBELF_LIB)
-        message(STATUS "Found LIBELF: include: ${LIBELF_INCLUDE}, lib: ${LIBELF_LIB}")
-    else()
-        message(FATAL_ERROR "Couldn't find system libelf")
-    endif()
-    # We add a custom target, in this way we can always depend on `libelf`
-    # without distinguishing between "bundled" and "not-bundled" case
-    add_custom_target(libelf)
+	find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
+	if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
+		set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	# Zig workaround: since it won't look up in /usr/lib/..., add an HINT
+	if(CMAKE_C_COMPILER MATCHES "zig")
+		find_library(
+			LIBELF_LIB
+			NAMES libelf${LIBELF_LIB_SUFFIX}
+			HINTS /usr/lib/${CMAKE_SYSTEM_PROCESSOR}-linux-gnu/
+		)
+	else()
+		find_library(LIBELF_LIB NAMES libelf${LIBELF_LIB_SUFFIX})
+	endif()
+	if(LIBELF_LIB)
+		# Zig workaround: avoid include whole /usr/include because it would include also system
+		# glibc headers breaking the build since we are targeting the build against our boostrapped
+		# zig.
+		if(CMAKE_C_COMPILER MATCHES "zig")
+			message(STATUS "Enabling zig workaround for libelf")
+			configure_file(${LIBELF_INCLUDE}/libelf.h libelf/libelf.h COPYONLY)
+			configure_file(${LIBELF_INCLUDE}/elf.h libelf/elf.h COPYONLY)
+			configure_file(${LIBELF_INCLUDE}/gelf.h libelf/gelf.h COPYONLY)
+			set(LIBELF_INCLUDE ${CMAKE_CURRENT_BINARY_DIR}/libelf)
+		endif()
+		message(STATUS "Found LIBELF: include: ${LIBELF_INCLUDE}, lib: ${LIBELF_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system libelf")
+	endif()
+
+	if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
+		add_library(elf SHARED IMPORTED GLOBAL)
+	else()
+		add_library(elf STATIC IMPORTED GLOBAL)
+	endif()
+
+	set_target_properties(elf PROPERTIES IMPORTED_LOCATION ${LIBELF_LIB})
+	target_include_directories(elf INTERFACE ${LIBELF_INCLUDE})
 else()
-    if(BUILD_SHARED_LIBS)
-        set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-    else()
-        set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-    endif()
-    set(LIBELF_SRC "${PROJECT_BINARY_DIR}/libelf-prefix/src")
-    set(LIBELF_INCLUDE "${LIBELF_SRC}/libelf/libelf")
-    set(LIBELF_LIB "${LIBELF_SRC}/libelf/libelf/libelf${LIBELF_LIB_SUFFIX}")
-    ExternalProject_Add(
-            libelf
-            PREFIX "${PROJECT_BINARY_DIR}/libelf-prefix"
-            DEPENDS zlib
-            URL "https://sourceware.org/elfutils/ftp/0.189/elfutils-0.189.tar.bz2"
-            URL_HASH "SHA256=39bd8f1a338e2b7cd4abc3ff11a0eddc6e690f69578a57478d8179b4148708c8"
-            CONFIGURE_COMMAND ./configure LDFLAGS=-L${ZLIB_SRC} "CFLAGS=-I${ZLIB_INCLUDE}" --enable-deterministic-archives --disable-debuginfod --disable-libdebuginfod --without-zstd
-            BUILD_IN_SOURCE 1
-            BUILD_COMMAND make -C lib libeu.a
-            COMMAND make -C libelf libelf${LIBELF_LIB_SUFFIX}
-            INSTALL_COMMAND ""
-            UPDATE_COMMAND ""
-            BUILD_BYPRODUCTS ${LIBELF_LIB}
-    )
-    message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}', lib: ${LIBELF_LIB}")
-    install(FILES "${LIBELF_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-            COMPONENT "libs-deps")
-    install(DIRECTORY "${LIBELF_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-            COMPONENT "libs-deps")
-endif()
+	include(FetchContent)
+	FetchContent_Declare(
+		libelf_elftoolchain
+		URL https://github.com/falcosecurity/elftoolchain/releases/download/libelf-r4073-0/libelf-r4073-0.tar.gz
+		URL_HASH SHA256=adfeb3033c23ca579902f2bce7d9ffeec662f97d3846bb74e57fb65d70f6f056
+	)
+	FetchContent_MakeAvailable(libelf_elftoolchain)
+	get_target_property(LIBELF_INCLUDE elf INCLUDE_DIRECTORIES)

-# We add a custom target, in this way we can always depend on `libelf`
-# without distinguishing between "bundled" and "not-bundled" case
-if(NOT TARGET libelf)
-    add_custom_target(libelf)
+	message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}'")
 endif()
-
-include_directories(${LIBELF_INCLUDE})
--- a/cmake/modules/libscap.cmake
+++ b/cmake/modules/libscap.cmake
@ -2,141 +2,140 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 if(NOT HAVE_LIBSCAP)
-set(HAVE_LIBSCAP On)
+	set(HAVE_LIBSCAP On)

-if(NOT LIBS_DIR)
-	get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
-endif()
-
-option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
-
-include(GNUInstallDirs)
-
-include(ExternalProject)
-
-include(uthash)
-
-include(CheckSymbolExists)
-check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
-check_symbol_exists(strlcat "string.h" HAVE_STRLCAT)
-
-if(HAVE_STRLCPY)
-	message(STATUS "Existing strlcpy found, will *not* use local definition")
-else()
-	message(STATUS "No strlcpy found, will use local definition")
-endif()
-
-if(HAVE_STRLCAT)
-	message(STATUS "Existing strlcat found, will *not* use local definition")
-else()
-	message(STATUS "No strlcat found, will use local definition")
-endif()
-
-add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
-
-if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-	get_filename_component(DRIVER_CONFIG_DIR ${CMAKE_BINARY_DIR}/driver/src ABSOLUTE)
-else()
-	# This doesn't install all of the driver headers but seems to be sufficient for
-	# non-Linux platforms.
-	get_filename_component(DRIVER_CONFIG_DIR ${PROJECT_SOURCE_DIR}/driver ABSOLUTE)
-endif()
-
-get_filename_component(LIBSCAP_INCLUDE_DIR ${LIBS_DIR}/userspace/libscap ABSOLUTE)
-set(LIBSCAP_INCLUDE_DIRS ${LIBSCAP_INCLUDE_DIR} ${PROJECT_BINARY_DIR} ${DRIVER_CONFIG_DIR})
-
-function(set_scap_target_properties target)
-	set_target_properties(${target} PROPERTIES
-		VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
-		SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
-	)
-endfunction()
-
-add_subdirectory(${LIBS_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/libscap)
-
-set(LIBSCAP_INSTALL_LIBS)
-
-# All of the targets in userspace/libscap
-get_directory_property(libscap_subdirs DIRECTORY ${LIBS_DIR}/userspace/libscap SUBDIRECTORIES)
-set(libscap_subdir_targets)
-foreach(libscap_subdir ${LIBS_DIR}/userspace/libscap ${libscap_subdirs})
-	get_directory_property(subdir_targets DIRECTORY ${libscap_subdir} BUILDSYSTEM_TARGETS)
-	list(APPEND libscap_subdir_targets ${subdir_targets})
-endforeach()
-
-set(install_lib_type STATIC_LIBRARY)
-if (BUILD_SHARED_LIBS)
-	set(install_lib_type SHARED_LIBRARY)
-endif()
-
-# Installation targets only
-foreach(libscap_subdir_target ${libscap_subdir_targets})
-	get_target_property(cl_target_type ${libscap_subdir_target} TYPE)
-	if (${cl_target_type} STREQUAL ${install_lib_type})
-		list(APPEND LIBSCAP_INSTALL_LIBS ${libscap_subdir_target})
+	if(NOT LIBS_DIR)
+		get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
 	endif()
-endforeach()

-# Installation targets and their dependencies
-set(libscap_link_libraries)
-set(libscap_link_libdirs)
-foreach(libscap_install_lib ${LIBSCAP_INSTALL_LIBS})
-	list(APPEND libscap_link_libraries ${libscap_install_lib})
-	get_target_property(install_lib_link_libraries ${libscap_install_lib} LINK_LIBRARIES)
-	foreach (install_lib_link_library ${install_lib_link_libraries})
-		if (NOT ${install_lib_link_library} IN_LIST libscap_subdir_targets)
-			if(${install_lib_link_library} MATCHES "/")
-				# We have a path. Convert it to -L<dir> + -l<lib>.
-				get_filename_component(scap_lib_dir ${install_lib_link_library} DIRECTORY)
-				list(APPEND libscap_link_libdirs -L${scap_lib_dir})
-				get_filename_component(scap_lib_base ${install_lib_link_library} NAME_WE)
-				string(REGEX REPLACE "^lib" "" scap_lib_base ${scap_lib_base})
-				list(APPEND libscap_link_libraries ${scap_lib_base})
-			else()
-				list(APPEND libscap_link_libraries ${install_lib_link_library})
-			endif()
+	option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
+
+	include(GNUInstallDirs)
+
+	include(ExternalProject)
+
+	include(uthash)
+
+	include(CheckSymbolExists)
+	check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
+	check_symbol_exists(strlcat "string.h" HAVE_STRLCAT)
+
+	include(BuildPkgConfigDependencies)
+
+	if(HAVE_STRLCPY)
+		message(STATUS "Existing strlcpy found, will *not* use local definition")
+	else()
+		message(STATUS "No strlcpy found, will use local definition")
+	endif()
+
+	if(HAVE_STRLCAT)
+		message(STATUS "Existing strlcat found, will *not* use local definition")
+	else()
+		message(STATUS "No strlcat found, will use local definition")
+	endif()
+
+	add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
+
+	if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+		get_filename_component(DRIVER_CONFIG_DIR ${CMAKE_BINARY_DIR}/driver/src ABSOLUTE)
+	else()
+		# This doesn't install all of the driver headers but seems to be sufficient for non-Linux
+		# platforms.
+		get_filename_component(DRIVER_CONFIG_DIR ${PROJECT_SOURCE_DIR}/driver ABSOLUTE)
+	endif()
+
+	get_filename_component(LIBSCAP_INCLUDE_DIR ${LIBS_DIR}/userspace/libscap ABSOLUTE)
+	set(LIBSCAP_INCLUDE_DIRS ${LIBSCAP_INCLUDE_DIR} ${PROJECT_BINARY_DIR} ${DRIVER_CONFIG_DIR})
+
+	function(set_scap_target_properties target)
+		set_target_properties(
+			${target} PROPERTIES VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
+								 SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
+		)
+	endfunction()
+
+	add_subdirectory(${LIBS_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/libscap)
+
+	set(LIBSCAP_INSTALL_LIBS)
+
+	# All of the targets in userspace/libscap
+	get_directory_property(libscap_subdirs DIRECTORY ${LIBS_DIR}/userspace/libscap SUBDIRECTORIES)
+	set(libscap_subdir_targets)
+	foreach(libscap_subdir ${LIBS_DIR}/userspace/libscap ${libscap_subdirs})
+		get_directory_property(subdir_targets DIRECTORY ${libscap_subdir} BUILDSYSTEM_TARGETS)
+		list(APPEND libscap_subdir_targets ${subdir_targets})
+	endforeach()
+
+	set(install_lib_type STATIC_LIBRARY)
+	if(BUILD_SHARED_LIBS)
+		set(install_lib_type SHARED_LIBRARY)
+	endif()
+
+	# Installation targets only
+	foreach(libscap_subdir_target ${libscap_subdir_targets})
+		get_target_property(cl_target_type ${libscap_subdir_target} TYPE)
+		if(${cl_target_type} STREQUAL ${install_lib_type})
+			list(APPEND LIBSCAP_INSTALL_LIBS ${libscap_subdir_target})
 		endif()
 	endforeach()
-endforeach()
-list(REMOVE_DUPLICATES libscap_link_libraries)

-set(libscap_link_flags)
-foreach(libscap_link_library ${libscap_link_libraries})
-	list(APPEND libscap_link_flags "-l${libscap_link_library}")
-endforeach()
-
-string(REPLACE ";" " " LIBSCAP_LINK_LIBRARIES_FLAGS "${libscap_link_flags}")
-string(REPLACE ";" " " LIBSCAP_LINK_LIBDIRS_FLAGS "${libscap_link_libdirs}")
-configure_file(${LIBS_DIR}/userspace/libscap/libscap.pc.in ${PROJECT_BINARY_DIR}/libscap/libscap.pc @ONLY)
-
-install(TARGETS ${LIBSCAP_INSTALL_LIBS}
-			ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
-			LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
-			RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
-			COMPONENT "scap" OPTIONAL)
-install(DIRECTORY "${LIBSCAP_INCLUDE_DIR}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "scap"
-			FILES_MATCHING PATTERN "*.h"
-			PATTERN "*examples*" EXCLUDE
-			PATTERN "*doxygen*" EXCLUDE)
-install(DIRECTORY "${DRIVER_CONFIG_DIR}/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/driver"
-			COMPONENT "scap"
-			FILES_MATCHING PATTERN "*.h")
-install(DIRECTORY "${LIBS_DIR}/userspace/plugin" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+	install(
+		TARGETS ${LIBSCAP_INSTALL_LIBS}
+		ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+		LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+		RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
+				COMPONENT "scap"
+				OPTIONAL
+	)
+	install(
+		DIRECTORY "${LIBSCAP_INCLUDE_DIR}"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
 		COMPONENT "scap"
-		FILES_MATCHING PATTERN "*.h")
-install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_config.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap)
-install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_strl_config.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap)
-install(FILES ${PROJECT_BINARY_DIR}/libscap/libscap.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
+		FILES_MATCHING
+		PATTERN "*.h"
+		PATTERN "*examples*" EXCLUDE
+		PATTERN "*doxygen*" EXCLUDE
+	)
+	install(
+		DIRECTORY "${DRIVER_CONFIG_DIR}/"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/driver"
+		COMPONENT "scap"
+		FILES_MATCHING
+		PATTERN "*.h"
+	)
+	install(
+		DIRECTORY "${LIBS_DIR}/userspace/plugin"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "scap"
+		FILES_MATCHING
+		PATTERN "*.h"
+	)
+
+	if(USE_BUNDLED_UTHASH)
+		install(FILES ${UTHASH_INCLUDE}/uthash.h
+				DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
+		)
+	endif()
+
+	install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_config.h
+			DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
+	)
+	install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_strl_config.h
+			DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
+	)
+	install(FILES ${PROJECT_BINARY_DIR}/libscap/libscap.pc
+			DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
+	)
 endif()
--- a/cmake/modules/libsinsp.cmake
+++ b/cmake/modules/libsinsp.cmake
@ -2,92 +2,89 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 if(NOT HAVE_LIBSINSP)
-set(HAVE_LIBSINSP On)
+	set(HAVE_LIBSINSP On)

-if(NOT LIBS_DIR)
-	get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
-endif()
+	if(NOT LIBS_DIR)
+		get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
+	endif()

-option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
+	option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
+	option(ENABLE_THREAD_POOL "Enable inspector thread pool" OFF)

-if(DEFINED LIBSINSP_USER_AGENT)
-	add_definitions(-DLIBSINSP_USER_AGENT="${LIBSINSP_USER_AGENT}")
-endif()
+	if(DEFINED LIBSINSP_USER_AGENT)
+		add_definitions(-DLIBSINSP_USER_AGENT="${LIBSINSP_USER_AGENT}")
+	endif()

-include(ExternalProject)
-include(libscap)
-if (NOT EMSCRIPTEN)
-	include(tbb)
-endif()
-if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)
-	include(cares)
-	include(curl)
-endif()
-include(jsoncpp)
-include(valijson)
-include(re2)
+	include(ExternalProject)
+	include(libscap)
+	if(NOT EMSCRIPTEN)
+		include(tbb)
+	endif()
+	include(jsoncpp)
+	include(valijson)
+	include(re2)

-set(LIBSINSP_INCLUDE_DIRS ${LIBS_DIR} ${LIBS_DIR}/userspace ${LIBSCAP_INCLUDE_DIRS} ${DRIVER_CONFIG_DIR})
+	if(ENABLE_THREAD_POOL AND NOT EMSCRIPTEN)
+		include(bs_threadpool)
+	endif()

-if (NOT EMSCRIPTEN)
-	get_filename_component(TBB_ABSOLUTE_INCLUDE_DIR ${TBB_INCLUDE_DIR} ABSOLUTE)
-	list(APPEND LIBSINSP_INCLUDE_DIRS ${TBB_ABSOLUTE_INCLUDE_DIR})
-endif()
+	set(LIBSINSP_INCLUDE_DIRS)

-get_filename_component(JSONCPP_ABSOLUTE_INCLUDE_DIR ${JSONCPP_INCLUDE} ABSOLUTE)
-list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_ABSOLUTE_INCLUDE_DIR})
+	if(NOT USE_BUNDLED_TBB AND NOT EMSCRIPTEN)
+		list(APPEND LIBSINSP_INCLUDE_DIRS ${TBB_INCLUDE_DIR})
+	endif()

-get_filename_component(VALIJSON_ABSOLUTE_INCLUDE_DIR ${VALIJSON_INCLUDE} ABSOLUTE)
-list(APPEND LIBSINSP_INCLUDE_DIRS ${VALIJSON_ABSOLUTE_INCLUDE_DIR})
+	if(NOT USE_BUNDLED_JSONCPP)
+		list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE})
+	endif()

-get_filename_component(RE2_ABSOLUTE_INCLUDE_DIR ${RE2_INCLUDE} ABSOLUTE)
-list(APPEND LIBSINSP_INCLUDE_DIRS ${RE2_ABSOLUTE_INCLUDE_DIR})
+	function(set_sinsp_target_properties target)
+		set_target_properties(
+			${target} PROPERTIES VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
+								 SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
+		)
+	endfunction()

-if(NOT MINIMAL_BUILD AND NOT EMSCRIPTEN AND NOT APPLE)
-	get_filename_component(CARES_ABSOLUTE_INCLUDE_DIR ${CARES_INCLUDE} ABSOLUTE)
-	list(APPEND LIBSINSP_INCLUDE_DIRS ${CARES_ABSOLUTE_INCLUDE_DIR})
-endif()
-
-if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)
-	get_filename_component(CURL_ABSOLUTE_INCLUDE_DIR ${CURL_INCLUDE_DIRS} ABSOLUTE)
-	list(APPEND LIBSINSP_INCLUDE_DIRS ${CURL_ABSOLUTE_INCLUDE_DIR})
-endif()
-
-function(set_sinsp_target_properties target)
-	set_target_properties(${target} PROPERTIES
-		VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
-		SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
+	add_subdirectory(${LIBS_DIR}/userspace/libsinsp ${CMAKE_BINARY_DIR}/libsinsp)
+	install(
+		TARGETS sinsp
+		ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+		LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+		RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT "sinsp"
+	)
+	install(
+		DIRECTORY "${LIBS_DIR}/userspace/libsinsp"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "sinsp"
+		FILES_MATCHING
+		PATTERN "*.h"
+		PATTERN "*third_party*" EXCLUDE
+		PATTERN "*examples*" EXCLUDE
+		PATTERN "*doxygen*" EXCLUDE
+		PATTERN "*scripts*" EXCLUDE
+		PATTERN "*test*" EXCLUDE
+	)
+	install(
+		DIRECTORY "${LIBS_DIR}/userspace/async"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "sinsp"
+		FILES_MATCHING
+		PATTERN "*.h"
+	)
+	install(FILES ${PROJECT_BINARY_DIR}/libsinsp/libsinsp.pc
+			DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
 	)
-endfunction()
-
-add_subdirectory(${LIBS_DIR}/userspace/libsinsp ${CMAKE_BINARY_DIR}/libsinsp)
-install(TARGETS sinsp
-			ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
-			LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
-			RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
-			COMPONENT "sinsp")
-install(DIRECTORY "${LIBS_DIR}/userspace/libsinsp" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "sinsp"
-			FILES_MATCHING PATTERN "*.h"
-			PATTERN "*third_party*" EXCLUDE
-			PATTERN "*examples*" EXCLUDE
-			PATTERN "*doxygen*" EXCLUDE
-			PATTERN "*scripts*" EXCLUDE
-			PATTERN "*test*" EXCLUDE)
-install(DIRECTORY "${LIBS_DIR}/userspace/async" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "sinsp"
-			FILES_MATCHING PATTERN "*.h")
-install(FILES ${PROJECT_BINARY_DIR}/libsinsp/libsinsp.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)

 endif()
--- a/cmake/modules/openssl.cmake
+++ b/cmake/modules/openssl.cmake
@ -1,62 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
-
-if(OPENSSL_INCLUDE_DIR)
-	# we already have openssl
-elseif(NOT USE_BUNDLED_OPENSSL)
-	find_package(OpenSSL REQUIRED)
-	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
-else()
-	if(BUILD_SHARED_LIBS)
-		set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(OPENSSL_SHARED_OPTION shared)
-	else()
-		set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(OPENSSL_SHARED_OPTION no-shared)
-	endif()
-	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
-	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
-	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
- 	set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
-
-	if(NOT TARGET openssl)
-		message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-		ExternalProject_Add(openssl
-			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
-			URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
-			URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
-			CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
-			BUILD_COMMAND make
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
-			INSTALL_COMMAND make install_sw)
-		install(FILES "${OPENSSL_LIBRARY_SSL}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(FILES "${OPENSSL_LIBRARY_CRYPTO}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${OPENSSL_INCLUDE_DIR}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-	endif()
-endif()
-
-if(NOT TARGET openssl)
-	add_custom_target(openssl)
-endif()
-
-include_directories("${OPENSSL_INCLUDE_DIR}")
--- a/cmake/modules/protobuf.cmake
+++ b/cmake/modules/protobuf.cmake
@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(USE_BUNDLED_PROTOBUF "Enable building of the bundled protobuf" ${USE_BUNDLED_DEPS})
@ -20,8 +21,14 @@ elseif(NOT USE_BUNDLED_PROTOBUF)
 	find_program(PROTOC NAMES protoc)
 	find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
 	find_library(PROTOBUF_LIB NAMES protobuf)
-	if(PROTOC AND PROTOBUF_INCLUDE AND PROTOBUF_LIB)
-		message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
+	if(PROTOC
+	   AND PROTOBUF_INCLUDE
+	   AND PROTOBUF_LIB
+	)
+		message(
+			STATUS
+				"Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}"
+		)
 	else()
 		message(FATAL_ERROR "Couldn't find system protobuf")
 	endif()
@ -38,29 +45,57 @@ else()
 	set(PROTOBUF_SRC "${PROJECT_BINARY_DIR}/protobuf-prefix/src/protobuf")
 	set(PROTOC "${PROTOBUF_SRC}/target/bin/protoc")
 	set(PROTOBUF_INCLUDE "${PROTOBUF_SRC}/target/include/")
-	set(PROTOBUF_LIB "${PROTOBUF_SRC}/target/lib/libprotobuf${PROTOBUF_LIB_SUFFIX}" CACHE PATH "Path to libprotobuf")
+	set(PROTOBUF_LIB
+		"${PROTOBUF_SRC}/target/lib/libprotobuf${PROTOBUF_LIB_SUFFIX}"
+		CACHE PATH "Path to libprotobuf"
+	)
 	set(PROTOC_LIB "${PROTOBUF_SRC}/target/lib/libprotoc${PROTOBUF_LIB_SUFFIX}")
 	set(PROTOBUF_INSTALL_DIR "${PROTOBUF_SRC}/target")

 	if(NOT TARGET protobuf)
+		if(NOT ENABLE_PIC)
+			set(PROTOBUF_PIC_OPTION)
+		else()
+			set(PROTOBUF_PIC_OPTION "--with-pic=yes")
+		endif()
+		# Match both release and relwithdebinfo builds
+		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
+			set(PROTOBUF_CXXFLAGS "-O3 -std=c++11 -DNDEBUG")
+		else()
+			set(PROTOBUF_CXXFLAGS "-g -std=c++11")
+		endif()
 		message(STATUS "Using bundled protobuf in '${PROTOBUF_SRC}'")
-		ExternalProject_Add(protobuf
+		ExternalProject_Add(
+			protobuf
 			PREFIX "${PROJECT_BINARY_DIR}/protobuf-prefix"
 			DEPENDS zlib
 			URL "https://github.com/protocolbuffers/protobuf/releases/download/v3.20.3/protobuf-cpp-3.20.3.tar.gz"
 			URL_HASH "SHA256=e51cc8fc496f893e2a48beb417730ab6cbcb251142ad8b2cd1951faa5c76fe3d"
 			# TODO what if using system zlib?
-			CONFIGURE_COMMAND CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure --with-zlib ${PROTOBUF_CONFIGURE_FLAGS} --prefix=${PROTOBUF_INSTALL_DIR}
+			CONFIGURE_COMMAND
+				./configure CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib-include=${ZLIB_INCLUDE}
+				--with-zlib-lib=${ZLIB_SRC} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
+				${PROTOBUF_PIC_OPTION} --prefix=${PROTOBUF_INSTALL_DIR}
 			BUILD_COMMAND make
 			BUILD_IN_SOURCE 1
 			BUILD_BYPRODUCTS ${PROTOC} ${PROTOBUF_INCLUDE} ${PROTOBUF_LIB}
-			INSTALL_COMMAND make install)
-		install(FILES "${PROTOBUF_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(FILES "${PROTOC_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
-		install(DIRECTORY "${PROTOBUF_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
+			INSTALL_COMMAND make install
+		)
+		install(
+			FILES "${PROTOBUF_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES "${PROTOC_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${PROTOBUF_INCLUDE}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
 	endif()
 endif()

--- a/cmake/modules/re2.cmake
+++ b/cmake/modules/re2.cmake
@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(USE_BUNDLED_RE2 "Enable building of the bundled RE2" ${USE_BUNDLED_DEPS})
@ -42,76 +43,94 @@ else()
 		set(RE2_LIB "${RE2_SRC}/lib/libre2${RE2_LIB_SUFFIX}")
 		set(RE2_LIB_PATTERN "libre2*")
 		if(CMAKE_VERSION VERSION_LESS 3.29.1)
-			ExternalProject_Add(re2
+			ExternalProject_Add(
+				re2
 				PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
 				URL "${RE2_URL}"
 				URL_HASH "${RE2_URL_HASH}"
 				BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
 				BUILD_BYPRODUCTS ${RE2_LIB}
-				CMAKE_ARGS
-					-DCMAKE_INSTALL_LIBDIR=lib
-					-DRE2_BUILD_TESTING=OFF
-					-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-					-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
+				CMAKE_ARGS -DCMAKE_INSTALL_LIBDIR=lib
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DRE2_BUILD_TESTING=OFF
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			)
 		else()
-			# CMake 3.29.1 removed the support for the `PACKAGE_PREFIX_DIR`
-			# variable. The patch command just applies the same patch applied
-			# by re2 to solve the issue:
+			# CMake 3.29.1 removed the support for the `PACKAGE_PREFIX_DIR` variable. The patch
+			# command just applies the same patch applied by re2 to solve the issue:
 			# https://github.com/google/re2/commit/9ebe4a22cad8a025b68a9594bdff3c047a111333
-			ExternalProject_Add(re2
+			ExternalProject_Add(
+				re2
 				PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
 				URL "${RE2_URL}"
 				URL_HASH "${RE2_URL_HASH}"
 				BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
 				BUILD_BYPRODUCTS ${RE2_LIB}
 				PATCH_COMMAND
-					COMMAND sed -i".bak" "/set_and_check/d" re2Config.cmake.in
-				CMAKE_ARGS
-					-DCMAKE_INSTALL_LIBDIR=lib
-					-DRE2_BUILD_TESTING=OFF
-					-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-					-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
+				COMMAND sed -i".bak" "/set_and_check/d" re2Config.cmake.in
+				CMAKE_ARGS -DCMAKE_INSTALL_LIBDIR=lib
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DRE2_BUILD_TESTING=OFF
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			)
 		endif()
 	else()
 		set(RE2_LIB "${RE2_SRC}/lib/re2.lib")
 		set(RE2_LIB_PATTERN "re2.lib")
 		# see: https://cmake.org/cmake/help/latest/policy/CMP0091.html
 		if(CMAKE_VERSION VERSION_LESS 3.15.0)
-			ExternalProject_Add(re2
+			ExternalProject_Add(
+				re2
 				PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
 				URL "${RE2_URL}"
 				URL_HASH "${RE2_URL_HASH}"
 				BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
 				BUILD_BYPRODUCTS ${RE2_LIB}
-				CMAKE_ARGS
-					-DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
-					-DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
-					-DCMAKE_INSTALL_LIBDIR=lib
-					-DRE2_BUILD_TESTING=OFF
-					-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-					-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
+				CMAKE_ARGS -DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
+						   -DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
+						   -DCMAKE_INSTALL_LIBDIR=lib
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DRE2_BUILD_TESTING=OFF
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			)
 		else()
-			ExternalProject_Add(re2
+			ExternalProject_Add(
+				re2
 				PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
 				URL "${RE2_URL}"
 				URL_HASH "${RE2_URL_HASH}"
 				BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
 				BUILD_BYPRODUCTS ${RE2_LIB}
-				CMAKE_ARGS
-					-DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-					-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-					-DCMAKE_INSTALL_LIBDIR=lib
-					-DRE2_BUILD_TESTING=OFF
-					-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-					-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
+				CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+						   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+						   -DCMAKE_INSTALL_LIBDIR=lib
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DRE2_BUILD_TESTING=OFF
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			)
 		endif()
 	endif()

-	install(DIRECTORY ${RE2_SRC}/lib/ DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-			FILES_MATCHING PATTERN ${RE2_LIB_PATTERN})
-	install(DIRECTORY "${RE2_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps")
+	install(
+		DIRECTORY ${RE2_SRC}/lib/
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+		FILES_MATCHING
+		PATTERN ${RE2_LIB_PATTERN}
+	)
+	install(
+		DIRECTORY "${RE2_INCLUDE}"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
 endif()

 if(NOT TARGET re2)
--- a/cmake/modules/tbb.cmake
+++ b/cmake/modules/tbb.cmake
@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})
@ -52,76 +53,106 @@ else()
 		else()
 			set(TBB_LIB_BASENAME "tbb12")
 		endif()
-	endif()	
+	endif()
 	set(TBB_LIB "${TBB_LIB_BASEDIR}/${TBB_LIB_PREFIX}${TBB_LIB_BASENAME}${TBB_LIB_SUFFIX}")

 	if(NOT TARGET tbb)
 		message(STATUS "Using bundled tbb in '${TBB_SRC}'")
-		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2021.9.0.tar.gz")
-		set(TBB_SRC_URL_HASH "SHA256=1ce48f34dada7837f510735ff1172f6e2c261b09460e3bf773b49791d247d24e")
+		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.1.0.tar.gz")
+		set(TBB_SRC_URL_HASH
+			"SHA256=ed067603ece0dc832d2881ba5c516625ac2522c665d95f767ef6304e34f961b5"
+		)
 		set(TBB_FLAGS "")
-		if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
-			# latest TBB has issues with GCC >= 12
-			# see: https://github.com/oneapi-src/oneTBB/issues/843#issuecomment-1152646035
+		if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
+			# latest TBB has issues with GCC >= 12 see:
+			# https://github.com/oneapi-src/oneTBB/issues/843#issuecomment-1152646035
 			set(TBB_FLAGS "-Wno-error=stringop-overflow")
 		endif()
+		if(EMSCRIPTEN)
+			set(TBB_FLAGS "${TBB_FLAGS} -Wno-unused-command-line-argument")
+			set(TBB_EMSCRIPTEN "ON")
+		endif()

-		if(NOT WIN32)	
-			ExternalProject_Add(tbb
+		if(NOT WIN32)
+			ExternalProject_Add(
+				tbb
 				PREFIX "${PROJECT_BINARY_DIR}/tbb-prefix"
 				URL "${TBB_SRC_URL}"
 				URL_HASH "${TBB_SRC_URL_HASH}"
 				BUILD_IN_SOURCE 1
 				BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb
-				CMAKE_ARGS
-					-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-					-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-					-DTBB_OUTPUT_DIR_BASE=lib
-					-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+				CMAKE_ARGS -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+						   -DTBB_OUTPUT_DIR_BASE=lib
+						   -DCMAKE_CXX_FLAGS=${TBB_FLAGS}
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
+						   -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
+						   -DEMSCRIPTEN=${TBB_EMSCRIPTEN}
+						   -DTBB_FILE_TRIM=Off
+						   -DTBB_INSTALL=Off
 				BUILD_BYPRODUCTS ${TBB_LIB}
-				INSTALL_COMMAND "")
+				INSTALL_COMMAND ""
+			)
 		else()
 			# see: https://cmake.org/cmake/help/latest/policy/CMP0091.html
 			if(CMAKE_VERSION VERSION_LESS 3.15.0)
-				ExternalProject_Add(tbb
+				ExternalProject_Add(
+					tbb
 					PREFIX "${PROJECT_BINARY_DIR}/tbb-prefix"
 					URL "${TBB_SRC_URL}"
 					URL_HASH "${TBB_SRC_URL_HASH}"
 					BUILD_IN_SOURCE 1
-					BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config ${CMAKE_BUILD_TYPE}
-					CMAKE_ARGS
-						-DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
-						-DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-						-DTBB_OUTPUT_DIR_BASE=lib
-						-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+					BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config
+								  ${CMAKE_BUILD_TYPE}
+					CMAKE_ARGS -DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
+							   -DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
+							   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+							   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+							   -DTBB_OUTPUT_DIR_BASE=lib
+							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DTBB_FILE_TRIM=Off
+							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
-					INSTALL_COMMAND "")
+					INSTALL_COMMAND ""
+				)
 			else()
-				ExternalProject_Add(tbb
+				ExternalProject_Add(
+					tbb
 					PREFIX "${PROJECT_BINARY_DIR}/tbb-prefix"
 					URL "${TBB_SRC_URL}"
 					URL_HASH "${TBB_SRC_URL_HASH}"
 					BUILD_IN_SOURCE 1
-					BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config ${CMAKE_BUILD_TYPE}
-					CMAKE_ARGS
-						-DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-						-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-						-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-						-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-						-DTBB_OUTPUT_DIR_BASE=lib
-						-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+					BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config
+								  ${CMAKE_BUILD_TYPE}
+					CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+							   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+							   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+							   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+							   -DTBB_OUTPUT_DIR_BASE=lib
+							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
+							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DTBB_FILE_TRIM=Off
+							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
-					INSTALL_COMMAND "")
+					INSTALL_COMMAND ""
+				)
 			endif()
 		endif()

-		install(DIRECTORY "${TBB_LIB_BASEDIR}/" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps"
-				FILES_MATCHING PATTERN "${TBB_LIB_PREFIX}tbb*")
-		install(DIRECTORY "${TBB_INCLUDE_DIR}/tbb" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-				COMPONENT "libs-deps")
+		install(
+			DIRECTORY "${TBB_LIB_BASEDIR}/"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+			FILES_MATCHING
+			PATTERN "${TBB_LIB_PREFIX}tbb*"
+		)
+		install(
+			DIRECTORY "${TBB_INCLUDE_DIR}/tbb"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
 	endif()
 endif()

--- a/cmake/modules/uthash.cmake
+++ b/cmake/modules/uthash.cmake
@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(USE_BUNDLED_UTHASH "Enable downloading of the bundled uthash library" ${USE_BUNDLED_DEPS})
@ -31,13 +32,15 @@ else()

 	message(STATUS "Using bundled uthash in '${UTHASH_SRC}'")

-	ExternalProject_Add(uthash
-			PREFIX "${PROJECT_BINARY_DIR}/uthash-prefix"
-			URL "https://github.com/troydhanson/uthash/archive/refs/tags/v1.9.8.tar.gz"
-			URL_HASH "SHA256=d9d123ce81c5d127442876fc3b12fab3ad632bee6aca685be7d461c08e24c046"
-			CONFIGURE_COMMAND ""
-			BUILD_COMMAND ""
-			INSTALL_COMMAND "")
+	ExternalProject_Add(
+		uthash
+		PREFIX "${PROJECT_BINARY_DIR}/uthash-prefix"
+		URL "https://github.com/troydhanson/uthash/archive/refs/tags/v1.9.8.tar.gz"
+		URL_HASH "SHA256=d9d123ce81c5d127442876fc3b12fab3ad632bee6aca685be7d461c08e24c046"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
 endif()

 if(NOT TARGET uthash)
--- a/cmake/modules/valijson.cmake
+++ b/cmake/modules/valijson.cmake
@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 #
@ -28,13 +29,15 @@ else()

 	message(STATUS "Using bundled valijson in '${VALIJSON_SRC}'")

-	ExternalProject_Add(valijson
+	ExternalProject_Add(
+		valijson
 		PREFIX "${PROJECT_BINARY_DIR}/valijson-prefix"
 		URL "https://github.com/tristanpenman/valijson/archive/refs/tags/v1.0.2.tar.gz"
 		URL_HASH "SHA256=35d86e54fc727f1265226434dc996e33000a570f833537a25c8b702b0b824431"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ""
-		INSTALL_COMMAND "")	
+		INSTALL_COMMAND ""
+	)
 endif()

 if(NOT TARGET valijson)
--- a/cmake/modules/versions.cmake
+++ b/cmake/modules/versions.cmake
@ -2,51 +2,57 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 include(GetVersionFromGit)

 function(get_libs_version _var)
-    # `+driver` is given to ignore drivers tags when fetching the version of libs
-    get_version_from_git(ver "" "+driver")
+	# `+driver` is given to ignore drivers tags when fetching the version of libs
+	get_version_from_git(ver "" "+driver")

-    set(${_var}
-        "${ver}"
-        PARENT_SCOPE)
-    return()
+	set(${_var}
+		"${ver}"
+		PARENT_SCOPE
+	)
+	return()
 endfunction()

 function(get_drivers_version _var)
-    # `+driver` is given to only fetch drivers tags, thus excluding libs ones
-    get_version_from_git(ver "+driver" "")
+	# `+driver` is given to only fetch drivers tags, thus excluding libs ones
+	get_version_from_git(ver "+driver" "")

-    set(${_var}
-        "${ver}"
-        PARENT_SCOPE)
-    return()
+	set(${_var}
+		"${ver}"
+		PARENT_SCOPE
+	)
+	return()
 endfunction()

 function(get_shared_libs_versions _var _sovar)
-    string(REGEX MATCH "^[0-9]+\\.[0-9]+\\.[0-9]+" sl_ver ${FALCOSECURITY_LIBS_VERSION})
+	string(REGEX MATCH "^[0-9]+\\.[0-9]+\\.[0-9]+" sl_ver ${FALCOSECURITY_LIBS_VERSION})

-    if(NOT sl_ver)
-        set(sl_ver "0.0.0")
-    endif()
+	if(NOT sl_ver)
+		set(sl_ver "0.0.0")
+	endif()

-    set(${_var} ${sl_ver} PARENT_SCOPE)
-    string(REPLACE "." ";" sl_ver_list ${sl_ver})
-    list(GET sl_ver_list 0 so_ver)
-    set(${_sovar} ${so_ver} PARENT_SCOPE)
-    return()
+	set(${_var}
+		${sl_ver}
+		PARENT_SCOPE
+	)
+	string(REPLACE "." ";" sl_ver_list ${sl_ver})
+	list(GET sl_ver_list 0 so_ver)
+	set(${_sovar}
+		${so_ver}
+		PARENT_SCOPE
+	)
+	return()
 endfunction()
--- a/cmake/modules/zlib.cmake
+++ b/cmake/modules/zlib.cmake
@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 option(USE_BUNDLED_ZLIB "Enable building of the bundled zlib" ${USE_BUNDLED_DEPS})
@ -28,7 +29,9 @@ else()
 	set(ZLIB_SRC "${PROJECT_BINARY_DIR}/zlib-prefix/src/zlib")
 	set(ZLIB_INCLUDE "${ZLIB_SRC}")
 	set(ZLIB_HEADERS "")
-	list(APPEND ZLIB_HEADERS
+	list(
+		APPEND
+		ZLIB_HEADERS
 		"${ZLIB_INCLUDE}/crc32.h"
 		"${ZLIB_INCLUDE}/deflate.h"
 		"${ZLIB_INCLUDE}/gzguts.h"
@ -42,49 +45,80 @@ else()
 		"${ZLIB_INCLUDE}/zutil.h"
 	)
 	if(NOT TARGET zlib)
+		# Match both release and relwithdebinfo builds
+		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
+			set(ZLIB_CFLAGS "-O3")
+		else()
+			set(ZLIB_CFLAGS "-g")
+		endif()
+		if(ENABLE_PIC)
+			set(ZLIB_CFLAGS "${ZLIB_CFLAGS} -fPIC")
+		endif()
+
 		message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")
 		if(NOT WIN32)
 			if(BUILD_SHARED_LIBS)
 				set(ZLIB_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-				set(ZLIB_CONFIGURE_FLAGS )
+				set(ZLIB_CONFIGURE_FLAGS)
 			else()
 				set(ZLIB_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
 				set(ZLIB_CONFIGURE_FLAGS "--static")
 			endif()
 			set(ZLIB_LIB "${ZLIB_SRC}/libz${ZLIB_LIB_SUFFIX}")
-			ExternalProject_Add(zlib
+			ExternalProject_Add(
+				zlib
 				PREFIX "${PROJECT_BINARY_DIR}/zlib-prefix"
-				URL "https://github.com/madler/zlib/archive/v1.2.13.tar.gz"
-				URL_HASH "SHA256=1525952a0a567581792613a9723333d7f8cc20b87a81f920fb8bc7e3f2251428"
-				CONFIGURE_COMMAND ./configure --prefix=${ZLIB_SRC} ${ZLIB_CONFIGURE_FLAGS}
+				URL "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz"
+				URL_HASH "SHA256=9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23"
+				CONFIGURE_COMMAND CFLAGS=${ZLIB_CFLAGS} ./configure --prefix=${ZLIB_SRC}
+								  ${ZLIB_CONFIGURE_FLAGS}
 				BUILD_COMMAND make
 				BUILD_IN_SOURCE 1
 				BUILD_BYPRODUCTS ${ZLIB_LIB}
-				INSTALL_COMMAND "")
-			install(FILES "${ZLIB_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-					COMPONENT "libs-deps")
-			install(FILES ${ZLIB_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
-					COMPONENT "libs-deps")
+				INSTALL_COMMAND ""
+			)
+			install(
+				FILES "${ZLIB_LIB}"
+				DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+				COMPONENT "libs-deps"
+			)
+			install(
+				FILES ${ZLIB_HEADERS}
+				DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
+				COMPONENT "libs-deps"
+			)
 		else()
 			if(BUILD_SHARED_LIBS)
 				set(ZLIB_LIB_SUFFIX "${CMAKE_SHARED_LIBRARY_SUFFIX}")
+				set(ZLIB_LIB "${ZLIB_SRC}/lib/zlib$<$<CONFIG:Debug>:d>${ZLIB_LIB_SUFFIX}")
 			else()
 				set(ZLIB_LIB_SUFFIX "${CMAKE_STATIC_LIBRARY_SUFFIX}")
+				set(ZLIB_LIB "${ZLIB_SRC}/lib/zlibstatic$<$<CONFIG:Debug>:d>${ZLIB_LIB_SUFFIX}")
 			endif()
-			set(ZLIB_LIB "${ZLIB_SRC}/zlib${ZLIB_LIB_SUFFIX}")
-			ExternalProject_Add(zlib
+			ExternalProject_Add(
+				zlib
 				PREFIX "${PROJECT_BINARY_DIR}/zlib-prefix"
-				URL "https://github.com/madler/zlib/archive/v1.2.13.tar.gz"
-				URL_HASH "SHA256=1525952a0a567581792613a9723333d7f8cc20b87a81f920fb8bc7e3f2251428"
-				CONFIGURE_COMMAND ""
-				BUILD_COMMAND nmake -f win32/Makefile.msc LOC=-DZLIB_WINAPI
+				URL "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz"
+				URL_HASH "SHA256=9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23"
 				BUILD_IN_SOURCE 1
 				BUILD_BYPRODUCTS ${ZLIB_LIB}
-				INSTALL_COMMAND "")
-			install(FILES "${ZLIB_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-					COMPONENT "libs-deps")
-			install(FILES ${ZLIB_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
-					COMPONENT "libs-deps")
+				CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+						   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+						   -DCMAKE_INSTALL_PREFIX=${ZLIB_SRC}
+			)
+			install(
+				FILES "${ZLIB_LIB}"
+				DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+				COMPONENT "libs-deps"
+			)
+			install(
+				FILES ${ZLIB_HEADERS}
+				DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
+				COMPONENT "libs-deps"
+			)
 		endif()
 	endif()
 endif()
--- a/codecov.yml
+++ b/codecov.yml
@ -0,0 +1,16 @@
+coverage:
+  status:
+    project:
+      default: off
+      libsinsp:
+        flags:
+          - libsinsp
+
+flags:
+  libsinsp:
+    paths:
+      - userspace/libsinsp/
+
+parsers:
+  cobertura:
+    partials_as_hits: true
--- a/coding_conventions.md
+++ b/coding_conventions.md
@ -1,278 +0,0 @@
-0 Introduction
------
-
-This repository strives for a consistent high quality code base and uses the conventions
-below.  If you are going to commit code that doesn't follow them, then you put the
-work on us. :-(
-
-If you use vim or emacs, you can put a custom configuration file in the base
-directory in order to follow the conventions.
-
-Also, note that the conventions in this file apply **strictly to the userspace** part
-of this repository. For the kernel code, you should refer to
-https://www.kernel.org/doc/html/latest/process/coding-style.html
-and always run `checkpatch.pl` from the kernel tree before submitting pull requests.
-
-Thanks for your attention and time.
-
-1 Curly Braces
------
-
-Every curly brace ("{" and "}") should go on its own line.
-
-Example:
-
-    if(a == 0)
-    {
-      b = 1;
-    }
-
-2 If and for statements
------
-
-Every `if` and `for` statement should have the curly braces.
-
-Example:
-
-    if(a == 0)
-    {
-      b = 1;
-    }
-
-and not
-
-    if(a == 0)
-      b = 1;
-
-3 Whitespace usage
------
-
-Spaces are used in the following way:
-
-    int32_t foo(int32_t a, int32_t b)
-    {
-      for(j = 0; j < 10; j++)
-      {
-        foo(a, b);
-      }
-    }
-
-Note that:
-
- * in a function declaration, there is no space between the function name and the "(".
- * in a function declaration, there is no space between the "(" and the first parameter.
- * in a statement (e.g `for`, `while`...), there is no space between the "for" and the "(".
- * in a statement (e.g `for`), there is no space between the "(" and the variable name.
- * in a function call, there is no space between the function name and the "(".
- * in a function call, there is no space between the "(" and the first parameter.
- * "," and ";" work like in English: there should be a space after them.
-
-4 Primitive types
------
-
-For portability reasons, please use the standard C99 types instead of the native C types
-like `int` and `long`. C99 types types will be available in all the user level
-source files:
-
-Example:
-
-    int32_t foo;
-
-5 Commenting Style
------
-
-Comments should be in the C++ style so we can use `/* */` to quickly remove
-portions of code during development.
-
-Example:
-
-    // this is a comment
-
-6 Commenting Content
------
-
-Code comments work in the following 2-level way:
-
- * A three-line comment should document what the code does and give higher level explanations.
- * A one line comment should detail single code lines or explain specific actions.
-
-Example:
-
-    //
-    // Swap two variables
-    //
-    int a = 1, b = 2, t;
-
-    // make a copy of a
-    t = a;
-
-    // perform the swap
-    a = b;
-    b = t;
-
-7 Class variables
------
-
-In order to know whether a variable belongs to a `class` or a `function` we start member variables with "`m_`".
-
-Example:
-
-    public int32_t m_counter;
-
-8 Global variables
------
-
-Similarly, in order to know whether the variable is global or not, we start
-globals with "`g_`".
-
-Example:
-
-    int g_nplugins;
-
-9 Capitalization
------
-
-The naming convention is camel-cased "Unix" style, i.e. always lower case. Words are separated by underscores.
-
-Example:
-
-    int32_t g_global_bean_counter;
-
-    int32_t count_beans();
-
-and not,
-
-    int32_t GlobalBeanCounter;
-
-10 Packed Structures
-------
-Packed structures should use the GCC and MSVC-style supported `pragma`:
-
-    #pragma pack(push,1)
-    struct frame_control
-    {
-        struct fields....
-    };
-    #pragma pack(pop)
-
-11 OS-specific macros
-------
-
-There's an online wiki which enumerates the different macros for compilers, operating systems, and architectures.
-It's available at [http://sourceforge.net/p/predef/wiki/Home/](http://sourceforge.net/p/predef/wiki/Home/). Generally speaking we use the operating system page: [http://sourceforge.net/p/predef/wiki/OperatingSystems/](http://sourceforge.net/p/predef/wiki/OperatingSystems/).
-
-12 64-bit constants
-------
-
-Put an "LL" at the end of your 64 bit constants. Without the LL, on some platforms the compiler tries to interpret the constant on the right hand side
-as a long integer instead of a long long and in some platform this generate an error at building time.
-
-Example:
-
-    x=0X00FF00000000000LL
-
-13 Class Declaration
-------
-
-Class declarations follow the following sequence
-
-  1. constructors and destructor
-  2. public functions
-  3. public data
-  4. private functions
-  5. private data
-  6. friend declarations
-
-Example:
-
-    class foo
-    {
-    public:
-      foo();
-      ~foo();
-
-      int32_t lonli();
-      int32_t m_val;
-
-    private:
-      int32_t temustra();
-      int32_t m_val2;
-    };
-
-14 Struct guidelines
-------
-
-We think hiding the presence of a pointer makes the code unnecessarily
-ambiguous and more difficult.
-
-Seeing a * in a variable declaration immediately identifies a pointer, which
-is easier to mentally keep track of!
-
-Also we think that defining the struct as a typedef makes forward declarations
-clunky and find using the C++ style when declaring our structs makes our
-lives easier.
-
-    //
-    // Us human parsers find this confusing.
-    //
-    typedef struct _my_struct
-    {
-      u_int16	m_field;
-    } my_struct,
-    *p_my_struct;
-
-    //
-    // This is easier!
-    //
-    struct my_struct {
-      u_int16	m_field;
-    };
-
-
-15 Temporary variables
-------
-
-Since "j" is used less frequently in english prose than "a" or "i", we find
-that these variables (in hierarchical order) are great for counters: j, k, l,
-m, n.
-
-Example:
-
-    int32_t j,k;
-    for(j = 0; j < 10; j++)
-    {
-      for(k = 0; k < 10; k++)
-      {
-        int32_t foo = j + k;
-      }
-    }
-
-as opposed to:
-
-    int32_t i,counter;
-    for(i = 0; i < 10; i++)
-    {
-      for(counter = 0; counter < 10; counter++)
-      {
-        int32_t foo = i + counter;
-      }
-    }
-
-16 Error management
-------
-
-Error management inside libscap is done through return values, since the scap
-library is written in C.
-Error management in the rest of the user level code base is done through
-exceptions. We know there's a lot of debate between return values and
-exceptions. We decided to pick the latter, so please stick with that.
-
-## You Made It!
-
-Phew! That's it. Thanks!
-
-If we've left anything in the open, feel free to contact us and we'll be happy
-to get back to you.  Also, you can look at the existing code and see how it's
-done.
-
-Have a good one!
--- a/docs/index.md
+++ b/docs/index.md
@ -11,3 +11,7 @@ Navigate to the Home of Falco Drivers Kernel Testing on the left, or click this
 ## Supported Syscalls Report

 Navigate to the Home of Falco Drivers Syscalls Report on the left, or click this [link](syscalls.md), or directly proceed to the supported syscalls [report](report.md).
+
+## Perf Continuous Monitoring
+
+Navigate to the Home of Falco Perf Monitoring on the left, or click this [link](perf.md).
--- a/docs/perf.md
+++ b/docs/perf.md
@ -0,0 +1,11 @@
+# Home of Falco Perf Monitoring
+
+Our CI is capable of continuously benchmarking performance of our userspace code, both CPU and memory.   
+Every PR will have a comment with the perf diff from master for multiple aspects, while on master the flamegraph are pushed to this github pages.
+
+Navigate to the perf reports on the left, or click these links:
+
+* [unit tests cpu perf](perf_unit_tests.md)
+* [scap file reading cpu perf](perf_scap_file.md)
+* [unit tests memory profile](heaptrack_unit_tests.md)
+* [scap file reading memory profile](heaptrack_scap_file.md)
--- a/docs/report.md
+++ b/docs/report.md
@ -1,411 +1,418 @@
-|         SYSCALL         | SUPPORTED |             ARCHITECTURE             |
-|-------------------------|-----------|--------------------------------------|
-| _llseek                 | 🟢        | ppc64le                              |
-| _newselect              | 🟡        | ppc64le                              |
-| accept                  | 🟢        | aarch64,ppc64le,riscv64,x86_64       |
-| accept4                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| access                  | 🟢        | ppc64le,s390x,x86_64                 |
-| acct                    | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| add_key                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| adjtimex                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| alarm                   | 🟡        | ppc64le,s390x,x86_64                 |
-| arch_prctl              | 🟡        | x86_64                               |
-| bind                    | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| bpf                     | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| brk                     | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| cachestat               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| capget                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| capset                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| chdir                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| chmod                   | 🟢        | ppc64le,s390x,x86_64                 |
-| chown                   | 🟢        | ppc64le,s390x,x86_64                 |
-| chroot                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| clock_adjtime           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| clock_getres            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| clock_gettime           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| clock_nanosleep         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| clock_settime           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| clone                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| clone3                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| close                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| close_range             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| connect                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| copy_file_range         | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| creat                   | 🟢        | ppc64le,s390x,x86_64                 |
-| delete_module           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| dup                     | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| dup2                    | 🟢        | ppc64le,s390x,x86_64                 |
-| dup3                    | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| epoll_create            | 🟢        | ppc64le,s390x,x86_64                 |
-| epoll_create1           | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| epoll_ctl               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| epoll_ctl_old           | 🟡        | x86_64                               |
-| epoll_pwait             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| epoll_pwait2            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| epoll_wait              | 🟢        | ppc64le,s390x,x86_64                 |
-| epoll_wait_old          | 🟡        | x86_64                               |
-| eventfd                 | 🟢        | ppc64le,s390x,x86_64                 |
-| eventfd2                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| execve                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| execveat                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| exit                    | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| exit_group              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| faccessat               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| faccessat2              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fadvise64               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fallocate               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fanotify_init           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fanotify_mark           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fchdir                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fchmod                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fchmodat                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fchmodat2               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fchown                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fchownat                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fcntl                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fdatasync               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fgetxattr               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| finit_module            | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| flistxattr              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| flock                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fork                    | 🟢        | ppc64le,s390x,x86_64                 |
-| fremovexattr            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fsconfig                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fsetxattr               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fsmount                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fsopen                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fspick                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fstat                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fstatfs                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| fstatfs64               | 🟡        | ppc64le,s390x                        |
-| fsync                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| ftruncate               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| futex                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| futex_requeue           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| futex_wait              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| futex_waitv             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| futex_wake              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| futimesat               | 🟡        | ppc64le,s390x,x86_64                 |
-| get_mempolicy           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| get_robust_list         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| get_thread_area         | 🟡        | x86_64                               |
-| getcpu                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getcwd                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getdents                | 🟢        | ppc64le,s390x,x86_64                 |
-| getdents64              | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getegid                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| geteuid                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getgid                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getgroups               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getitimer               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getpeername             | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getpgid                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getpgrp                 | 🟡        | ppc64le,s390x,x86_64                 |
-| getpid                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getppid                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getpriority             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getrandom               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getresgid               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getresuid               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getrlimit               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getrusage               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getsid                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getsockname             | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getsockopt              | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| gettid                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| gettimeofday            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getuid                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| getxattr                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| init_module             | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| inotify_add_watch       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| inotify_init            | 🟢        | ppc64le,s390x,x86_64                 |
-| inotify_init1           | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| inotify_rm_watch        | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| io_cancel               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| io_destroy              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| io_getevents            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| io_pgetevents           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| io_setup                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| io_submit               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| io_uring_enter          | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| io_uring_register       | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| io_uring_setup          | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| ioctl                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| ioperm                  | 🟡        | ppc64le,x86_64                       |
-| iopl                    | 🟡        | ppc64le,x86_64                       |
-| ioprio_get              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| ioprio_set              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| ipc                     | 🟡        | ppc64le,s390x                        |
-| kcmp                    | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| kexec_file_load         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| kexec_load              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| keyctl                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| kill                    | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| landlock_add_rule       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| landlock_create_ruleset | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| landlock_restrict_self  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| lchown                  | 🟢        | ppc64le,s390x,x86_64                 |
-| lgetxattr               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| link                    | 🟢        | ppc64le,s390x,x86_64                 |
-| linkat                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| listen                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| listmount               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| listxattr               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| llistxattr              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| lookup_dcookie          | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| lremovexattr            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| lseek                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| lsetxattr               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| lsm_get_self_attr       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| lsm_list_modules        | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| lsm_set_self_attr       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| lstat                   | 🟢        | ppc64le,s390x,x86_64                 |
-| madvise                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| map_shadow_stack        | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mbind                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| membarrier              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| memfd_create            | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| memfd_secret            | 🟡        | aarch64,riscv64,s390x,x86_64         |
-| migrate_pages           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mincore                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mkdir                   | 🟢        | ppc64le,s390x,x86_64                 |
-| mkdirat                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mknod                   | 🟢        | ppc64le,s390x,x86_64                 |
-| mknodat                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mlock                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mlock2                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mlockall                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mmap                    | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| modify_ldt              | 🟡        | ppc64le,x86_64                       |
-| mount                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mount_setattr           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| move_mount              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| move_pages              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mprotect                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mq_getsetattr           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mq_notify               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mq_open                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mq_timedreceive         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mq_timedsend            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mq_unlink               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| mremap                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| msgctl                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| msgget                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| msgrcv                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| msgsnd                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| msync                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| multiplexer             | 🟡        | ppc64le                              |
-| munlock                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| munlockall              | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| munmap                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| name_to_handle_at       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| nanosleep               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| newfstatat              | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| nice                    | 🟡        | ppc64le,s390x                        |
-| oldfstat                | 🟡        | ppc64le                              |
-| oldlstat                | 🟡        | ppc64le                              |
-| oldolduname             | 🟡        | ppc64le                              |
-| oldstat                 | 🟡        | ppc64le                              |
-| olduname                | 🟡        | ppc64le                              |
-| open                    | 🟢        | ppc64le,s390x,x86_64                 |
-| open_by_handle_at       | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| open_tree               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| openat                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| openat2                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pause                   | 🟡        | ppc64le,s390x,x86_64                 |
-| pciconfig_iobase        | 🟡        | ppc64le                              |
-| pciconfig_read          | 🟡        | ppc64le                              |
-| pciconfig_write         | 🟡        | ppc64le                              |
-| perf_event_open         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| personality             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pidfd_getfd             | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pidfd_open              | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pidfd_send_signal       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pipe                    | 🟢        | ppc64le,s390x,x86_64                 |
-| pipe2                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pivot_root              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pkey_alloc              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pkey_free               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pkey_mprotect           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| poll                    | 🟢        | ppc64le,s390x,x86_64                 |
-| ppoll                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| prctl                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pread64                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| preadv                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| preadv2                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| prlimit64               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| process_madvise         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| process_mrelease        | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| process_vm_readv        | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| process_vm_writev       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pselect6                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| ptrace                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pwrite64                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pwritev                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| pwritev2                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| quotactl                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| quotactl_fd             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| read                    | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| readahead               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| readdir                 | 🟡        | ppc64le,s390x                        |
-| readlink                | 🟡        | ppc64le,s390x,x86_64                 |
-| readlinkat              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| readv                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| reboot                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| recv                    | 🟢        | ppc64le                              |
-| recvfrom                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| recvmmsg                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| recvmsg                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| remap_file_pages        | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| removexattr             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rename                  | 🟢        | ppc64le,s390x,x86_64                 |
-| renameat                | 🟢        | aarch64,ppc64le,s390x,x86_64         |
-| renameat2               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| request_key             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| restart_syscall         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| riscv_flush_icache      | 🟡        | riscv64                              |
-| riscv_hwprobe           | 🟡        | riscv64                              |
-| rmdir                   | 🟢        | ppc64le,s390x,x86_64                 |
-| rseq                    | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rt_sigaction            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rt_sigpending           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rt_sigprocmask          | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rt_sigqueueinfo         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rt_sigreturn            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rt_sigsuspend           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rt_sigtimedwait         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rt_tgsigqueueinfo       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| rtas                    | 🟡        | ppc64le                              |
-| s390_guarded_storage    | 🟡        | s390x                                |
-| s390_pci_mmio_read      | 🟡        | s390x                                |
-| s390_pci_mmio_write     | 🟡        | s390x                                |
-| s390_runtime_instr      | 🟡        | s390x                                |
-| s390_sthyi              | 🟡        | s390x                                |
-| sched_get_priority_max  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_get_priority_min  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_getaffinity       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_getattr           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_getparam          | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_getscheduler      | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_rr_get_interval   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_setaffinity       | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_setattr           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_setparam          | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_setscheduler      | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sched_yield             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| seccomp                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| select                  | 🟢        | ppc64le,s390x,x86_64                 |
-| semctl                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| semget                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| semop                   | 🟢        | aarch64,riscv64,x86_64               |
-| semtimedop              | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| send                    | 🟢        | ppc64le                              |
-| sendfile                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sendmmsg                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sendmsg                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sendto                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| set_mempolicy           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| set_mempolicy_home_node | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| set_robust_list         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| set_thread_area         | 🟡        | x86_64                               |
-| set_tid_address         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setdomainname           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setfsgid                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setfsuid                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setgid                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setgroups               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sethostname             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setitimer               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setns                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setpgid                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setpriority             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setregid                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setresgid               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setresuid               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setreuid                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setrlimit               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setsid                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setsockopt              | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| settimeofday            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setuid                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| setxattr                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sgetmask                | 🟡        | ppc64le                              |
-| shmat                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| shmctl                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| shmdt                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| shmget                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| shutdown                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sigaction               | 🟡        | ppc64le,s390x                        |
-| sigaltstack             | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| signal                  | 🟡        | ppc64le,s390x                        |
-| signalfd                | 🟢        | ppc64le,s390x,x86_64                 |
-| signalfd4               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sigpending              | 🟡        | ppc64le,s390x                        |
-| sigprocmask             | 🟡        | ppc64le,s390x                        |
-| sigreturn               | 🟡        | ppc64le,s390x                        |
-| sigsuspend              | 🟡        | ppc64le,s390x                        |
-| socket                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| socketcall              | 🟡        | ppc64le,s390x                        |
-| socketpair              | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| splice                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| spu_create              | 🟡        | ppc64le                              |
-| spu_run                 | 🟡        | ppc64le                              |
-| ssetmask                | 🟡        | ppc64le                              |
-| stat                    | 🟢        | ppc64le,s390x,x86_64                 |
-| statfs                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| statfs64                | 🟡        | ppc64le,s390x                        |
-| statmount               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| statx                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| stime                   | 🟡        | ppc64le                              |
-| subpage_prot            | 🟡        | ppc64le                              |
-| swapcontext             | 🟡        | ppc64le                              |
-| swapoff                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| swapon                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| switch_endian           | 🟡        | ppc64le                              |
-| symlink                 | 🟢        | ppc64le,s390x,x86_64                 |
-| symlinkat               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sync                    | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sync_file_range         | 🟡        | aarch64,riscv64,s390x,x86_64         |
-| sync_file_range2        | 🟡        | ppc64le                              |
-| syncfs                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| sys_debug_setcontext    | 🟡        | ppc64le                              |
-| sysfs                   | 🟡        | ppc64le,s390x,x86_64                 |
-| sysinfo                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| syslog                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| tee                     | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| tgkill                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| time                    | 🟡        | ppc64le,x86_64                       |
-| timer_create            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| timer_delete            | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| timer_getoverrun        | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| timer_gettime           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| timer_settime           | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| timerfd                 | 🟡        | s390x                                |
-| timerfd_create          | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| timerfd_gettime         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| timerfd_settime         | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| times                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| tkill                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| truncate                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| ugetrlimit              | 🟢        | ppc64le                              |
-| umask                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| umount                  | 🟢        | ppc64le,s390x                        |
-| umount2                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| uname                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| unlink                  | 🟢        | ppc64le,s390x,x86_64                 |
-| unlinkat                | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| unshare                 | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| userfaultfd             | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| ustat                   | 🟡        | ppc64le,s390x,x86_64                 |
-| utime                   | 🟡        | ppc64le,s390x,x86_64                 |
-| utimensat               | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| utimes                  | 🟡        | ppc64le,s390x,x86_64                 |
-| vfork                   | 🟢        | ppc64le,s390x,x86_64                 |
-| vhangup                 | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| vm86                    | 🟡        | ppc64le                              |
-| vmsplice                | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| wait4                   | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| waitid                  | 🟡        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| waitpid                 | 🟡        | ppc64le                              |
-| write                   | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
-| writev                  | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64 |
+|         SYSCALL         | SUPPORTED |                   ARCHITECTURE                   |
+|-------------------------|-----------|--------------------------------------------------|
+| _llseek                 | 🟢        | ppc64le                                          |
+| _newselect              | 🟡        | ppc64le                                          |
+| accept                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,x86_64       |
+| accept4                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| access                  | 🟢        | ppc64le,s390x,x86_64                             |
+| acct                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| add_key                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| adjtimex                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| alarm                   | 🟡        | ppc64le,s390x,x86_64                             |
+| arch_prctl              | 🟡        | x86_64                                           |
+| bind                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| bpf                     | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| brk                     | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| cachestat               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| capget                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| capset                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| chdir                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| chmod                   | 🟢        | ppc64le,s390x,x86_64                             |
+| chown                   | 🟢        | ppc64le,s390x,x86_64                             |
+| chroot                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_adjtime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_getres            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_gettime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_nanosleep         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clock_settime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clone                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| clone3                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| close                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| close_range             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| connect                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| copy_file_range         | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| creat                   | 🟢        | ppc64le,s390x,x86_64                             |
+| delete_module           | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| dup                     | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| dup2                    | 🟢        | ppc64le,s390x,x86_64                             |
+| dup3                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_create            | 🟢        | ppc64le,s390x,x86_64                             |
+| epoll_create1           | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_ctl               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_ctl_old           | 🟡        | x86_64                                           |
+| epoll_pwait             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_pwait2            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| epoll_wait              | 🟢        | ppc64le,s390x,x86_64                             |
+| epoll_wait_old          | 🟡        | x86_64                                           |
+| eventfd                 | 🟢        | ppc64le,s390x,x86_64                             |
+| eventfd2                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| execve                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| execveat                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| exit                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| exit_group              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| faccessat               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| faccessat2              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fadvise64               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fallocate               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fanotify_init           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fanotify_mark           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchdir                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchmod                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchmodat                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchmodat2               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchown                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fchownat                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fcntl                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fdatasync               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fgetxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| finit_module            | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| flistxattr              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| flock                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fork                    | 🟢        | ppc64le,s390x,x86_64                             |
+| fremovexattr            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fsconfig                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fsetxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fsmount                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fsopen                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fspick                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fstat                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fstatfs                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| fstatfs64               | 🟡        | ppc64le,s390x                                    |
+| fsync                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ftruncate               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex_requeue           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex_wait              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex_waitv             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futex_wake              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| futimesat               | 🟡        | ppc64le,s390x,x86_64                             |
+| get_mempolicy           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| get_robust_list         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| get_thread_area         | 🟡        | x86_64                                           |
+| getcpu                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getcwd                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getdents                | 🟢        | ppc64le,s390x,x86_64                             |
+| getdents64              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getegid                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| geteuid                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getgid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getgroups               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getitimer               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getpeername             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getpgid                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getpgrp                 | 🟡        | ppc64le,s390x,x86_64                             |
+| getpid                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getppid                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getpriority             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getrandom               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getresgid               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getresuid               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getrlimit               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64             |
+| getrusage               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getsid                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getsockname             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getsockopt              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| gettid                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| gettimeofday            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getuid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getxattr                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getxattrat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| init_module             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| inotify_add_watch       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| inotify_init            | 🟢        | ppc64le,s390x,x86_64                             |
+| inotify_init1           | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| inotify_rm_watch        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_cancel               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_destroy              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_getevents            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_pgetevents           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_setup                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_submit               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_uring_enter          | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_uring_register       | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| io_uring_setup          | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ioctl                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ioperm                  | 🟡        | ppc64le,x86_64                                   |
+| iopl                    | 🟡        | ppc64le,x86_64                                   |
+| ioprio_get              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ioprio_set              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ipc                     | 🟡        | ppc64le,s390x                                    |
+| kcmp                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| kexec_file_load         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| kexec_load              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| keyctl                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| kill                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| landlock_add_rule       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| landlock_create_ruleset | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| landlock_restrict_self  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lchown                  | 🟢        | ppc64le,s390x,x86_64                             |
+| lgetxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| link                    | 🟢        | ppc64le,s390x,x86_64                             |
+| linkat                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| listen                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| listmount               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| listxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| listxattrat             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| llistxattr              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lookup_dcookie          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lremovexattr            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lseek                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lsetxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lsm_get_self_attr       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lsm_list_modules        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lsm_set_self_attr       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| lstat                   | 🟢        | ppc64le,s390x,x86_64                             |
+| madvise                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| map_shadow_stack        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mbind                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| membarrier              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| memfd_create            | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| memfd_secret            | 🟡        | aarch64,riscv64,s390x,x86_64                     |
+| migrate_pages           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mincore                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mkdir                   | 🟢        | ppc64le,s390x,x86_64                             |
+| mkdirat                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mknod                   | 🟢        | ppc64le,s390x,x86_64                             |
+| mknodat                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mlock                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mlock2                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mlockall                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mmap                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| modify_ldt              | 🟡        | ppc64le,x86_64                                   |
+| mount                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mount_setattr           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| move_mount              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| move_pages              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mprotect                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_getsetattr           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_notify               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_open                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_timedreceive         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_timedsend            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mq_unlink               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mremap                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| mseal                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msgctl                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msgget                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msgrcv                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msgsnd                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| msync                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| multiplexer             | 🟡        | ppc64le                                          |
+| munlock                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| munlockall              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| munmap                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| name_to_handle_at       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| nanosleep               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| newfstatat              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| nice                    | 🟡        | ppc64le,s390x                                    |
+| oldfstat                | 🟡        | ppc64le                                          |
+| oldlstat                | 🟡        | ppc64le                                          |
+| oldolduname             | 🟡        | ppc64le                                          |
+| oldstat                 | 🟡        | ppc64le                                          |
+| olduname                | 🟡        | ppc64le                                          |
+| open                    | 🟢        | ppc64le,s390x,x86_64                             |
+| open_by_handle_at       | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| open_tree               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| open_tree_attr          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| openat                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| openat2                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pause                   | 🟡        | ppc64le,s390x,x86_64                             |
+| pciconfig_iobase        | 🟡        | ppc64le                                          |
+| pciconfig_read          | 🟡        | ppc64le                                          |
+| pciconfig_write         | 🟡        | ppc64le                                          |
+| perf_event_open         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| personality             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pidfd_getfd             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pidfd_open              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pidfd_send_signal       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pipe                    | 🟢        | ppc64le,s390x,x86_64                             |
+| pipe2                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pivot_root              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pkey_alloc              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pkey_free               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pkey_mprotect           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| poll                    | 🟢        | ppc64le,s390x,x86_64                             |
+| ppoll                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| prctl                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pread64                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| preadv                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| preadv2                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| prlimit64               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| process_madvise         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| process_mrelease        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| process_vm_readv        | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| process_vm_writev       | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pselect6                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ptrace                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pwrite64                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pwritev                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| pwritev2                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| quotactl                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| quotactl_fd             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| read                    | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| readahead               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| readdir                 | 🟡        | ppc64le,s390x                                    |
+| readlink                | 🟡        | ppc64le,s390x,x86_64                             |
+| readlinkat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| readv                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| reboot                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| recv                    | 🟢        | ppc64le                                          |
+| recvfrom                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| recvmmsg                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| recvmsg                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| remap_file_pages        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| removexattr             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| removexattrat           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rename                  | 🟢        | ppc64le,s390x,x86_64                             |
+| renameat                | 🟢        | aarch64,ppc64le,s390x,x86_64                     |
+| renameat2               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| request_key             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| restart_syscall         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| riscv_flush_icache      | 🟡        | riscv64                                          |
+| riscv_hwprobe           | 🟡        | riscv64                                          |
+| rmdir                   | 🟢        | ppc64le,s390x,x86_64                             |
+| rseq                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigaction            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigpending           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigprocmask          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigqueueinfo         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigreturn            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigsuspend           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_sigtimedwait         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rt_tgsigqueueinfo       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| rtas                    | 🟡        | ppc64le                                          |
+| s390_guarded_storage    | 🟡        | s390x                                            |
+| s390_pci_mmio_read      | 🟡        | s390x                                            |
+| s390_pci_mmio_write     | 🟡        | s390x                                            |
+| s390_runtime_instr      | 🟡        | s390x                                            |
+| s390_sthyi              | 🟡        | s390x                                            |
+| sched_get_priority_max  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_get_priority_min  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_getaffinity       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_getattr           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_getparam          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_getscheduler      | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_rr_get_interval   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_setaffinity       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_setattr           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_setparam          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_setscheduler      | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sched_yield             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| seccomp                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| select                  | 🟢        | ppc64le,s390x,x86_64                             |
+| semctl                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| semget                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| semop                   | 🟢        | aarch64,loongarch64,riscv64,x86_64               |
+| semtimedop              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| send                    | 🟢        | ppc64le                                          |
+| sendfile                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sendmmsg                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sendmsg                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sendto                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| set_mempolicy           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| set_mempolicy_home_node | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| set_robust_list         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| set_thread_area         | 🟡        | x86_64                                           |
+| set_tid_address         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setdomainname           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setfsgid                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setfsuid                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setgid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setgroups               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sethostname             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setitimer               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setns                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setpgid                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setpriority             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setregid                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setresgid               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setresuid               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setreuid                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setrlimit               | 🟢        | aarch64,ppc64le,riscv64,s390x,x86_64             |
+| setsid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setsockopt              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| settimeofday            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setuid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setxattr                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setxattrat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sgetmask                | 🟡        | ppc64le                                          |
+| shmat                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| shmctl                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| shmdt                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| shmget                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| shutdown                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sigaction               | 🟡        | ppc64le,s390x                                    |
+| sigaltstack             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| signal                  | 🟡        | ppc64le,s390x                                    |
+| signalfd                | 🟢        | ppc64le,s390x,x86_64                             |
+| signalfd4               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sigpending              | 🟡        | ppc64le,s390x                                    |
+| sigprocmask             | 🟡        | ppc64le,s390x                                    |
+| sigreturn               | 🟡        | ppc64le,s390x                                    |
+| sigsuspend              | 🟡        | ppc64le,s390x                                    |
+| socket                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| socketcall              | 🟡        | ppc64le,s390x                                    |
+| socketpair              | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| splice                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| spu_create              | 🟡        | ppc64le                                          |
+| spu_run                 | 🟡        | ppc64le                                          |
+| ssetmask                | 🟡        | ppc64le                                          |
+| stat                    | 🟢        | ppc64le,s390x,x86_64                             |
+| statfs                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| statfs64                | 🟡        | ppc64le,s390x                                    |
+| statmount               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| statx                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| stime                   | 🟡        | ppc64le                                          |
+| subpage_prot            | 🟡        | ppc64le                                          |
+| swapcontext             | 🟡        | ppc64le                                          |
+| swapoff                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| swapon                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| switch_endian           | 🟡        | ppc64le                                          |
+| symlink                 | 🟢        | ppc64le,s390x,x86_64                             |
+| symlinkat               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sync                    | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sync_file_range         | 🟡        | aarch64,loongarch64,riscv64,s390x,x86_64         |
+| sync_file_range2        | 🟡        | ppc64le                                          |
+| syncfs                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| sys_debug_setcontext    | 🟡        | ppc64le                                          |
+| sysfs                   | 🟡        | ppc64le,s390x,x86_64                             |
+| sysinfo                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| syslog                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| tee                     | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| tgkill                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| time                    | 🟡        | ppc64le,x86_64                                   |
+| timer_create            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timer_delete            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timer_getoverrun        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timer_gettime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timer_settime           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timerfd                 | 🟡        | s390x                                            |
+| timerfd_create          | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timerfd_gettime         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| timerfd_settime         | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| times                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| tkill                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| truncate                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ugetrlimit              | 🟢        | ppc64le                                          |
+| umask                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| umount                  | 🟢        | ppc64le,s390x                                    |
+| umount2                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| uname                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| unlink                  | 🟢        | ppc64le,s390x,x86_64                             |
+| unlinkat                | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| unshare                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| uretprobe               | 🟡        | x86_64                                           |
+| userfaultfd             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| ustat                   | 🟡        | ppc64le,s390x,x86_64                             |
+| utime                   | 🟡        | ppc64le,s390x,x86_64                             |
+| utimensat               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| utimes                  | 🟡        | ppc64le,s390x,x86_64                             |
+| vfork                   | 🟢        | ppc64le,s390x,x86_64                             |
+| vhangup                 | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| vm86                    | 🟡        | ppc64le                                          |
+| vmsplice                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| wait4                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| waitid                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| waitpid                 | 🟡        | ppc64le                                          |
+| write                   | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| writev                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
--- a/driver/API_VERSION
+++ b/driver/API_VERSION
@ -1 +1 @@
-8.0.3
+8.0.4
--- a/driver/CMakeLists.txt
+++ b/driver/CMakeLists.txt
@ -2,26 +2,31 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# This file is dual licensed under either the MIT or GPL 2. See
-# MIT.txt or GPL.txt for full copies of the license.
+# This file is dual licensed under either the MIT or GPL 2. See MIT.txt or GPL.txt for full copies
+# of the license.
 #

 cmake_minimum_required(VERSION 3.12)
 project(driver)

 set(TARGET_ARCH ${CMAKE_HOST_SYSTEM_PROCESSOR})
-if((NOT TARGET_ARCH STREQUAL "x86_64") AND
-   (NOT TARGET_ARCH STREQUAL "aarch64") AND
-   (NOT TARGET_ARCH STREQUAL "s390x") AND
-   (NOT TARGET_ARCH STREQUAL "riscv64") AND
-   (NOT TARGET_ARCH STREQUAL "ppc64le") AND
-   (NOT TARGET_ARCH STREQUAL "loongarch64"))
+if((NOT TARGET_ARCH STREQUAL "x86_64")
+   AND (NOT TARGET_ARCH STREQUAL "aarch64")
+   AND (NOT TARGET_ARCH STREQUAL "s390x")
+   AND (NOT TARGET_ARCH STREQUAL "riscv64")
+   AND (NOT TARGET_ARCH STREQUAL "ppc64le")
+   AND (NOT TARGET_ARCH STREQUAL "loongarch64")
+)
 	message(WARNING "Target architecture not officially supported by our drivers!")
 else()
 	# Load current kernel version
-	execute_process(COMMAND uname -r OUTPUT_VARIABLE UNAME_RESULT OUTPUT_STRIP_TRAILING_WHITESPACE)
+	execute_process(
+		COMMAND uname -r
+		OUTPUT_VARIABLE UNAME_RESULT
+		OUTPUT_STRIP_TRAILING_WHITESPACE
+	)
 	string(REGEX MATCH "[0-9]+.[0-9]+" LINUX_KERNEL_VERSION ${UNAME_RESULT})
-	message(STATUS  "Kernel version: ${UNAME_RESULT}")
+	message(STATUS "Kernel version: ${UNAME_RESULT}")

 	# Check minimum kernel version
 	set(kmod_min_kver_map_x86_64 2.6)
@ -31,8 +36,11 @@ else()
 	set(kmod_min_kver_map_ppc64le 2.6)
 	set(kmod_min_kver_map_loongarch64 5.10)

-	if (LINUX_KERNEL_VERSION VERSION_LESS ${kmod_min_kver_map_${TARGET_ARCH}})
-		message(WARNING "[KMOD] To run this driver you need a Linux kernel version >= ${kmod_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}")
+	if(LINUX_KERNEL_VERSION VERSION_LESS ${kmod_min_kver_map_${TARGET_ARCH}})
+		message(
+			WARNING
+				"[KMOD] To run this driver you need a Linux kernel version >= ${kmod_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}"
+		)
 	endif()
 endif()

@ -40,8 +48,9 @@ option(BUILD_DRIVER "Build the driver on Linux" ON)
 option(ENABLE_DKMS "Enable DKMS on Linux" ON)

 if(NOT DEFINED DRIVER_VERSION)
-	message(FATAL_ERROR
-		"No DRIVER_VERSION set.\nPlease either explicitly set it or build the root project 'falcosecurity/libs' from a git working directory."
+	message(
+		FATAL_ERROR
+			"No DRIVER_VERSION set.\nPlease either explicitly set it or build the root project 'falcosecurity/libs' from a git working directory."
 	)
 endif()

@ -64,36 +73,30 @@ if(NOT DEFINED DRIVER_DEVICE_NAME)
 	set(DRIVER_DEVICE_NAME "${DRIVER_NAME}")
 endif()

-# The driver build process is somewhat involved because we use the same
-# sources for building the driver locally and for shipping as a DKMS module.
+# The driver build process is somewhat involved because we use the same sources for building the
+# driver locally and for shipping as a DKMS module.
 #
-# We need a single directory with the following files inside:
-# - all the driver *.c/*.h sources
-# - Makefile generated from Makefile.in
-# - driver_config.h generated from driver_config.h.in
+# We need a single directory with the following files inside: - all the driver *.c/*.h sources -
+# Makefile generated from Makefile.in - driver_config.h generated from driver_config.h.in
 #
-# The Makefile _must_ be called just Makefile (and not e.g. Makefile.dkms)
-# because of the module build process, which looks like this:
-# 1. The user (or some script) runs make in our driver directory
-# 2. Our Makefile runs the Makefile from kernel sources/headers
-# 3. The kernel Makefile calls our original Makefile again, with options that
-# trigger the actual build. This step cannot know that our Makefile has
-# a different name.
+# The Makefile _must_ be called just Makefile (and not e.g. Makefile.dkms) because of the module
+# build process, which looks like this: 1. The user (or some script) runs make in our driver
+# directory 2. Our Makefile runs the Makefile from kernel sources/headers 3. The kernel Makefile
+# calls our original Makefile again, with options that trigger the actual build. This step cannot
+# know that our Makefile has a different name.
 #
 # (DKMS needs a Makefile called Makefile as well).
 #
-# The files need to be in a single directory because we cannot know where
-# the sources will be built (especially by DKMS) so we cannot put _any_ paths
-# in the Makefile.
+# The files need to be in a single directory because we cannot know where the sources will be built
+# (especially by DKMS) so we cannot put _any_ paths in the Makefile.
 #
-# The chosen directory must not be ${CMAKE_CURRENT_BINARY_DIR} because CMake
-# puts its own generated Makefile in there, so we (arbitrarily) choose
-# ${CMAKE_CURRENT_BINARY_DIR}/src. To maintain compatibility with older versions,
-# after the build we copy the compiled module one directory up,
+# The chosen directory must not be ${CMAKE_CURRENT_BINARY_DIR} because CMake puts its own generated
+# Makefile in there, so we (arbitrarily) choose ${CMAKE_CURRENT_BINARY_DIR}/src. To maintain
+# compatibility with older versions, after the build we copy the compiled module one directory up,
 # to ${CMAKE_CURRENT_BINARY_DIR}.
 include(compute_versions RESULT_VARIABLE RESULT)
 if(RESULT STREQUAL NOTFOUND)
-  message(FATAL_ERROR "problem with compute_versions.cmake in ${CMAKE_MODULE_PATH}")
+	message(FATAL_ERROR "problem with compute_versions.cmake in ${CMAKE_MODULE_PATH}")
 endif()
 compute_versions(API_VERSION SCHEMA_VERSION)

@ -108,23 +111,26 @@ file(GLOB configure_modules "${CMAKE_CURRENT_SOURCE_DIR}/configure/*")
 foreach(subdir ${configure_modules})
 	if(IS_DIRECTORY "${subdir}")
 		file(RELATIVE_PATH CONFIGURE_MODULE "${CMAKE_CURRENT_SOURCE_DIR}/configure" "${subdir}")
-		configure_file(configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY)
+		configure_file(
+			configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY
+		)
 		configure_file(configure/Makefile src/configure/${CONFIGURE_MODULE}/Makefile COPYONLY)
 		configure_file(configure/build.sh src/configure/${CONFIGURE_MODULE}/build.sh COPYONLY)
 		configure_file(configure/Makefile.inc.in src/configure/${CONFIGURE_MODULE}/Makefile.inc)
 		if(ENABLE_DKMS)
-			install(FILES
-				"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
-				"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
-				"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
-				"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
-				DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/configure/${CONFIGURE_MODULE}"
-				COMPONENT ${DRIVER_KMOD_COMPONENT_NAME})
+			install(
+				FILES "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
+					  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
+					  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
+					  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
+				DESTINATION
+					"src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/configure/${CONFIGURE_MODULE}"
+				COMPONENT ${DRIVER_KMOD_COMPONENT_NAME}
+			)
 		endif()
 	endif()
 endforeach()

-
 set(DRIVER_SOURCES
 	dynamic_params_table.c
 	event_table.c
@ -152,6 +158,11 @@ set(DRIVER_SOURCES
 	ppm_consumer.h
 	capture_macro.h
 	socketcall_to_syscall.h
+	syscall_compat_loongarch64.h
+	syscall_compat_ppc64le.h
+	syscall_compat_riscv64.h
+	syscall_compat_s390x.h
+	syscall_compat_x86_64.h
 	syscall_ia32_64_map.c
 )

@ -159,44 +170,51 @@ foreach(FILENAME IN LISTS DRIVER_SOURCES)
 	configure_file(${FILENAME} src/${FILENAME} COPYONLY)
 endforeach()

-# make can be self-referenced as $(MAKE) only from Makefiles but this
-# triggers syntax errors with other generators such as Ninja
+# make can be self-referenced as $(MAKE) only from Makefiles but this triggers syntax errors with
+# other generators such as Ninja
 if(${CMAKE_GENERATOR} STREQUAL "Unix Makefiles")
 	set(MAKE_COMMAND "$(MAKE)")
 else()
 	set(MAKE_COMMAND "make")
 endif()

-# This if/else is needed because you currently cannot manipulate dependencies
-# of built-in targets like "all" in CMake:
-# http://public.kitware.com/Bug/view.php?id=8438
+# This if/else is needed because you currently cannot manipulate dependencies of built-in targets
+# like "all" in CMake: http://public.kitware.com/Bug/view.php?id=8438
 if(BUILD_DRIVER)
-	add_custom_target(driver ALL
+	add_custom_target(
+		driver ALL
 		COMMAND ${MAKE_COMMAND}
-		COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko "${CMAKE_CURRENT_BINARY_DIR}"
+		COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko
+				"${CMAKE_CURRENT_BINARY_DIR}"
 		WORKING_DIRECTORY src
-		VERBATIM)
+		VERBATIM
+	)
 else()
-	add_custom_target(driver
+	add_custom_target(
+		driver
 		COMMAND ${MAKE_COMMAND}
-		COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko "${CMAKE_CURRENT_BINARY_DIR}"
+		COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko
+				"${CMAKE_CURRENT_BINARY_DIR}"
 		WORKING_DIRECTORY src
-		VERBATIM)
+		VERBATIM
+	)
 endif()

-add_custom_target(install_driver
+add_custom_target(
+	install_driver
 	COMMAND ${MAKE_COMMAND} install
 	DEPENDS driver
 	WORKING_DIRECTORY src
-	VERBATIM)
+	VERBATIM
+)

 if(ENABLE_DKMS)
-	install(FILES ${CMAKE_CURRENT_BINARY_DIR}/src/Makefile
-		${CMAKE_CURRENT_BINARY_DIR}/src/dkms.conf
-		${CMAKE_CURRENT_BINARY_DIR}/src/driver_config.h
-		${DRIVER_SOURCES}
+	install(
+		FILES ${CMAKE_CURRENT_BINARY_DIR}/src/Makefile ${CMAKE_CURRENT_BINARY_DIR}/src/dkms.conf
+			  ${CMAKE_CURRENT_BINARY_DIR}/src/driver_config.h ${DRIVER_SOURCES}
 		DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}"
-		COMPONENT ${DRIVER_KMOD_COMPONENT_NAME})
+		COMPONENT ${DRIVER_KMOD_COMPONENT_NAME}
+	)
 endif()

 add_subdirectory(bpf)
--- a/driver/Makefile.in
+++ b/driver/Makefile.in
@ -29,7 +29,7 @@ install: all

 else

-KERNELDIR 	?= $(CURDIR)
+KERNELDIR 	?= $(realpath $(objtree))
 #
 # Get the path of the module sources
 #
--- a/driver/SCHEMA_VERSION
+++ b/driver/SCHEMA_VERSION
@ -1 +1 @@
-2.20.0
+3.69.0
--- a/driver/bpf/CMakeLists.txt
+++ b/driver/bpf/CMakeLists.txt
@ -2,8 +2,8 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# This file is dual licensed under either the MIT or GPL 2. See
-# MIT.txt or GPL.txt for full copies of the license.
+# This file is dual licensed under either the MIT or GPL 2. See MIT.txt or GPL.txt for full copies
+# of the license.
 #

 configure_file(../driver_config.h.in ${CMAKE_CURRENT_SOURCE_DIR}/../driver_config.h)
@ -16,15 +16,20 @@ if(BUILD_BPF)
 	set(bpf_min_kver_map_aarch64 4.17)
 	set(bpf_min_kver_map_s390x 5.5)
 	set(bpf_min_kver_map_ppc64le 5.1)
-	if (LINUX_KERNEL_VERSION VERSION_LESS ${bpf_min_kver_map_${TARGET_ARCH}})
-		message(WARNING "[BPF] To run this driver you need a Linux kernel version >= ${bpf_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}")
+	if(LINUX_KERNEL_VERSION VERSION_LESS ${bpf_min_kver_map_${TARGET_ARCH}})
+		message(
+			WARNING
+				"[BPF] To run this driver you need a Linux kernel version >= ${bpf_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}"
+		)
 	endif()

-	add_custom_target(bpf ALL
-			COMMAND make
-			COMMAND "${CMAKE_COMMAND}" -E copy_if_different probe.o "${CMAKE_CURRENT_BINARY_DIR}"
-			WORKING_DIRECTORY src
-			VERBATIM)
+	add_custom_target(
+		bpf ALL
+		COMMAND make
+		COMMAND "${CMAKE_COMMAND}" -E copy_if_different probe.o "${CMAKE_CURRENT_BINARY_DIR}"
+		WORKING_DIRECTORY src
+		VERBATIM
+	)
 endif()

 set(BPF_SOURCES
@ -51,16 +56,16 @@ file(GLOB DRIVER_HEADERS ${CMAKE_CURRENT_SOURCE_DIR}/../*.h)
 list(APPEND BPF_SOURCES ${DRIVER_HEADERS})

 set(INSTALL_SET "")
-# Copy all needed sources under src folder in current binary dir
-# and add them to the set of installed files
+# Copy all needed sources under src folder in current binary dir and add them to the set of
+# installed files
 foreach(SOURCE IN LISTS BPF_SOURCES)
 	get_filename_component(FILENAME ${SOURCE} NAME)
 	configure_file(${SOURCE} src/${FILENAME} COPYONLY)
 	list(APPEND INSTALL_SET ${CMAKE_CURRENT_BINARY_DIR}/src/${FILENAME})
 endforeach()

-install(FILES
-	${INSTALL_SET}
+install(
+	FILES ${INSTALL_SET}
 	DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/bpf"
 	COMPONENT ${DRIVER_BPF_COMPONENT_NAME}
 )
@ -72,16 +77,20 @@ file(GLOB configure_modules "${CMAKE_CURRENT_SOURCE_DIR}/configure/*")
 foreach(subdir ${configure_modules})
 	if(IS_DIRECTORY "${subdir}")
 		file(RELATIVE_PATH CONFIGURE_MODULE "${CMAKE_CURRENT_SOURCE_DIR}/configure" "${subdir}")
-		configure_file(configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY)
+		configure_file(
+			configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY
+		)
 		configure_file(configure/Makefile src/configure/${CONFIGURE_MODULE}/Makefile COPYONLY)
 		configure_file(configure/build.sh src/configure/${CONFIGURE_MODULE}/build.sh COPYONLY)
 		configure_file(configure/Makefile.inc.in src/configure/${CONFIGURE_MODULE}/Makefile.inc)
-		install(FILES
-				"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
-				"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
-				"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
-				"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
-				DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/bpf/configure/${CONFIGURE_MODULE}"
-				COMPONENT ${DRIVER_BPF_COMPONENT_NAME})
+		install(
+			FILES "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
+				  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
+				  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
+				  "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
+			DESTINATION
+				"src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/bpf/configure/${CONFIGURE_MODULE}"
+			COMPONENT ${DRIVER_BPF_COMPONENT_NAME}
+		)
 	endif()
-endforeach()
+endforeach()
--- a/driver/bpf/Makefile
+++ b/driver/bpf/Makefile
@ -28,7 +28,7 @@ clean:

 else

-KERNELDIR 	?= $(CURDIR)
+KERNELDIR 	?= $(realpath $(objtree))
 #
 # Get the path of the module sources
 #
--- a/driver/bpf/bpf_helpers.h
+++ b/driver/bpf/bpf_helpers.h
@ -10,102 +10,99 @@ or GPL2.txt for full copies of the license.
 #ifndef __BPF_HELPERS_H
 #define __BPF_HELPERS_H

-static void *(*bpf_map_lookup_elem)(void *map, void *key) =
-	(void *)BPF_FUNC_map_lookup_elem;
-static int (*bpf_map_update_elem)(void *map, void *key, void *value,
-				  unsigned long long flags) =
-	(void *)BPF_FUNC_map_update_elem;
-static int (*bpf_map_delete_elem)(void *map, void *key) =
-	(void *)BPF_FUNC_map_delete_elem;
-static int (*bpf_probe_read)(void *dst, int size, void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read;
+static void *(*bpf_map_lookup_elem)(void *map, void *key) = (void *)BPF_FUNC_map_lookup_elem;
+static int (*bpf_map_update_elem)(void *map,
+                                  void *key,
+                                  void *value,
+                                  unsigned long long flags) = (void *)BPF_FUNC_map_update_elem;
+static int (*bpf_map_delete_elem)(void *map, void *key) = (void *)BPF_FUNC_map_delete_elem;
+static int (*bpf_probe_read)(void *dst, int size, void *unsafe_ptr) = (void *)BPF_FUNC_probe_read;

-/* Introduced in linux 5.8, see https://github.com/torvalds/linux/commit/71d19214776e61b33da48f7c1b46e522c7f78221 */
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,8,0)
-static unsigned long long (*bpf_ktime_get_boot_ns)(void) =
-	(void *)BPF_FUNC_ktime_get_boot_ns;
+/* Introduced in linux 5.8, see
+ * https://github.com/torvalds/linux/commit/71d19214776e61b33da48f7c1b46e522c7f78221 */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
+static unsigned long long (*bpf_ktime_get_boot_ns)(void) = (void *)BPF_FUNC_ktime_get_boot_ns;
 #else
 /* fallback at using old, non suspend-time aware, helper */
-static unsigned long long (*bpf_ktime_get_boot_ns)(void) =
-	(void *)BPF_FUNC_ktime_get_ns;
+static unsigned long long (*bpf_ktime_get_boot_ns)(void) = (void *)BPF_FUNC_ktime_get_ns;
 #endif

-static int (*bpf_trace_printk)(const char *fmt, int fmt_size, ...) =
-	(void *)BPF_FUNC_trace_printk;
-static void (*bpf_tail_call)(void *ctx, void *map, int index) =
-	(void *)BPF_FUNC_tail_call;
-static unsigned long long (*bpf_get_smp_processor_id)(void) =
-	(void *)BPF_FUNC_get_smp_processor_id;
-static unsigned long long (*bpf_get_current_pid_tgid)(void) =
-	(void *)BPF_FUNC_get_current_pid_tgid;
-static unsigned long long (*bpf_get_current_uid_gid)(void) =
-	(void *)BPF_FUNC_get_current_uid_gid;
-static int (*bpf_get_current_comm)(void *buf, int buf_size) =
-	(void *)BPF_FUNC_get_current_comm;
-static int (*bpf_perf_event_read)(void *map, int index) =
-	(void *)BPF_FUNC_perf_event_read;
-static int (*bpf_clone_redirect)(void *ctx, int ifindex, int flags) =
-	(void *)BPF_FUNC_clone_redirect;
-static int (*bpf_redirect)(int ifindex, int flags) =
-	(void *)BPF_FUNC_redirect;
-static int (*bpf_perf_event_output)(void *ctx, void *map,
-				    unsigned long long flags, void *data,
-				    int size) =
-	(void *)BPF_FUNC_perf_event_output;
-static int (*bpf_get_stackid)(void *ctx, void *map, int flags) =
-	(void *)BPF_FUNC_get_stackid;
-static int (*bpf_probe_write_user)(void *dst, void *src, int size) =
-	(void *)BPF_FUNC_probe_write_user;
-static int (*bpf_current_task_under_cgroup)(void *map, int index) =
-	(void *)BPF_FUNC_current_task_under_cgroup;
-static int (*bpf_skb_get_tunnel_key)(void *ctx, void *key, int size, int flags) =
-	(void *)BPF_FUNC_skb_get_tunnel_key;
-static int (*bpf_skb_set_tunnel_key)(void *ctx, void *key, int size, int flags) =
-	(void *)BPF_FUNC_skb_set_tunnel_key;
-static int (*bpf_skb_get_tunnel_opt)(void *ctx, void *md, int size) =
-	(void *)BPF_FUNC_skb_get_tunnel_opt;
-static int (*bpf_skb_set_tunnel_opt)(void *ctx, void *md, int size) =
-	(void *)BPF_FUNC_skb_set_tunnel_opt;
-static unsigned long long (*bpf_get_prandom_u32)(void) =
-	(void *)BPF_FUNC_get_prandom_u32;
-static int (*bpf_xdp_adjust_head)(void *ctx, int offset) =
-	(void *)BPF_FUNC_xdp_adjust_head;
-static int (*bpf_probe_read_str)(void *dst, uint64_t size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_str;
+static int (*bpf_trace_printk)(const char *fmt, int fmt_size, ...) = (void *)BPF_FUNC_trace_printk;
+static void (*bpf_tail_call)(void *ctx, void *map, int index) = (void *)BPF_FUNC_tail_call;
+static unsigned long long (*bpf_get_smp_processor_id)(void) = (void *)BPF_FUNC_get_smp_processor_id;
+static unsigned long long (*bpf_get_current_pid_tgid)(void) = (void *)BPF_FUNC_get_current_pid_tgid;
+static unsigned long long (*bpf_get_current_uid_gid)(void) = (void *)BPF_FUNC_get_current_uid_gid;
+static int (*bpf_get_current_comm)(void *buf, int buf_size) = (void *)BPF_FUNC_get_current_comm;
+static int (*bpf_perf_event_read)(void *map, int index) = (void *)BPF_FUNC_perf_event_read;
+static int (*bpf_clone_redirect)(void *ctx,
+                                 int ifindex,
+                                 int flags) = (void *)BPF_FUNC_clone_redirect;
+static int (*bpf_redirect)(int ifindex, int flags) = (void *)BPF_FUNC_redirect;
+static int (*bpf_perf_event_output)(void *ctx,
+                                    void *map,
+                                    unsigned long long flags,
+                                    void *data,
+                                    int size) = (void *)BPF_FUNC_perf_event_output;
+static int (*bpf_get_stackid)(void *ctx, void *map, int flags) = (void *)BPF_FUNC_get_stackid;
+static int (*bpf_probe_write_user)(void *dst,
+                                   void *src,
+                                   int size) = (void *)BPF_FUNC_probe_write_user;
+static int (*bpf_current_task_under_cgroup)(void *map,
+                                            int index) = (void *)BPF_FUNC_current_task_under_cgroup;
+static int (*bpf_skb_get_tunnel_key)(void *ctx, void *key, int size, int flags) = (void *)
+        BPF_FUNC_skb_get_tunnel_key;
+static int (*bpf_skb_set_tunnel_key)(void *ctx, void *key, int size, int flags) = (void *)
+        BPF_FUNC_skb_set_tunnel_key;
+static int (*bpf_skb_get_tunnel_opt)(void *ctx,
+                                     void *md,
+                                     int size) = (void *)BPF_FUNC_skb_get_tunnel_opt;
+static int (*bpf_skb_set_tunnel_opt)(void *ctx,
+                                     void *md,
+                                     int size) = (void *)BPF_FUNC_skb_set_tunnel_opt;
+static unsigned long long (*bpf_get_prandom_u32)(void) = (void *)BPF_FUNC_get_prandom_u32;
+static int (*bpf_xdp_adjust_head)(void *ctx, int offset) = (void *)BPF_FUNC_xdp_adjust_head;
+static int (*bpf_probe_read_str)(void *dst,
+                                 uint64_t size,
+                                 const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_str;

 #if defined(USE_BPF_PROBE_KERNEL_USER_VARIANTS)
-static int (*bpf_probe_read_user)(void *dst, uint32_t size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_user;
-static int (*bpf_probe_read_kernel)(void *dst, uint32_t size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_kernel;
-static int (*bpf_probe_read_user_str)(void *dst, uint32_t size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_user_str;
-static int (*bpf_probe_read_kernel_str)(void *dst, uint32_t size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_kernel_str;
+static int (*bpf_probe_read_user)(void *dst,
+                                  uint32_t size,
+                                  const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_user;
+static int (*bpf_probe_read_kernel)(void *dst,
+                                    uint32_t size,
+                                    const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_kernel;
+static int (*bpf_probe_read_user_str)(void *dst, uint32_t size, const void *unsafe_ptr) = (void *)
+        BPF_FUNC_probe_read_user_str;
+static int (*bpf_probe_read_kernel_str)(void *dst, uint32_t size, const void *unsafe_ptr) = (void *)
+        BPF_FUNC_probe_read_kernel_str;
 #else
-static int (*bpf_probe_read_user)(void *dst, uint32_t size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read;
-static int (*bpf_probe_read_kernel)(void *dst, uint32_t size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read;
-static int (*bpf_probe_read_user_str)(void *dst, uint32_t size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_str;
-static int (*bpf_probe_read_kernel_str)(void *dst, uint32_t size, const void *unsafe_ptr) =
-	(void *)BPF_FUNC_probe_read_str;
+static int (*bpf_probe_read_user)(void *dst,
+                                  uint32_t size,
+                                  const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read;
+static int (*bpf_probe_read_kernel)(void *dst,
+                                    uint32_t size,
+                                    const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read;
+static int (*bpf_probe_read_user_str)(void *dst,
+                                      uint32_t size,
+                                      const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_str;
+static int (*bpf_probe_read_kernel_str)(void *dst,
+                                        uint32_t size,
+                                        const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_str;
 #endif

-static uint64_t (*bpf_get_current_task)(void) =
-	(void *)BPF_FUNC_get_current_task;
-static int (*bpf_skb_load_bytes)(void *ctx, int off, void *to, int len) =
-	(void *)BPF_FUNC_skb_load_bytes;
-static int (*bpf_skb_store_bytes)(void *ctx, int off, void *from, int len, int flags) =
-	(void *)BPF_FUNC_skb_store_bytes;
-static int (*bpf_l3_csum_replace)(void *ctx, int off, int from, int to, int flags) =
-	(void *)BPF_FUNC_l3_csum_replace;
-static int (*bpf_l4_csum_replace)(void *ctx, int off, int from, int to, int flags) =
-	(void *)BPF_FUNC_l4_csum_replace;
-static int (*bpf_skb_under_cgroup)(void *ctx, void *map, int index) =
-	(void *)BPF_FUNC_skb_under_cgroup;
-static int (*bpf_skb_change_head)(void *, int len, int flags) =
-	(void *)BPF_FUNC_skb_change_head;
+static uint64_t (*bpf_get_current_task)(void) = (void *)BPF_FUNC_get_current_task;
+static int (*bpf_skb_load_bytes)(void *ctx, int off, void *to, int len) = (void *)
+        BPF_FUNC_skb_load_bytes;
+static int (*bpf_skb_store_bytes)(void *ctx, int off, void *from, int len, int flags) = (void *)
+        BPF_FUNC_skb_store_bytes;
+static int (*bpf_l3_csum_replace)(void *ctx, int off, int from, int to, int flags) = (void *)
+        BPF_FUNC_l3_csum_replace;
+static int (*bpf_l4_csum_replace)(void *ctx, int off, int from, int to, int flags) = (void *)
+        BPF_FUNC_l4_csum_replace;
+static int (*bpf_skb_under_cgroup)(void *ctx,
+                                   void *map,
+                                   int index) = (void *)BPF_FUNC_skb_under_cgroup;
+static int (*bpf_skb_change_head)(void *, int len, int flags) = (void *)BPF_FUNC_skb_change_head;

 #endif
--- a/driver/bpf/builtins.h
+++ b/driver/bpf/builtins.h
@ -28,4 +28,4 @@ or GPL2.txt for full copies of the license.
 #endif
 #define memcpy __builtin_memcpy

-#endif // __BUILTINS_H
+#endif  // __BUILTINS_H
--- a/driver/bpf/configure/0__SANITY/test.c
+++ b/driver/bpf/configure/0__SANITY/test.c
@ -0,0 +1,23 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2024 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that the build system is sane.
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+BPF_PROBE("sanity/", sanity, sanity_args) {
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
+++ b/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2025 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that kernfs_node's field `parent` exists.
+ * See 6.15 kernel commit it is named __parent:
+ * https://github.com/torvalds/linux/commit/633488947ef66b194377411322dc9e12aab79b65
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+// struct kernfs_node declaration
+#include <linux/kernfs.h>
+
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
+	struct kernfs_node *parent;
+	struct kernfs_node node;
+
+	parent = node.parent;
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/Makefile.inc.in
+++ b/driver/bpf/configure/Makefile.inc.in
@ -7,7 +7,17 @@ ifeq ($(HAS_@CONFIGURE_MODULE@),0)
 $(info [configure-bpf] Setting HAS_@CONFIGURE_MODULE@ flag)
 KBUILD_CPPFLAGS += -DHAS_@CONFIGURE_MODULE@
 else
-HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
+HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
+HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
 $(info [configure-bpf] Build output for HAS_@CONFIGURE_MODULE@:)
 $(info [configure-bpf] $(HAS_@CONFIGURE_MODULE@_OUT))
 endif
+
+ifeq ('@CONFIGURE_MODULE@','0__SANITY')
+    ifeq ($(HAS_@CONFIGURE_MODULE@),0)
+        $(info [configure-bpf] Build system is sane)
+    else
+        $(info [configure-bpf] Build system is broken, please see above errors)
+        $(error The build system is broken, please see above errors)
+    endif
+endif
--- a/driver/bpf/configure/RSS_STAT_ARRAY/test.c
+++ b/driver/bpf/configure/RSS_STAT_ARRAY/test.c
@ -10,7 +10,8 @@ or GPL2.txt for full copies of the license.

 /*
 * Check that mm_struct's field `rss_stat` is an array.
- * See 6.2 kernel commit: https://github.com/torvalds/linux/commit/f1a7941243c102a44e8847e3b94ff4ff3ec56f25
+ * See 6.2 kernel commit:
+ * https://github.com/torvalds/linux/commit/f1a7941243c102a44e8847e3b94ff4ff3ec56f25
 */

 #include "../../quirks.h"
@ -20,8 +21,7 @@ or GPL2.txt for full copies of the license.
 // struct mm_struct declaration
 #include <linux/mm_types.h>

-BPF_PROBE("signal/", signal_deliver, signal_deliver_args)
-{
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
 	long val;
 	struct mm_struct *mm;
 	val = mm->rss_stat[0].count;
--- a/driver/bpf/configure/TASK_PIDS_FIELD/test.c
+++ b/driver/bpf/configure/TASK_PIDS_FIELD/test.c
@ -0,0 +1,29 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2024 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that the `pids` field is defined in the `task_struct` struct.
+ * Since kernel version 4.19.0 the `pids` field is moved in the `signal_struct` struct, but this
+ * change has been backported to older kernels.
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
+	struct task_struct *task = (struct task_struct *)0;
+	if(task->pids) {
+		return 1;
+	}
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/filler_helpers.h
+++ b/driver/bpf/filler_helpers.h
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
--- a/driver/bpf/maps.h
+++ b/driver/bpf/maps.h
@ -22,92 +22,92 @@ struct bpf_map_def {

 #ifdef __KERNEL__
 struct bpf_map_def __bpf_section("maps") perf_map = {
-	.type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(uint32_t),
-	.max_entries = 0,
+        .type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = sizeof(uint32_t),
+        .max_entries = 0,
 };

 struct bpf_map_def __bpf_section("maps") tail_map = {
-	.type = BPF_MAP_TYPE_PROG_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(uint32_t),
-	.max_entries = PPM_FILLER_MAX,
+        .type = BPF_MAP_TYPE_PROG_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = sizeof(uint32_t),
+        .max_entries = PPM_FILLER_MAX,
 };

 struct bpf_map_def __bpf_section("maps") syscall_table = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(struct syscall_evt_pair),
-	.max_entries = SYSCALL_TABLE_SIZE,
+        .type = BPF_MAP_TYPE_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = sizeof(struct syscall_evt_pair),
+        .max_entries = SYSCALL_TABLE_SIZE,
 };

 struct bpf_map_def __bpf_section("maps") event_info_table = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(struct ppm_event_info),
-	.max_entries = PPM_EVENT_MAX,
+        .type = BPF_MAP_TYPE_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = sizeof(struct ppm_event_info),
+        .max_entries = PPM_EVENT_MAX,
 };

 struct bpf_map_def __bpf_section("maps") fillers_table = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(struct ppm_event_entry),
-	.max_entries = PPM_EVENT_MAX,
+        .type = BPF_MAP_TYPE_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = sizeof(struct ppm_event_entry),
+        .max_entries = PPM_EVENT_MAX,
 };

 struct bpf_map_def __bpf_section("maps") frame_scratch_map = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = SCRATCH_SIZE,
-	.max_entries = 0,
+        .type = BPF_MAP_TYPE_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = SCRATCH_SIZE,
+        .max_entries = 0,
 };

 struct bpf_map_def __bpf_section("maps") tmp_scratch_map = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = SCRATCH_SIZE,
-	.max_entries = 0,
+        .type = BPF_MAP_TYPE_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = SCRATCH_SIZE,
+        .max_entries = 0,
 };

 struct bpf_map_def __bpf_section("maps") settings_map = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(struct scap_bpf_settings),
-	.max_entries = 1,
+        .type = BPF_MAP_TYPE_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = sizeof(struct scap_bpf_settings),
+        .max_entries = 1,
 };

 struct bpf_map_def __bpf_section("maps") local_state_map = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(struct scap_bpf_per_cpu_state),
-	.max_entries = 0,
+        .type = BPF_MAP_TYPE_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = sizeof(struct scap_bpf_per_cpu_state),
+        .max_entries = 0,
 };

 struct bpf_map_def __bpf_section("maps") interesting_syscalls_table = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(bool),
-	.max_entries = SYSCALL_TABLE_SIZE,
+        .type = BPF_MAP_TYPE_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = sizeof(bool),
+        .max_entries = SYSCALL_TABLE_SIZE,
 };

 // The key is the 32-bit syscall code while the value is 64-bit one
 struct bpf_map_def __bpf_section("maps") ia32_64_map = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(uint32_t),
-	.max_entries = SYSCALL_TABLE_SIZE,
+        .type = BPF_MAP_TYPE_ARRAY,
+        .key_size = sizeof(uint32_t),
+        .value_size = sizeof(uint32_t),
+        .max_entries = SYSCALL_TABLE_SIZE,
 };

 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
 struct bpf_map_def __bpf_section("maps") stash_map = {
-	.type = BPF_MAP_TYPE_HASH,
-	.key_size = sizeof(uint64_t),
-	.value_size = sizeof(struct sys_stash_args),
-	.max_entries = 65535,
+        .type = BPF_MAP_TYPE_HASH,
+        .key_size = sizeof(uint64_t),
+        .value_size = sizeof(struct sys_stash_args),
+        .max_entries = 65535,
 };
 #endif

-#endif // __KERNEL__
+#endif  // __KERNEL__

 #endif
--- a/driver/bpf/missing_definitions.h
+++ b/driver/bpf/missing_definitions.h
@ -10,45 +10,14 @@ or GPL2.txt for full copies of the license.
 #ifndef __BPF_MISSING_DEFINITIONS_H__
 #define __BPF_MISSING_DEFINITIONS_H__

-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 16, 0)
-struct ovl_entry {
-	union {
-		struct {
-			unsigned long has_upper;
-			bool opaque;
-		};
-		struct rcu_head rcu;
-	};
-	unsigned numlower;
-	struct path lowerstack[];
-};
-#else
-struct ovl_entry {
-	union {
-		struct {
-			unsigned long flags;
-		};
-		struct rcu_head rcu;
-	};
-	unsigned numlower;
-	//struct ovl_path lowerstack[];
-};
-
-enum ovl_entry_flag {
-	OVL_E_UPPER_ALIAS,
-	OVL_E_OPAQUE,
-	OVL_E_CONNECTED,
-};
-#endif
-
 #include <linux/mount.h>
 /* This require the inlclude `linux/mount.h` for `vfsmount` definition */
 struct mount {
-    struct hlist_node mnt_hash;
-    struct mount *mnt_parent;
-    struct dentry *mnt_mountpoint;
-    struct vfsmount mnt;
-    // ...
+	struct hlist_node mnt_hash;
+	struct mount *mnt_parent;
+	struct dentry *mnt_mountpoint;
+	struct vfsmount mnt;
+	// ...
 };

 #endif /*__BPF_MISSING_DEFINITIONS_H__*/
--- a/driver/bpf/plumbing_helpers.h
+++ b/driver/bpf/plumbing_helpers.h
@ -18,65 +18,63 @@ or GPL2.txt for full copies of the license.
 #include "builtins.h"
 #include "socketcall_to_syscall.h"

-#define _READ(P) ({ typeof(P) _val;					\
-		    bpf_probe_read_kernel(&_val, sizeof(_val), &P);	\
-		    _val;						\
-		 })
+#define _READ(P)                                        \
+	({                                                  \
+		typeof(P) _val;                                 \
+		bpf_probe_read_kernel(&_val, sizeof(_val), &P); \
+		_val;                                           \
+	})
 #define _READ_KERNEL(P) _READ(P)
-#define _READ_USER(P) ({ typeof(P) _val;				\
-			 bpf_probe_read_user(&_val, sizeof(_val), &P);	\
-			 _val;						\
-		 })
+#define _READ_USER(P)                                 \
+	({                                                \
+		typeof(P) _val;                               \
+		bpf_probe_read_user(&_val, sizeof(_val), &P); \
+		_val;                                         \
+	})

 #ifdef BPF_DEBUG
-#define bpf_printk(fmt, ...)					\
-	do {							\
-		char s[] = fmt;					\
-		bpf_trace_printk(s, sizeof(s), ##__VA_ARGS__);	\
-	} while (0)
+#define bpf_printk(fmt, ...)                           \
+	do {                                               \
+		char s[] = fmt;                                \
+		bpf_trace_printk(s, sizeof(s), ##__VA_ARGS__); \
+	} while(0)
 #else
 #define bpf_printk(fmt, ...)
 #endif

 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
-static __always_inline int __stash_args(unsigned long long id,
-					unsigned long *args)
-{
+static __always_inline int __stash_args(unsigned long long id, unsigned long *args) {
 	int ret = bpf_map_update_elem(&stash_map, &id, args, BPF_ANY);

-	if (ret)
+	if(ret)
 		bpf_printk("error stashing arguments for %d:%d\n", id, ret);

 	return ret;
 }

-static __always_inline int stash_args(unsigned long *args)
-{
+static __always_inline int stash_args(unsigned long *args) {
 	unsigned long long id = bpf_get_current_pid_tgid() & 0xffffffff;

 	return __stash_args(id, args);
 }

-static __always_inline unsigned long *__unstash_args(unsigned long long id)
-{
+static __always_inline unsigned long *__unstash_args(unsigned long long id) {
 	struct sys_stash_args *args;

 	args = bpf_map_lookup_elem(&stash_map, &id);
-	if (!args)
+	if(!args)
 		return NULL;

 	return args->args;
 }

-static __always_inline unsigned long *unstash_args(void)
-{
+static __always_inline unsigned long *unstash_args(void) {
 	unsigned long long id = bpf_get_current_pid_tgid() & 0xffffffff;

 	return __unstash_args(id);
 }

-static __always_inline void delete_args(void)
-{
+static __always_inline void delete_args(void) {
 	unsigned long long id = bpf_get_current_pid_tgid() & 0xffffffff;

 	bpf_map_delete_elem(&stash_map, &id);
@ -85,15 +83,13 @@ static __always_inline void delete_args(void)

 /* Can be called just from an exit event
 */
-static __always_inline long bpf_syscall_get_retval(void *ctx)
-{
+static __always_inline long bpf_syscall_get_retval(void *ctx) {
 	struct sys_exit_args *args = (struct sys_exit_args *)ctx;

 	return args->ret;
 }

-static __always_inline bool bpf_in_ia32_syscall()
-{
+static __always_inline bool bpf_in_ia32_syscall() {
 	struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 	uint32_t status = 0;

@ -160,8 +156,7 @@ static __always_inline bool bpf_in_ia32_syscall()
 /* Can be called from both enter and exit event, id is at the same
 * offset in both struct sys_enter_args and struct sys_exit_args
 */
-static __always_inline long bpf_syscall_get_nr(void *ctx)
-{
+static __always_inline long bpf_syscall_get_nr(void *ctx) {
 	struct sys_enter_args *args = (struct sys_enter_args *)ctx;
 	long id = 0;

@ -173,14 +168,14 @@ static __always_inline long bpf_syscall_get_nr(void *ctx)

 	/* See here for the definition:
 	 * https://github.com/torvalds/linux/blob/69cb6c6556ad89620547318439d6be8bb1629a5a/arch/x86/include/asm/syscall.h#L40
-	 */	
+	 */
 	id = _READ(regs->orig_ax);

 #elif CONFIG_ARM64

 	/* See here for the definition:
 	 * https://github.com/torvalds/linux/blob/69cb6c6556ad89620547318439d6be8bb1629a5a/arch/arm64/include/asm/syscall.h#L23
-	 */	
+	 */
 	id = _READ(regs->syscallno);

 #elif CONFIG_S390
@ -211,12 +206,10 @@ static __always_inline long bpf_syscall_get_nr(void *ctx)

 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
 static __always_inline unsigned long bpf_syscall_get_argument_from_args(unsigned long *args,
-									int idx)
-{
+                                                                        int idx) {
 	unsigned long arg = 0;

-	if(idx <= 5)
-	{
+	if(idx <= 5) {
 		arg = args[idx];
 	}

@ -224,9 +217,7 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_args(unsigned
 }
 #endif

-static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx,
-								       int idx)
-{
+static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx, int idx) {
 	unsigned long arg = 0;

 #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
@ -235,9 +226,8 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
 	struct pt_regs *regs = (struct pt_regs *)args->regs;

 #ifdef CONFIG_X86_64
-	if (bpf_in_ia32_syscall())
-	{
-		switch (idx) {
+	if(bpf_in_ia32_syscall()) {
+		switch(idx) {
 		case 0:
 			arg = _READ(regs->bx);
 			break;
@ -265,7 +255,7 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
 	/* See here for the definition:
 	 * https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L75-L87
 	 */
-	switch (idx) {
+	switch(idx) {
 	case 0:
 		arg = _READ(regs->di);
 		break;
@ -291,10 +281,10 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
 #elif CONFIG_ARM64

 	/* See here for the definition:
-	 * https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L166-L178 
+	 * https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L166-L178
 	 */
 	struct user_pt_regs *user_regs = (struct user_pt_regs *)args->regs;
-	switch (idx) {
+	switch(idx) {
 	case 0:
 		arg = _READ(regs->orig_x0);
 		break;
@ -310,12 +300,12 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
 	}

 #elif CONFIG_S390
-	
+
 	/* See here for the definition:
 	 * https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L132-L144
 	 */
 	user_pt_regs *user_regs = (user_pt_regs *)args->regs;
-	switch (idx) {
+	switch(idx) {
 	case 0:
 		arg = _READ(regs->orig_gpr2);
 		break;
@ -324,7 +314,7 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
 	case 3:
 	case 4:
 	case 5:
-		arg = _READ(user_regs->gprs[idx+2]);
+		arg = _READ(user_regs->gprs[idx + 2]);
 		break;
 	default:
 		arg = 0;
@ -335,7 +325,7 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
 	/* See here for the definition:
 	 * https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L290-L306
 	 */
-	switch (idx) {
+	switch(idx) {
 	case 0:
 		arg = _READ(regs->orig_gpr3);
 		break;
@ -344,7 +334,7 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
 	case 3:
 	case 4:
 	case 5:
-		arg = _READ(regs->gpr[idx+3]);
+		arg = _READ(regs->gpr[idx + 3]);
 		break;
 	default:
 		arg = 0;
@ -355,41 +345,40 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
 #else

 	unsigned long *args = unstash_args();
-	if (args)
+	if(args)
 		arg = bpf_syscall_get_argument_from_args(args, idx);
 	else
 		arg = 0;
-		
+
 #endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */

 	return arg;
 }

-static __always_inline unsigned long bpf_syscall_get_socketcall_arg(void *ctx, int idx)
-{
+static __always_inline unsigned long bpf_syscall_get_socketcall_arg(void *ctx, int idx) {
 	unsigned long arg = 0;
 	unsigned long args_pointer = 0;

 	args_pointer = bpf_syscall_get_argument_from_ctx(ctx, 1);
-	if (bpf_in_ia32_syscall())
-	{
-		bpf_probe_read_user(&arg, sizeof(uint32_t), (void*)(args_pointer + (idx * sizeof(uint32_t))));
-	}
-	else
-	{
-		bpf_probe_read_user(&arg, sizeof(unsigned long), (void*)(args_pointer + (idx * sizeof(unsigned long))));
+	if(bpf_in_ia32_syscall()) {
+		bpf_probe_read_user(&arg,
+		                    sizeof(uint32_t),
+		                    (void *)(args_pointer + (idx * sizeof(uint32_t))));
+	} else {
+		bpf_probe_read_user(&arg,
+		                    sizeof(unsigned long),
+		                    (void *)(args_pointer + (idx * sizeof(unsigned long))));
 	}
 	return arg;
 }

-static __always_inline unsigned long bpf_syscall_get_argument(struct filler_data *data,
-							      int idx)
-{
+static __always_inline unsigned long bpf_syscall_get_argument(struct filler_data *data, int idx) {
 #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
-	// We define it here because we support socket calls only on kernels with BPF_SUPPORTS_RAW_TRACEPOINTS
-	// `data->state->tail_ctx.socketcall_syscall_id != -1` just to improve perf
-	if(data->state->tail_ctx.socketcall_syscall_id != -1 && bpf_syscall_get_nr(data->ctx) == data->state->tail_ctx.socketcall_syscall_id)
-	{
+	// We define it here because we support socket calls only on kernels with
+	// BPF_SUPPORTS_RAW_TRACEPOINTS `data->state->tail_ctx.socketcall_syscall_id != -1` just to
+	// improve perf
+	if(data->state->tail_ctx.socketcall_syscall_id != -1 &&
+	   bpf_syscall_get_nr(data->ctx) == data->state->tail_ctx.socketcall_syscall_id) {
 		return bpf_syscall_get_socketcall_arg(data->ctx, idx);
 	}
 	return bpf_syscall_get_argument_from_ctx(data->ctx, idx);
@ -398,45 +387,39 @@ static __always_inline unsigned long bpf_syscall_get_argument(struct filler_data
 #endif
 }

-static __always_inline char *get_frame_scratch_area(unsigned int cpu)
-{
+static __always_inline char *get_frame_scratch_area(unsigned int cpu) {
 	char *scratchp;

 	scratchp = bpf_map_lookup_elem(&frame_scratch_map, &cpu);
-	if (!scratchp)
+	if(!scratchp)
 		bpf_printk("frame scratch NULL\n");

 	return scratchp;
 }

-static __always_inline char *get_tmp_scratch_area(unsigned int cpu)
-{
+static __always_inline char *get_tmp_scratch_area(unsigned int cpu) {
 	char *scratchp;

 	scratchp = bpf_map_lookup_elem(&tmp_scratch_map, &cpu);
-	if (!scratchp)
+	if(!scratchp)
 		bpf_printk("tmp scratch NULL\n");

 	return scratchp;
 }

-static __always_inline const struct syscall_evt_pair *get_syscall_info(int id)
-{
-	const struct syscall_evt_pair *p =
-			bpf_map_lookup_elem(&syscall_table, &id);
+static __always_inline const struct syscall_evt_pair *get_syscall_info(int id) {
+	const struct syscall_evt_pair *p = bpf_map_lookup_elem(&syscall_table, &id);

-	if (!p)
+	if(!p)
 		bpf_printk("no syscall_info for %d\n", id);

 	return p;
 }

-static __always_inline bool is_syscall_interesting(int id)
-{
+static __always_inline bool is_syscall_interesting(int id) {
 	bool *enabled = bpf_map_lookup_elem(&interesting_syscalls_table, &id);

-	if (!enabled)
-	{
+	if(!enabled) {
 		bpf_printk("no syscall_info for %d\n", id);
 		return false;
 	}
@ -444,12 +427,10 @@ static __always_inline bool is_syscall_interesting(int id)
 	return *enabled;
 }

-static __always_inline int convert_ia32_to_64(int id)
-{
+static __always_inline int convert_ia32_to_64(int id) {
 	int *x64_id = bpf_map_lookup_elem(&ia32_64_map, &id);

-	if (!x64_id)
-	{
+	if(!x64_id) {
 		bpf_printk("no 64bit mapped value for %d\n", id);
 		return -1;
 	}
@ -457,54 +438,49 @@ static __always_inline int convert_ia32_to_64(int id)
 	return *x64_id;
 }

-static __always_inline const struct ppm_event_info *get_event_info(ppm_event_code event_type)
-{
-	const struct ppm_event_info *e =
-		bpf_map_lookup_elem(&event_info_table, &event_type);
+static __always_inline const struct ppm_event_info *get_event_info(ppm_event_code event_type) {
+	const struct ppm_event_info *e = bpf_map_lookup_elem(&event_info_table, &event_type);

-	if (!e)
+	if(!e)
 		bpf_printk("no event info for %d\n", event_type);

 	return e;
 }

-static __always_inline const struct ppm_event_entry *get_event_filler_info(ppm_event_code event_type)
-{
+static __always_inline const struct ppm_event_entry *get_event_filler_info(
+        ppm_event_code event_type) {
 	const struct ppm_event_entry *e;

 	e = bpf_map_lookup_elem(&fillers_table, &event_type);
-	if (!e)
+	if(!e)
 		bpf_printk("no filler info for %d\n", event_type);

 	return e;
 }

-static __always_inline struct scap_bpf_settings *get_bpf_settings(void)
-{
+static __always_inline struct scap_bpf_settings *get_bpf_settings(void) {
 	struct scap_bpf_settings *settings;
 	int id = 0;

 	settings = bpf_map_lookup_elem(&settings_map, &id);
-	if (!settings)
+	if(!settings)
 		bpf_printk("settings NULL\n");

 	return settings;
 }

-static __always_inline struct scap_bpf_per_cpu_state *get_local_state(unsigned int cpu)
-{
+static __always_inline struct scap_bpf_per_cpu_state *get_local_state(unsigned int cpu) {
 	struct scap_bpf_per_cpu_state *state;

 	state = bpf_map_lookup_elem(&local_state_map, &cpu);
-	if (!state)
+	if(!state)
 		bpf_printk("state NULL\n");

 	return state;
 }

-static __always_inline bool acquire_local_state(struct scap_bpf_per_cpu_state *state)
-{
-	if (state->in_use) {
+static __always_inline bool acquire_local_state(struct scap_bpf_per_cpu_state *state) {
+	if(state->in_use) {
 		bpf_printk("acquire_local_state: already in use\n");
 		return false;
 	}
@ -513,9 +489,8 @@ static __always_inline bool acquire_local_state(struct scap_bpf_per_cpu_state *s
 	return true;
 }

-static __always_inline bool release_local_state(struct scap_bpf_per_cpu_state *state)
-{
-	if (!state->in_use) {
+static __always_inline bool release_local_state(struct scap_bpf_per_cpu_state *state) {
+	if(!state->in_use) {
 		bpf_printk("release_local_state: already not in use\n");
 		return false;
 	}
@ -524,44 +499,41 @@ static __always_inline bool release_local_state(struct scap_bpf_per_cpu_state *s
 	return true;
 }

-static __always_inline int init_filler_data(void *ctx,
-					    struct filler_data *data,
-					    bool is_syscall)
-{
+static __always_inline int init_filler_data(void *ctx, struct filler_data *data, bool is_syscall) {
 	unsigned int cpu;

 	data->ctx = ctx;

 	data->settings = get_bpf_settings();
-	if (!data->settings)
+	if(!data->settings)
 		return PPM_FAILURE_BUG;

 	cpu = bpf_get_smp_processor_id();

 	data->buf = get_frame_scratch_area(cpu);
-	if (!data->buf)
+	if(!data->buf)
 		return PPM_FAILURE_BUG;

 	data->state = get_local_state(cpu);
-	if (!data->state)
+	if(!data->state)
 		return PPM_FAILURE_BUG;

 	data->tmp_scratch = get_tmp_scratch_area(cpu);
-	if (!data->tmp_scratch)
+	if(!data->tmp_scratch)
 		return PPM_FAILURE_BUG;

 	data->evt = get_event_info(data->state->tail_ctx.evt_type);
-	if (!data->evt)
+	if(!data->evt)
 		return PPM_FAILURE_BUG;

 	data->filler_info = get_event_filler_info(data->state->tail_ctx.evt_type);
-	if (!data->filler_info)
+	if(!data->filler_info)
 		return PPM_FAILURE_BUG;

 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
-	if (is_syscall) {
+	if(is_syscall) {
 		data->args = unstash_args();
-		if (!data->args)
+		if(!data->args)
 			return PPM_SKIP_EVENT;
 	}
 #endif
@ -572,17 +544,14 @@ static __always_inline int init_filler_data(void *ctx,
 	return PPM_SUCCESS;
 }

-static __always_inline int bpf_test_bit(int nr, unsigned long *addr)
-{
+static __always_inline int bpf_test_bit(int nr, unsigned long *addr) {
 	return 1UL & (_READ(addr[BIT_WORD(nr)]) >> (nr & (BITS_PER_LONG - 1)));
 }

 #if defined(CAPTURE_SCHED_PROC_FORK) || defined(CAPTURE_SCHED_PROC_EXEC)
-static __always_inline bool bpf_drop_syscall_exit_events(void *ctx, ppm_event_code evt_type)
-{
+static __always_inline bool bpf_drop_syscall_exit_events(void *ctx, ppm_event_code evt_type) {
 	long ret = 0;
-	switch (evt_type)
-	{
+	switch(evt_type) {
 		/* On s390x, clone and fork child events will be generated but
 		 * due to page faults, no args/envp information will be collected.
 		 * Also no child events appear for clone3 syscall.
@ -591,48 +560,47 @@ static __always_inline bool bpf_drop_syscall_exit_events(void *ctx, ppm_event_co
 		 * let proactively ignore them.
 		 */
 #ifdef CAPTURE_SCHED_PROC_FORK
-		case PPME_SYSCALL_CLONE_20_X:
-		case PPME_SYSCALL_FORK_20_X:
-		case PPME_SYSCALL_VFORK_20_X:
-		case PPME_SYSCALL_CLONE3_X:
-			ret = bpf_syscall_get_retval(ctx);
-			/* We ignore only child events, so ret == 0! */
-			return ret == 0;
+	case PPME_SYSCALL_CLONE_20_X:
+	case PPME_SYSCALL_FORK_20_X:
+	case PPME_SYSCALL_VFORK_20_X:
+	case PPME_SYSCALL_CLONE3_X:
+		ret = bpf_syscall_get_retval(ctx);
+		/* We ignore only child events, so ret == 0! */
+		return ret == 0;
 #endif

 		/* If `CAPTURE_SCHED_PROC_EXEC` logic is enabled we collect execve-family
 		 * exit events through a dedicated tracepoint so we can ignore them here.
 		 */
 #ifdef CAPTURE_SCHED_PROC_EXEC
-		case PPME_SYSCALL_EXECVE_19_X:
-		case PPME_SYSCALL_EXECVEAT_X:
-			ret = bpf_syscall_get_retval(ctx);
-			/* We ignore only successful events, so ret == 0! */
-			return ret == 0;
+	case PPME_SYSCALL_EXECVE_19_X:
+	case PPME_SYSCALL_EXECVEAT_X:
+		ret = bpf_syscall_get_retval(ctx);
+		/* We ignore only successful events, so ret == 0! */
+		return ret == 0;
 #endif

-		default:
-			break;
+	default:
+		break;
 	}
 	return false;
 }
 #endif

 static __always_inline bool drop_event(void *ctx,
-				       struct scap_bpf_per_cpu_state *state,
-				       ppm_event_code evt_type,
-				       struct scap_bpf_settings *settings,
-				       enum syscall_flags drop_flags)
-{
-	if (!settings->dropping_mode)
+                                       struct scap_bpf_per_cpu_state *state,
+                                       ppm_event_code evt_type,
+                                       struct scap_bpf_settings *settings,
+                                       enum syscall_flags drop_flags) {
+	if(!settings->dropping_mode)
 		return false;

-	switch (evt_type) {
+	switch(evt_type) {
 	case PPME_SYSCALL_CLOSE_X:
 	case PPME_SOCKET_BIND_X: {
 		long ret = bpf_syscall_get_retval(ctx);

-		if (ret < 0)
+		if(ret < 0)
 			return true;

 		break;
@ -647,30 +615,30 @@ static __always_inline bool drop_event(void *ctx,
 		int max_fds;

 		close_fd = bpf_syscall_get_argument_from_ctx(ctx, 0);
-		if (close_fd < 0)
+		if(close_fd < 0)
 			return true;

 		task = (struct task_struct *)bpf_get_current_task();
-		if (!task)
+		if(!task)
 			break;

 		files = _READ(task->files);
-		if (!files)
+		if(!files)
 			break;

 		fdt = _READ(files->fdt);
-		if (!fdt)
+		if(!fdt)
 			break;

 		max_fds = _READ(fdt->max_fds);
-		if (close_fd >= max_fds)
+		if(close_fd >= max_fds)
 			return true;

 		open_fds = _READ(fdt->open_fds);
-		if (!open_fds)
+		if(!open_fds)
 			break;

-		if (!bpf_test_bit(close_fd, open_fds))
+		if(!bpf_test_bit(close_fd, open_fds))
 			return true;

 		break;
@ -679,7 +647,7 @@ static __always_inline bool drop_event(void *ctx,
 	case PPME_SYSCALL_FCNTL_X: {
 		long cmd = bpf_syscall_get_argument_from_ctx(ctx, 1);

-		if (cmd != F_DUPFD && cmd != F_DUPFD_CLOEXEC)
+		if(cmd != F_DUPFD && cmd != F_DUPFD_CLOEXEC)
 			return true;

 		break;
@ -688,15 +656,14 @@ static __always_inline bool drop_event(void *ctx,
 		break;
 	}

-	if (drop_flags & UF_NEVER_DROP)
+	if(drop_flags & UF_NEVER_DROP)
 		return false;

-	if (drop_flags & UF_ALWAYS_DROP)
+	if(drop_flags & UF_ALWAYS_DROP)
 		return true;

-	if (state->tail_ctx.ts % 1000000000 >= 1000000000 /
-	    settings->sampling_ratio) {
-		if (!settings->is_dropping) {
+	if(state->tail_ctx.ts % 1000000000 >= 1000000000 / settings->sampling_ratio) {
+		if(!settings->is_dropping) {
 			settings->is_dropping = true;
 			state->tail_ctx.evt_type = PPME_DROP_E;
 			return false;
@ -705,7 +672,7 @@ static __always_inline bool drop_event(void *ctx,
 		return true;
 	}

-	if (settings->is_dropping) {
+	if(settings->is_dropping) {
 		settings->is_dropping = false;
 		state->tail_ctx.evt_type = PPME_DROP_X;
 		return false;
@ -715,9 +682,8 @@ static __always_inline bool drop_event(void *ctx,
 }

 static __always_inline void reset_tail_ctx(struct scap_bpf_per_cpu_state *state,
-					   ppm_event_code evt_type,
-					   unsigned long long ts)
-{
+                                           ppm_event_code evt_type,
+                                           unsigned long long ts) {
 	state->tail_ctx.evt_type = evt_type;
 	state->tail_ctx.ts = ts;
 	state->tail_ctx.curarg = 0;
@ -727,11 +693,10 @@ static __always_inline void reset_tail_ctx(struct scap_bpf_per_cpu_state *state,
 }

 static __always_inline void call_filler(void *ctx,
-					void *stack_ctx,
-					ppm_event_code evt_type,
-					enum syscall_flags drop_flags,
-					int socketcall_syscall_id)
-{
+                                        void *stack_ctx,
+                                        ppm_event_code evt_type,
+                                        enum syscall_flags drop_flags,
+                                        int socketcall_syscall_id) {
 	struct scap_bpf_settings *settings;
 	const struct ppm_event_entry *filler_info;
 	struct scap_bpf_per_cpu_state *state;
@ -742,17 +707,17 @@ static __always_inline void call_filler(void *ctx,
 	cpu = bpf_get_smp_processor_id();

 	state = get_local_state(cpu);
-	if (!state)
+	if(!state)
 		return;

 	settings = get_bpf_settings();
-	if (!settings)
+	if(!settings)
 		return;

-	if (!acquire_local_state(state))
+	if(!acquire_local_state(state))
 		return;

-	if (cpu == 0 && state->hotplug_cpu != 0) {
+	if(cpu == 0 && state->hotplug_cpu != 0) {
 		evt_type = PPME_CPU_HOTPLUG_E;
 		drop_flags = UF_NEVER_DROP;
 	}
@ -761,7 +726,7 @@ static __always_inline void call_filler(void *ctx,
 	reset_tail_ctx(state, evt_type, ts);

 	/* drop_event can change state->tail_ctx.evt_type */
-	if (drop_event(stack_ctx, state, evt_type, settings, drop_flags))
+	if(drop_event(stack_ctx, state, evt_type, settings, drop_flags))
 		goto cleanup;

 	++state->n_evts;
@ -769,21 +734,20 @@ static __always_inline void call_filler(void *ctx,
 	state->tail_ctx.socketcall_syscall_id = socketcall_syscall_id;

 	filler_info = get_event_filler_info(state->tail_ctx.evt_type);
-	if (!filler_info)
+	if(!filler_info)
 		goto cleanup;

 	bpf_tail_call(ctx, &tail_map, filler_info->filler_id);
 	bpf_printk("Can't tail call filler evt=%d, filler=%d\n",
-		   state->tail_ctx.evt_type,
-		   filler_info->filler_id);
+	           state->tail_ctx.evt_type,
+	           filler_info->filler_id);

 cleanup:
 	release_local_state(state);
 }

 #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
-static __always_inline long convert_network_syscalls(void *ctx, bool *is_syscall)
-{
+static __always_inline long convert_network_syscalls(void *ctx, bool *is_syscall) {
 	int socketcall_id = (int)bpf_syscall_get_argument_from_ctx(ctx, 0);
 	return socketcall_code_to_syscall_code(socketcall_id, is_syscall);
 }
--- a/driver/bpf/probe.c
+++ b/driver/bpf/probe.c
@ -14,7 +14,6 @@ or GPL2.txt for full copies of the license.
 #if __has_include(<asm/rwonce.h>)
 #include <asm/rwonce.h>
 #endif
-#include <linux/sched.h>

 #include "driver_config.h"
 #include "ppm_events_public.h"
@ -29,8 +28,7 @@ or GPL2.txt for full copies of the license.

 #define __NR_ia32_socketcall 102

-BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args)
-{
+BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) {
 	const struct syscall_evt_pair *sc_evt = NULL;
 	ppm_event_code evt_type = -1;
 	int drop_flags = 0;
@ -39,59 +37,47 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args)
 	int socketcall_syscall_id = -1;

 	id = bpf_syscall_get_nr(ctx);
-	if (id < 0 || id >= SYSCALL_TABLE_SIZE)
+	if(id < 0 || id >= SYSCALL_TABLE_SIZE)
 		return 0;

-	if (bpf_in_ia32_syscall())
-	{
-	// Right now we support 32-bit emulation only on x86.
-	// We try to convert the 32-bit id into the 64-bit one.
+	if(bpf_in_ia32_syscall()) {
+		// Right now we support 32-bit emulation only on x86.
+		// We try to convert the 32-bit id into the 64-bit one.
 #if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION)
-		if (id == __NR_ia32_socketcall)
-		{
+		if(id == __NR_ia32_socketcall) {
 			socketcall_syscall_id = __NR_ia32_socketcall;
-		}
-		else
-		{
+		} else {
 			id = convert_ia32_to_64(id);
 			// syscalls defined only on 32 bits are dropped here.
-			if(id == -1)
-			{
+			if(id == -1) {
 				return 0;
 			}
 		}
 #else
 		// Unsupported arch
 		return 0;
-#endif		
-	}
-	else
-	{
-	// Right now only s390x supports it
+#endif
+	} else {
+		// Right now only s390x supports it
 #ifdef __NR_socketcall
 		socketcall_syscall_id = __NR_socketcall;
 #endif
 	}
-	
+
 	// Now all syscalls on 32-bit should be converted to 64-bit apart from `socketcall`.
 	// This one deserves a special treatment
-	if(id == socketcall_syscall_id)
-	{
+	if(id == socketcall_syscall_id) {
 #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
 		bool is_syscall_return = false;
 		int return_code = convert_network_syscalls(ctx, &is_syscall_return);
-		if (return_code == -1)
-		{
+		if(return_code == -1) {
 			// Wrong SYS_ argument passed. Drop the syscall.
 			return 0;
 		}
-		if(!is_syscall_return)
-		{
+		if(!is_syscall_return) {
 			evt_type = return_code;
 			drop_flags = UF_USED;
-		}
-		else
-		{
+		} else {
 			id = return_code;
 		}
 #else
@ -105,11 +91,9 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args)
 	// There could be cases in which we have a `PPME_SOCKET_SEND_E` event
 	// and`id=__NR_ia32_socketcall`...We resolved the correct event type but we cannot
 	// update the `id`.
-	if (evt_type == -1)
-	{
+	if(evt_type == -1) {
 		enabled = is_syscall_interesting(id);
-		if(!enabled)
-		{
+		if(!enabled) {
 			return 0;
 		}

@ -117,19 +101,15 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args)
 		if(!sc_evt)
 			return 0;

-		if(sc_evt->flags & UF_USED)
-		{
+		if(sc_evt->flags & UF_USED) {
 			evt_type = sc_evt->enter_event_type;
 			drop_flags = sc_evt->flags;
-		}
-		else
-		{
+		} else {
 			evt_type = PPME_GENERIC_E;
 			drop_flags = UF_ALWAYS_DROP;
 		}
 	}

-
 #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
 	call_filler(ctx, ctx, evt_type, drop_flags, socketcall_syscall_id);
 #else
@ -137,7 +117,7 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args)
 	struct sys_enter_args stack_ctx;

 	memcpy(stack_ctx.args, ctx->args, sizeof(ctx->args));
-	if (stash_args(stack_ctx.args))
+	if(stash_args(stack_ctx.args))
 		return 0;

 	call_filler(ctx, &stack_ctx, evt_type, drop_flags, socketcall_syscall_id);
@ -145,30 +125,25 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args)
 	return 0;
 }

-BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args)
-{
+BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args) {
 	const struct syscall_evt_pair *sc_evt = NULL;
 	ppm_event_code evt_type = -1;
 	int drop_flags = 0;
 	long id = 0;
 	bool enabled = false;
-	struct scap_bpf_settings *settings = 0; 
+	struct scap_bpf_settings *settings = 0;
 	long retval = 0;
 	int socketcall_syscall_id = -1;

 	id = bpf_syscall_get_nr(ctx);
-	if (id < 0 || id >= SYSCALL_TABLE_SIZE)
+	if(id < 0 || id >= SYSCALL_TABLE_SIZE)
 		return 0;

-	if (bpf_in_ia32_syscall())
-	{
+	if(bpf_in_ia32_syscall()) {
 #if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION)
-		if (id == __NR_ia32_socketcall)
-		{
+		if(id == __NR_ia32_socketcall) {
 			socketcall_syscall_id = __NR_ia32_socketcall;
-		}
-		else
-		{
+		} else {
 			/*
 			 * When a process does execve from 64bit to 32bit, TS_COMPAT is marked true
 			 * but the id of the syscall is __NR_execve, so to correctly parse it we need to
@ -182,8 +157,7 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args)
 #endif
 			{
 				id = convert_ia32_to_64(id);
-				if(id == -1)
-				{
+				if(id == -1) {
 					return 0;
 				}
 			}
@ -192,31 +166,24 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args)
 		// Unsupported arch
 		return 0;
 #endif
-	}
-	else
-	{
+	} else {
 #ifdef __NR_socketcall
 		socketcall_syscall_id = __NR_socketcall;
 #endif
 	}

-	if(id == socketcall_syscall_id)
-	{
+	if(id == socketcall_syscall_id) {
 #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
 		bool is_syscall_return = false;
 		int return_code = convert_network_syscalls(ctx, &is_syscall_return);
-		if (return_code == -1)
-		{
+		if(return_code == -1) {
 			// Wrong SYS_ argument passed. Drop the syscall.
 			return 0;
 		}
-		if(!is_syscall_return)
-		{
-			evt_type = return_code + 1; // we are in sys_exit!
+		if(!is_syscall_return) {
+			evt_type = return_code + 1;  // we are in sys_exit!
 			drop_flags = UF_USED;
-		}
-		else
-		{
+		} else {
 			id = return_code;
 		}
 #else
@ -225,39 +192,32 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args)
 #endif
 	}

-	if(evt_type == -1)
-	{
+	if(evt_type == -1) {
 		enabled = is_syscall_interesting(id);
-		if(!enabled)
-		{
+		if(!enabled) {
 			return 0;
 		}
 		sc_evt = get_syscall_info(id);
 		if(!sc_evt)
 			return 0;

-		if(sc_evt->flags & UF_USED)
-		{
+		if(sc_evt->flags & UF_USED) {
 			evt_type = sc_evt->exit_event_type;
 			drop_flags = sc_evt->flags;
-		}
-		else
-		{
+		} else {
 			evt_type = PPME_GENERIC_X;
 			drop_flags = UF_ALWAYS_DROP;
 		}
 	}

 	settings = get_bpf_settings();
-	if (!settings)
+	if(!settings)
 		return 0;

 	// Drop failed syscalls if necessary
-	if (settings->drop_failed)
-	{
+	if(settings->drop_failed) {
 		retval = bpf_syscall_get_retval(ctx);
-		if (retval < 0)
-		{
+		if(retval < 0) {
 			return 0;
 		}
 	}
@ -271,8 +231,7 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args)
 	return 0;
 }

-BPF_PROBE("sched/", sched_process_exit, sched_process_exit_args)
-{
+BPF_PROBE("sched/", sched_process_exit, sched_process_exit_args) {
 	ppm_event_code evt_type;
 	struct task_struct *task;
 	unsigned int flags;
@ -280,7 +239,7 @@ BPF_PROBE("sched/", sched_process_exit, sched_process_exit_args)
 	task = (struct task_struct *)bpf_get_current_task();

 	flags = _READ(task->flags);
-	if (flags & PF_KTHREAD)
+	if(flags & PF_KTHREAD)
 		return 0;

 	evt_type = PPME_PROCEXIT_1_E;
@ -289,19 +248,17 @@ BPF_PROBE("sched/", sched_process_exit, sched_process_exit_args)
 	return 0;
 }

-BPF_PROBE("sched/", sched_switch, sched_switch_args)
-{
+BPF_PROBE("sched/", sched_switch, sched_switch_args) {
 	ppm_event_code evt_type;

 	evt_type = PPME_SCHEDSWITCH_6_E;

-	call_filler(ctx, ctx, evt_type, 0, -1);
+	call_filler(ctx, ctx, evt_type, UF_ALWAYS_DROP, -1);
 	return 0;
 }

 #ifdef CAPTURE_PAGE_FAULTS
-static __always_inline int bpf_page_fault(struct page_fault_args *ctx)
-{
+static __always_inline int bpf_page_fault(struct page_fault_args *ctx) {
 	ppm_event_code evt_type;

 	evt_type = PPME_PAGE_FAULT_E;
@ -310,19 +267,16 @@ static __always_inline int bpf_page_fault(struct page_fault_args *ctx)
 	return 0;
 }

-BPF_PROBE("exceptions/", page_fault_user, page_fault_args)
-{
+BPF_PROBE("exceptions/", page_fault_user, page_fault_args) {
 	return bpf_page_fault(ctx);
 }

-BPF_PROBE("exceptions/", page_fault_kernel, page_fault_args)
-{
+BPF_PROBE("exceptions/", page_fault_kernel, page_fault_args) {
 	return bpf_page_fault(ctx);
 }
 #endif

-BPF_PROBE("signal/", signal_deliver, signal_deliver_args)
-{
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
 	ppm_event_code evt_type;

 	evt_type = PPME_SIGNALDELIVER_E;
@ -332,15 +286,14 @@ BPF_PROBE("signal/", signal_deliver, signal_deliver_args)
 }

 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
-__bpf_section(TP_NAME "sched/sched_process_fork&1")
-int bpf_sched_process_fork(struct sched_process_fork_args *ctx)
-{
+__bpf_section(TP_NAME "sched/sched_process_fork&1") int bpf_sched_process_fork(
+        struct sched_process_fork_args *ctx) {
 	ppm_event_code evt_type;
 	struct sys_stash_args args;
 	unsigned long *argsp;

 	argsp = __unstash_args(ctx->parent_pid);
-	if (!argsp)
+	if(!argsp)
 		return 0;

 	memcpy(&args, argsp, sizeof(args));
@ -352,8 +305,7 @@ int bpf_sched_process_fork(struct sched_process_fork_args *ctx)
 #endif

 #ifdef CAPTURE_SCHED_PROC_EXEC
-BPF_PROBE("sched/", sched_process_exec, sched_process_exec_args)
-{
+BPF_PROBE("sched/", sched_process_exec, sched_process_exec_args) {
 	struct scap_bpf_settings *settings;
 	/* We will always send an execve exit event. */
 	ppm_event_code event_type = PPME_SYSCALL_EXECVE_19_X;
@ -361,42 +313,37 @@ BPF_PROBE("sched/", sched_process_exec, sched_process_exec_args)
 	/* We are not interested in kernel threads. */
 	struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 	unsigned int flags = _READ(task->flags);
-	if(flags & PF_KTHREAD)
-	{
+	if(flags & PF_KTHREAD) {
 		return 0;
 	}

 	/* Reset the tail context in the CPU state map. */
 	uint32_t cpu = bpf_get_smp_processor_id();
-	struct scap_bpf_per_cpu_state * state = get_local_state(cpu);
-	if(!state)
-	{
+	struct scap_bpf_per_cpu_state *state = get_local_state(cpu);
+	if(!state) {
 		return 0;
 	}

 	settings = get_bpf_settings();
-	if(!settings)
-	{
+	if(!settings) {
 		return 0;
 	}
 	uint64_t ts = settings->boot_time + bpf_ktime_get_boot_ns();
 	reset_tail_ctx(state, event_type, ts);
 	++state->n_evts;

-
 	int filler_code = PPM_FILLER_sched_prog_exec;
 	bpf_tail_call(ctx, &tail_map, filler_code);
 	bpf_printk("Can't tail call filler 'sched_proc_exec' evt=%d, filler=%d\n",
-		   event_type,
-		   filler_code);	
+	           event_type,
+	           filler_code);
 	return 0;
 }
 #endif /* CAPTURE_SCHED_PROC_EXEC */

 #ifdef CAPTURE_SCHED_PROC_FORK
-__bpf_section("raw_tracepoint/sched_process_fork&2")
-int bpf_sched_process_fork(struct sched_process_fork_raw_args *ctx)
-{
+__bpf_section("raw_tracepoint/sched_process_fork&2") int bpf_sched_process_fork(
+        struct sched_process_fork_raw_args *ctx) {
 	struct scap_bpf_settings *settings;
 	/* We will always send a clone exit event. */
 	ppm_event_code event_type = PPME_SYSCALL_CLONE_20_X;
@ -404,22 +351,19 @@ int bpf_sched_process_fork(struct sched_process_fork_raw_args *ctx)
 	/* We are not interested in kernel threads. */
 	struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 	unsigned int flags = _READ(task->flags);
-	if(flags & PF_KTHREAD)
-	{
+	if(flags & PF_KTHREAD) {
 		return 0;
 	}

 	/* Reset the tail context in the CPU state map. */
 	uint32_t cpu = bpf_get_smp_processor_id();
-	struct scap_bpf_per_cpu_state * state = get_local_state(cpu);
-	if(!state)
-	{
+	struct scap_bpf_per_cpu_state *state = get_local_state(cpu);
+	if(!state) {
 		return 0;
 	}

 	settings = get_bpf_settings();
-	if(!settings)
-	{
+	if(!settings) {
 		return 0;
 	}
 	uint64_t ts = settings->boot_time + bpf_ktime_get_boot_ns();
@ -429,8 +373,8 @@ int bpf_sched_process_fork(struct sched_process_fork_raw_args *ctx)
 	int filler_code = PPM_FILLER_sched_prog_fork;
 	bpf_tail_call(ctx, &tail_map, filler_code);
 	bpf_printk("Can't tail call filler 'sched_proc_fork' evt=%d, filler=%d\n",
-		   event_type,
-		   filler_code);	
+	           event_type,
+	           filler_code);
 	return 0;
 }
 #endif /* CAPTURE_SCHED_PROC_FORK */
--- a/driver/bpf/quirks.h
+++ b/driver/bpf/quirks.h
@ -17,20 +17,24 @@ or GPL2.txt for full copies of the license.
 #endif

 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 4)
-#define randomized_struct_fields_start  struct {
-#define randomized_struct_fields_end    };
+#define randomized_struct_fields_start struct {
+#define randomized_struct_fields_end \
+	}                                \
+	;
 #endif

 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0)
 #define BPF_FORBIDS_ZERO_ACCESS
 #endif

-#if (defined(CONFIG_X86_64) || defined(CONFIG_ARM64) || defined(CONFIG_S390) || defined(CONFIG_PPC64)) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
-    #define BPF_SUPPORTS_RAW_TRACEPOINTS
+#if(defined(CONFIG_X86_64) || defined(CONFIG_ARM64) || defined(CONFIG_S390) || \
+    defined(CONFIG_PPC64)) &&                                                  \
+        LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
+#define BPF_SUPPORTS_RAW_TRACEPOINTS
 #endif

 #if CAPTURE_SCHED_PROC_FORK && !defined(BPF_SUPPORTS_RAW_TRACEPOINTS)
-    #error The CAPTURE_SCHED_PROC_FORK support requires 'raw_tracepoints' so kernel versions greater or equal than '4.17'.
+#error The CAPTURE_SCHED_PROC_FORK support requires 'raw_tracepoints' so kernel versions greater or equal than '4.17'.
 #endif

 /* Redefine asm_volatile_goto to work around clang not supporting it
--- a/driver/bpf/ring_helpers.h
+++ b/driver/bpf/ring_helpers.h
@ -10,8 +10,7 @@ or GPL2.txt for full copies of the license.
 #ifndef __RING_HELPERS_H
 #define __RING_HELPERS_H

-static __always_inline void write_evt_hdr(struct filler_data *data)
-{
+static __always_inline void write_evt_hdr(struct filler_data *data) {
 	struct ppm_evt_hdr *evt_hdr = (struct ppm_evt_hdr *)data->buf;

 	evt_hdr->ts = data->state->tail_ctx.ts;
@ -19,43 +18,35 @@ static __always_inline void write_evt_hdr(struct filler_data *data)
 	evt_hdr->type = data->state->tail_ctx.evt_type;
 	evt_hdr->nparams = data->evt->nparams;

-	data->state->tail_ctx.curoff = sizeof(struct ppm_evt_hdr) +
-				       sizeof(uint16_t) * data->evt->nparams;
+	data->state->tail_ctx.curoff =
+	        sizeof(struct ppm_evt_hdr) + sizeof(uint16_t) * data->evt->nparams;
 	data->state->tail_ctx.len = data->state->tail_ctx.curoff;
 }

-static __always_inline void fixup_evt_len(char *p, unsigned long len)
-{
+static __always_inline void fixup_evt_len(char *p, unsigned long len) {
 	struct ppm_evt_hdr *evt_hdr = (struct ppm_evt_hdr *)p;

 	evt_hdr->len = len;
 }

-static __always_inline void fixup_evt_arg_len(char *p,
-					      unsigned int argnum,
-					      unsigned int arglen)
-{
-	if (argnum > PPM_MAX_EVENT_PARAMS)
-	{
+static __always_inline void fixup_evt_arg_len(char *p, unsigned int argnum, unsigned int arglen) {
+	if(argnum > PPM_MAX_EVENT_PARAMS) {
 		return;
 	}
 	volatile unsigned int argnumv = argnum;
 	*((uint16_t *)&p[sizeof(struct ppm_evt_hdr)] + (argnumv & (PPM_MAX_EVENT_PARAMS - 1))) = arglen;
 }

-static __always_inline int push_evt_frame(void *ctx,
-					  struct filler_data *data)
-{
-	if (data->state->tail_ctx.curarg != data->evt->nparams) {
+static __always_inline int push_evt_frame(void *ctx, struct filler_data *data) {
+	if(data->state->tail_ctx.curarg != data->evt->nparams) {
 		bpf_printk("corrupted filler for event type %d (added %u args, should have added %u)\n",
-			   data->state->tail_ctx.evt_type,
-			   data->state->tail_ctx.curarg,
-			   data->evt->nparams);
+		           data->state->tail_ctx.evt_type,
+		           data->state->tail_ctx.curarg,
+		           data->evt->nparams);
 		return PPM_FAILURE_BUG;
 	}

-	if (data->state->tail_ctx.len > PERF_EVENT_MAX_SIZE)
-	{
+	if(data->state->tail_ctx.len > PERF_EVENT_MAX_SIZE) {
 		return PPM_FAILURE_FRAME_SCRATCH_MAP_FULL;
 	}

@ -63,18 +54,18 @@ static __always_inline int push_evt_frame(void *ctx,

 #ifdef BPF_FORBIDS_ZERO_ACCESS
 	int res = bpf_perf_event_output(ctx,
-					&perf_map,
-					BPF_F_CURRENT_CPU,
-					data->buf,
-					((data->state->tail_ctx.len - 1) & SCRATCH_SIZE_MAX) + 1);
+	                                &perf_map,
+	                                BPF_F_CURRENT_CPU,
+	                                data->buf,
+	                                ((data->state->tail_ctx.len - 1) & SCRATCH_SIZE_MAX) + 1);
 #else
 	int res = bpf_perf_event_output(ctx,
-					&perf_map,
-					BPF_F_CURRENT_CPU,
-					data->buf,
-					data->state->tail_ctx.len & SCRATCH_SIZE_MAX);
+	                                &perf_map,
+	                                BPF_F_CURRENT_CPU,
+	                                data->buf,
+	                                data->state->tail_ctx.len & SCRATCH_SIZE_MAX);
 #endif
-	if (res == -ENOENT || res == -EOPNOTSUPP) {
+	if(res == -ENOENT || res == -EOPNOTSUPP) {
 		/*
 		 * ENOENT = likely a new CPU is online that wasn't
 		 *          opened in userspace
@ -86,15 +77,15 @@ static __always_inline int push_evt_frame(void *ctx,
 		 */
 		struct scap_bpf_per_cpu_state *state = get_local_state(0);

-		if (!state)
+		if(!state)
 			return PPM_FAILURE_BUG;

 		state->hotplug_cpu = bpf_get_smp_processor_id();
 		bpf_printk("detected hotplug event, cpu=%d\n", state->hotplug_cpu);
-	} else if (res == -ENOSPC) {
+	} else if(res == -ENOSPC) {
 		bpf_printk("bpf_perf_buffer full\n");
 		return PPM_FAILURE_BUFFER_FULL;
-	} else if (res) {
+	} else if(res) {
 		bpf_printk("bpf_perf_event_output failed, res=%d\n", res);
 		return PPM_FAILURE_BUG;
 	}
--- a/driver/bpf/types.h
+++ b/driver/bpf/types.h
@ -12,6 +12,8 @@ or GPL2.txt for full copies of the license.

 #ifdef __KERNEL__

+#include <linux/sched.h>  // TASK_COMM_LEN definition
+
 #define __bpf_section(NAME) __attribute__((section(NAME), used))

 #ifndef __always_inline
@ -25,13 +27,11 @@ or GPL2.txt for full copies of the license.
 #endif

 #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
-#define BPF_PROBE(prefix, event, type)			\
-__bpf_section(TP_NAME #event)				\
-int bpf_##event(struct type *ctx)
+#define BPF_PROBE(prefix, event, type) \
+	__bpf_section(TP_NAME #event) int bpf_##event(struct type *ctx)
 #else
-#define BPF_PROBE(prefix, event, type)			\
-__bpf_section(TP_NAME prefix #event)			\
-int bpf_##event(struct type *ctx)
+#define BPF_PROBE(prefix, event, type) \
+	__bpf_section(TP_NAME prefix #event) int bpf_##event(struct type *ctx)
 #endif

 #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
@ -143,26 +143,24 @@ struct sys_stash_args {
 #ifdef CAPTURE_SCHED_PROC_EXEC

 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
-/* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
- * Taken from `/include/trace/events/sched.h`
- */
-struct sched_process_exec_args
-{
-	struct task_struct *p;
-	pid_t old_pid;
-	struct linux_binprm *bprm;
-};
-#else
-struct sched_process_exec_args
-{
+struct sched_process_exec_args {
 	unsigned short common_type;
 	unsigned char common_flags;
 	unsigned char common_preempt_count;
 	int common_pid;
-	int filename;
+	__u32 filename;  // This is actually defined as "__data_loc char[] filename;".
 	pid_t pid;
 	pid_t old_pid;
 };
+#else
+/* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
+ * Taken from `/include/trace/events/sched.h`
+ */
+struct sched_process_exec_args {
+	struct task_struct *p;
+	pid_t old_pid;
+	struct linux_binprm *bprm;
+};
 #endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */

 #endif /* CAPTURE_SCHED_PROC_EXEC */
@ -171,10 +169,9 @@ struct sched_process_exec_args
 /* TP_PROTO(struct task_struct *parent, struct task_struct *child)
 * Taken from `/include/trace/events/sched.h`
 */
-struct sched_process_fork_raw_args
-{
+struct sched_process_fork_raw_args {
 	struct task_struct *parent;
- 	struct task_struct *child;
+	struct task_struct *child;
 };
 #endif

@ -220,7 +217,6 @@ struct perf_event_sample {

 #endif /* __KERNEL__ */

-
 /* WARNING: This enum must follow the order in which BPF maps are defined in
 * `driver/bpf/maps.h`.
 */
@ -267,9 +263,13 @@ struct tail_context {

 struct scap_bpf_per_cpu_state {
 	struct tail_context tail_ctx;
-	unsigned long long n_evts;		/* Total number of kernel side events actively traced (not including events discarded due to simple consumer mode). */
-	unsigned long long n_drops_buffer;		/* Total number of kernel side drops due to full buffer, includes all categories below, likely higher than sum of syscall categories. */
-	/* Kernel side drops due to full buffer for categories of system calls. Not all system calls of interest are mapped into one of the categories. */
+	unsigned long long n_evts; /* Total number of kernel side events actively traced (not including
+	                              events discarded due to simple consumer mode). */
+	unsigned long long
+	        n_drops_buffer; /* Total number of kernel side drops due to full buffer, includes all
+	                           categories below, likely higher than sum of syscall categories. */
+	/* Kernel side drops due to full buffer for categories of system calls. Not all system calls of
+	 * interest are mapped into one of the categories. */
 	unsigned long long n_drops_buffer_clone_fork_enter;
 	unsigned long long n_drops_buffer_clone_fork_exit;
 	unsigned long long n_drops_buffer_execve_enter;
@ -280,13 +280,18 @@ struct scap_bpf_per_cpu_state {
 	unsigned long long n_drops_buffer_open_exit;
 	unsigned long long n_drops_buffer_dir_file_enter;
 	unsigned long long n_drops_buffer_dir_file_exit;
-	unsigned long long n_drops_buffer_other_interest_enter;		/* Category of other system calls of interest, not all other system calls that did not match a category from above. */
+	unsigned long long
+	        n_drops_buffer_other_interest_enter; /* Category of other system calls of interest, not
+	                                                all other system calls that did not match a
+	                                                category from above. */
 	unsigned long long n_drops_buffer_other_interest_exit;
 	unsigned long long n_drops_buffer_close_exit;
 	unsigned long long n_drops_buffer_proc_exit;
-	unsigned long long n_drops_scratch_map;		/* Number of kernel side scratch map drops. */
-	unsigned long long n_drops_pf;		/* Number of kernel side page faults drops (invalid memory access). */
-	unsigned long long n_drops_bug;		/* Number of kernel side bug drops (invalid condition in the kernel instrumentation). */
+	unsigned long long n_drops_scratch_map; /* Number of kernel side scratch map drops. */
+	unsigned long long
+	        n_drops_pf; /* Number of kernel side page faults drops (invalid memory access). */
+	unsigned long long n_drops_bug; /* Number of kernel side bug drops (invalid condition in the
+	                                   kernel instrumentation). */
 	unsigned int hotplug_cpu;
 	bool in_use;
 } __attribute__((packed));
--- a/driver/capture_macro.h
+++ b/driver/capture_macro.h
@ -13,6 +13,7 @@ or GPL2.txt for full copies of the license.
 // #define SNAPLEN_TRACERS_ENABLED 4096 // note: deprecated
 #define SNAPLEN_FULLCAPTURE_PORT 16000
 #define SNAPLEN_MAX 65000
+#define SNAPLEN_DNS_UDP 512

 /* Deep packet inspection logic */
 #define DPI_LOOKAHEAD_SIZE 16
@ -20,6 +21,7 @@ or GPL2.txt for full copies of the license.
 #define PPM_PORT_POSTGRES 5432
 #define PPM_PORT_STATSD 8125
 #define PPM_PORT_MONGODB 27017
+#define PPM_PORT_DNS 53

 /* HTTP */
 #define BPF_HTTP_GET 0x20544547
@ -35,5 +37,5 @@ or GPL2.txt for full copies of the license.
 #define SECOND_TO_NS 1000000000ULL

 #ifdef PAGE_SIZE
-	#define STR_STORAGE_SIZE PAGE_SIZE
+#define STR_STORAGE_SIZE PAGE_SIZE
 #endif
--- a/driver/configure/0__SANITY/test.c
+++ b/driver/configure/0__SANITY/test.c
@ -0,0 +1,26 @@
+/*
+
+Copyright (C) 2023 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that the build environment is sane
+ */
+
+#include <linux/module.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("the Falco authors");
+
+static int empty_init(void) {
+	return 0;
+}
+
+static void empty_exit(void) {}
+
+module_init(empty_init);
+module_exit(empty_exit);
--- a/driver/configure/ACCESS_OK_2/test.c
+++ b/driver/configure/ACCESS_OK_2/test.c
@ -18,15 +18,12 @@ or GPL2.txt for full copies of the license.
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("the Falco authors");

-static int access_ok_init(void)
-{
+static int access_ok_init(void) {
 	access_ok(0, 0);
 	return 0;
 }

-static void access_ok_exit(void)
-{
-}
+static void access_ok_exit(void) {}

 module_init(access_ok_init);
 module_exit(access_ok_exit);
--- a/driver/configure/CLASS_CREATE_1/test.c
+++ b/driver/configure/CLASS_CREATE_1/test.c
@ -9,7 +9,8 @@ or GPL2.txt for full copies of the license.

 /*
 * Check that `class_create` builds with only a single parameter
- * See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1aaba11da9aa7d7d6b52a74d45b31cac118295a1
+ * See
+ * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1aaba11da9aa7d7d6b52a74d45b31cac118295a1
 */

 #include <linux/module.h>
@ -18,15 +19,13 @@ or GPL2.txt for full copies of the license.
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("the Falco authors");

-static int class_create_test_init(void)
-{
+static int class_create_test_init(void) {
 	struct class *g_ppm_class = class_create("test");
+	(void)g_ppm_class;
 	return 0;
 }

-static void class_create_test_exit(void)
-{
-}
+static void class_create_test_exit(void) {}

 module_init(class_create_test_init);
 module_exit(class_create_test_exit);
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .0.3
 .0.4
 @ -1 +1 @@
 .20.0
 .69.0