fix(userspace/libsinsp): sinsp_filter_check_user::extract_single return-stack-address

Address the following warning (we build with -Werror...):
```
/__w/libs/libs/userspace/libsinsp/sinsp_filtercheck_user.cpp:104:26: warning: address of stack memory associated with local variable 'user' returned [-Wreturn-stack-address]
  104 |                         RETURN_EXTRACT_STRING(user);
      |                                               ^~~~
/__w/libs/libs/userspace/libsinsp/sinsp_filtercheck_user.cpp:34:21: note: expanded from macro 'RETURN_EXTRACT_STRING'
   34 |                 return (uint8_t*)(x).c_str(); \
      |                                   ^
```

Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>

.clang-format-ignore

@@ -3,6 +3,8 @@ driver/modern_bpf/definitions/aarch64/vmlinux.h
 driver/modern_bpf/definitions/ppc64le/vmlinux.h
 driver/modern_bpf/definitions/s390x/vmlinux.h
 driver/modern_bpf/definitions/x86_64/vmlinux.h
+# Autogenerated events dimensions file for modern probe is not formatted
+driver/modern_bpf/definitions/events_dimensions.h
 # All syscall_compat autogenerated headers are not formatted
 driver/syscall_compat_aarch64.h
 driver/syscall_compat_loongarch64.h

.github/PULL_REQUEST_TEMPLATE.md

@@ -20,6 +20,8 @@
 
 > /kind failing-test
 
+> /kind test
+
 > /kind feature
 
 <!--

.github/actions/composite-perf/action.yml

@@ -24,7 +24,7 @@ runs:
     - name: Install deps ⛓️
       shell: bash
       run: |
-        sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
+        sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
         sudo .github/install-deps.sh
 
     - name: Build

.github/actions/install-zig/action.yml

@@ -8,41 +8,29 @@ runs:
       shell: bash
       id: store
       env:
-        ZIG_VERSION: '0.14.0-dev.1952+9f84f7f92'
+        ZIG_VERSION: '0.14.1'
       run: |
         echo "zig_version=${ZIG_VERSION}" >> "$GITHUB_OUTPUT"
 
-    # TODO: this is only needed because we are using a development version of zig,
-    # since we need https://github.com/ziglang/zig/pull/21253 to be included.
-    # Development versions of zig are not kept alive forever, but get overridden.
-    # We cache it to keep it alive.
-    - name: Download zig (cached)
-      id: cache-zig
-      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
-      with:
-        path: zig
-        key: zig-${{ runner.os }}-${{ runner.arch }}-${{ steps.store.outputs.zig_version }}
-
     - name: Download zig
-      if: steps.cache-zig.outputs.cache-hit != 'true'
       shell: bash
       run: |
-        curl -L -o zig.tar.xz https://ziglang.org/builds/zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}.tar.xz
+        curl -L -o zig.tar.xz https://ziglang.org/download/${{ steps.store.outputs.zig_version }}/zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}.tar.xz
         tar -xvf zig.tar.xz
 
-        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
+        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
         #!/bin/bash
         exec zig cc -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
         EOF
-        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc
+        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc
 
-        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
+        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
         #!/bin/bash
         exec zig c++ -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
         EOF
-        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++
+        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++
 
-        mv zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/ zig
+        mv zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/ zig
 
     - name: Setup zig
       shell: bash
@@ -52,4 +40,4 @@ runs:
         echo "CC=zig-cc" >> $GITHUB_ENV
         echo "CXX=zig-c++" >> $GITHUB_ENV
         echo "AR=zig ar" >> $GITHUB_ENV
-        echo "RANLIB=zig ranlib" >> $GITHUB_ENV
+        echo "RANLIB=zig ranlib" >> $GITHUB_ENV

.github/workflows/ci.yml

@@ -16,19 +16,17 @@ concurrency:
 jobs:
   build-libs-linux:
     name: build-libs-linux-${{ matrix.arch }} 😁 (${{ matrix.name }})
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
     strategy:
       fail-fast: false
       matrix:
         arch: [amd64, arm64]
-        name: [system_deps, bundled_deps, system_deps_minimal, sanitizers, zig]
+        name: [system_deps, bundled_deps, sanitizers, zig]
         include:
           - name: system_deps
             cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
           - name: bundled_deps
             cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True
-          - name: system_deps_minimal
-            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
           - name: sanitizers
             cmake_opts: -DUSE_ASAN=On -DUSE_UBSAN=On -DUSE_BUNDLED_DEPS=False
           - name: zig
@@ -38,7 +36,9 @@ jobs:
     steps:
       - name: Install deps ⛓️
         run: |
-          apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
+          # Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
+          printf "deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main\ndeb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main\ndeb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main" > /etc/apt/sources.list
+          apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
 
       - name: Install a recent version of CMake ⛓️
         run: |
@@ -74,6 +74,13 @@ jobs:
           KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
           make run-unit-tests
 
+      - name: Test sinsp-example and .scap files
+        run: |
+          cd build && make sinsp-example
+          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google.txt
+          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google_comments.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google_comments.txt
+          diff -u /tmp/curl_google.txt /tmp/curl_google_comments.txt
+
       # On zig, build also sinsp-example and check the glibc linked versions
       # to make sure we are actually using the correct glibc version.
       - name: Test zig build glibc version
@@ -95,7 +102,11 @@ jobs:
     steps:
       - name: Install deps ⛓️
         run: |
-          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
+          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
+          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+          cd bpftool
+          git submodule update --init
+          cd src && make install
 
       - name: Checkout Libs ⤵️
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -114,27 +125,23 @@ jobs:
 
   build-shared-libs-linux-amd64:
     name: build-shared-libs-linux-amd64 🧐
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout Libs ⤵️
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
-      - name: Git safe directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-
       - name: Install deps ⛓️
         run: |
           sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
           sudo .github/install-deps.sh
 
       - name: Build and test 🏗️🧪
         run: |
           mkdir -p build
-          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
           make -j4
           make run-unit-tests
 
@@ -147,7 +154,7 @@ jobs:
         run: |
           cd userspace/libsinsp/examples
           export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
-          g++ -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)
+          g++ -o sinsp-example *.cpp $(pkg-config --cflags --libs libsinsp)
 
       - name: Test sinsp-example runtime linker
         run: |
@@ -174,7 +181,7 @@ jobs:
       - name: Build and test 🏗️🧪
         run: |
           mkdir -p build
-          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DMINIMAL_BUILD=ON -DENABLE_THREAD_POOL=ON ..
+          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DENABLE_THREAD_POOL=ON ..
           cmake --build . --config Release --parallel 4 && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe
 
   build-shared-libs-macos-amd64:
@@ -193,7 +200,7 @@ jobs:
       - name: Build 🏗️
         run: |
           mkdir -p build
-          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DMINIMAL_BUILD=ON -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
           cmake --build . --config Release --parallel $(getconf _NPROCESSORS_ONLN)
 
       - name: Install
@@ -251,100 +258,15 @@ jobs:
           diff -u expected_ldd_out.txt ldd_out.txt
 
   run-e2e-tests-amd64:
-    name: run-e2e-tests-amd64
-    strategy:
-      fail-fast: false
-      matrix:
-        name: [system_deps, bundled_deps, asan]
-        include:
-          - name: system_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=False
-          - name: bundled_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=True
-          - name: asan
-            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install deps ⛓️
-        run: |
-          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
-            ca-certificates \
-            cmake \
-            build-essential \
-            clang-14 llvm-14 \
-            git \
-            clang \
-            llvm \
-            pkg-config \
-            autoconf \
-            automake \
-            libtool \
-            libelf-dev \
-            wget \
-            libc-ares-dev \
-            libbpf-dev \
-            libcap-dev \
-            libcurl4-openssl-dev \
-            libssl-dev \
-            libtbb-dev \
-            libjq-dev \
-            libjsoncpp-dev \
-            libgrpc++-dev \
-            protobuf-compiler-grpc \
-            libgtest-dev \
-            libprotobuf-dev \
-            "linux-headers-$(uname -r)"
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+    uses: ./.github/workflows/reusable_e2e_tests.yaml
+    with:
+      libsversion: ${{ github.sha }}
+    secrets: inherit
 
-      - name: Checkout Libs ⤵️
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Fix kernel mmap rnd bits
-        # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
-        # high-entropy ASLR in much newer kernels that GitHub runners are
-        # using leading to random crashes: https://reviews.llvm.org/D148280
-        run: sudo sysctl vm.mmap_rnd_bits=28
-
-      - name: Install deps ⛓️
-        run: |
-          sudo .github/install-deps.sh
-
-      - name: Git safe directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-
-      - name: Build and test 🏗️🧪
-        env:
-          # This avoids random failures on CI.
-          # (https://github.com/google/sanitizers/issues/1322#issuecomment-699946942)
-          ASAN_OPTIONS: intercept_tls_get_addr=0
-        run: |
-          mkdir -p build && cd build
-          cmake -DBUILD_BPF=ON \
-                -DBUILD_LIBSCAP_MODERN_BPF=ON \
-                -DBUILD_LIBSCAP_GVISOR=OFF \
-                ${{ matrix.cmake_opts }} \
-                -DUSE_BUNDLED_LIBBPF=ON \
-                ..
-          make -j$(nproc) sinsp-example driver bpf
-          sudo -E make e2e-install-deps
-          sudo -E ../test/e2e/scripts/run_tests.sh
-
-      - name: Archive test reports
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: failure()
-        with:
-          name: ${{ matrix.name }}_report
-          path: |
-            /tmp/report/
 
   build-libs-emscripten:
     name: build-libs-emscripten 🧐
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Install deps ⛓️
         run: |
@@ -356,10 +278,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Git safe directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-
       - name: Build and test 🏗️🧪
         run: |
           mkdir -p build

.github/workflows/driverkit.yml

@@ -55,7 +55,7 @@ jobs:
             kernelrelease: 6.4.1-1.el9.elrepo.aarch64
             target: centos
             kernelurls: https://download.falco.org/fixtures/libs/kernel-ml-devel-6.4.1-1.el9.elrepo.aarch64.rpm
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
     container:
       image: falcosecurity/driverkit:latest
     steps:

.github/workflows/drivers_ci.yml

@@ -39,7 +39,7 @@ jobs:
   # This job run all engine tests and scap-open
   test-scap:
     name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
     needs: paths-filter
     strategy:
       matrix:
@@ -73,7 +73,7 @@ jobs:
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         run: |
           mkdir -p build
-          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On -DUSE_ASAN=On -DUSE_UBSAN=On ../
           make scap-open driver bpf libscap_test -j6
 
       - name: Run scap-open with modern bpf 🏎️
@@ -102,9 +102,16 @@ jobs:
           cd build
           sudo ./test/libscap/libscap_test
 
+      - name: Validate scap-open with modern bpf
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        uses: Andreagit97/bpfvalidator@v0.3.0
+        with:
+          args: |
+            --config=$GITHUB_WORKSPACE/driver/modern_bpf/bpfvalidator_config.yaml --cmd="$GITHUB_WORKSPACE/build/libscap/examples/01-open/scap-open --modern_bpf --num_events 10"
+
   test-drivers:
     name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
     needs: paths-filter
     strategy:
       matrix:
@@ -170,7 +177,7 @@ jobs:
 
       - name: Build and test drivers on ppc64le node via ssh
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: appleboy/ssh-action@25ce8cbbcb08177468c7ff7ec5cbfa236f9341e1 # v1.1.0
+        uses: appleboy/ssh-action@2ead5e36573f08b82fbfce1504f1a4b05a647c6f # v1.2.2
         with:
           host: ${{ secrets.PPC64LE_HOST }}
           username: ${{ secrets.PPC64LE_USERNAME }}
@@ -180,10 +187,12 @@ jobs:
           command_timeout: 60m
           script: |
             sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+            # Remove, if present, any libs clone created by a previous job run.
+            rm -rf libs
             git clone -b $GIT_BRANCH $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git libs
             cd libs
             mkdir -p build
-            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
+            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF -DUSE_BUNDLED_LIBELF=OFF ../
             make drivers_test driver bpf -j6
             sudo ./test/drivers/drivers_test -m
             rc_modern=$?
@@ -204,7 +213,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: uraimo/run-on-arch-action@5397f9e30a9b62422f302092631c99ae1effcd9e # v2.8.1
+      - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
         name: Run s390x build 🏗️
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         with:
@@ -213,15 +222,16 @@ jobs:
           githubToken: ${{ github.token }}
 
           install: |
-            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic
+            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev libcap-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-generic
             git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
             cd bpftool
             git submodule update --init
             cd src && make install
             cd ../../
             git clone https://github.com/libbpf/libbpf.git --branch v1.3.0 --single-branch
-            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install
+            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install install_uapi_headers 
             ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/
+            ln -s /usr/include/bpf /usr/include/s390x-linux-gnu/
           # Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
           run: |
             git config --global --add safe.directory $GITHUB_WORKSPACE
@@ -235,7 +245,7 @@ jobs:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
     runs-on: 'ubuntu-latest'
     if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-    container: fedora:latest
+    container: fedora:41
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
@@ -252,7 +262,7 @@ jobs:
           make ProbeSkeleton -j6
 
       - name: Upload skeleton
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: bpf_probe_x86_64.skel.h
           path: skeleton-build/skel_dir/bpf_probe.skel.h
@@ -277,7 +287,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Download skeleton
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: bpf_probe_x86_64.skel.h
           path: /tmp
@@ -319,13 +329,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download X64 matrix
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: matrix_X64
           path: matrix_X64
 
       - name: Download ARM64 matrix
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: matrix_ARM64
           path: matrix_ARM64
@@ -345,7 +355,7 @@ jobs:
           echo ""
 
       - name: Upload PR info as artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: pr-kernel-testing
           path: pr/

.github/workflows/e2e_ci.yml

@@ -15,7 +15,7 @@ concurrency:
 jobs:
   build-test-e2e:
     name: build-test-e2e-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
     strategy:
       matrix:
         arch: [amd64, arm64]
@@ -35,7 +35,6 @@ jobs:
             clang \
             llvm \
             git \
-            clang \
             ccache \
             llvm \
             pkg-config \
@@ -44,18 +43,14 @@ jobs:
             libtool \
             libelf-dev \
             wget \
-            libc-ares-dev \
             libbpf-dev \
             libcap-dev \
-            libcurl4-openssl-dev \
-            libssl-dev \
             libtbb-dev \
             libjq-dev \
             libjsoncpp-dev \
-            libgrpc++-dev \
-            protobuf-compiler-grpc \
             libgtest-dev \
             libprotobuf-dev \
+            protobuf-compiler \
             linux-headers-$(uname -r)
           sudo .github/install-deps.sh
           git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
@@ -69,7 +64,7 @@ jobs:
           sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
 
       - name: Run sccache-cache
-        uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
 
       - name: Build e2e tests 🏗️
         env:
@@ -95,7 +90,7 @@ jobs:
           cd ..
 
       - name: Cache build
-        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         if: always()
         id: cache
         with:
@@ -105,7 +100,7 @@ jobs:
   test-e2e:
     name: test-e2e-${{ matrix.arch }}-${{ matrix.driver.name }} 😇 (bundled_deps)
     needs: [build-test-e2e]
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
     strategy:
       matrix:
         arch: [amd64, arm64]
@@ -119,7 +114,7 @@ jobs:
 
       - name: Restore build
         id: cache
-        uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: build
           key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
@@ -171,4 +166,4 @@ jobs:
           UBSAN_OPTIONS: print_stacktrace=1
         run: |
           cd build/test/libsinsp_e2e/
-          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok
+          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok

.github/workflows/format.yml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Upload the git diff artifact 📦
         if: failure()
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: format_diff.patch
           path: ./format_diff.patch

.github/workflows/latest-kernel.yml

@@ -44,7 +44,7 @@ jobs:
           echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT
 
       - name: Upload driverkit config
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: driverkit_config.yaml
           path: linux/dk.yaml
@@ -56,16 +56,19 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: Download driverkit config
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: driverkit_config.yaml
 
       - name: Download latest driverkit artifact
-        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
-          name: driverkit-amd64
-          workflow: release.yml
-          repo: falcosecurity/driverkit
+          fileName: driverkit_*_linux_amd64.tar.gz
+          latest: true
+          repository: falcosecurity/driverkit
+          tarBall: false
+          zipBall: false
+          extract: true
 
       - name: Test drivers build
         id: build
@@ -78,19 +81,22 @@ jobs:
     needs: 'compute-latest-version'
     outputs:
       build: ${{ steps.build.outcome }}
-    runs-on: 'github-arm64-2c-8gb'
+    runs-on: 'ubuntu-22.04-arm'
     steps:
       - name: Download driverkit config
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: driverkit_config.yaml
 
       - name: Download latest driverkit artifact
-        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
-          name: driverkit-arm64
-          workflow: release.yml
-          repo: falcosecurity/driverkit
+          fileName:  driverkit_*_linux_arm64.tar.gz
+          latest: true
+          repository: falcosecurity/driverkit
+          tarBall: false
+          zipBall: false
+          extract: true
 
       - name: Test drivers build
         id: build

.github/workflows/pages.yml

@@ -28,7 +28,7 @@ jobs:
         uses: ./.github/actions/composite-perf
 
       - name: Archive master perf report
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: perf_report
           retention-days: 30 # 30 days because this is the artifact on master; we need to retain it to be able to properly diff it
@@ -72,7 +72,7 @@ jobs:
           rm -rf stacks.txt
 
       - name: Upload svg files
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: perf_svg
           path: '*.svg'
@@ -88,7 +88,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Download matrix X64
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: matrix_X64
 
@@ -96,7 +96,7 @@ jobs:
         run: mv matrix.md docs/matrix_X64.md
 
       - name: Download matrix ARM64
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: matrix_ARM64
 
@@ -109,7 +109,7 @@ jobs:
           sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_ARM64.md
 
       - name: Download perf svg files
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: perf_svg
 
@@ -128,7 +128,7 @@ jobs:
           echo '<object data="../heaptrack_scap.svg" type="image/svg+xml" id="heaptrack_scap_file"></object>' > docs/heaptrack_scap_file.md
           sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_scap_file.md
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.x
 

.github/workflows/perf.yml

@@ -27,7 +27,7 @@ jobs:
         uses: ./.github/actions/composite-perf
 
       - name: Download latest master report
-        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
         with:
           branch: master
           event: push
@@ -56,7 +56,7 @@ jobs:
           python3 google-benchmark/tools/compare.py --no-color benchmarks gbench_data.json ${{ steps.perf.outputs.gbench_json }} &> gbench_diff.txt
 
       - name: Archive perf diff
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: perf_diff
           path: '*_diff.txt'
@@ -96,7 +96,7 @@ jobs:
           echo ""
 
       - name: Upload PR info as artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: pr-perf
           path: pr/

.github/workflows/release-body.yml

@@ -98,7 +98,7 @@ jobs:
           echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
 
       - name: Release
-        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
         with:
           body_path: ./release-body.md
           tag_name: ${{ github.event.release.tag_name }}
@@ -135,8 +135,29 @@ jobs:
           echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md
           echo "" >> release-body.md
 
+      - name: Push badge to latest kernel release
+        run: |
+          wget https://gist.githubusercontent.com/FedeDP/1cbc5d42edf8e3a02fb75e76625f1072/raw/kernel.json
+          # 6.15-rc2 -> 6.15
+          # 6.10.6 -> 6.10
+          # 6.10 -> 6.10
+          KVER=$(cat kernel.json | jq '.message' | tr -d '"' | grep -oE -- '[0-9]+.[0-9]+')
+          SUCCESS=$(cat kernel.json | jq '.color' | tr -d '"')
+          # If latest run was not successful,
+          # revert back to previous kernel release.
+          # Of course, the fallback logic is bugged in case minor is 0,
+          # as we cannot know which was the previous version.
+          # It should not matter until kernel 7.0 :P
+          if [[ "$SUCCESS" = "red" ]]; then
+            n=${KVER//[!0-9]/ }
+            a=(${n//\./ })
+            KVER=$(echo "${a[0]}.$((a[1] - 1))")
+          fi
+          echo '!'"[Latest Compatible Kernel](https://img.shields.io/badge/KERNEL-${KVER}-brightgreen)" >> release-body.md
+          echo "" >> release-body.md
+
       - name: Download matrix X64
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: matrix_X64
 
@@ -144,7 +165,7 @@ jobs:
         run: mv matrix.md matrix_X64.md
 
       - name: Download matrix ARM64
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: matrix_ARM64
 
@@ -182,7 +203,7 @@ jobs:
           echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
 
       - name: Release
-        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
         with:
           body_path: ./release-body.md
           tag_name: ${{ github.event.release.tag_name }}

.github/workflows/reusable_e2e_tests.yaml

@@ -0,0 +1,137 @@
+name: Run libs e2e tests python framework
+
+on:
+  workflow_call:
+    inputs:
+      container_plugin_artifact_name:
+        description: 'use a previously built custom container plugin; artifact name to be downloaded, or empty'
+        type: string
+        required: false
+        default: ''
+      test-docker:
+        description: "Whether to run tests with docker socket"
+        type: boolean
+        required: false
+        default: true
+      test-podman:
+        description: "Whether to run tests with podman socket"
+        type: boolean
+        required: false
+        default: true
+      libsversion:
+        description: 'libs version to be tested, eg: master'
+        type: string
+        required: false
+        default: 'master'
+      libsrepo:
+        description: 'libs repo to be tested, eg: falcosecurity/libs'
+        type: string
+        required: false
+        default: 'falcosecurity/libs'
+
+jobs:
+  test-e2e:
+    if: inputs.test-docker || inputs.test-podman
+    strategy:
+      fail-fast: false
+      matrix:
+        name: [ system_deps, bundled_deps, asan ]
+        include:
+          - name: system_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=False
+          - name: bundled_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=True
+          - name: asan
+            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install deps ⛓️
+        run: |
+          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
+            ca-certificates \
+            cmake \
+            build-essential \
+            git \
+            clang \
+            llvm \
+            pkg-config \
+            autoconf \
+            automake \
+            libtool \
+            libelf-dev \
+            wget \
+            libbpf-dev \
+            libcap-dev \
+            libtbb-dev \
+            libjq-dev \
+            libjsoncpp-dev \
+            libgtest-dev \
+            libprotobuf-dev \
+            protobuf-compiler \
+            "linux-headers-$(uname -r)"
+
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          repository: ${{ inputs.libsrepo }}
+          ref: ${{ inputs.libsversion }}
+
+      - name: Install deps ⛓️
+        run: |
+          sudo .github/install-deps.sh
+
+      - name: Build tests 🏗️
+        run: |
+          mkdir -p build && cd build
+          cmake -DBUILD_BPF=ON \
+                -DBUILD_LIBSCAP_MODERN_BPF=ON \
+                -DBUILD_LIBSCAP_GVISOR=OFF \
+                -DENABLE_E2E_TESTS=ON \
+                ${{ matrix.cmake_opts }} \
+                -DUSE_BUNDLED_LIBBPF=ON \
+                ..
+          make -j$(nproc) sinsp-example driver bpf container_plugin
+          sudo -E make e2e-install-deps
+
+      - name: Download overriding custom container plugin
+        if: inputs.container_plugin_artifact_name != ''
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: ${{ inputs.container_plugin_artifact_name }}
+          path: build/test/e2e/container_plugin-prefix/src/container_plugin/
+
+      - name: Run tests - docker 🧪
+        if: inputs.test-docker
+        working-directory: build
+        run: |
+          sudo -E ../test/e2e/scripts/run_tests.sh
+
+      - name: Archive test reports - docker
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: inputs.test-docker && failure()
+        with:
+          name: ${{ matrix.name }}_docker_report
+          path: |
+            /tmp/report/
+
+      - name: Run tests - podman 🧪
+        if: inputs.test-podman && always()
+        working-directory: build
+        env:
+          # Set DOCKER_HOST pointing to podman socket
+          DOCKER_HOST: unix://run/podman/podman.sock
+        run: |
+          # Cleanup docker tests generated report folder
+          sudo rm -rf /tmp/report
+          # Podman tests require podman socket
+          sudo systemctl start podman
+          sudo -E ../test/e2e/scripts/run_tests.sh
+
+      - name: Archive test reports - podman
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: inputs.test-podman && failure()
+        with:
+          name: ${{ matrix.name }}_podman_report
+          path: |
+            /tmp/report/

.github/workflows/reusable_kernel_tests.yaml

@@ -47,12 +47,12 @@ jobs:
           libsrepo: ${{ inputs.libsrepo }}
           build_matrix: 'true'
 
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: ansible_output_${{matrix.architecture}}
           path: ${{ steps.kernel_tests.outputs.ansible_output }}
 
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: matrix_${{matrix.architecture}}
           path: ${{ steps.kernel_tests.outputs.matrix_output }}

.github/workflows/test_coverage_ci.yml

@@ -14,18 +14,7 @@ jobs:
   unit-test-libsinsp-coverage:
     name: unit-test-libsinsp-coverage 🧐
     runs-on: 'ubuntu-22.04'
-    container:
-      image: debian:bookworm
     steps:
-      - name: Install deps ⛓️
-        run: |
-          apt update && apt install -y --no-install-recommends ca-certificates \
-            cmake build-essential git clang llvm pkg-config autoconf automake \
-            libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev \
-            libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc \
-            libgtest-dev libprotobuf-dev linux-headers-amd64 \
-            gpg gpg-agent gcovr
-
       - name: Checkout Libs ⤵️
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -33,11 +22,8 @@ jobs:
 
       - name: Install deps ⛓️
         run: |
-          .github/install-deps.sh
-
-      - name: Git safe directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
+          sudo apt-get update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r) gpg gpg-agent gcovr
+          sudo .github/install-deps.sh
 
       - name: Build and test 🏗️🧪
         run: |
@@ -51,7 +37,7 @@ jobs:
           gcovr --xml -o ./libsinsp.coverage.xml
 
       - name: Upload to codecov
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
         with:
           fail_ci_if_error: true
           files: ./libsinsp.coverage.xml

.github/workflows/update-syscalls.yml

@@ -24,7 +24,7 @@ jobs:
           repo-root: ${{ github.workspace }}/libs
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           path: libs
           signoff: true

.gitignore

@@ -28,3 +28,4 @@ cscope.out
 tags
 third_party
 *.vagrant*
+.DS_Store

.pre-commit-config.yaml

@@ -7,13 +7,13 @@ repos:
   rev: v0.6.13
   hooks:
   - id: cmake-format
-    stages: [commit]
+    stages: [pre-commit]
 - repo: https://github.com/pre-commit/mirrors-clang-format
   rev: v18.1.8
   hooks:
   - id: clang-format
     types_or: [c++, c]
-    stages: [commit]
+    stages: [pre-commit]
 - repo: local
   hooks:
   - id: dco-hook-local

CMakeLists.txt

@@ -53,18 +53,15 @@ endif()
 project(falcosecurity-libs)
 
 option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
-option(MINIMAL_BUILD
-	   "Produce a minimal build with only the essential features (no container metadata)" OFF
-)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 option(USE_BUNDLED_DRIVER
 	   "Use the driver/ subdirectory in the build process (only available in Linux)" ON
 )
+option(ENABLE_E2E_TESTS "Enable e2e tests" OFF)
 option(ENABLE_DRIVERS_TESTS "Enable driver tests (bpf, kernel module, modern bpf)" OFF)
 option(ENABLE_LIBSCAP_TESTS "Enable libscap unit tests" OFF)
 option(ENABLE_LIBSINSP_E2E_TESTS "Enable libsinsp e2e tests" OFF)
 option(BUILD_SHARED_LIBS "Build libscap and libsinsp as shared libraries" OFF)
-option(ENABLE_VM_TESTS "Enable driver sanity tests" OFF)
 option(USE_ASAN "Build with AddressSanitizer" OFF)
 option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
 option(USE_TSAN "Build with ThreadSanitizer" OFF)
@@ -129,7 +126,9 @@ if(CREATE_TEST_TARGETS)
 	# ctest's add_test because it will build the code and output to stdout.
 	add_custom_target(run-unit-tests COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp)
 
-	add_subdirectory(test/e2e)
+	if(ENABLE_E2E_TESTS)
+		add_subdirectory(test/e2e)
+	endif()
 
 	if(ENABLE_DRIVERS_TESTS)
 		add_subdirectory(test/drivers)
@@ -145,10 +144,6 @@ if(CREATE_TEST_TARGETS)
 		add_subdirectory(test/libsinsp_e2e/resources)
 	endif()
 
-	if(ENABLE_VM_TESTS)
-		add_subdirectory(test/vm)
-	endif()
-
 endif()
 
 option(ENABLE_BENCHMARKS "Enable Benchmarks" OFF)

CMakePresets.json

@@ -2,15 +2,24 @@
 	"version": 3,
 	"configurePresets": [
 		{
-			"name": "scap-drivers",
-			"displayName": "Build scap drivers and their tests",
-			"description": "Build all scap drivers (modern eBPF, legacy eBPF, kmod) and their tests",
+			"name": "base",
+			"hidden": true,
 			"generator": "Unix Makefiles",
-			"binaryDir": "${sourceDir}/build-scap-drivers",
 			"cacheVariables": {
 				"CMAKE_BUILD_TYPE": "Release",
-				"BUILD_BPF": "ON",
+				"CMAKE_EXPORT_COMPILE_COMMANDS": "ON",
 				"BUILD_DRIVER": "ON",
+				"BUILD_BPF": "ON",
+				"BUILD_WARNINGS_AS_ERRORS": "ON"
+			}
+		},
+		{
+			"name": "scap-drivers",
+			"inherits": "base",
+			"displayName": "Build scap drivers and their tests",
+			"description": "Build all scap drivers (modern eBPF, legacy eBPF, kmod) and their tests",
+			"binaryDir": "${sourceDir}/build-scap-drivers",
+			"cacheVariables": {
 				"USE_BUNDLED_DEPS": "ON",
 				"ENABLE_DRIVERS_TESTS": "ON",
 				"MODERN_BPF_DEBUG_MODE": "ON",
@@ -18,27 +27,20 @@
 				"BUILD_LIBSCAP_GVISOR": "OFF",
 				"CREATE_TEST_TARGETS": "ON",
 				"ENABLE_LIBSCAP_TESTS": "ON",
-				"SCAP_FILES_SUITE_ENABLE": "OFF",
-				"CMAKE_EXPORT_COMPILE_COMMANDS": "ON",
-				"BUILD_WARNINGS_AS_ERRORS": "ON"
+				"SCAP_FILES_SUITE_ENABLE": "OFF"
 			}
 		},
 		{
 			"name": "sinsp-minimal",
-			"displayName": "Build sinsp in minimal build",
-			"description": "Build sinsp in minimal build with its tests",
-			"generator": "Unix Makefiles",
+			"inherits": "base",
+			"displayName": "Build minimal sinsp",
+			"description": "Build sinsp without gvisor and protobuf deps",
 			"binaryDir": "${sourceDir}/build-sinsp-minimal",
 			"cacheVariables": {
-				"CMAKE_BUILD_TYPE": "Release",
-				"BUILD_DRIVER": "ON",
-				"BUILD_BPF": "ON",
 				"USE_BUNDLED_DEPS": "ON",
+				"BUILD_LIBSCAP_GVISOR": "OFF",
 				"CREATE_TEST_TARGETS": "ON",
-				"MINIMAL_BUILD": "ON",
-				"SCAP_FILES_SUITE_ENABLE": "OFF",
-				"CMAKE_EXPORT_COMPILE_COMMANDS": "ON",
-				"BUILD_WARNINGS_AS_ERRORS": "ON"
+				"SCAP_FILES_SUITE_ENABLE": "OFF"
 			}
 		}
 	]

OWNERS

@@ -7,10 +7,11 @@ approvers:
   - molter73
   - lucaguerra
   - jasondellaluce
-  - incertum
+  - ekoops
 reviewers:
   - hbrueckner
 emeritus_approvers:
   - fntlnz
   - leodido
   - ldegio
+  - incertum

README.md

@@ -11,7 +11,7 @@ This repository contains **libsinsp**, **libscap**, the **kernel module** and th
 
 These components are at the foundation of [Falco](https://github.com/falcosecurity/falco) and other projects that work with the same kind of data.
 
-This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to the [official documentation](https://falco.org/docs/).
+This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to Falco's [official documentation](https://falco.org/docs/).
 
 An image is worth a thousand words, they say:
 
@@ -104,13 +104,13 @@ If you are building this project outside of a Git working directory, or if you w
 <details>
 	<summary>Expand Build Instructions</summary>
 
-For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in the [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
+For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in Falco's [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
 
 The project utilizes the `cmake` build system, and the key `make` targets are as follows: 
 
 * `driver` -> build the kmod
-* `bpf` -> build the eBPF probe
-* `scap` -> build libscap (`modern_bpf` driver will be bundled into `scap` if enabled)
+* `bpf` -> build the legacy `ebpf` probe
+* `scap` -> build libscap (`modern_ebpf` driver will be bundled into `scap` if enabled)
 * `sinsp` -> build libsinsp (depends upon `scap` target)
 * `scap-open` -> build a small example binary for `libscap` to test the drivers (dependent on `scap`)
 * `sinsp-example` -> build a small example binary for `libsinsp` to test the drivers and/or `libsinsp` functionality (dependent on `scap` and `sinsp`)
@@ -135,7 +135,7 @@ make sinsp
 
 ### Build userspace using system deps
 
-To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to the [official documentation](https://falco.org/docs/install-operate/source/).
+To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to Falco's [official documentation](https://falco.org/docs/install-operate/source/).
 
 ```bash
 cmake -DUSE_BUNDLED_DEPS=OFF ../;
@@ -146,29 +146,27 @@ make sinsp
 
 ### Build driver - kmod
 
-To build the kmod driver, you need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
+To build the kmod driver, you need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
 
 ```bash
 make driver
-# Verify the kmod object code was created, uses `.ko` extension.
+# Verify the kmod binary object file was created, uses `.ko` extension.
 ls -l driver/src/scap.ko;
 ```
 
 ### Build driver - eBPF probe
 
-To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
+To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
 
 ```bash
 cmake -DBUILD_BPF=ON ../;
 make bpf
-# Verify the eBPF object code was created, uses `.o` extension.
+# Verify the eBPF bytecode file was created, uses `.o` extension.
 ls -l driver/bpf/probe.o;
 ```
 
 >__WARNING__: **clang-7** is the oldest supported version to build our BPF probe.
 
-Initial guidance for CI and building within containers: To build either the kmod or eBPF probe in a container, you will need to make the extracted kernel headers available. The [test/vm](test/vm/) directory contains example [scripts](test/vm/scripts/compile_drivers.sh) demonstrating how to pass them to the `make` command using the argument `KERNELDIR=${EXTRACTED_KERNEL_HEADERS_DIR}`. You can also use the [falcosecurity/driverkit](https://github.com/falcosecurity/driverkit) or explore the scripts within the driverkit repository. The mentioned resources also provide candidate builder containers.
-
 ### Build driver - modern eBPF probe
 
 To build the modern eBPF probe, further prerequisites are necessary:
@@ -193,13 +191,13 @@ To build the modern eBPF probe, further prerequisites are necessary:
 
 > __NOTE:__ These are not the requirements to use the modern BPF probe, but rather for building it from source.
 
-Regarding the previously discussed bpf drivers, they create a kernel-specific object code (`driver/bpf/probe.o`) for your machine's kernel release (`uname -r`). This object code is then used as an argument for testing with `scap-open` and `sinsp-example` binaries.
+Regarding the previously discussed legacy eBPF driver, it generates kernel-specific bytecode (`driver/bpf/probe.o`) tailored to your machine's kernel release (`uname -r`). The location of the bytecode file can then be passed as an argument for testing with the `scap-open` and `sinsp-example` binaries.
 
-However, the modern BPF driver operates differently. It doesn't require kernel headers, and its build isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8.
+However, the modern eBPF driver build process doesn't require kernel headers, and it isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern eBPF driver.
 
-To comprehend how the driver understands kernel data structures without knowledge of the kernel it runs on, there's no black magic involved. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file in our project containing all necessary kernel data structure definitions. Additionally, we sometimes rely on macros or functions typically found in system header files, which we redefine in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h).
+CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8. The way the driver interprets kernel data structures without direct knowledge of the running kernel is not magic — it leverages predefined type information and BTF-based relocations. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file containing essential kernel data structure definitions, allowing the eBPF program to reference fields dynamically. Additionally, for cases where macros or functions from system headers are required, we redefine them in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h). Combined with CO-RE (Compile Once, Run Everywhere), this enables the driver to remain portable across different kernel versions.
  
-That being said, the modern BPF driver still produces an object file, which you can create using the target below. Nevertheless, we ultimately include it in `scap` regardless. Hence, when modern BPF is enabled, building `scap` will already cover this step for you.
+The modern eBPF driver build process produces an eBPF header skeleton file using `bpftool`. The skeleton file is a C header file that embeds the compiled eBPF program as bytecode.
 
 ```bash
 cmake \
@@ -207,13 +205,15 @@ cmake \
 -DBUILD_LIBSCAP_MODERN_BPF=ON ../;
 
 make ProbeSkeleton
-# Verify the modern eBPF object code / final composed header file including all `.o` modern_bpf files was created, uses `.h` extension.
+# Verify the modern eBPF bytecode / final composed header file including all `.o` modern_ebpf files was created, uses `.h` extension.
 ls -l skel_dir/bpf_probe.skel.h;
 # Now includes skel_dir/bpf_probe.skel.h in `scap` during the linking process.
 make scap
 ```
 
-Initial guidance for CI and building within containers: The Falco Project, for instance, compiles the final Falco userspace binary within older centos7 [falco-builder](https://falco.org/docs/install-operate/source/#build-using-falco-builder-container) containers with bundled dependencies. This ensures compatibility across supported systems, mainly due to GLIBC versions and other intricacies. However, you won't be able to compile the modern BPF driver on such old systems or builder containers. One solution is to build `skel_dir/bpf_probe.skel.h` in a more recent builder container. For example, you can refer to this [container](test/vm/containers/ubuntu2310.Dockerfile) as a guide. Subsequently, you can provide the modern BPF header file as an artifact to `scap` during building in an older builder container. As an illustrative example, we use `/tmp/skel-dir` containing the `bpf_probe.skel.h` file.
+Since modern eBPF is included in `scap`, running `make scap` automatically covers the `make ProbeSkeleton` build step.
+
+You can also split the build process and specify the directory containing the `bpf_probe.skel.h` file.
 
 ```bash
 cmake \
@@ -243,7 +243,7 @@ This repository includes convenient test example binaries for both `scap` and `s
 
 When developing new features, you would run either one depending on what you're working on, in order to test and validate your changes.
 
-> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern BPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
+> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern eBPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
 
 Here's an example of a `cmake` command that will enable everything you need for all tests and components. By default, the following flags are disabled, with the exception of `USE_BUNDLED_DEPS` and `CREATE_TEST_TARGETS` (they are enabled by default).
 
@@ -259,8 +259,7 @@ cmake \
 -DCREATE_TEST_TARGETS=ON \
 -DENABLE_LIBSCAP_TESTS=ON \
 -DENABLE_DRIVERS_TESTS=ON \
--DENABLE_LIBSINSP_E2E_TESTS=ON \
--DENABLE_VM_TESTS=ON ../;
+-DENABLE_LIBSINSP_E2E_TESTS=ON ../;
 ```
 
 > __NOTE:__ The `ENABLE_LIBSINSP_E2E_TESTS` flag enables the new e2e tests for libsinsp. Please keep in mind these tests are currently in heavy development and need some extra steps (see in the section below) to run correctly.
@@ -302,9 +301,10 @@ sudo ./test/drivers/drivers_test -m;
 The tests mentioned below expand beyond the scope of "unit tests". In this context as well, we are dedicated to making sure they run smoothly on your `localhost` for pre-PR testing, to the best of our ability:
 
 - [test/e2e](test/e2e) - enforced by our CI
-- [test/vm](test/vm) - our CI includes comparable tests, but it employs a distinct framework. For current status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
 
-As mentioned earlier, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
+For current status reports on the CI powered Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
+
+In general, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
 
 ### [EXPERIMENTAL] Run libsinsp e2e tests
 

benchmark/libsinsp/utils.cpp

@@ -53,19 +53,3 @@ static void BM_sinsp_concatenate_paths_absolute_path(benchmark::State& state) {
 	}
 }
 BENCHMARK(BM_sinsp_concatenate_paths_absolute_path);
-
-static void BM_sinsp_split_container_image(benchmark::State& state) {
-	for(auto _ : state) {
-		std::string container_image =
-		        "localhost:12345/library/"
-		        "busybox:1.27.2@sha256:da39a3ee5e6b4b0d3255bfef95601890afd80709";
-		std::string hostname, port, name, tag, digest;
-		sinsp_utils::split_container_image(container_image, hostname, port, name, tag, digest);
-		benchmark::DoNotOptimize(hostname);
-		benchmark::DoNotOptimize(port);
-		benchmark::DoNotOptimize(name);
-		benchmark::DoNotOptimize(tag);
-		benchmark::DoNotOptimize(digest);
-	}
-}
-BENCHMARK(BM_sinsp_split_container_image);

cmake/modules/BuildPkgConfigDependencies.cmake

@@ -3,6 +3,7 @@
 # libsinsp.pc (which requires libscap.pc and pulls them in that way)
 function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
 
+	message(DEBUG "[add_pkgconfig_library] processing lib \"${lib}\"")
 	# if it's not a target, it doesn't have dependencies we know or care about
 	if(NOT TARGET ${lib})
 		return()
@@ -14,14 +15,26 @@ function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
 		return()
 	endif()
 
+	message(DEBUG "[add_pkgconfig_library] LINK_LIBRARIES property: \"${PKGCONFIG_LIBRARIES}\"")
+
 	get_property(
 		target_type
 		TARGET ${lib}
 		PROPERTY TYPE
 	)
+	message(DEBUG "[add_pkgconfig_library] ignored list: \"${ignored}\"")
 	foreach(dep ${PKGCONFIG_LIBRARIES})
-		# ignore dependencies in the list ${ignored}
-		if(${dep} IN_LIST "${ignored}")
+		# XXX: We use a (very) loose match as we are potentially comparing absolute library file
+		# names (dep) to pkg-config library names to be ignored.  The only alternative I can think
+		# of would be to maintain a map associating pkg-config names to their library file name.
+		get_filename_component(dep_base ${dep} NAME_WE)
+		string(REGEX REPLACE "^lib" "" dep_name ${dep_base})
+		# For CMake imported targets, keep only the suffix, e.g. gRPC::grpc -> grpc.
+		string(REGEX REPLACE "[^:]*::" "" dep_name ${dep_base})
+		message(DEBUG "[add_pkgconfig_library] processing dep ${dep}")
+		string(FIND "${ignored}" "${dep_name}" find_result)
+		if(NOT ${find_result} EQUAL -1)
+			message(DEBUG "[add_pkgconfig_library] \"${dep}\" ignored")
 			continue()
 		endif()
 
@@ -34,7 +47,7 @@ function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
 					TARGET ${dep}
 					PROPERTY TYPE
 				)
-				if(${dep_target_type} STREQUAL "STATIC_LIBRARY")
+				if(NOT ${dep_target_type} STREQUAL "SHARED_LIBRARY")
 					continue()
 				endif()
 			else()
@@ -52,6 +65,27 @@ function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
 			if(NOT TARGET ${dep})
 				get_filename_component(filename ${dep} NAME)
 				set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
+			else()
+				get_property(
+					dep_target_type
+					TARGET ${dep}
+					PROPERTY TYPE
+				)
+				if(${dep_target_type} STREQUAL "OBJECT_LIBRARY")
+					# skip object libraries
+					continue()
+				endif()
+
+				# if the library is imported, use the IMPORTED_LOCATION instead
+				get_property(
+					dep_imported_location
+					TARGET ${dep}
+					PROPERTY IMPORTED_LOCATION
+				)
+				if(NOT ${dep_imported_location} STREQUAL "")
+					get_filename_component(filename ${dep_imported_location} NAME)
+					set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
+				endif()
 			endif()
 		endif()
 

cmake/modules/CompilerFlags.cmake

@@ -33,11 +33,6 @@ if(NOT MSVC)
 	set(FALCOSECURITY_LIBS_COMMON_FLAGS "-Wall -ggdb")
 	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "-Og -D_DEBUG")
 	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "-O3 -fno-strict-aliasing -DNDEBUG")
-
-	if(MINIMAL_BUILD)
-		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -DMINIMAL_BUILD")
-	endif()
-
 	if(MUSL_OPTIMIZED_BUILD)
 		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -static -Os")
 	endif()
@@ -45,7 +40,7 @@ if(NOT MSVC)
 	if(BUILD_WARNINGS_AS_ERRORS)
 		set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
 		set(CMAKE_SUPPRESSED_WARNINGS
-			"-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation"
+			"-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation -Wno-deprecated-declarations"
 		)
 		if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
 			# Clang needs these for suppressing these warnings: - C++20 array designators used with
@@ -121,10 +116,8 @@ if(NOT MSVC)
 	add_definitions(-D__STDC_FORMAT_MACROS)
 
 else() # MSVC
-	set(MINIMAL_BUILD ON)
-
 	set(FALCOSECURITY_LIBS_COMMON_FLAGS
-		"-D_CRT_SECURE_NO_WARNINGS -DWIN32 -DMINIMAL_BUILD /EHsc /W3 /Zi /std:c++17"
+		"-D_CRT_SECURE_NO_WARNINGS -DWIN32 /EHsc /W3 /Zi /std:c++17"
 	)
 	if(CMAKE_VERSION VERSION_LESS 3.15.0)
 		set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
@@ -144,8 +137,8 @@ else() # MSVC
 	set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
 
 	# "_DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR" enables a workaround for windows GH runner issue, see
-	# https://github.com/actions/runner-images/issues/10004
+	# https://github.com/actions/runner-images/issues/10004 Also, define NOMINMAX globally.
 	add_compile_definitions(
-		_HAS_STD_BYTE=0 WIN32_LEAN_AND_MEAN _DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR
+		_HAS_STD_BYTE=0 WIN32_LEAN_AND_MEAN _DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR NOMINMAX
 	)
 endif()

cmake/modules/cares.cmake

@@ -1,76 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
-option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
-
-if(CARES_INCLUDE)
-	# we already have c-ares
-elseif(NOT USE_BUNDLED_CARES)
-	find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
-	find_library(CARES_LIB NAMES cares)
-	if(CARES_INCLUDE AND CARES_LIB)
-		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system c-ares")
-	endif()
-else()
-	if(BUILD_SHARED_LIBS)
-		set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(CARES_STATIC_OPTION "Off")
-	else()
-		set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(CARES_STATIC_OPTION "On")
-	endif()
-	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
-	set(CARES_INCLUDE "${CARES_SRC}/include/")
-	set(CARES_LIB "${CARES_SRC}/lib/libcares${CARES_LIB_SUFFIX}")
-
-	if(NOT TARGET c-ares)
-		message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
-		ExternalProject_Add(
-			c-ares
-			PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
-			URL "https://github.com/c-ares/c-ares/releases/download/v1.33.1/c-ares-1.33.1.tar.gz"
-			URL_HASH "SHA256=06869824094745872fa26efd4c48e622b9bd82a89ef0ce693dc682a23604f415"
-			BUILD_IN_SOURCE 1
-			CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-					   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-					   -DCARES_SHARED=${BUILD_SHARED_LIBS}
-					   -DCARES_STATIC=${CARES_STATIC_OPTION}
-					   -DCARES_STATIC_PIC=${ENABLE_PIC}
-					   -DCARES_BUILD_TOOLS=Off
-					   -DCARES_INSTALL=Off
-			BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
-			INSTALL_COMMAND ""
-		)
-		install(
-			FILES "${CARES_LIB}"
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			DIRECTORY "${CARES_INCLUDE}"
-			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-	endif()
-
-endif()
-
-if(NOT TARGET c-ares)
-	add_custom_target(c-ares)
-endif()
-
-include_directories("${CARES_INCLUDE}")

cmake/modules/container_plugin.cmake

@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2025 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+include(ExternalProject)
+
+string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
+
+set(CONTAINER_LIBRARY
+	"${CMAKE_CURRENT_BINARY_DIR}/container_plugin-prefix/src/container_plugin/libcontainer.so"
+)
+
+if(NOT CONTAINER_VERSION)
+	set(CONTAINER_VERSION "0.3.4")
+endif()
+if(NOT CONTAINER_HASH)
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(CONTAINER_HASH "658f96c4b4a56d1bf945a788d60571076f808ae1bcc877c4ba3625b0fd752d8d")
+	else() # arm64
+		set(CONTAINER_HASH "34a153aca0164843a169193aba092a3063b24bca9ef80fd4f1d1f1919aba3bde")
+	endif()
+endif()
+if(NOT TARGET container_plugin)
+	message(STATUS "Fetching container plugin ${CONTAINER_VERSION} in '${CONTAINER_LIBRARY}'")
+	ExternalProject_Add(
+		container_plugin
+		URL "https://download.falco.org/plugins/stable/container-${CONTAINER_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+		URL_HASH "SHA256=${CONTAINER_HASH}"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+endif()

cmake/modules/curl.cmake

@@ -1,100 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
-option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
-
-include(openssl)
-include(zlib)
-
-if(CURL_INCLUDE_DIRS)
-	# we already have curl
-elseif(NOT USE_BUNDLED_CURL)
-	find_package(CURL REQUIRED)
-	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
-else()
-	if(BUILD_SHARED_LIBS)
-		set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(CURL_STATIC_OPTION)
-	else()
-		set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(CURL_STATIC_OPTION --disable-shared)
-	endif()
-	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-	set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
-	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
-
-	if(NOT USE_BUNDLED_OPENSSL)
-		set(CURL_SSL_OPTION "--with-ssl")
-	else()
-		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-		message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
-	endif()
-
-	if(NOT USE_BUNDLED_ZLIB)
-		set(CURL_ZLIB_OPTION "--with-zlib")
-	else()
-		set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
-		message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
-	endif()
-	message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-
-	if(NOT ENABLE_PIC)
-		set(CURL_PIC_OPTION)
-	else()
-		set(CURL_PIC_OPTION "--with-pic")
-	endif()
-
-	if(NOT TARGET curl)
-		ExternalProject_Add(
-			curl
-			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
-			DEPENDS openssl zlib
-			URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2"
-			URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76"
-			CONFIGURE_COMMAND
-				./configure ${CURL_SSL_OPTION} ${CURL_ZLIB_OPTION} ${CURL_STATIC_OPTION}
-				${CURL_PIC_OPTION} --enable-optimize --disable-curldebug --disable-rt --enable-http
-				--disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp
-				--disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb
-				--disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp
-				--without-winssl --without-polarssl --without-cyassl --without-nss --without-axtls
-				--without-librtmp --without-winidn --without-libidn2 --without-libpsl
-				--without-nghttp2 --without-libssh2 --with-ca-path=/etc/ssl/certs/
-				--disable-threaded-resolver --without-brotli --without-zstd
-			BUILD_COMMAND make
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${CURL_LIBRARIES}
-			INSTALL_COMMAND ""
-		)
-		install(
-			FILES "${CURL_LIBRARIES}"
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			DIRECTORY "${CURL_INCLUDE_DIRS}curl"
-			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-			FILES_MATCHING
-			PATTERN "*.h"
-		)
-	endif()
-endif()
-
-if(NOT TARGET curl)
-	add_custom_target(curl)
-endif()
-
-include_directories("${CURL_INCLUDE_DIRS}")

cmake/modules/engine_config.cmake

@@ -23,10 +23,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 endif()
 
 # gVisor is currently only supported on Linux x86_64
-if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64"
-   AND CMAKE_SYSTEM_NAME MATCHES "Linux"
-   AND NOT MINIMAL_BUILD
-)
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux")
 	option(BUILD_LIBSCAP_GVISOR "Build gVisor support" ON)
 	if(BUILD_LIBSCAP_GVISOR)
 		set(HAS_ENGINE_GVISOR On)

cmake/modules/grpc.cmake

@@ -1,274 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
-option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
-
-if(GRPC_INCLUDE)
-	# we already have grpc
-elseif(NOT USE_BUNDLED_GRPC)
-	# gRPC
-	find_package(gRPC CONFIG)
-	if(gRPC_FOUND)
-		message(STATUS "Using gRPC ${gRPC_VERSION}")
-		set(GPR_LIB gRPC::gpr)
-		set(GRPC_LIB gRPC::grpc)
-		set(GRPCPP_LIB gRPC::grpc++)
-
-		# gRPC C++ plugin
-		get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
-		if(NOT GRPC_CPP_PLUGIN)
-			message(FATAL_ERROR "System grpc_cpp_plugin not found")
-		endif()
-
-		# gRPC include dir + properly handle grpc{++,pp}
-		get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
-		find_path(
-			GRPCXX_INCLUDE
-			NAMES grpc++/grpc++.h
-			PATHS ${GRPC_INCLUDE}
-		)
-		if(NOT GRPCXX_INCLUDE)
-			find_path(
-				GRPCPP_INCLUDE
-				NAMES grpcpp/grpcpp.h
-				PATHS ${GRPC_INCLUDE}
-			)
-			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-		endif()
-	else()
-		# Fallback to manually find libraries; Some distro, namely Ubuntu focal, do not install gRPC
-		# config cmake module
-		find_library(GPR_LIB NAMES gpr)
-		if(GPR_LIB)
-			message(STATUS "Found gpr lib: ${GPR_LIB}")
-		else()
-			message(FATAL_ERROR "Couldn't find system gpr")
-		endif()
-		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
-		if(GRPCXX_INCLUDE)
-			set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
-		else()
-			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
-			set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
-			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-		endif()
-		find_library(GRPC_LIB NAMES grpc)
-		find_library(GRPCPP_LIB NAMES grpc++)
-		if(GRPC_INCLUDE
-		   AND GRPC_LIB
-		   AND GRPCPP_LIB
-		)
-			message(
-				STATUS
-					"Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}"
-			)
-		else()
-			message(FATAL_ERROR "Couldn't find system grpc")
-		endif()
-		find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
-		if(NOT GRPC_CPP_PLUGIN)
-			message(FATAL_ERROR "System grpc_cpp_plugin not found")
-		endif()
-	endif()
-else()
-	include(cares)
-	include(protobuf)
-	include(zlib)
-	include(openssl)
-	if(BUILD_SHARED_LIBS)
-		set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
-	else()
-		set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
-	endif()
-	include(re2)
-	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
-	set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
-	set(GRPC_INCLUDE "${GRPC_INSTALL_DIR}/include" "${GRPC_SRC}/third_party/abseil-cpp")
-	set(GPR_LIB "${GRPC_SRC}/libgpr.a")
-	set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
-	set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
-	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
-	set(GRPC_MAIN_LIBS "")
-	list(
-		APPEND
-		GRPC_MAIN_LIBS
-		"${GPR_LIB}"
-		"${GRPC_LIB}"
-		"${GRPCPP_LIB}"
-		"${GRPC_SRC}/libgrpc++_alts.a"
-		"${GRPC_SRC}/libgrpc++_error_details.a"
-		"${GRPC_SRC}/libgrpc++_reflection.a"
-		"${GRPC_SRC}/libgrpc++_unsecure.a"
-		"${GRPC_SRC}/libgrpc_plugin_support.a"
-		"${GRPC_SRC}/libgrpc_unsecure.a"
-		"${GRPC_SRC}/libgrpcpp_channelz.a"
-	)
-
-	get_filename_component(PROTOC_DIR ${PROTOC} PATH)
-
-	if(NOT TARGET grpc)
-		message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
-
-		# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP
-		# cmakefiles) into target_link_libraries later note: the list below is manually generated
-		# starting from the output of pkg-config --libs grpc++
-		set(GRPC_LIBRARIES "")
-		list(
-			APPEND
-			GRPC_LIBRARIES
-			"${GRPC_SRC}/libaddress_sorting.a"
-			"${GRPC_SRC}/libupb.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
-		)
-
-		# Make abseil-cpp build compatible with gcc-13 See
-		# https://patchwork.yoctoproject.org/project/oe/patch/20230518093301.2938164-1-Martin.Jansa@gmail.com/
-		# TO BE DROPPED once we finally upgrade grpc...
-		set(GRPC_PATCH_CMD
-			sh
-			-c
-			"sed -i '20s/^/#include <cstdint>/' ${GRPC_SRC}/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h"
-		)
-
-		# Zig workaround: Add a PATCH_COMMAND to grpc cmake to fixup emitted -march by abseil-cpp
-		# cmake module, making it use a name understood by zig for arm64. See
-		# https://github.com/abseil/abseil-cpp/blob/master/absl/copts/GENERATED_AbseilCopts.cmake#L226.
-		if(CMAKE_C_COMPILER MATCHES "zig")
-			message(STATUS "Enabling zig workaround for abseil-cpp")
-			set(GRPC_PATCH_CMD
-				${GRPC_PATCH_CMD}
-				&&
-				sh
-				-c
-				"sed -i 's/armv8-a/cortex_a57/g' ${GRPC_SRC}/third_party/abseil-cpp/absl/copts/GENERATED_AbseilCopts.cmake"
-			)
-		endif()
-
-		ExternalProject_Add(
-			grpc
-			PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
-			DEPENDS openssl protobuf c-ares zlib re2
-			GIT_REPOSITORY https://github.com/grpc/grpc.git
-			GIT_TAG v1.44.0
-			GIT_SUBMODULES "third_party/abseil-cpp"
-			CMAKE_CACHE_ARGS
-				-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
-				-DCMAKE_BUILD_TYPE:STRING=${CMAKE_BUILD_TYPE}
-				-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=${ENABLE_PIC}
-				-DgRPC_INSTALL:BOOL=OFF
-				# disable unused stuff
-				-DgRPC_BUILD_TESTS:BOOL=OFF
-				-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
-				-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
-				# deps provided by us
-				# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
-				-DgRPC_CARES_PROVIDER:STRING=package
-				-Dc-ares_DIR:PATH=${CARES_SRC}
-				-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
-				-Dc-ares_LIBRARY:PATH=${CARES_LIB}
-				# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
-				-DgRPC_PROTOBUF_PROVIDER:STRING=package
-				-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
-				-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
-				-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
-				-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
-				-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
-				# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
-				-DgRPC_SSL_PROVIDER:STRING=package
-				-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
-				-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
-				# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
-				-DgRPC_ZLIB_PROVIDER:STRING=package
-				-DZLIB_ROOT:STRING=${ZLIB_SRC}
-				# RE2
-				-DgRPC_RE2_PROVIDER:STRING=package
-				-Dre2_DIR:PATH=${RE2_DIR}
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
-			# Keep installation files into the local ${GRPC_INSTALL_DIR} since here is the case when
-			# we are embedding gRPC
-			UPDATE_COMMAND ""
-			PATCH_COMMAND ${GRPC_PATCH_CMD}
-			INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
-		)
-		install(
-			FILES ${GRPC_MAIN_LIBS}
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			FILES ${GRPC_LIBRARIES}
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			DIRECTORY "${GRPC_SRC}/target/include/"
-			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-	endif()
-endif()
-
-if(NOT TARGET grpc)
-	add_custom_target(grpc)
-endif()
-
-include_directories("${GRPC_INCLUDE}")

cmake/modules/libbpf.cmake

@@ -15,12 +15,19 @@
 
 option(USE_BUNDLED_LIBBPF "Enable building of the bundled libbpf" ${USE_BUNDLED_DEPS})
 
-if(LIBBPF_INCLUDE)
+if(TARGET lbpf)
 	# we already have libbpf
 elseif(NOT USE_BUNDLED_LIBBPF)
+	include(zlib)
+	include(libelf)
 	find_path(LIBBPF_INCLUDE bpf/libbpf.h)
 	find_library(LIBBPF_LIB NAMES bpf)
 	if(LIBBPF_INCLUDE AND LIBBPF_LIB)
+		add_library(lbpf STATIC IMPORTED GLOBAL)
+		set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
+		target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
+		target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
+
 		message(STATUS "Found libbpf: include: ${LIBBPF_INCLUDE}, lib: ${LIBBPF_LIB}")
 	else()
 		message(FATAL_ERROR "Couldn't find system libbpf")
@@ -32,23 +39,38 @@ else()
 	set(LIBBPF_BUILD_DIR "${LIBBPF_SRC}/libbpf-build")
 	set(LIBBPF_INCLUDE "${LIBBPF_BUILD_DIR}/root/usr/include")
 	set(LIBBPF_LIB "${LIBBPF_BUILD_DIR}/root/usr/lib64/libbpf.a")
+
+	get_target_property(LIBELF_INCLUDE_DIR elf INCLUDE_DIRECTORIES)
+
+	foreach(dir ${LIBELF_INCLUDE_DIR})
+		string(APPEND LIBELF_COMPILER_STRING "-I${dir} ")
+	endforeach()
+
 	ExternalProject_Add(
 		libbpf
 		PREFIX "${PROJECT_BINARY_DIR}/libbpf-prefix"
-		DEPENDS zlib libelf
+		DEPENDS zlib elf
 		URL "https://github.com/libbpf/libbpf/archive/refs/tags/v1.3.0.tar.gz"
 		URL_HASH "SHA256=11db86acd627e468bc48b7258c1130aba41a12c4d364f78e184fd2f5a913d861"
 		CONFIGURE_COMMAND mkdir -p build root
 		BUILD_COMMAND
 			make BUILD_STATIC_ONLY=y OBJDIR=${LIBBPF_BUILD_DIR}/build
 			DESTDIR=${LIBBPF_BUILD_DIR}/root NO_PKG_CONFIG=1
-			"EXTRA_CFLAGS=-fPIC -I${LIBELF_INCLUDE} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic"
+			"EXTRA_CFLAGS=-fPIC ${LIBELF_COMPILER_STRING} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic"
 			"EXTRA_LDFLAGS=-L${LIBELF_SRC}/libelf/libelf -L${ZLIB_SRC}" -C ${LIBBPF_SRC}/libbpf/src
 			install install_uapi_headers
 		INSTALL_COMMAND ""
 		UPDATE_COMMAND ""
 		BUILD_BYPRODUCTS ${LIBBPF_LIB}
 	)
+
+	add_library(lbpf STATIC IMPORTED GLOBAL)
+	set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
+	file(MAKE_DIRECTORY ${LIBBPF_INCLUDE}) # necessary to make target_include_directories() work
+	target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
+	add_dependencies(lbpf libbpf)
+	target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
+
 	message(STATUS "Using bundled libbpf: include'${LIBBPF_INCLUDE}', lib: ${LIBBPF_LIB}")
 	install(
 		FILES "${LIBBPF_LIB}"
@@ -56,9 +78,3 @@ else()
 		COMPONENT "libs-deps"
 	)
 endif()
-
-if(NOT TARGET libbpf)
-	add_custom_target(libbpf)
-endif()
-
-include_directories(${LIBBPF_INCLUDE})

cmake/modules/libelf.cmake

@@ -13,11 +13,13 @@
 # the License.
 #
 
+include_guard()
+
 option(USE_BUNDLED_LIBELF "Enable building of the bundled libelf" ${USE_BUNDLED_DEPS})
 option(USE_SHARED_LIBELF "When not using bundled libelf, link it dynamically" ON)
 
-if(LIBELF_INCLUDE)
-	# we already have LIBELF
+if(TARGET elf)
+	# we already have libelf
 elseif(NOT USE_BUNDLED_LIBELF)
 	find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
 	if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
@@ -50,49 +52,24 @@ elseif(NOT USE_BUNDLED_LIBELF)
 	else()
 		message(FATAL_ERROR "Couldn't find system libelf")
 	endif()
-else()
-	if(BUILD_SHARED_LIBS)
-		set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+
+	if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
+		add_library(elf SHARED IMPORTED GLOBAL)
 	else()
-		set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		add_library(elf STATIC IMPORTED GLOBAL)
 	endif()
-	set(LIBELF_CFLAGS "-I${ZLIB_INCLUDE}")
-	if(ENABLE_PIC)
-		set(LIBELF_CFLAGS "${LIBELF_CFLAGS} -fPIC")
-	endif()
-	get_filename_component(ZLIB_SRC ${ZLIB_LIB} DIRECTORY)
-	set(LIBELF_SRC "${PROJECT_BINARY_DIR}/libelf-prefix/src")
-	set(LIBELF_INCLUDE "${LIBELF_SRC}/libelf/libelf")
-	set(LIBELF_LIB "${LIBELF_SRC}/libelf/libelf/libelf${LIBELF_LIB_SUFFIX}")
-	ExternalProject_Add(
-		libelf
-		PREFIX "${PROJECT_BINARY_DIR}/libelf-prefix"
-		DEPENDS zlib
-		URL "https://sourceware.org/elfutils/ftp/0.189/elfutils-0.189.tar.bz2"
-		URL_HASH "SHA256=39bd8f1a338e2b7cd4abc3ff11a0eddc6e690f69578a57478d8179b4148708c8"
-		CONFIGURE_COMMAND
-			./configure LDFLAGS=-L${ZLIB_SRC} "CFLAGS=${LIBELF_CFLAGS}"
-			--enable-deterministic-archives --disable-debuginfod --disable-libdebuginfod
-			--without-zstd
-		BUILD_IN_SOURCE 1
-		BUILD_COMMAND make -C lib libeu.a
-		COMMAND make -C libelf libelf${LIBELF_LIB_SUFFIX}
-		INSTALL_COMMAND ""
-		UPDATE_COMMAND ""
-		BUILD_BYPRODUCTS ${LIBELF_LIB}
-	)
-	message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}', lib: ${LIBELF_LIB}")
-	install(
-		FILES "${LIBELF_LIB}"
-		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-		COMPONENT "libs-deps"
-	)
-endif()
 
-# We add a custom target, in this way we can always depend on `libelf` without distinguishing
-# between "bundled" and "not-bundled" case
-if(NOT TARGET libelf)
-	add_custom_target(libelf)
-endif()
+	set_target_properties(elf PROPERTIES IMPORTED_LOCATION ${LIBELF_LIB})
+	target_include_directories(elf INTERFACE ${LIBELF_INCLUDE})
+else()
+	include(FetchContent)
+	FetchContent_Declare(
+		libelf_elftoolchain
+		URL https://github.com/falcosecurity/elftoolchain/releases/download/libelf-r4073-0/libelf-r4073-0.tar.gz
+		URL_HASH SHA256=adfeb3033c23ca579902f2bce7d9ffeec662f97d3846bb74e57fb65d70f6f056
+	)
+	FetchContent_MakeAvailable(libelf_elftoolchain)
+	get_target_property(LIBELF_INCLUDE elf INCLUDE_DIRECTORIES)
 
-include_directories(${LIBELF_INCLUDE})
+	message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}'")
+endif()

cmake/modules/libscap.cmake

@@ -91,16 +91,6 @@ if(NOT HAVE_LIBSCAP)
 		endif()
 	endforeach()
 
-	set(libscap_link_flags)
-	set(libscap_link_libdirs "")
-	add_pkgconfig_dependency(libscap_link_libdirs libscap_link_flags scap "")
-
-	string(REPLACE ";" " " LIBSCAP_LINK_LIBRARIES_FLAGS "${libscap_link_flags}")
-	string(REPLACE ";" " " LIBSCAP_LINK_LIBDIRS_FLAGS "${libscap_link_libdirs}")
-	configure_file(
-		${LIBS_DIR}/userspace/libscap/libscap.pc.in ${PROJECT_BINARY_DIR}/libscap/libscap.pc @ONLY
-	)
-
 	install(
 		TARGETS ${LIBSCAP_INSTALL_LIBS}
 		ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
@@ -132,6 +122,13 @@ if(NOT HAVE_LIBSCAP)
 		FILES_MATCHING
 		PATTERN "*.h"
 	)
+
+	if(USE_BUNDLED_UTHASH)
+		install(FILES ${UTHASH_INCLUDE}/uthash.h
+				DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
+		)
+	endif()
+
 	install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_config.h
 			DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
 	)

cmake/modules/libsinsp.cmake

@@ -32,14 +32,6 @@ if(NOT HAVE_LIBSINSP)
 	if(NOT EMSCRIPTEN)
 		include(tbb)
 	endif()
-	if(NOT WIN32
-	   AND NOT APPLE
-	   AND NOT MINIMAL_BUILD
-	   AND NOT EMSCRIPTEN
-	)
-		include(cares)
-		include(curl)
-	endif()
 	include(jsoncpp)
 	include(valijson)
 	include(re2)
@@ -58,15 +50,6 @@ if(NOT HAVE_LIBSINSP)
 		list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE})
 	endif()
 
-	if(NOT USE_BUNDLED_CURL
-	   AND NOT WIN32
-	   AND NOT APPLE
-	   AND NOT MINIMAL_BUILD
-	   AND NOT EMSCRIPTEN
-	)
-		list(APPEND LIBSINSP_INCLUDE_DIRS ${CURL_INCLUDE_DIRS})
-	endif()
-
 	function(set_sinsp_target_properties target)
 		set_target_properties(
 			${target} PROPERTIES VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}

cmake/modules/openssl.cmake

@@ -1,81 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
-option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
-
-if(OPENSSL_INCLUDE_DIR)
-	# we already have openssl
-elseif(NOT USE_BUNDLED_OPENSSL)
-	find_package(OpenSSL REQUIRED)
-	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
-else()
-	if(BUILD_SHARED_LIBS)
-		set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(OPENSSL_SHARED_OPTION shared)
-	else()
-		set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(OPENSSL_SHARED_OPTION no-shared)
-	endif()
-	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
-	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
-	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
-	set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
-
-	if(NOT TARGET openssl)
-		if(NOT ENABLE_PIC)
-			set(OPENSSL_PIC_OPTION)
-		else()
-			set(OPENSSL_PIC_OPTION "-fPIC")
-		endif()
-
-		message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-		ExternalProject_Add(
-			openssl
-			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
-			URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
-			URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
-			CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} ${OPENSSL_PIC_OPTION}
-							  --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
-			BUILD_COMMAND make
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
-			INSTALL_COMMAND make install_sw
-		)
-		install(
-			FILES "${OPENSSL_LIBRARY_SSL}"
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			FILES "${OPENSSL_LIBRARY_CRYPTO}"
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			DIRECTORY "${OPENSSL_INCLUDE_DIR}"
-			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-	endif()
-endif()
-
-if(NOT TARGET openssl)
-	add_custom_target(openssl)
-endif()
-
-include_directories("${OPENSSL_INCLUDE_DIR}")

cmake/modules/protobuf.cmake

@@ -58,8 +58,9 @@ else()
 		else()
 			set(PROTOBUF_PIC_OPTION "--with-pic=yes")
 		endif()
-		if(CMAKE_BUILD_TYPE STREQUAL "Release")
-			set(PROTOBUF_CXXFLAGS "-O2 -std=c++11 -DNDEBUG")
+		# Match both release and relwithdebinfo builds
+		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
+			set(PROTOBUF_CXXFLAGS "-O3 -std=c++11 -DNDEBUG")
 		else()
 			set(PROTOBUF_CXXFLAGS "-g -std=c++11")
 		endif()
@@ -72,8 +73,8 @@ else()
 			URL_HASH "SHA256=e51cc8fc496f893e2a48beb417730ab6cbcb251142ad8b2cd1951faa5c76fe3d"
 			# TODO what if using system zlib?
 			CONFIGURE_COMMAND
-				CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure
-				CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
+				./configure CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib-include=${ZLIB_INCLUDE}
+				--with-zlib-lib=${ZLIB_SRC} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
 				${PROTOBUF_PIC_OPTION} --prefix=${PROTOBUF_INSTALL_DIR}
 			BUILD_COMMAND make
 			BUILD_IN_SOURCE 1

cmake/modules/re2.cmake

@@ -55,6 +55,7 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		else()
 			# CMake 3.29.1 removed the support for the `PACKAGE_PREFIX_DIR` variable. The patch
@@ -74,6 +75,7 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		endif()
 	else()
@@ -95,6 +97,7 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		else()
 			ExternalProject_Add(
@@ -111,6 +114,7 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		endif()
 	endif()

cmake/modules/tbb.cmake

@@ -58,9 +58,9 @@ else()
 
 	if(NOT TARGET tbb)
 		message(STATUS "Using bundled tbb in '${TBB_SRC}'")
-		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.0.0.tar.gz")
+		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.1.0.tar.gz")
 		set(TBB_SRC_URL_HASH
-			"SHA256=e8e89c9c345415b17b30a2db3095ba9d47647611662073f7fbf54ad48b7f3c2a"
+			"SHA256=ed067603ece0dc832d2881ba5c516625ac2522c665d95f767ef6304e34f961b5"
 		)
 		set(TBB_FLAGS "")
 		if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
@@ -89,6 +89,8 @@ else()
 						   -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
 						   -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
 						   -DEMSCRIPTEN=${TBB_EMSCRIPTEN}
+						   -DTBB_FILE_TRIM=Off
+						   -DTBB_INSTALL=Off
 				BUILD_BYPRODUCTS ${TBB_LIB}
 				INSTALL_COMMAND ""
 			)
@@ -110,6 +112,8 @@ else()
 							   -DTBB_OUTPUT_DIR_BASE=lib
 							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
 							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DTBB_FILE_TRIM=Off
+							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
 					INSTALL_COMMAND ""
 				)
@@ -129,6 +133,8 @@ else()
 							   -DTBB_OUTPUT_DIR_BASE=lib
 							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
 							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DTBB_FILE_TRIM=Off
+							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
 					INSTALL_COMMAND ""
 				)

cmake/modules/zlib.cmake

@@ -45,9 +45,14 @@ else()
 		"${ZLIB_INCLUDE}/zutil.h"
 	)
 	if(NOT TARGET zlib)
-		set(ZLIB_CFLAGS)
+		# Match both release and relwithdebinfo builds
+		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
+			set(ZLIB_CFLAGS "-O3")
+		else()
+			set(ZLIB_CFLAGS "-g")
+		endif()
 		if(ENABLE_PIC)
-			set(ZLIB_CFLAGS -fPIC)
+			set(ZLIB_CFLAGS "${ZLIB_CFLAGS} -fPIC")
 		endif()
 
 		message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")

docs/report.md

@@ -116,6 +116,7 @@
 | gettimeofday            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | getuid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | getxattr                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| getxattrat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | init_module             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | inotify_add_watch       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | inotify_init            | 🟢        | ppc64le,s390x,x86_64                             |
@@ -151,6 +152,7 @@
 | listen                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | listmount               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | listxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| listxattrat             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | llistxattr              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | lookup_dcookie          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | lremovexattr            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
@@ -211,6 +213,7 @@
 | open                    | 🟢        | ppc64le,s390x,x86_64                             |
 | open_by_handle_at       | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | open_tree               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| open_tree_attr          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | openat                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | openat2                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | pause                   | 🟡        | ppc64le,s390x,x86_64                             |
@@ -259,6 +262,7 @@
 | recvmsg                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | remap_file_pages        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | removexattr             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| removexattrat           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | rename                  | 🟢        | ppc64le,s390x,x86_64                             |
 | renameat                | 🟢        | aarch64,ppc64le,s390x,x86_64                     |
 | renameat2               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
@@ -330,6 +334,7 @@
 | settimeofday            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | setuid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | setxattr                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| setxattrat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | sgetmask                | 🟡        | ppc64le                                          |
 | shmat                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | shmctl                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |

driver/API_VERSION

@@ -1 +1 @@
-8.0.3
+8.0.4

driver/CMakeLists.txt

@@ -158,6 +158,11 @@ set(DRIVER_SOURCES
 	ppm_consumer.h
 	capture_macro.h
 	socketcall_to_syscall.h
+	syscall_compat_loongarch64.h
+	syscall_compat_ppc64le.h
+	syscall_compat_riscv64.h
+	syscall_compat_s390x.h
+	syscall_compat_x86_64.h
 	syscall_ia32_64_map.c
 )
 

driver/Makefile.in

@@ -29,7 +29,7 @@ install: all
 
 else
 
-KERNELDIR 	?= $(CURDIR)
+KERNELDIR 	?= $(realpath $(objtree))
 #
 # Get the path of the module sources
 #

driver/SCHEMA_VERSION

@@ -1 +1 @@
-2.23.0
+3.69.0

driver/bpf/Makefile

@@ -28,7 +28,7 @@ clean:
 
 else
 
-KERNELDIR 	?= $(CURDIR)
+KERNELDIR 	?= $(realpath $(objtree))
 #
 # Get the path of the module sources
 #

driver/bpf/configure/0__SANITY/test.c

@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2024 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that the build system is sane.
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+BPF_PROBE("sanity/", sanity, sanity_args) {
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";

driver/bpf/configure/KERNFS_NODE_PARENT/test.c

@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2025 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that kernfs_node's field `parent` exists.
+ * See 6.15 kernel commit it is named __parent:
+ * https://github.com/torvalds/linux/commit/633488947ef66b194377411322dc9e12aab79b65
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+// struct kernfs_node declaration
+#include <linux/kernfs.h>
+
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
+	struct kernfs_node *parent;
+	struct kernfs_node node;
+
+	parent = node.parent;
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";

driver/bpf/configure/Makefile.inc.in

@@ -7,7 +7,17 @@ ifeq ($(HAS_@CONFIGURE_MODULE@),0)
 $(info [configure-bpf] Setting HAS_@CONFIGURE_MODULE@ flag)
 KBUILD_CPPFLAGS += -DHAS_@CONFIGURE_MODULE@
 else
-HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
+HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
+HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
 $(info [configure-bpf] Build output for HAS_@CONFIGURE_MODULE@:)
 $(info [configure-bpf] $(HAS_@CONFIGURE_MODULE@_OUT))
 endif
+
+ifeq ('@CONFIGURE_MODULE@','0__SANITY')
+    ifeq ($(HAS_@CONFIGURE_MODULE@),0)
+        $(info [configure-bpf] Build system is sane)
+    else
+        $(info [configure-bpf] Build system is broken, please see above errors)
+        $(error The build system is broken, please see above errors)
+    endif
+endif

driver/bpf/filler_helpers.h

@@ -425,10 +425,7 @@ static __always_inline bool bpf_getsockname(struct socket *sock,
 
 		u = (struct unix_sock *)sk;
 		addr = _READ(u->addr);
-		if(!addr) {
-			sunaddr->sun_family = AF_UNIX;
-			sunaddr->sun_path[0] = 0;
-		} else {
+		if(u && addr) {
 			unsigned int len = _READ(addr->len);
 
 			if(len > sizeof(struct sockaddr_storage))
@@ -440,6 +437,13 @@ static __always_inline bool bpf_getsockname(struct socket *sock,
 #else
 			bpf_probe_read_kernel(sunaddr, len, addr->name);
 #endif
+		} else {
+			sunaddr->sun_family = AF_UNIX;
+			sunaddr->sun_path[0] = 0;
+			// The first byte to 0 can be confused with an `abstract socket address` for this reason
+			// we put also the second byte to 0 to comunicate to the caller that the address is not
+			// valid.
+			sunaddr->sun_path[1] = 0;
 		}
 
 		break;
@@ -606,11 +610,9 @@ static __always_inline int unix_socket_path(char *dest, const char *user_ptr, si
 	 * specified length of the address structure.
 	 */
 	if(res == 1) {
-		dest[0] = '@';
-		res = bpf_probe_read_kernel_str(dest + 1,
+		res = bpf_probe_read_kernel_str(dest,
 		                                size - 1,  // account for '@'
 		                                user_ptr + 1);
-		res++;  // account for '@'
 	}
 	return res;
 }
@@ -882,7 +884,8 @@ static __always_inline long bpf_fd_to_socktuple(struct filler_data *data,
 		 */
 		struct unix_sock *us = (struct unix_sock *)sk;
 		struct sock *speer = _READ(us->peer);
-		char *us_name;
+		struct sockaddr_un *usrsockaddr_un;
+		char *us_name = NULL;
 
 		data->buf[data->state->tail_ctx.curoff & SCRATCH_SIZE_HALF] = socket_family_to_scap(family);
 
@@ -891,51 +894,23 @@ static __always_inline long bpf_fd_to_socktuple(struct filler_data *data,
 			memcpy(&data->buf[(data->state->tail_ctx.curoff + 1 + 8) & SCRATCH_SIZE_HALF],
 			       &speer,
 			       8);
+			us_name = ((struct sockaddr_un *)sock_address)->sun_path;
 		} else {
 			memcpy(&data->buf[(data->state->tail_ctx.curoff + 1) & SCRATCH_SIZE_HALF], &speer, 8);
 			memcpy(&data->buf[(data->state->tail_ctx.curoff + 1 + 8) & SCRATCH_SIZE_HALF], &us, 8);
-		}
-
-		/*
-		 * Pack the data into the target buffer
-		 */
-		size = 1 + 8 + 8;
-
-		if(!use_userdata) {
-			if(is_inbound) {
-				us_name = ((struct sockaddr_un *)sock_address)->sun_path;
-			} else {
-				bpf_getsockname(sock, peer_address, 1);
-				us_name = ((struct sockaddr_un *)peer_address)->sun_path;
-			}
-		} else {
-			/*
-			 * Map the user-provided address to a sockaddr_in
-			 */
-			struct sockaddr_un *usrsockaddr_un = (struct sockaddr_un *)usrsockaddr;
-
-			/*
-			 * Put a 0 at the end of struct sockaddr_un because
-			 * the user might not have considered it in the length
-			 */
-			if(ulen == sizeof(struct sockaddr_storage))
-				((char *)usrsockaddr_un)[(ulen - 1) & SCRATCH_SIZE_MAX] = 0;
-			else
-				((char *)usrsockaddr_un)[ulen & SCRATCH_SIZE_MAX] = 0;
-
-			if(is_inbound)
-				us_name = ((struct sockaddr_un *)sock_address)->sun_path;
-			else
+			bpf_getsockname(sock, peer_address, 1);
+			us_name = ((struct sockaddr_un *)peer_address)->sun_path;
+			if(us_name[0] == '\0' && us_name[1] == '\0' && usrsockaddr != NULL) {
+				usrsockaddr_un = (struct sockaddr_un *)usrsockaddr;
 				us_name = usrsockaddr_un->sun_path;
+			}
 		}
 
 		int res = unix_socket_path(
 		        &data->buf[(data->state->tail_ctx.curoff + 1 + 8 + 8) & SCRATCH_SIZE_HALF],
 		        us_name,
 		        UNIX_PATH_MAX);
-
-		size += res;
-
+		size = 1 + 8 + 8 + res;
 		break;
 	}
 	}
@@ -1432,3 +1407,15 @@ static __always_inline pid_t bpf_push_pgid(struct filler_data *data, struct task
 }
 
 #endif
+
+/* Legacy-probe-specific replacement for `socket_family_to_scap` helper. As encoding the socket
+ * family using the `socket_family_to_scap` helper breaks the verifier on old kernel versions, just
+ * send `PPM_AF_UNSPEC` if the user-provided socket family is negative, and leave it as is
+ * otherwise. This solution relies on the fact that `AF_*` and corresponding `PPM_AF_*` macros map
+ * to the same values. */
+static __always_inline uint8_t bpf_socket_family_to_scap(int8_t family) {
+	if(family < 0) {
+		family = PPM_AF_UNSPEC;
+	}
+	return (uint8_t)family;
+}

driver/bpf/types.h

@@ -143,6 +143,16 @@ struct sys_stash_args {
 #ifdef CAPTURE_SCHED_PROC_EXEC
 
 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
+struct sched_process_exec_args {
+	unsigned short common_type;
+	unsigned char common_flags;
+	unsigned char common_preempt_count;
+	int common_pid;
+	__u32 filename;  // This is actually defined as "__data_loc char[] filename;".
+	pid_t pid;
+	pid_t old_pid;
+};
+#else
 /* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
  * Taken from `/include/trace/events/sched.h`
  */
@@ -151,16 +161,6 @@ struct sched_process_exec_args {
 	pid_t old_pid;
 	struct linux_binprm *bprm;
 };
-#else
-struct sched_process_exec_args {
-	unsigned short common_type;
-	unsigned char common_flags;
-	unsigned char common_preempt_count;
-	int common_pid;
-	int filename;
-	pid_t pid;
-	pid_t old_pid;
-};
 #endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */
 
 #endif /* CAPTURE_SCHED_PROC_EXEC */

driver/configure/0__SANITY/test.c

@@ -0,0 +1,26 @@
+/*
+
+Copyright (C) 2023 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that the build environment is sane
+ */
+
+#include <linux/module.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("the Falco authors");
+
+static int empty_init(void) {
+	return 0;
+}
+
+static void empty_exit(void) {}
+
+module_init(empty_init);
+module_exit(empty_exit);

driver/configure/FS_MNT_IDMAP/test.c

@@ -0,0 +1,33 @@
+/*
+
+Copyright (C) 2025 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that fs function wants mnt_idmap
+ * See linux 6.3 changes:
+ * - https://github.com/torvalds/linux/commit/abf08576afe3
+ * - https://github.com/torvalds/linux/commit/01beba7957a2
+ */
+
+#include <linux/module.h>
+#include <linux/fs.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("the Falco authors");
+
+static int fs_mnt_idmap_init(void) {
+	struct mnt_idmap *idmap = NULL;
+	const struct inode *inode = NULL;
+	inode_owner_or_capable(idmap, inode);
+	return 0;
+}
+
+static void fs_mnt_idmap_exit(void) {}
+
+module_init(fs_mnt_idmap_init);
+module_exit(fs_mnt_idmap_exit);

driver/configure/Makefile.inc.in

@@ -9,7 +9,17 @@ ifeq ($(HAS_@CONFIGURE_MODULE@),0)
 $(info [configure-kmod] Setting HAS_@CONFIGURE_MODULE@ flag)
 ccflags-y += -DHAS_@CONFIGURE_MODULE@
 else
-HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
+HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
+HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
 $(info [configure-kmod] Build output for HAS_@CONFIGURE_MODULE@:)
 $(info [configure-kmod] $(HAS_@CONFIGURE_MODULE@_OUT))
 endif
+
+ifeq ('@CONFIGURE_MODULE@','0__SANITY')
+    ifeq ($(HAS_@CONFIGURE_MODULE@),0)
+        $(info [configure-kmod] Build system is sane)
+    else
+        $(info [configure-kmod] Build system is broken, please see above errors)
+        $(error The build system is broken, please see above errors)
+    endif
+endif

driver/fillers_table.c

@@ -20,8 +20,6 @@ or GPL2.txt for full copies of the license.
 #define FILLER_REF(x) 0, PPM_FILLER_##x
 #endif /* __KERNEL__ */
 
-#define f_sys_socket_x f_sys_single_x
-
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wmissing-field-initializers"
 const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
@@ -43,17 +41,17 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SOCKET_CONNECT_E] = {FILLER_REF(sys_connect_e)},
         [PPME_SOCKET_CONNECT_X] = {FILLER_REF(sys_connect_x)},
         [PPME_SOCKET_LISTEN_E] = {FILLER_REF(sys_listen_e)},
-        [PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_listen_x)},
         [PPME_SOCKET_SEND_E] = {FILLER_REF(sys_send_e)},
         [PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)},
         [PPME_SOCKET_SENDTO_E] = {FILLER_REF(sys_sendto_e)},
-        [PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_send_x)},
+        [PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_sendto_x)},
         [PPME_SOCKET_RECV_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {2}}},
         [PPME_SOCKET_RECV_X] = {FILLER_REF(sys_recv_x)},
         [PPME_SOCKET_RECVFROM_E] = {FILLER_REF(sys_recvfrom_e)},
         [PPME_SOCKET_RECVFROM_X] = {FILLER_REF(sys_recvfrom_x)},
         [PPME_SOCKET_SHUTDOWN_E] = {FILLER_REF(sys_shutdown_e)},
-        [PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_shutdown_x)},
         [PPME_SOCKET_GETSOCKNAME_E] = {FILLER_REF(sys_empty)},
         [PPME_SOCKET_GETSOCKNAME_X] = {FILLER_REF(sys_empty)},
         [PPME_SOCKET_GETPEERNAME_E] = {FILLER_REF(sys_empty)},
@@ -67,25 +65,25 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SOCKET_SENDMSG_E] = {FILLER_REF(sys_sendmsg_e)},
         [PPME_SOCKET_SENDMSG_X] = {FILLER_REF(sys_sendmsg_x)},
         [PPME_SOCKET_SENDMMSG_E] = {FILLER_REF(sys_empty)},
-        [PPME_SOCKET_SENDMMSG_X] = {FILLER_REF(sys_empty)},
+        [PPME_SOCKET_SENDMMSG_X] = {FILLER_REF(sys_sendmmsg_x)},
         [PPME_SOCKET_RECVMSG_E] = {FILLER_REF(sys_recvmsg_e)},
         [PPME_SOCKET_RECVMSG_X] = {FILLER_REF(sys_recvmsg_x)},
         [PPME_SOCKET_RECVMMSG_E] = {FILLER_REF(sys_empty)},
-        [PPME_SOCKET_RECVMMSG_X] = {FILLER_REF(sys_empty)},
+        [PPME_SOCKET_RECVMMSG_X] = {FILLER_REF(sys_recvmmsg_x)},
         [PPME_SYSCALL_CREAT_E] = {FILLER_REF(sys_creat_e)},
         [PPME_SYSCALL_CREAT_X] = {FILLER_REF(sys_creat_x)},
         [PPME_SYSCALL_PIPE_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_PIPE_X] = {FILLER_REF(sys_pipe_x)},
         [PPME_SYSCALL_EVENTFD_E] = {FILLER_REF(sys_eventfd_e)},
-        [PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_eventfd_x)},
         [PPME_SYSCALL_FUTEX_E] = {FILLER_REF(sys_futex_e)},
-        [PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_futex_x)},
         [PPME_SYSCALL_STAT_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_STAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_LSTAT_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_LSTAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_FSTAT_E] = {FILLER_REF(sys_fstat_e)},
-        [PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_fstat_x)},
         [PPME_SYSCALL_STAT64_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_STAT64_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_LSTAT64_E] = {FILLER_REF(sys_empty)},
@@ -93,7 +91,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_FSTAT64_E] = {FILLER_REF(sys_single)},
         [PPME_SYSCALL_FSTAT64_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_EPOLLWAIT_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{2}}},
-        [PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_epoll_wait_x)},
         [PPME_SYSCALL_POLL_E] = {FILLER_REF(sys_poll_e)},
         [PPME_SYSCALL_POLL_X] = {FILLER_REF(sys_poll_x)},
         [PPME_SYSCALL_SELECT_E] = {FILLER_REF(sys_empty)},
@@ -101,7 +99,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_NEWSELECT_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_NEWSELECT_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_LSEEK_E] = {FILLER_REF(sys_lseek_e)},
-        [PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_lseek_x)},
         [PPME_SYSCALL_LLSEEK_E] = {FILLER_REF(sys_llseek_e)},
         [PPME_SYSCALL_LLSEEK_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_GETCWD_E] = {FILLER_REF(sys_empty)},
@@ -115,17 +113,17 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_UNLINKAT_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
         [PPME_SYSCALL_UNLINKAT_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_PREAD_E] = {FILLER_REF(sys_pread64_e)},
-        [PPME_SYSCALL_PREAD_X] = {FILLER_REF(sys_read_x)},
+        [PPME_SYSCALL_PREAD_X] = {FILLER_REF(sys_pread64_x)},
         [PPME_SYSCALL_PWRITE_E] = {FILLER_REF(sys_pwrite64_e)},
-        [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_write_x)},
+        [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_pwrite64_x)},
         [PPME_SYSCALL_READV_E] = {FILLER_REF(sys_readv_e)},
-        [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_preadv_x)},
+        [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_x)},
         [PPME_SYSCALL_WRITEV_E] = {FILLER_REF(sys_writev_e)},
-        [PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
+        [PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_x)},
         [PPME_SYSCALL_PREADV_E] = {FILLER_REF(sys_preadv_e)},
-        [PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_readv_preadv_x)},
+        [PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_preadv_x)},
         [PPME_SYSCALL_PWRITEV_E] = {FILLER_REF(sys_pwritev_e)},
-        [PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
+        [PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_pwritev_x)},
         [PPME_SYSCALL_DUP_1_E] = {FILLER_REF(sys_dup_e)},
         [PPME_SYSCALL_DUP_1_X] = {FILLER_REF(sys_dup_x)},
         [PPME_SYSCALL_DUP2_E] = {FILLER_REF(sys_dup2_e)},
@@ -133,22 +131,22 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_DUP3_E] = {FILLER_REF(sys_dup3_e)},
         [PPME_SYSCALL_DUP3_X] = {FILLER_REF(sys_dup3_x)},
         [PPME_SYSCALL_SIGNALFD_E] = {FILLER_REF(sys_signalfd_e)},
-        [PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_signalfd_x)},
         [PPME_SYSCALL_KILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_kill_x)},
         [PPME_SYSCALL_TKILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_tkill_x)},
         [PPME_SYSCALL_TGKILL_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_tgkill_x)},
         [PPME_SYSCALL_NANOSLEEP_E] = {FILLER_REF(sys_nanosleep_e)},
-        [PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_nanosleep_x)},
         [PPME_SYSCALL_TIMERFD_CREATE_E] = {FILLER_REF(sys_autofill),
                                            2,
                                            APT_REG,
                                            {{AF_ID_USEDEFAULT, 0}, {AF_ID_USEDEFAULT, 0}}},
-        [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_timerfd_create_x)},
         [PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_REF(sys_inotify_init_e)},
-        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_inotify_init_x)},
         [PPME_SYSCALL_GETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
         [PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_x)},
         [PPME_SYSCALL_SETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
@@ -163,19 +161,19 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SCHEDSWITCH_6_E] = {FILLER_REF(sched_switch_e)},
 #endif
         [PPME_SYSCALL_BRK_4_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
+        [PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_x)},
         [PPME_SYSCALL_MMAP_E] = {FILLER_REF(sys_mmap_e)},
-        [PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
+        [PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_mmap_x)},
         [PPME_SYSCALL_MMAP2_E] = {FILLER_REF(sys_mmap_e)},
-        [PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
+        [PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_mmap2_x)},
         [PPME_SYSCALL_MUNMAP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
+        [PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_munmap_x)},
         [PPME_SYSCALL_SPLICE_E] = {FILLER_REF(sys_splice_e)},
-        [PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_splice_x)},
         [PPME_SYSCALL_PTRACE_E] = {FILLER_REF(sys_ptrace_e)},
         [PPME_SYSCALL_PTRACE_X] = {FILLER_REF(sys_ptrace_x)},
         [PPME_SYSCALL_IOCTL_3_E] = {FILLER_REF(sys_ioctl_e)},
-        [PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_ioctl_x)},
         [PPME_SYSCALL_RENAME_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_RENAME_X] = {FILLER_REF(sys_autofill),
                                    3,
@@ -195,14 +193,14 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_QUOTACTL_E] = {FILLER_REF(sys_quotactl_e)},
         [PPME_SYSCALL_QUOTACTL_X] = {FILLER_REF(sys_quotactl_x)},
         [PPME_SYSCALL_SETRESUID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_setresuid_x)},
         [PPME_SYSCALL_SETRESGID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_setresgid_x)},
         [PPME_SCAPEVENT_E] = {FILLER_REF(sys_scapevent_e)},
         [PPME_SYSCALL_SETUID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_setuid_x)},
         [PPME_SYSCALL_SETGID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_setgid_x)},
         [PPME_SYSCALL_GETUID_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_GETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_GETEUID_E] = {FILLER_REF(sys_empty)},
@@ -225,43 +223,43 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SIGNALDELIVER_E] = {FILLER_REF(sys_signaldeliver_e)},
 #endif
         [PPME_SYSCALL_GETDENTS_E] = {FILLER_REF(sys_getdents_e)},
-        [PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_getdents_x)},
         [PPME_SYSCALL_GETDENTS64_E] = {FILLER_REF(sys_getdents64_e)},
-        [PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_getdents64_x)},
         [PPME_SYSCALL_SETNS_E] = {FILLER_REF(sys_setns_e)},
-        [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_setns_x)},
         [PPME_SYSCALL_FLOCK_E] = {FILLER_REF(sys_flock_e)},
-        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_flock_x)},
         [PPME_CPU_HOTPLUG_E] = {FILLER_REF(cpu_hotplug_e)},
         [PPME_SOCKET_ACCEPT_5_E] = {FILLER_REF(sys_empty)},
         [PPME_SOCKET_ACCEPT_5_X] = {FILLER_REF(sys_accept_x)},
         [PPME_SYSCALL_SEMOP_E] = {FILLER_REF(sys_single)},
         [PPME_SYSCALL_SEMOP_X] = {FILLER_REF(sys_semop_x)},
         [PPME_SYSCALL_SEMCTL_E] = {FILLER_REF(sys_semctl_e)},
-        [PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_semctl_x)},
         [PPME_SYSCALL_PPOLL_E] = {FILLER_REF(sys_ppoll_e)},
-        [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_poll_x)}, /* exit same for poll() and ppoll() */
+        [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_ppoll_x)},
         [PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)},
-        [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_autofill),
+        [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_mount_x),
                                   4,
                                   APT_REG,
                                   {{AF_ID_RETVAL}, {0}, {1}, {2}}},
         [PPME_SYSCALL_SEMGET_E] = {FILLER_REF(sys_semget_e)},
-        [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_semget_x)},
         [PPME_SYSCALL_ACCESS_E] = {FILLER_REF(sys_access_e)},
-        [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
+        [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_access_x)},
         [PPME_SYSCALL_CHROOT_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_CHROOT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_SETSID_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_SETSID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_SETPGID_E] = {FILLER_REF(sys_setpgid_e)},
-        [PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_setpgid_x)},
         [PPME_SYSCALL_MKDIR_2_E] = {FILLER_REF(sys_mkdir_e)},
-        [PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
+        [PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_mkdir_x)},
         [PPME_SYSCALL_RMDIR_2_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_RMDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_UNSHARE_E] = {FILLER_REF(sys_unshare_e)},
-        [PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_unshare_x)},
         [PPME_SYSCALL_EXECVE_19_E] = {FILLER_REF(sys_execve_e)},
         [PPME_SYSCALL_EXECVE_19_X] = {FILLER_REF(proc_startupdate)},
 #ifdef CAPTURE_PAGE_FAULTS
@@ -270,7 +268,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_BPF_2_E] = {FILLER_REF(sys_bpf_e)},
         [PPME_SYSCALL_BPF_2_X] = {FILLER_REF(sys_bpf_x)},
         [PPME_SYSCALL_SECCOMP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_seccomp_x)},
         [PPME_SYSCALL_UNLINK_2_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_UNLINK_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_UNLINKAT_2_E] = {FILLER_REF(sys_empty)},
@@ -346,7 +344,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_UMOUNT_1_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)},
         [PPME_SOCKET_ACCEPT4_6_E] = {FILLER_REF(sys_accept4_e)},
-        [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept_x)},
+        [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept4_x)},
         [PPME_SYSCALL_UMOUNT2_E] = {FILLER_REF(sys_umount2_e)},
         [PPME_SYSCALL_UMOUNT2_X] = {FILLER_REF(sys_umount2_x)},
         [PPME_SYSCALL_PIPE2_E] = {FILLER_REF(sys_empty)},

driver/main.c

@@ -106,6 +106,10 @@ struct event_data_t {
 		struct {
 			struct pt_regs *regs;
 			long id;
+			struct {
+				long index;
+				long count;
+			} mmsg;
 		} syscall_data;
 
 		struct {
@@ -273,10 +277,6 @@ static bool verbose = 0;
 
 static unsigned int max_consumers = 5;
 
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-static enum cpuhp_state hp_state = 0;
-#endif
-
 #define vpr_info(fmt, ...)               \
 	do {                                 \
 		if(verbose)                      \
@@ -442,6 +442,7 @@ static int ppm_open(struct inode *inode, struct file *filp) {
 		consumer->consumer_id = consumer_id;
 		consumer->buffer_bytes_dim = g_buffer_bytes_dim;
 		consumer->tracepoints_attached = 0; /* Start with no tracepoints */
+		consumer->hotplug_cpu = -1;
 
 		/*
 		 * Initialize the ring buffers array
@@ -472,14 +473,6 @@ static int ppm_open(struct inode *inode, struct file *filp) {
 			ring->info = NULL;
 		}
 
-		/*
-		 * If a cpu is offline when the consumer is first created, we
-		 * will never get events for that cpu even if it later comes
-		 * online via hotplug. We could allocate these rings on-demand
-		 * later in this function if needed for hotplug, but that
-		 * requires the consumer to know to call open again, and that is
-		 * not supported.
-		 */
 		for_each_online_cpu(cpu) {
 			ring = per_cpu_ptr(consumer->ring_buffers, cpu);
 
@@ -1788,6 +1781,10 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 		if(unlikely(preload_params(&args, event_datap->extract_socketcall_params) == -1)) {
 			return res;
 		}
+
+		if(event_type == PPME_SOCKET_SENDMMSG_X || event_type == PPME_SOCKET_RECVMMSG_X) {
+			args.mmsg.index = event_datap->event_info.syscall_data.mmsg.index;
+		}
 	}
 
 	if(event_type != PPME_DROP_E && event_type != PPME_DROP_X) {
@@ -1812,6 +1809,27 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 	ASSERT(ring);
 
 	ring_info = ring->info;
+	if(!ring_info) {
+		// If we haven't got the ring info, it means
+		// the event was generated by a CPU that was not
+		// online when the ring buffers were initialized.
+		// Store info about hotplugged CPU here to later
+		// send hotplug events on cpu0.
+		consumer->hotplug_cpu = cpu;
+		put_cpu();
+		return res;
+	}
+
+	// Manage hotplug on cpu 0
+	if(consumer->hotplug_cpu != -1 && cpu == 0) {
+		event_type = PPME_CPU_HOTPLUG_E;
+		drop_flags = UF_NEVER_DROP;
+		tp_type = INTERNAL_EVENTS;
+		event_datap->category = PPMC_CONTEXT_SWITCH;
+		event_datap->event_info.context_data.sched_prev = (void *)(long)consumer->hotplug_cpu;
+		event_datap->event_info.context_data.sched_next = (void *)(long)0;
+	}
+
 	if(event_datap->category == PPMC_CONTEXT_SWITCH &&
 	   event_datap->event_info.context_data.sched_prev != NULL) {
 		if(event_type != PPME_SCAPEVENT_E && event_type != PPME_CPU_HOTPLUG_E) {
@@ -2006,6 +2024,12 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 				ASSERT(0);
 			}
 		}
+
+		if(event_datap->category == PPMC_SYSCALL &&
+		   (event_type == PPME_SOCKET_SENDMMSG_X || event_type == PPME_SOCKET_RECVMMSG_X)) {
+			// Communicate the number of total messages to the caller
+			event_datap->event_info.syscall_data.mmsg.count = args.mmsg.count;
+		}
 	}
 
 	if(likely(!drop)) {
@@ -2317,6 +2341,27 @@ TRACEPOINT_PROBE(syscall_exit_probe, struct pt_regs *regs, long ret) {
 		return;
 #endif
 
+	if(event_pair->exit_event_type == PPME_SOCKET_SENDMMSG_X ||
+	   event_pair->exit_event_type == PPME_SOCKET_RECVMMSG_X) {
+		int i;
+
+		// We don't know how many messages the syscall actually handled until
+		// we call the filler the first time, so we set it to the max for the
+		// first call.
+		//
+		// If the syscall failed, the count value will be negative, so we
+		// immediately exit after sending a failure event.
+		event_data.event_info.syscall_data.mmsg.count = 1024;
+
+		for(i = 0; i < event_data.event_info.syscall_data.mmsg.count; i++) {
+			event_data.event_info.syscall_data.mmsg.index = i;
+			record_event_all_consumers(event_pair->exit_event_type,
+			                           event_pair->flags,
+			                           &event_data,
+			                           KMOD_PROG_SYS_EXIT);
+		}
+	}
+
 	if(event_pair->flags & UF_USED)
 		record_event_all_consumers(event_pair->exit_event_type,
 		                           event_pair->flags,
@@ -2736,96 +2781,12 @@ static char *ppm_devnode(struct device *dev, mode_t *mode)
 }
 #endif /* LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20) */
 
-static int do_cpu_callback(unsigned long cpu, long sd_action) {
-	struct ppm_ring_buffer_context *ring;
-	struct ppm_consumer_t *consumer;
-	struct event_data_t event_data;
-
-	if(sd_action != 0) {
-		rcu_read_lock();
-
-		list_for_each_entry_rcu(consumer, &g_consumer_list, node) {
-			ring = per_cpu_ptr(consumer->ring_buffers, cpu);
-			if(sd_action == 1) {
-				/*
-				 * If the cpu was offline when the consumer was created,
-				 * this won't do anything because we never created a ring
-				 * buffer. We can't safely create one here because we're
-				 * in atomic context, and the consumer needs to call open
-				 * on this device anyways, so do it in ppm_open.
-				 */
-				ring->cpu_online = true;
-			} else if(sd_action == 2) {
-				ring->cpu_online = false;
-			}
-		}
-
-		rcu_read_unlock();
-
-		event_data.category = PPMC_CONTEXT_SWITCH;
-		event_data.event_info.context_data.sched_prev = (void *)cpu;
-		event_data.event_info.context_data.sched_next = (void *)sd_action;
-		record_event_all_consumers(PPME_CPU_HOTPLUG_E, UF_NEVER_DROP, &event_data, INTERNAL_EVENTS);
-	}
-	return 0;
-}
-
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-static int scap_cpu_online(unsigned int cpu) {
-	vpr_info("scap_cpu_online on cpu %d\n", cpu);
-	return do_cpu_callback(cpu, 1);
-}
-
-static int scap_cpu_offline(unsigned int cpu) {
-	vpr_info("scap_cpu_offline on cpu %d\n", cpu);
-	return do_cpu_callback(cpu, 2);
-}
-#else /* LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)) */
-/*
- * This gets called every time a CPU is added or removed
- */
-static int cpu_callback(struct notifier_block *self, unsigned long action, void *hcpu) {
-	unsigned long cpu = (unsigned long)hcpu;
-	long sd_action = 0;
-
-	switch(action) {
-	case CPU_UP_PREPARE:
-#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
-	case CPU_UP_PREPARE_FROZEN:
-#endif
-		sd_action = 1;
-		break;
-	case CPU_DOWN_PREPARE:
-#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
-	case CPU_DOWN_PREPARE_FROZEN:
-#endif
-		sd_action = 2;
-		break;
-	default:
-		break;
-	}
-
-	if(do_cpu_callback(cpu, sd_action) < 0)
-		return NOTIFY_BAD;
-	else
-		return NOTIFY_OK;
-}
-
-static struct notifier_block cpu_notifier = {
-        .notifier_call = &cpu_callback,
-        .next = NULL,
-};
-#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0) */
-
 static int scap_init(void) {
 	dev_t dev;
 	unsigned int cpu;
 	unsigned int num_cpus;
 	int ret;
 	int acrret = 0;
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-	int hp_ret;
-#endif
 	int j;
 	int n_created_devices = 0;
 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
@@ -2929,25 +2890,6 @@ static int scap_init(void) {
 		goto init_module_err;
 	}
 
-	/*
-	 * Set up our callback in case we get a hotplug even while we are
-	 * initializing the cpu structures
-	 */
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-	hp_ret = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
-	                                   DRIVER_NAME "/driver:online",
-	                                   scap_cpu_online,
-	                                   scap_cpu_offline);
-	if(hp_ret <= 0) {
-		pr_err("error registering cpu hotplug callback\n");
-		ret = hp_ret;
-		goto init_module_err;
-	}
-	hp_state = hp_ret;
-#else
-	register_cpu_notifier(&cpu_notifier);
-#endif
-
 	// Initialize globals
 	g_tracepoints_attached = 0;
 	for(j = 0; j < KMOD_PROG_ATTACHED_MAX; j++) {
@@ -3006,13 +2948,6 @@ static void scap_exit(void) {
 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
 	tracepoint_synchronize_unregister();
 #endif
-
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-	if(hp_state > 0)
-		cpuhp_remove_state_nocalls(hp_state);
-#else
-	unregister_cpu_notifier(&cpu_notifier);
-#endif
 }
 
 module_init(scap_init);

driver/modern_bpf/CMakeLists.txt

@@ -222,6 +222,14 @@ list(APPEND MODERN_PROBE_INCLUDE "-I${CMAKE_CURRENT_SOURCE_DIR}")
 # inside `driver` and the `libbpf` includes.
 set(PPM_INCLUDE ${LIBS_DIR})
 
+include(libbpf)
+
+# Get libbpf include
+get_target_property(LIBBPF_INTERFACE_INCLUDE_DIRS lbpf INTERFACE_INCLUDE_DIRECTORIES)
+foreach(dir ${LIBBPF_INTERFACE_INCLUDE_DIRS})
+	list(APPEND LIBBPF_INTERFACE_INCLUDE "-I${dir}")
+endforeach()
+
 # Set CLANG FLAGS
 set(CLANG_FLAGS "")
 list(
@@ -234,7 +242,7 @@ list(
 	-D__${DEBUG}__
 	-D__TARGET_ARCH_${ARCH} # Match libbpf usage in `/libbpf/src/bpf_tracing.h`
 	-D__USE_VMLINUX__ # Used to compile without kernel headers.
-	-I${LIBBPF_INCLUDE}
+	${LIBBPF_INTERFACE_INCLUDE}
 	${MODERN_PROBE_INCLUDE}
 	-I${PPM_INCLUDE}
 	-isystem
@@ -248,6 +256,32 @@ file(GLOB_RECURSE BPF_H_FILES ${CMAKE_CURRENT_SOURCE_DIR}/*.h)
 # Search all bpf.c files
 file(GLOB_RECURSE BPF_C_FILES ${CMAKE_CURRENT_SOURCE_DIR}/*.bpf.c)
 
+# ##################################################################################################
+# Generate the events dimensions file generator executable.
+# ##################################################################################################
+
+add_executable(
+	events_dimensions_generator ${CMAKE_CURRENT_SOURCE_DIR}/definitions/generator/generator.cpp
+)
+target_link_libraries(events_dimensions_generator PRIVATE scap_event_schema)
+add_dependencies(events_dimensions_generator scap_event_schema)
+
+# ##################################################################################################
+# Generate the events dimensions file.
+# ##################################################################################################
+
+set(BPF_EVENTS_DIMENSIONS_FILE ${CMAKE_CURRENT_SOURCE_DIR}/definitions/events_dimensions.h)
+add_custom_command(
+	OUTPUT ${BPF_EVENTS_DIMENSIONS_FILE}
+	COMMAND events_dimensions_generator ${BPF_EVENTS_DIMENSIONS_FILE}
+	VERBATIM
+	DEPENDS events_dimensions_generator ${CMAKE_CURRENT_SOURCE_DIR}/../event_table.c
+	COMMENT
+		"${MODERN_BPF_LOG_PREFIX} Building events dimensions file: ${BPF_EVENTS_DIMENSIONS_FILE}"
+)
+
+add_custom_target(EventsDimensions ALL DEPENDS ${BPF_EVENTS_DIMENSIONS_FILE})
+
 # ##################################################################################################
 # Generate an `bpf.o` file for every `bpf.c`
 # ##################################################################################################
@@ -269,8 +303,8 @@ foreach(BPF_C_FILE ${BPF_C_FILES})
 		COMMAND ${MODERN_CLANG_EXE} ${CLANG_FLAGS} ${CLANG_SYSTEM_INCLUDES} -c ${BPF_C_FILE} -o
 				${BPF_O_FILE}
 		VERBATIM
-		DEPENDS libbpf
-		DEPENDS ${BPF_C_FILE} ${BPF_H_FILES}
+		DEPENDS lbpf
+		DEPENDS ${BPF_C_FILE} ${BPF_H_FILES} EventsDimensions
 		COMMENT "${MODERN_BPF_LOG_PREFIX} Building BPF object: ${BPF_O_FILE}"
 	)
 

driver/modern_bpf/bpfvalidator_config.yaml

@@ -0,0 +1,8 @@
+parallel: 2
+kernel_versions:
+    - v5.10.237
+    - v5.15.184
+    - v6.1.140
+    - v6.6.92
+    - v6.12.30
+    - v6.15

driver/modern_bpf/definitions/aarch64/vmlinux.h

@@ -7538,7 +7538,38 @@ enum bpf_func_id {
 	BPF_FUNC_ktime_get_coarse_ns = 160,
 	BPF_FUNC_ima_inode_hash = 161,
 	BPF_FUNC_sock_from_file = 162,
-	__BPF_FUNC_MAX_ID = 163,
+	BPF_FUNC_check_mtu = 163,
+	BPF_FUNC_for_each_map_elem = 164,
+	BPF_FUNC_snprintf = 165,
+	BPF_FUNC_sys_bpf = 166,
+	BPF_FUNC_btf_find_by_name_kind = 167,
+	BPF_FUNC_sys_close = 168,
+	BPF_FUNC_timer_init = 169,
+	BPF_FUNC_timer_set_callback = 170,
+	BPF_FUNC_timer_start = 171,
+	BPF_FUNC_timer_cancel = 172,
+	BPF_FUNC_get_func_ip = 173,
+	BPF_FUNC_get_attach_cookie = 174,
+	BPF_FUNC_task_pt_regs = 175,
+	BPF_FUNC_get_branch_snapshot = 176,
+	BPF_FUNC_trace_vprintk = 177,
+	BPF_FUNC_skc_to_unix_sock = 178,
+	BPF_FUNC_kallsyms_lookup_name = 179,
+	BPF_FUNC_find_vma = 180,
+	BPF_FUNC_loop = 181,
+	BPF_FUNC_strncmp = 182,
+	BPF_FUNC_get_func_arg = 183,
+	BPF_FUNC_get_func_ret = 184,
+	BPF_FUNC_get_func_arg_cnt = 185,
+	BPF_FUNC_get_retval = 186,
+	BPF_FUNC_set_retval = 187,
+	BPF_FUNC_xdp_get_buff_len = 188,
+	BPF_FUNC_xdp_load_bytes = 189,
+	BPF_FUNC_xdp_store_bytes = 190,
+	BPF_FUNC_copy_from_user_task = 191,
+	BPF_FUNC_skb_set_tstamp = 192,
+	BPF_FUNC_ima_file_hash = 193,
+	__BPF_FUNC_MAX_ID = 194,
 };
 
 struct bpf_func_info {

driver/modern_bpf/definitions/events_dimensions.h

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only OR MIT
 /*
- * Copyright (C) 2023 The Falco Authors.
+ * Copyright (C) 2025 The Falco Authors.
  *
  * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
  * or GPL2.txt for full copies of the license.
@@ -21,245 +21,239 @@
 /// want to touch scap tables.
 
 /* Syscall events */
-#define GENERIC_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
-#define GENERIC_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
-#define GETCWD_E_SIZE HEADER_LEN
-#define GETDENTS_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define EPOLL_WAIT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETPEERNAME_E_SIZE HEADER_LEN
-#define GETPEERNAME_X_SIZE HEADER_LEN
+#define SYSCALL_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
+#define SYSCALL_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
+#define CLOSE_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define READ_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define WRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SOCKET_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SOCKET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define LISTEN_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) + PARAM_LEN * 2
+#define LISTEN_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) * 2 + PARAM_LEN * 3
+#define SEND_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define RECV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
 #define GETSOCKNAME_E_SIZE HEADER_LEN
 #define GETSOCKNAME_X_SIZE HEADER_LEN
-#define MKDIR_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define MMAP_E_SIZE \
-	HEADER_LEN + sizeof(uint64_t) * 3 + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 6
-#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define MUNMAP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
-#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
-#define CLOSE_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define COPY_FILE_RANGE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + PARAM_LEN * 3
-#define DUP_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define DUP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define DUP2_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define DUP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
-#define DUP3_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define DUP3_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
-#define CHDIR_E_SIZE HEADER_LEN
-#define CHMOD_E_SIZE HEADER_LEN
-#define CHOWN_E_SIZE HEADER_LEN
-#define LCHOWN_E_SIZE HEADER_LEN
-#define CHROOT_E_SIZE HEADER_LEN
-#define FCHDIR_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FCHMOD_E_SIZE HEADER_LEN
-#define FCHMOD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define FCHMODAT_E_SIZE HEADER_LEN
-#define FCHOWN_E_SIZE HEADER_LEN
-#define FCHOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 2 + PARAM_LEN * 4
-#define FCHOWNAT_E_SIZE HEADER_LEN
-#define MKDIRAT_E_SIZE HEADER_LEN
-#define RMDIR_E_SIZE HEADER_LEN
-#define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
-#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define USERFAULTFD_E_SIZE HEADER_LEN
-#define USERFAULTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SIGNALFD_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define KILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define TGKILL_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
-#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
-#define CAPSET_E_SIZE HEADER_LEN
-#define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4
-#define SOCKET_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SOCKET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETPEERNAME_E_SIZE HEADER_LEN
+#define GETPEERNAME_X_SIZE HEADER_LEN
 #define SOCKETPAIR_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
-#define ACCEPT_E_SIZE HEADER_LEN
-#define ACCEPT4_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
-#define LISTEN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define CLONE_E_SIZE HEADER_LEN
-#define CLONE3_E_SIZE HEADER_LEN
-#define FORK_E_SIZE HEADER_LEN
-#define VFORK_E_SIZE HEADER_LEN
-#define RENAME_E_SIZE HEADER_LEN
-#define RENAMEAT_E_SIZE HEADER_LEN
-#define RENAMEAT2_E_SIZE HEADER_LEN
+#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 8
+#define SETSOCKOPT_E_SIZE HEADER_LEN
+#define GETSOCKOPT_E_SIZE HEADER_LEN
+#define SENDMMSG_E_SIZE HEADER_LEN
+#define RECVMSG_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define RECVMMSG_E_SIZE HEADER_LEN
 #define PIPE_E_SIZE HEADER_LEN
 #define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
-#define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
-#define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define QUOTACTL_E_SIZE \
-	HEADER_LEN + sizeof(uint16_t) + sizeof(uint8_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 4
-#define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define UMOUNT_E_SIZE HEADER_LEN
-#define LINK_E_SIZE HEADER_LEN
-#define LINKAT_E_SIZE HEADER_LEN
-#define SYMLINK_E_SIZE HEADER_LEN
-#define SYMLINKAT_E_SIZE HEADER_LEN
-#define UNLINK_E_SIZE HEADER_LEN
-#define UNLINKAT_E_SIZE HEADER_LEN
-#define SETGID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETPGID_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETSID_E_SIZE HEADER_LEN
-#define SETSID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define FUTEX_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define STAT_E_SIZE HEADER_LEN
+#define LSTAT_E_SIZE HEADER_LEN
+#define FSTAT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define STAT64_E_SIZE HEADER_LEN
+#define LSTAT64_E_SIZE HEADER_LEN
+#define FSTAT64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FSTAT64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EPOLL_WAIT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define SELECT_E_SIZE HEADER_LEN
+#define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define LSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
+#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
+#define LLSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
+#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
+#define GETCWD_E_SIZE HEADER_LEN
+#define CHDIR_E_SIZE HEADER_LEN
+#define FCHDIR_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define PREAD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define PWRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define READV_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define WRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define PREADV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define PWRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define SIGNALFD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 3
+#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 4
+#define KILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define TGKILL_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
+#define NANOSLEEP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
+#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
+#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 3
+#define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
+#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
+#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
 #define SETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
 #define SETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
-#define PRLIMIT64_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define PRLIMIT64_X_SIZE HEADER_LEN + sizeof(int64_t) * 6 + sizeof(uint8_t) + PARAM_LEN * 7
-#define GETSOCKOPT_E_SIZE HEADER_LEN
-#define SETSOCKOPT_E_SIZE HEADER_LEN
-#define RECVMSG_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define READV_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define PREADV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
-#define PREAD64_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define PRLIMIT_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define PRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 6 + sizeof(uint8_t) + PARAM_LEN * 7
+#define DROP_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define DROP_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define FCNTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define FCNTL_X_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FSCONFIG_E_SIZE HEADER_LEN
-#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define MPROTECT_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FCNTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
+#define BRK_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
+#define BRK_X_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
+#define MMAP_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
+#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
+#define MMAP2_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
+#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
+#define MUNMAP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
+#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
+#define SPLICE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 4
+#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
+#define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
+#define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define RENAME_E_SIZE HEADER_LEN
+#define RENAMEAT_E_SIZE HEADER_LEN
+#define SYMLINK_E_SIZE HEADER_LEN
+#define SYMLINKAT_E_SIZE HEADER_LEN
+#define PROCEXIT_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) * 2 + PARAM_LEN * 5
+#define SENDFILE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
+#define QUOTACTL_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 4
+#define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define SCAPEVENT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define SCAPEVENT_X_SIZE HEADER_LEN
+#define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SETGID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define GETUID_E_SIZE HEADER_LEN
 #define GETUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define GETGID_E_SIZE HEADER_LEN
-#define GETGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define GETEUID_E_SIZE HEADER_LEN
 #define GETEUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define GETGID_E_SIZE HEADER_LEN
+#define GETGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define GETEGID_E_SIZE HEADER_LEN
 #define GETEGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define GETRESUID_E_SIZE HEADER_LEN
+#define GETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define GETRESGID_E_SIZE HEADER_LEN
+#define GETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define CLONE_E_SIZE HEADER_LEN
+#define FORK_E_SIZE HEADER_LEN
+#define VFORK_E_SIZE HEADER_LEN
+#define SIGNALDELIVER_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define PROCINFO_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
+#define GETDENTS_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define GETDENTS64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define CPU_HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
+#define ACCEPT_E_SIZE HEADER_LEN
+#define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define SEMOP_X_SIZE HEADER_LEN + sizeof(int16_t) * 2 + sizeof(int32_t) + sizeof(int64_t) + sizeof(uint16_t) * 4 + sizeof(uint32_t) + PARAM_LEN * 9
+#define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
+#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 5
+#define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define SEMGET_X_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 4
+#define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define CHROOT_E_SIZE HEADER_LEN
+#define SETSID_E_SIZE HEADER_LEN
+#define SETSID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define MKDIR_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define RMDIR_E_SIZE HEADER_LEN
+#define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define PAGE_FAULT_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define SETPGID_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
+#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
+#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define UNLINK_E_SIZE HEADER_LEN
+#define UNLINKAT_E_SIZE HEADER_LEN
+#define MKDIRAT_E_SIZE HEADER_LEN
+#define LINK_E_SIZE HEADER_LEN
+#define LINKAT_E_SIZE HEADER_LEN
+#define FCHMODAT_E_SIZE HEADER_LEN
+#define CHMOD_E_SIZE HEADER_LEN
+#define FCHMOD_E_SIZE HEADER_LEN
+#define FCHMOD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define RENAMEAT2_E_SIZE HEADER_LEN
+#define USERFAULTFD_E_SIZE HEADER_LEN
+#define USERFAULTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define MPROTECT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define COPY_FILE_RANGE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
+#define CLONE3_E_SIZE HEADER_LEN
+#define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
+#define IO_URING_SETUP_E_SIZE HEADER_LEN
+#define IO_URING_SETUP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 7 + PARAM_LEN * 8
+#define IO_URING_ENTER_E_SIZE HEADER_LEN
+#define IO_URING_ENTER_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 4 + PARAM_LEN * 6
+#define IO_URING_REGISTER_E_SIZE HEADER_LEN
+#define IO_URING_REGISTER_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
 #define MLOCK_E_SIZE HEADER_LEN
 #define MLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define MLOCK2_E_SIZE HEADER_LEN
-#define MLOCK2_X_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
 #define MUNLOCK_E_SIZE HEADER_LEN
 #define MUNLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
 #define MLOCKALL_E_SIZE HEADER_LEN
 #define MLOCKALL_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define MUNLOCKALL_E_SIZE HEADER_LEN
 #define MUNLOCKALL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define READ_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define IO_URING_ENTER_E_SIZE HEADER_LEN
-#define IO_URING_ENTER_X_SIZE \
-	HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 4 + PARAM_LEN * 6
-#define IO_URING_REGISTER_E_SIZE HEADER_LEN
-#define IO_URING_REGISTER_X_SIZE                                                                \
-	HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint64_t) + sizeof(uint32_t) + \
-	        PARAM_LEN * 5
-#define IO_URING_SETUP_E_SIZE HEADER_LEN
-#define IO_URING_SETUP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 7 + PARAM_LEN * 8
-#define MMAP2_E_SIZE \
-	HEADER_LEN + sizeof(uint64_t) * 3 + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 6
-#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define SEMGET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
-#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SELECT_E_SIZE HEADER_LEN
-#define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SPLICE_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 4
-#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define RECVMMSG_E_SIZE HEADER_LEN
-#define RECVMMSG_X_SIZE HEADER_LEN
-#define SENDMMSG_E_SIZE HEADER_LEN
-#define SENDMMSG_X_SIZE HEADER_LEN
-#define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define SEMOP_X_SIZE                                                                               \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint16_t) * 4 + sizeof(int16_t) * 2 + \
-	        PARAM_LEN * 8
-#define GETRESUID_E_SIZE HEADER_LEN
-#define GETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define SENDFILE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
-#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
-#define FUTEX_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint16_t) + PARAM_LEN * 3
-#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define STAT_E_SIZE HEADER_LEN
-#define LSTAT_E_SIZE HEADER_LEN
-#define FSTAT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LSEEK_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + 3 * PARAM_LEN
-#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LLSEEK_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + 3 * PARAM_LEN
-#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define WRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define WRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define PWRITEV_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define PWRITE64_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define GETRESGID_E_SIZE HEADER_LEN
-#define GETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define BRK_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define BRK_X_SIZE HEADER_LEN + sizeof(uint64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
-#define SEND_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define RECV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define NANOSLEEP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define CAPSET_E_SIZE HEADER_LEN
+#define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4
+#define DUP2_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define DUP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
+#define DUP3_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define DUP3_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
+#define DUP_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define DUP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define MLOCK2_E_SIZE HEADER_LEN
+#define MLOCK2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define FSCONFIG_E_SIZE HEADER_LEN
+#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) + PARAM_LEN * 2
+#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define CHOWN_E_SIZE HEADER_LEN
+#define LCHOWN_E_SIZE HEADER_LEN
+#define FCHOWN_E_SIZE HEADER_LEN
+#define FCHOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 2 + PARAM_LEN * 4
+#define FCHOWNAT_E_SIZE HEADER_LEN
+#define UMOUNT_E_SIZE HEADER_LEN
+#define ACCEPT4_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define PIPE2_E_SIZE HEADER_LEN
-#define PIPE2_X_SIZE \
-	HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 5
+#define PIPE2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
 #define INOTIFY_INIT1_E_SIZE HEADER_LEN
-#define INOTIFY_INIT1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
+#define INOTIFY_INIT1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
 #define EVENTFD2_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
-#define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN
-#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
+#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint32_t) + PARAM_LEN * 4
 #define PRCTL_E_SIZE HEADER_LEN
 #define MEMFD_CREATE_E_SIZE HEADER_LEN
 #define PIDFD_GETFD_E_SIZE HEADER_LEN
-#define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + 4 * PARAM_LEN
+#define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
 #define PIDFD_OPEN_E_SIZE HEADER_LEN
-#define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + 3 * PARAM_LEN
+#define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
 #define INIT_MODULE_E_SIZE HEADER_LEN
 #define FINIT_MODULE_E_SIZE HEADER_LEN
 #define MKNOD_E_SIZE HEADER_LEN
@@ -269,19 +263,8 @@
 #define PROCESS_VM_WRITEV_E_SIZE HEADER_LEN
 #define DELETE_MODULE_E_SIZE HEADER_LEN
 #define SETREUID_E_SIZE HEADER_LEN
-#define SETREUID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
+#define SETREUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 3
 #define SETREGID_E_SIZE HEADER_LEN
-#define SETREGID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
-
-/* Generic tracepoints events. */
-#define SCHED_SWITCH_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6
-#define PAGE_FAULT_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define SIGNAL_DELIVER_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-
-/* Special internal events */
-#define DROP_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define DROP_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
+#define SETREGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 3
 
 #endif /* __EVENT_DIMENSIONS_H__ */

driver/modern_bpf/definitions/generator/generator.cpp

@@ -0,0 +1,234 @@
+#include <functional>
+#include <iostream>
+#include <map>
+#include <sstream>
+#include <fstream>
+#include <algorithm>
+
+#include "driver/ppm_events_public.h"
+
+extern const struct ppm_event_info g_event_info[];
+
+auto PREFACE = R"(// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2025 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#ifndef __EVENT_DIMENSIONS_H__
+#define __EVENT_DIMENSIONS_H__
+
+#include "vmlinux.h"
+
+/* Here we have all the dimensions for fixed-size events.
+ */
+
+#define PARAM_LEN 2
+#define HEADER_LEN sizeof(struct ppm_evt_hdr)
+
+/// TODO: We have to move these in the event_table.c. Right now we don't
+/// want to touch scap tables.
+
+/* Syscall events */
+)";
+
+auto POSTFACE = R"(
+#endif /* __EVENT_DIMENSIONS_H__ */
+)";
+
+// Use the following macro to get the stringified version of the C expression retrieving the type
+// size (e.g.: SIZE_OF_EXPR(uint8_t) is resolved in "sizeof(uint8_t)").
+#define SIZE_OF_EXPR(type) SIZE_OF_EXPR_##type
+
+// Generate the "sizeof" stringified expression for the listed types. New handled types must be
+// appended to the list.
+#define SIZE_OF_EXPR_DECL_LIST_GEN(FN) \
+	FN(int8_t)                         \
+	FN(int16_t)                        \
+	FN(int32_t)                        \
+	FN(int64_t)                        \
+	FN(uint8_t)                        \
+	FN(uint16_t)                       \
+	FN(uint32_t)                       \
+	FN(uint64_t)
+#define SIZE_OF_EXPR_DECL(type) char SIZE_OF_EXPR(type)[] = "sizeof(" #type ")";
+SIZE_OF_EXPR_DECL_LIST_GEN(SIZE_OF_EXPR_DECL)
+#undef SIZE_OF_EXPR_DECL
+#undef SIZE_OF_EXPR_DECL_LIST_GEN
+
+// Special expressions denoting variable size or unused parameter types.
+char SIZE_OF_EXPR_VARIABLE_SIZE[] = "<variable_size>", SIZE_OF_EXPR_UNUSED[] = "<unused>";
+
+// Table containing the mapping between parameter types and the corresponding stringified "sizeof"
+// expression.
+std::map<long long, char *> type_to_size_expr{
+        {PT_NONE, SIZE_OF_EXPR_UNUSED},
+        {PT_INT8, SIZE_OF_EXPR(int8_t)},
+        {PT_INT16, SIZE_OF_EXPR(int16_t)},
+        {PT_INT32, SIZE_OF_EXPR(int32_t)},
+        {PT_INT64, SIZE_OF_EXPR(int64_t)},
+        {PT_UINT8, SIZE_OF_EXPR(uint8_t)},
+        {PT_UINT16, SIZE_OF_EXPR(uint16_t)},
+        {PT_UINT32, SIZE_OF_EXPR(uint32_t)},
+        {PT_UINT64, SIZE_OF_EXPR(uint64_t)},
+        {PT_CHARBUF, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_BYTEBUF, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_ERRNO, SIZE_OF_EXPR(int64_t)},
+        {PT_SOCKADDR, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_SOCKTUPLE, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_FD, SIZE_OF_EXPR(int64_t)},
+        {PT_PID, SIZE_OF_EXPR(int64_t)},
+        {PT_FDLIST, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_FSPATH, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_SYSCALLID, SIZE_OF_EXPR(uint16_t)},
+        {PT_SIGTYPE, SIZE_OF_EXPR(uint8_t)},
+        {PT_RELTIME, SIZE_OF_EXPR(uint64_t)},
+        {PT_ABSTIME, SIZE_OF_EXPR(uint64_t)},
+        {PT_PORT, SIZE_OF_EXPR_UNUSED},
+        {PT_L4PROTO, SIZE_OF_EXPR_UNUSED},
+        {PT_SOCKFAMILY, SIZE_OF_EXPR_UNUSED},
+        {PT_BOOL, SIZE_OF_EXPR_UNUSED},
+        {PT_IPV4ADDR, SIZE_OF_EXPR_UNUSED},
+        {PT_DYN, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_FLAGS8, SIZE_OF_EXPR(uint8_t)},
+        {PT_FLAGS16, SIZE_OF_EXPR(uint16_t)},
+        {PT_FLAGS32, SIZE_OF_EXPR(uint32_t)},
+        {PT_UID, SIZE_OF_EXPR(uint32_t)},
+        {PT_GID, SIZE_OF_EXPR(uint32_t)},
+        {PT_DOUBLE, SIZE_OF_EXPR_UNUSED},
+        {PT_SIGSET, SIZE_OF_EXPR(uint32_t)},
+        {PT_CHARBUFARRAY, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_CHARBUF_PAIR_ARRAY, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_IPV4NET, SIZE_OF_EXPR_UNUSED},
+        {PT_IPV6ADDR, SIZE_OF_EXPR_UNUSED},
+        {PT_IPV6NET, SIZE_OF_EXPR_UNUSED},
+        {PT_IPADDR, SIZE_OF_EXPR_UNUSED},
+        {PT_IPNET, SIZE_OF_EXPR_UNUSED},
+        {PT_MODE, SIZE_OF_EXPR(uint32_t)},
+        {PT_FSRELPATH, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_ENUMFLAGS8, SIZE_OF_EXPR(uint8_t)},
+        {PT_ENUMFLAGS16, SIZE_OF_EXPR(uint16_t)},
+        {PT_ENUMFLAGS32, SIZE_OF_EXPR(uint32_t)},
+};
+
+// is_fixed_size_event determines if the provided event has a fixed size or not.
+bool is_fixed_size_event(struct ppm_event_info const *const evt) {
+	for(uint32_t i = 0; i < evt->nparams; i++) {
+		auto &param = evt->params[i];
+		auto const param_type = param.type;
+
+		auto it = type_to_size_expr.find(param_type);
+		if(it == type_to_size_expr.end()) {
+			throw std::runtime_error("Unknown event parameter type: " + std::to_string(param_type));
+		}
+
+		auto const size_expr = it->second;
+		// Just compare pointers is enough.
+		if(size_expr == SIZE_OF_EXPR_UNUSED) {
+			throw std::runtime_error("Unexpected unused event parameter type: " +
+			                         std::to_string(param_type));
+		}
+		if(size_expr == SIZE_OF_EXPR_VARIABLE_SIZE) {
+			return false;
+		}
+	}
+	return true;
+}
+
+// get_vent_size_expr_counts returns, given the provided event and the resulting size expression of
+// its parameters, a map containing, for each size expression, the number of occurrences.
+std::map<std::string, size_t> get_event_size_expr_counts(struct ppm_event_info const *const evt) {
+	std::map<std::string, size_t> size_expr_counts;
+	for(uint32_t i = 0; i < evt->nparams; i++) {
+		auto const &param = evt->params[i];
+		auto const param_type = param.type;
+		auto const it = type_to_size_expr.find(param_type);
+		if(it == type_to_size_expr.end()) {
+			throw std::runtime_error("Unknown event parameter type: " + std::to_string(param_type));
+		}
+		auto const size_expr = it->second;
+		size_expr_counts[size_expr]++;
+	}
+	return size_expr_counts;
+}
+
+// output_event_size outputs the event size macro for the provided event into the provided output
+// stream.
+void output_event_size(std::ostream &os,
+                       struct ppm_event_info const *const evt,
+                       bool const is_enter_evt) {
+	// Exclude old versions.
+	if(evt->flags & EF_OLD_VERSION) {
+		return;
+	}
+
+	std::string name{evt->name};
+	// Ignore events without name.
+	if(name == "NA") {
+		return;
+	}
+
+	// Exclude events not having a fixed size.
+	if(!is_fixed_size_event(evt)) {
+		return;
+	}
+
+	// Generate the complete event size macro name.
+	std::transform(name.cbegin(), name.cend(), name.begin(), toupper);
+	if((evt->category & EC_TRACEPOINT) == 0) {
+		name += is_enter_evt ? "_E" : "_X";
+	}
+	name += "_SIZE";
+
+	// The event contains at least the header.
+	os << "#define " << name << " HEADER_LEN";
+
+	auto const params_num = evt->nparams;
+
+	// Count the number of occurrences for each size expression.
+	auto size_expr_counts = get_event_size_expr_counts(evt);
+
+	// Output "size expression" * "number of occurrences of size expression", for each size
+	// expression.
+	for(auto const &[size_expr, count] : size_expr_counts) {
+		os << " + " << size_expr;
+		if(count != 1) {
+			os << " * " << count;
+		}
+	}
+
+	// Add "number of parameters" * PARAM_LEN, to account the size of each parameter length.
+	if(params_num != 0) {
+		os << " + PARAM_LEN";
+		if(params_num != 1) {
+			os << " * " << params_num;
+		}
+	}
+	os << '\n';
+}
+
+int main(int argc, char *argv[]) {
+	if(argc != 2) {
+		std::cerr << "Usage: " << argv[0] << " <filepath>\n";
+		std::exit(EXIT_FAILURE);
+	}
+
+	std::string filepath{argv[1]};
+
+	// Build file content.
+	std::ostringstream oss;
+	oss << PREFACE;
+	for(int i = 0; i < PPM_EVENT_MAX; i++) {
+		output_event_size(oss, &g_event_info[i], i % 2 == 0);
+	}
+	oss << POSTFACE;
+
+	// Write content to file.
+	std::ofstream f{filepath, std::fstream::out | std::fstream::trunc};
+	f << oss.str();
+	f.close();
+
+	return 0;
+}

driver/modern_bpf/definitions/struct_flavors.h

@@ -59,6 +59,10 @@ struct inode___v6_11 {
 	uint32_t i_ctime_nsec;
 };
 
+struct kernfs_node___v6_15 {
+	struct kernfs_node *__parent;
+};
+
 #ifndef BPF_NO_PRESERVE_ACCESS_INDEX
 #pragma clang attribute pop
 #endif

driver/modern_bpf/definitions/x86_64/vmlinux.h

@@ -39754,7 +39754,38 @@ enum bpf_func_id {
 	BPF_FUNC_ktime_get_coarse_ns = 160,
 	BPF_FUNC_ima_inode_hash = 161,
 	BPF_FUNC_sock_from_file = 162,
-	__BPF_FUNC_MAX_ID = 163,
+	BPF_FUNC_check_mtu = 163,
+	BPF_FUNC_for_each_map_elem = 164,
+	BPF_FUNC_snprintf = 165,
+	BPF_FUNC_sys_bpf = 166,
+	BPF_FUNC_btf_find_by_name_kind = 167,
+	BPF_FUNC_sys_close = 168,
+	BPF_FUNC_timer_init = 169,
+	BPF_FUNC_timer_set_callback = 170,
+	BPF_FUNC_timer_start = 171,
+	BPF_FUNC_timer_cancel = 172,
+	BPF_FUNC_get_func_ip = 173,
+	BPF_FUNC_get_attach_cookie = 174,
+	BPF_FUNC_task_pt_regs = 175,
+	BPF_FUNC_get_branch_snapshot = 176,
+	BPF_FUNC_trace_vprintk = 177,
+	BPF_FUNC_skc_to_unix_sock = 178,
+	BPF_FUNC_kallsyms_lookup_name = 179,
+	BPF_FUNC_find_vma = 180,
+	BPF_FUNC_loop = 181,
+	BPF_FUNC_strncmp = 182,
+	BPF_FUNC_get_func_arg = 183,
+	BPF_FUNC_get_func_ret = 184,
+	BPF_FUNC_get_func_arg_cnt = 185,
+	BPF_FUNC_get_retval = 186,
+	BPF_FUNC_set_retval = 187,
+	BPF_FUNC_xdp_get_buff_len = 188,
+	BPF_FUNC_xdp_load_bytes = 189,
+	BPF_FUNC_xdp_store_bytes = 190,
+	BPF_FUNC_copy_from_user_task = 191,
+	BPF_FUNC_skb_set_tstamp = 192,
+	BPF_FUNC_ima_file_hash = 193,
+	__BPF_FUNC_MAX_ID = 194,
 };
 
 enum {

driver/modern_bpf/helpers/base/maps_getters.h

@@ -17,44 +17,99 @@
 
 /*=============================== SETTINGS ===========================*/
 
+static __always_inline struct capture_settings *maps__get_capture_settings() {
+	uint32_t key = 0;
+	return bpf_map_lookup_elem(&capture_settings, &key);
+}
+
 static __always_inline uint64_t maps__get_boot_time() {
-	return g_settings.boot_time;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->boot_time;
 }
 
 static __always_inline uint32_t maps__get_snaplen() {
-	return g_settings.snaplen;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->snaplen;
 }
 
 static __always_inline bool maps__get_dropping_mode() {
-	return g_settings.dropping_mode;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->dropping_mode;
 }
 
 static __always_inline uint32_t maps__get_sampling_ratio() {
-	return g_settings.sampling_ratio;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->sampling_ratio;
 }
 
 static __always_inline bool maps__get_drop_failed() {
-	return g_settings.drop_failed;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->drop_failed;
 }
 
 static __always_inline bool maps__get_do_dynamic_snaplen() {
-	return g_settings.do_dynamic_snaplen;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->do_dynamic_snaplen;
 }
 
 static __always_inline uint16_t maps__get_fullcapture_port_range_start() {
-	return g_settings.fullcapture_port_range_start;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->fullcapture_port_range_start;
 }
 
 static __always_inline uint16_t maps__get_fullcapture_port_range_end() {
-	return g_settings.fullcapture_port_range_end;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->fullcapture_port_range_end;
 }
 
 static __always_inline uint16_t maps__get_statsd_port() {
-	return g_settings.statsd_port;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->statsd_port;
 }
 
 static __always_inline int32_t maps__get_scap_tid() {
-	return g_settings.scap_tid;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->scap_tid;
 }
 
 /*=============================== SETTINGS ===========================*/
@@ -89,8 +144,12 @@ static __always_inline uint8_t maps__64bit_sampling_syscall_table(uint32_t sysca
 
 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/
 
-static __always_inline bool maps__64bit_interesting_syscall(uint32_t syscall_id) {
-	return g_64bit_interesting_syscalls_table[syscall_id & (SYSCALL_TABLE_SIZE - 1)];
+static __always_inline bool maps__interesting_syscall_64bit(uint32_t syscall_id) {
+	bool *ret = bpf_map_lookup_elem(&interesting_syscalls_table_64bit, &syscall_id);
+	if(ret == NULL) {
+		return false;
+	}
+	return *ret;
 }
 
 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/

driver/modern_bpf/helpers/base/shared_size.h

@@ -26,6 +26,9 @@
 /* Maximum number of `iovec` structures that we can analyze. */
 #define MAX_IOVCNT 32
 
+/* Maximum number of supported sendmmsg/recvmmsg loops with bpf_loop helper */
+#define MAX_SENDMMSG_RECVMMSG_SIZE 16
+
 /* Maximum number of `pollfd` structures that we can analyze. */
 #define MAX_POLLFD 16
 

driver/modern_bpf/helpers/extract/extract_from_kernel.h

@@ -10,6 +10,7 @@
 
 #include <helpers/base/maps_getters.h>
 #include <helpers/base/read_from_task.h>
+#include <helpers/base/shared_size.h>
 #include <driver/ppm_flag_helpers.h>
 
 #if __has_include(<sys/syscall.h>)
@@ -1031,3 +1032,47 @@ static __always_inline struct socket *get_sock_from_file(struct file *file) {
 	}
 	return (struct socket *)BPF_CORE_READ(file, private_data);
 }
+
+///////////////////////////
+// EXTRACT FROM MSGHDR
+///////////////////////////
+
+/**
+ * @brief Read the msghdr pointed by `msghdr_pointer` and store it in `msghdr` location.
+ * @param msghdr pointer to the user_msghdr struct used to store the read msghdr.
+ * @param msghdr_pointer pointer to the msghdr to be read.
+ * @return 0 on success, or a negative error in case of failure.
+ */
+static __always_inline long extract__msghdr(struct user_msghdr *msghdr,
+                                            unsigned long msghdr_pointer) {
+	return bpf_probe_read_user((void *)msghdr,
+	                           bpf_core_type_size(struct user_msghdr),
+	                           (void *)msghdr_pointer);
+}
+
+/**
+ * @brief Extract the size of a message extracted from an `iovec` struct array.
+ * @param scratch_space pointer the scratch space on which iovecs are read.
+ * @param scratch_space_size scratch space total size.
+ * @param iov_pointer pointer to `iovec` struct array.
+ * @param iov_cnt number of `iovec` structs.
+ * @return the size of the message on success, or 0 in case of failure.
+ */
+static __always_inline uint32_t extract__iovec_size(void *scratch_space,
+                                                    uint32_t scratch_space_size,
+                                                    unsigned long iov_pointer,
+                                                    unsigned long iov_cnt) {
+	if(bpf_probe_read_user(scratch_space, scratch_space_size, (void *)iov_pointer)) {
+		return 0;
+	}
+
+	uint32_t total_size_to_read = 0;
+	const struct iovec *iovec = (const struct iovec *)scratch_space;
+	for(int i = 0; i < MAX_IOVCNT; i++) {
+		if(i == iov_cnt) {
+			break;
+		}
+		total_size_to_read += iovec[i].iov_len;
+	}
+	return total_size_to_read;
+}

driver/modern_bpf/helpers/interfaces/attached_programs.h

@@ -1,60 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only OR MIT
-/*
- * Copyright (C) 2023 The Falco Authors.
- *
- * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
- * or GPL2.txt for full copies of the license.
- */
-
-#pragma once
-
-#include <helpers/base/maps_getters.h>
-
-/* The sampling logic is used by all BPF programs attached to the kernel.
- * We treat the syscalls tracepoints in a dedicated way because they could generate
- * more than one event (1 for each syscall) for this reason we need a dedicated table.
- */
-static __always_inline bool sampling_logic(void* ctx, uint32_t id) {
-	/* If dropping mode is not enabled we don't perform any sampling
-	 * false: means don't drop the syscall
-	 * true: means drop the syscall
-	 */
-	if(!maps__get_dropping_mode()) {
-		return false;
-	}
-
-	uint8_t sampling_flag = maps__64bit_sampling_syscall_table(id);
-
-	if(sampling_flag == UF_NEVER_DROP) {
-		return false;
-	}
-
-	if(sampling_flag == UF_ALWAYS_DROP) {
-		return true;
-	}
-
-	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) {
-		/* If we are starting the dropping phase we need to notify the userspace, otherwise, we
-		 * simply drop our event.
-		 * PLEASE NOTE: this logic is not per-CPU so it is best effort!
-		 */
-		if(!maps__get_is_dropping()) {
-			/* Here we are not sure we can send the drop_e event to userspace
-			 * if the buffer is full, but this is not essential even if we lose
-			 * an iteration we will synchronize again the next time the logic is enabled.
-			 */
-			maps__set_is_dropping(true);
-			bpf_tail_call(ctx, &extra_syscall_calls, T1_DROP_E);
-			bpf_printk("unable to tail call into 'drop_e' prog");
-		}
-		return true;
-	}
-
-	if(maps__get_is_dropping()) {
-		maps__set_is_dropping(false);
-		bpf_tail_call(ctx, &extra_syscall_calls, T1_DROP_X);
-		bpf_printk("unable to tail call into 'drop_x' prog");
-	}
-
-	return false;
-}

driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h

@@ -14,7 +14,7 @@
 #include <helpers/extract/extract_from_kernel.h>
 
 static __always_inline bool syscalls_dispatcher__64bit_interesting_syscall(uint32_t syscall_id) {
-	return maps__64bit_interesting_syscall(syscall_id);
+	return maps__interesting_syscall_64bit(syscall_id);
 }
 
 static __always_inline long convert_network_syscalls(struct pt_regs *regs) {

driver/modern_bpf/helpers/store/auxmap_store_params.h

@@ -113,7 +113,7 @@ static __always_inline void auxmap__finalize_event_header(struct auxiliary_map *
 
 /**
  * @brief Copy the entire event from the auxiliary map to bpf ringbuf.
- * If the event is correctly copied in the ringbuf we increments the number
+ * If the event is correctly copied in the ringbuf we increment the number
  * of events sent to userspace, otherwise we increment the dropped events.
  *
  * @param auxmap pointer to the auxmap in which we have already written the entire event.
@@ -776,7 +776,8 @@ static __always_inline void auxmap__store_socktuple_param(struct auxiliary_map *
 
 	case AF_UNIX: {
 		struct unix_sock *socket_local = (struct unix_sock *)sk;
-		struct unix_sock *socket_remote = (struct unix_sock *)BPF_CORE_READ(socket_local, peer);
+		struct unix_sock *socket_peer = (struct unix_sock *)BPF_CORE_READ(socket_local, peer);
+		struct sockaddr_un usrsockaddr_un = {};
 		char *path = NULL;
 
 		/* Pack the tuple info:
@@ -787,18 +788,23 @@ static __always_inline void auxmap__store_socktuple_param(struct auxiliary_map *
 		 */
 		push__u8(auxmap->data, &auxmap->payload_pos, socket_family_to_scap(socket_family));
 		if(direction == OUTBOUND) {
-			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_remote);
+			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_peer);
 			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_local);
-			path = BPF_CORE_READ(socket_remote, addr, name[0].sun_path);
+			if(socket_peer == NULL && usrsockaddr != NULL) {
+				bpf_probe_read_user(&usrsockaddr_un,
+				                    bpf_core_type_size(struct sockaddr_un),
+				                    (void *)usrsockaddr);
+				path = usrsockaddr_un.sun_path;
+			} else {
+				path = BPF_CORE_READ(socket_peer, addr, name[0].sun_path);
+			}
 		} else {
 			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_local);
-			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_remote);
+			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_peer);
 			path = BPF_CORE_READ(socket_local, addr, name[0].sun_path);
 		}
 
-		unsigned long start_reading_point;
-		char first_path_byte = *(char *)path;
-		if(first_path_byte == '\0') {
+		if(path[0] == '\0') {
 			/* Please note exceptions in the `sun_path`:
 			 * Taken from: https://man7.org/linux/man-pages/man7/unix.7.html
 			 *
@@ -808,14 +814,12 @@ static __always_inline void auxmap__store_socktuple_param(struct auxiliary_map *
 			 *
 			 * So in this case, we need to skip the initial `\0`.
 			 */
-			start_reading_point = (unsigned long)path + 1;
-		} else {
-			start_reading_point = (unsigned long)path;
+			path++;
 		}
 
 		uint16_t written_bytes = push__charbuf(auxmap->data,
 		                                       &auxmap->payload_pos,
-		                                       start_reading_point,
+		                                       (unsigned long)path,
 		                                       MAX_UNIX_SOCKET_PATH,
 		                                       KERNEL);
 		final_param_len = FAMILY_SIZE + KERNEL_POINTER + KERNEL_POINTER + written_bytes;
@@ -1117,9 +1121,7 @@ static __always_inline void auxmap__store_msghdr_size_param(struct auxiliary_map
 	 * we return 0.
 	 */
 	struct user_msghdr msghdr = {0};
-	if(bpf_probe_read_user((void *)&msghdr,
-	                       bpf_core_type_size(struct user_msghdr),
-	                       (void *)msghdr_pointer)) {
+	if(extract__msghdr(&msghdr, msghdr_pointer)) {
 		auxmap__store_u32_param(auxmap, 0);
 		return;
 	}
@@ -1144,9 +1146,7 @@ static __always_inline struct user_msghdr auxmap__store_msghdr_data_param(
 	 * we return an empty param.
 	 */
 	struct user_msghdr msghdr = {0};
-	if(bpf_probe_read_user((void *)&msghdr,
-	                       bpf_core_type_size(struct user_msghdr),
-	                       (void *)msghdr_pointer)) {
+	if(extract__msghdr(&msghdr, msghdr_pointer)) {
 		/* in case of NULL msghdr we return an empty param */
 		push__param_len(auxmap->data, &auxmap->lengths_pos, 0);
 		return msghdr;
@@ -1292,7 +1292,12 @@ static __always_inline uint16_t store_cgroup_subsys(struct auxiliary_map *auxmap
 		}
 		path_components++;
 		BPF_CORE_READ_INTO(&cgroup_path_pointers[k], kn, name);
-		BPF_CORE_READ_INTO(&kn, kn, parent);
+		if(bpf_core_field_exists(kn->parent)) {
+			BPF_CORE_READ_INTO(&kn, kn, parent);
+		} else {
+			struct kernfs_node___v6_15 *kn_v6_15 = (void *)kn;
+			BPF_CORE_READ_INTO(&kn, kn_v6_15, __parent);
+		}
 	}
 
 	/* Reconstruct the path in reverse, using previously collected pointers.
@@ -1499,10 +1504,17 @@ static __always_inline void auxmap__store_fdlist_param(struct auxiliary_map *aux
 	                sizeof(uint16_t) + (num_pairs * (sizeof(int64_t) + sizeof(int16_t))));
 }
 
+typedef struct {
+	bool only_port_range;
+	ppm_event_code evt_type;
+	long mmsg_index;         // Only used by sendmmsg/recvmmsg to pass the current message index
+	unsigned long *mm_args;  // Only used by sendmmsg/recvmmsg to reduce stack size to avoid
+	                         // verifier issues
+} dynamic_snaplen_args;
+
 static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
                                                   uint16_t *snaplen,
-                                                  bool only_port_range,
-                                                  ppm_event_code evt_type) {
+                                                  const dynamic_snaplen_args *input_args) {
 	if(!maps__get_do_dynamic_snaplen()) {
 		return;
 	}
@@ -1519,7 +1531,9 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	 *  - writev
 	 *  - pwritev
 	 *  - recvmsg
+	 *  - recvmmsg
 	 *  - sendmsg
+	 *  - sendmmsg
 	 *  - send
 	 *  - recv
 	 *  - recvfrom
@@ -1539,12 +1553,20 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	 *  - writev
 	 *  - pwritev
 	 *  - recvmsg
+	 *  - recvmmsg
 	 *  - sendmsg
+	 *  - sendmmsg
 	 */
 	unsigned long args[5] = {0};
 	struct sockaddr *sockaddr = NULL;
+	union {
+		struct compat_msghdr compat_mh;
+		struct user_msghdr mh;
+		struct compat_mmsghdr compat_mmh;
+		struct mmsghdr mmh;
+	} msg_mh = {};
 
-	switch(evt_type) {
+	switch(input_args->evt_type) {
 	case PPME_SOCKET_SENDTO_X:
 	case PPME_SOCKET_RECVFROM_X:
 		extract__network_args(args, 5, regs);
@@ -1555,19 +1577,41 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	case PPME_SOCKET_SENDMSG_X: {
 		extract__network_args(args, 3, regs);
 		if(bpf_in_ia32_syscall()) {
-			struct compat_msghdr compat_mh = {};
-			if(likely(bpf_probe_read_user(&compat_mh,
+			if(likely(bpf_probe_read_user(&msg_mh.compat_mh,
 			                              bpf_core_type_size(struct compat_msghdr),
 			                              (void *)args[1]) == 0)) {
-				sockaddr = (struct sockaddr *)(unsigned long)(compat_mh.msg_name);
+				sockaddr = (struct sockaddr *)(unsigned long)(msg_mh.compat_mh.msg_name);
 			}
 			// in any case we break the switch.
 			break;
 		}
+		if(extract__msghdr(&msg_mh.mh, args[1]) == 0) {
+			sockaddr = (struct sockaddr *)msg_mh.mh.msg_name;
+		}
+	} break;
 
-		struct user_msghdr mh = {};
-		if(bpf_probe_read_user(&mh, bpf_core_type_size(struct user_msghdr), (void *)args[1]) == 0) {
-			sockaddr = (struct sockaddr *)mh.msg_name;
+	case PPME_SOCKET_RECVMMSG_X:
+	case PPME_SOCKET_SENDMMSG_X: {
+		// To avoid verifier stack size issues, sendmmsg and recvmmsg directly pass args
+		// in dynamic_snaplen_args.
+		// This also gives a small perf boost while using `bpf_loop` because we don't need
+		// to re-fetch first 3 syscall args at every iteration.
+		__builtin_memcpy(args, input_args->mm_args, 3 * sizeof(unsigned long));
+		if(bpf_in_ia32_syscall()) {
+			struct compat_mmsghdr *mmh_ptr = (struct compat_mmsghdr *)args[1];
+			if(likely(bpf_probe_read_user(&msg_mh.compat_mmh,
+			                              bpf_core_type_size(struct compat_mmsghdr),
+			                              (void *)(mmh_ptr + input_args->mmsg_index)) == 0)) {
+				sockaddr = (struct sockaddr *)(unsigned long)(msg_mh.compat_mmh.msg_hdr.msg_name);
+			}
+			// in any case we break the switch.
+			break;
+		}
+		struct mmsghdr *mmh_ptr = (struct mmsghdr *)args[1];
+		if(bpf_probe_read_user(&msg_mh.mmh,
+		                       bpf_core_type_size(struct mmsghdr),
+		                       (void *)(mmh_ptr + input_args->mmsg_index)) == 0) {
+			sockaddr = (struct sockaddr *)msg_mh.mmh.msg_hdr.msg_name;
 		}
 	} break;
 
@@ -1605,16 +1649,20 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 		port_remote = ntohs(port_remote);
 
 		if(port_remote == 0 && sockaddr != NULL) {
+			union {
+				struct sockaddr_in sockaddr_in;
+				struct sockaddr_in6 sockaddr_in6;
+			} saddr_in = {};
 			if(socket_family == AF_INET) {
-				struct sockaddr_in sockaddr_in = {};
-				bpf_probe_read_user(&sockaddr_in, bpf_core_type_size(struct sockaddr_in), sockaddr);
-				port_remote = ntohs(sockaddr_in.sin_port);
+				bpf_probe_read_user(&saddr_in.sockaddr_in,
+				                    bpf_core_type_size(struct sockaddr_in),
+				                    sockaddr);
+				port_remote = ntohs(saddr_in.sockaddr_in.sin_port);
 			} else {
-				struct sockaddr_in6 sockaddr_in6 = {};
-				bpf_probe_read_user(&sockaddr_in6,
+				bpf_probe_read_user(&saddr_in.sockaddr_in6,
 				                    bpf_core_type_size(struct sockaddr_in6),
 				                    sockaddr);
-				port_remote = ntohs(sockaddr_in6.sin6_port);
+				port_remote = ntohs(saddr_in.sockaddr_in6.sin6_port);
 			}
 		}
 	}
@@ -1639,7 +1687,7 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	}
 
 	/* If we check only port range without reading syscall data we can stop here */
-	if(only_port_range) {
+	if(input_args->only_port_range) {
 		return;
 	}
 

driver/modern_bpf/maps/maps.h

@@ -47,35 +47,23 @@ __weak const volatile uint64_t probe_api_ver = PPM_API_CURRENT_VERSION;
  */
 __weak const volatile uint64_t probe_schema_var = PPM_SCHEMA_CURRENT_VERSION;
 
-/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
-
-/*=============================== BPF GLOBAL VARIABLES ===============================*/
-
-/**
- * @brief Given the syscall id on 64-bit-architectures returns if
- * the syscall must be filtered out according to the simple consumer logic.
- */
-__weak bool g_64bit_interesting_syscalls_table[SYSCALL_TABLE_SIZE];
-
 /**
  * @brief Given the syscall id on 64-bit-architectures returns:
  * - `UF_NEVER_DROP` if the syscall must not be dropped in the sampling logic.
  * - `UF_ALWAYS_DROP` if the syscall must always be dropped in the sampling logic.
  * - `UF_NONE` if we drop the syscall depends on the sampling ratio.
  */
-__weak uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
+__weak const volatile uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
 
 /**
  * @brief Given the syscall id on 32-bit x86 arch returns
  * its x64 value. Used to support ia32 syscall emulation.
  */
-__weak uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];
+__weak const volatile uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];
 
-/**
- * @brief Global capture settings shared between userspace and
- * bpf programs.
- */
-__weak struct capture_settings g_settings;
+/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
+
+/*=============================== BPF GLOBAL VARIABLES ===============================*/
 
 /**
  * @brief Variable used only kernel side to understand when we need to send
@@ -117,25 +105,44 @@ struct {
 } syscall_exit_tail_table __weak SEC(".maps");
 
 /**
- * @brief This tail table is used when a bpf program needs another program
- * to complete its execution flow. This table could be used both by
- * programs directly attached in the kernel (like page_faults,
- * context_switch, ...) and by syscall_events (like
- * ppme_syscall_execveat_x, ...).
- * Given a predefined tail-code (`extra_syscall_codes`), it calls
+ * @brief This tail table is used when a sys exit bpf program needs another program
+ * to complete its execution flow.
+ * Given a predefined tail-code (`sys_exit_extra_code`), it calls
  * the right bpf program.
  */
 struct {
 	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
-	__uint(max_entries, TAIL_EXTRA_EVENT_PROG_MAX);
+	__uint(max_entries, SYS_EXIT_EXTRA_CODE_MAX);
 	__type(key, uint32_t);
 	__type(value, uint32_t);
-} extra_syscall_calls __weak SEC(".maps");
+} syscall_exit_extra_tail_table __weak SEC(".maps");
 
 /*=============================== BPF_MAP_TYPE_PROG_ARRAY ===============================*/
 
 /*=============================== BPF_MAP_TYPE_ARRAY ===============================*/
 
+/**
+ * @brief This table is used to keep track of which syscalls must be filtered out
+ * according to the simple consumer logic.
+ */
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, SYSCALL_TABLE_SIZE);
+	__type(key, uint32_t);
+	__type(value, bool);
+} interesting_syscalls_table_64bit __weak SEC(".maps");
+
+/**
+ * @brief Global capture settings shared between userspace and
+ * bpf programs.
+ */
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, 1);
+	__type(key, uint32_t);
+	__type(value, struct capture_settings);
+} capture_settings __weak SEC(".maps");
+
 /* These maps have one entry for each CPU.
  *
  * PLEASE NOTE:

driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c

@@ -7,13 +7,42 @@
  */
 
 #include <helpers/interfaces/syscalls_dispatcher.h>
-#include <helpers/interfaces/attached_programs.h>
+
+// We don't want to send DROP_E/DROP_X events from the enter tracepoint because it would requires us
+// to create a dedicated tail table for the enter. It is enough to send DROP_E/DROP_X events from
+// the exit tracepoint.
+static __always_inline bool sampling_logic_enter(void* ctx, uint32_t id) {
+	/* If dropping mode is not enabled we don't perform any sampling
+	 * false: means don't drop the syscall
+	 * true: means drop the syscall
+	 */
+	if(!maps__get_dropping_mode()) {
+		return false;
+	}
+
+	uint8_t sampling_flag = maps__64bit_sampling_syscall_table(id);
+
+	if(sampling_flag == UF_NEVER_DROP) {
+		return false;
+	}
+
+	if(sampling_flag == UF_ALWAYS_DROP) {
+		return true;
+	}
+
+	// If we are in the sampling period we drop the event
+	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) {
+		return true;
+	}
+
+	return false;
+}
 
 /* From linux tree: /include/trace/events/syscall.h
  * TP_PROTO(struct pt_regs *regs, long id),
  */
 SEC("tp_btf/sys_enter")
-int BPF_PROG(sys_enter, struct pt_regs *regs, long syscall_id) {
+int BPF_PROG(sys_enter, struct pt_regs* regs, long syscall_id) {
 	int socketcall_syscall_id = -1;
 
 	if(bpf_in_ia32_syscall()) {
@@ -49,7 +78,7 @@ int BPF_PROG(sys_enter, struct pt_regs *regs, long syscall_id) {
 		return 0;
 	}
 
-	if(sampling_logic(ctx, syscall_id)) {
+	if(sampling_logic_enter(ctx, syscall_id)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c

@@ -7,8 +7,165 @@
  */
 
 #include <helpers/interfaces/syscalls_dispatcher.h>
-#include <helpers/interfaces/attached_programs.h>
 #include <bpf/bpf_helpers.h>
+#include <helpers/interfaces/fixed_size_event.h>
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(t_hotplug) {
+	/* We assume that the ring buffer for CPU 0 is always there so we send the
+	 * HOT-PLUG event through this buffer.
+	 */
+	uint32_t cpu_0 = 0;
+	struct ringbuf_map *rb = bpf_map_lookup_elem(&ringbuf_maps, &cpu_0);
+	if(!rb) {
+		bpf_printk("unable to obtain the ring buffer for CPU 0");
+		return 0;
+	}
+
+	struct counter_map *counter = bpf_map_lookup_elem(&counter_maps, &cpu_0);
+	if(!counter) {
+		bpf_printk("unable to obtain the counter map for CPU 0");
+		return 0;
+	}
+
+	/* This counts the event seen by the drivers even if they are dropped because the buffer is
+	 * full. */
+	counter->n_evts++;
+
+	/* If we are not able to reserve space we stop here
+	 * the event collection.
+	 */
+	struct ringbuf_struct ringbuf;
+	ringbuf.reserved_event_size = CPU_HOTPLUG_E_SIZE;
+	ringbuf.event_type = PPME_CPU_HOTPLUG_E;
+	ringbuf.data = bpf_ringbuf_reserve(rb, CPU_HOTPLUG_E_SIZE, 0);
+	if(!ringbuf.data) {
+		counter->n_drops_buffer++;
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	/* Parameter 1: cpu (type: PT_UINT32) */
+	uint32_t current_cpu_id = (uint32_t)bpf_get_smp_processor_id();
+	ringbuf__store_u32(&ringbuf, current_cpu_id);
+
+	/* Parameter 2: action (type: PT_UINT32) */
+	/* Right now we don't have actions we always send 0 */
+	ringbuf__store_u32(&ringbuf, 0);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+	return 0;
+}
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(t_drop_e) {
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, DROP_E_SIZE, PPME_DROP_E)) {
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__store_u32(&ringbuf, maps__get_sampling_ratio());
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+	return 0;
+}
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(t_drop_x) {
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, DROP_X_SIZE, PPME_DROP_X)) {
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__store_u32(&ringbuf, maps__get_sampling_ratio());
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+	return 0;
+}
+
+enum custom_sys_exit_logic_codes {
+	T_HOTPLUG,
+	T_DROP_E,
+	T_DROP_X,
+	// add more codes here.
+	T_CUSTOM_MAX,
+};
+
+struct {
+	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+	__uint(max_entries, T_CUSTOM_MAX);
+	__uint(key_size, sizeof(__u32));
+	__array(values, int(void *));
+} custom_sys_exit_calls SEC(".maps") = {
+        .values =
+                {
+                        [T_HOTPLUG] = (void *)&t_hotplug,
+                        [T_DROP_E] = (void *)&t_drop_e,
+                        [T_DROP_X] = (void *)&t_drop_x,
+                },
+};
+
+static __always_inline bool sampling_logic_exit(void *ctx, uint32_t id) {
+	/* If dropping mode is not enabled we don't perform any sampling
+	 * false: means don't drop the syscall
+	 * true: means drop the syscall
+	 */
+	if(!maps__get_dropping_mode()) {
+		return false;
+	}
+
+	uint8_t sampling_flag = maps__64bit_sampling_syscall_table(id);
+
+	if(sampling_flag == UF_NEVER_DROP) {
+		return false;
+	}
+
+	if(sampling_flag == UF_ALWAYS_DROP) {
+		return true;
+	}
+
+	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) {
+		/* If we are starting the dropping phase we need to notify the userspace, otherwise, we
+		 * simply drop our event.
+		 * PLEASE NOTE: this logic is not per-CPU so it is best effort!
+		 */
+		if(!maps__get_is_dropping()) {
+			/* Here we are not sure we can send the drop_e event to userspace
+			 * if the buffer is full, but this is not essential even if we lose
+			 * an iteration we will synchronize again the next time the logic is enabled.
+			 */
+			maps__set_is_dropping(true);
+			bpf_tail_call(ctx, &custom_sys_exit_calls, T_DROP_E);
+			bpf_printk("unable to tail call into 'drop_e' prog");
+		}
+		return true;
+	}
+
+	if(maps__get_is_dropping()) {
+		maps__set_is_dropping(false);
+		bpf_tail_call(ctx, &custom_sys_exit_calls, T_DROP_X);
+		bpf_printk("unable to tail call into 'drop_x' prog");
+	}
+
+	return false;
+}
 
 #define X86_64_NR_EXECVE 59
 #define X86_64_NR_EXECVEAT 322
@@ -63,7 +220,7 @@ int BPF_PROG(sys_exit, struct pt_regs *regs, long ret) {
 		return 0;
 	}
 
-	if(sampling_logic(ctx, syscall_id)) {
+	if(sampling_logic_exit(ctx, syscall_id)) {
 		return 0;
 	}
 
@@ -76,7 +233,7 @@ int BPF_PROG(sys_exit, struct pt_regs *regs, long ret) {
 	// we change our architecture we may need to update this logic.
 	struct ringbuf_map *rb = maps__get_ringbuf_map();
 	if(!rb) {
-		bpf_tail_call(ctx, &extra_syscall_calls, T1_HOTPLUG_E);
+		bpf_tail_call(ctx, &custom_sys_exit_calls, T_HOTPLUG);
 		bpf_printk("failed to tail call into the 'hotplug' prog");
 		return 0;
 	}

driver/modern_bpf/programs/attached/events/page_fault_kernel.bpf.c

@@ -7,7 +7,6 @@
  */
 
 #include <helpers/interfaces/fixed_size_event.h>
-#include <helpers/interfaces/attached_programs.h>
 
 /* From linux tree: `/arch/x86/include/asm/trace/exceptions.h`
  *	 TP_PROTO(unsigned long address, struct pt_regs *regs,

driver/modern_bpf/programs/attached/events/page_fault_user.bpf.c

@@ -7,7 +7,6 @@
  */
 
 #include <helpers/interfaces/fixed_size_event.h>
-#include <helpers/interfaces/attached_programs.h>
 
 /* From linux tree: `/arch/x86/include/asm/trace/exceptions.h`
  *	 TP_PROTO(unsigned long address, struct pt_regs *regs,

driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c

@@ -179,9 +179,9 @@ int BPF_PROG(t1_sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux
 	uint32_t tty = exctract__tty(task);
 	auxmap__store_u32_param(auxmap, (uint32_t)tty);
 
-	/* Parameter 18: pgid (type: PT_PID) */
-	pid_t pgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
-	auxmap__store_s64_param(auxmap, (int64_t)pgid);
+	/* Parameter 18: vpgid (type: PT_PID) */
+	pid_t vpgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
+	auxmap__store_s64_param(auxmap, (int64_t)vpgid);
 
 	/* Parameter 19: loginuid (type: PT_UID) */
 	uint32_t loginuid;
@@ -288,9 +288,14 @@ int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
 		auxmap__store_empty_param(auxmap);
 	}
 
-	/* Parameter 29: pgid (type: PT_UID) */
+	/* Parameter 29: pgid (type: PT_PID) */
 	auxmap__store_pgid(auxmap, task);
 
+	/* Parameter 30: egid (type: PT_GID) */
+	uint32_t egid;
+	extract__egid(task, &egid);
+	auxmap__store_u32_param(auxmap, egid);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/attached/events/sched_process_exit.bpf.c

@@ -8,7 +8,6 @@
 
 #include <helpers/interfaces/variable_size_event.h>
 #include <driver/systype_compat.h>
-#include <helpers/interfaces/attached_programs.h>
 
 /* The instruction limit is 1000000, so we shouldn't have issues */
 #define MAX_THREADS_GROUPS 30

driver/modern_bpf/programs/attached/events/sched_switch.bpf.c

@@ -7,7 +7,6 @@
  */
 
 #include <helpers/interfaces/fixed_size_event.h>
-#include <helpers/interfaces/attached_programs.h>
 
 /* From linux tree: /include/linux/events/sched.h
  * TP_PROTO(bool preempt, struct task_struct *prev,
@@ -23,7 +22,7 @@ int BPF_PROG(sched_switch, bool preempt, struct task_struct *prev, struct task_s
 	/// TODO: we could avoid switches from kernel threads to kernel threads (?).
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, SCHED_SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/attached/events/signal_deliver.bpf.c

@@ -7,7 +7,6 @@
  */
 
 #include <helpers/interfaces/fixed_size_event.h>
-#include <helpers/interfaces/attached_programs.h>
 
 /* From linux tree: `/include/trace/events/signal.h`
  *	 TP_PROTO(int sig, struct kernel_siginfo *info, struct k_sigaction *ka)
@@ -20,7 +19,7 @@ int BPF_PROG(signal_deliver, int sig, struct kernel_siginfo *info, struct k_siga
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, SIGNAL_DELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, SIGNALDELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/custom_logic/drop.bpf.c

@@ -1,55 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only OR MIT
-/*
- * Copyright (C) 2023 The Falco Authors.
- *
- * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
- * or GPL2.txt for full copies of the license.
- */
-
-#include <helpers/interfaces/fixed_size_event.h>
-
-/*=============================== ENTER EVENT ===========================*/
-
-SEC("tp_btf/sys_enter")
-int BPF_PROG(t1_drop_e) {
-	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, DROP_E_SIZE, PPME_DROP_E)) {
-		return 0;
-	}
-
-	ringbuf__store_event_header(&ringbuf);
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__store_u32(&ringbuf, maps__get_sampling_ratio());
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__submit_event(&ringbuf);
-	return 0;
-}
-
-/*=============================== ENTER EVENT ===========================*/
-
-/*=============================== EXIT EVENT ===========================*/
-
-SEC("tp_btf/sys_exit")
-int BPF_PROG(t1_drop_x) {
-	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, DROP_X_SIZE, PPME_DROP_X)) {
-		return 0;
-	}
-
-	ringbuf__store_event_header(&ringbuf);
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__store_u32(&ringbuf, maps__get_sampling_ratio());
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__submit_event(&ringbuf);
-	return 0;
-}
-
-/*=============================== EXIT EVENT ===========================*/

driver/modern_bpf/programs/tail_called/events/custom_logic/hotplug.bpf.c

@@ -1,61 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only OR MIT
-/*
- * Copyright (C) 2023 The Falco Authors.
- *
- * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
- * or GPL2.txt for full copies of the license.
- */
-
-#include <helpers/interfaces/fixed_size_event.h>
-
-SEC("tp_btf/sys_exit")
-int BPF_PROG(t1_hotplug_e) {
-	/* We assume that the ring buffer for CPU 0 is always there so we send the
-	 * HOT-PLUG event through this buffer.
-	 */
-	uint32_t cpu_0 = 0;
-	struct ringbuf_map *rb = bpf_map_lookup_elem(&ringbuf_maps, &cpu_0);
-	if(!rb) {
-		bpf_printk("unable to obtain the ring buffer for CPU 0");
-		return 0;
-	}
-
-	struct counter_map *counter = bpf_map_lookup_elem(&counter_maps, &cpu_0);
-	if(!counter) {
-		bpf_printk("unable to obtain the counter map for CPU 0");
-		return 0;
-	}
-
-	/* This counts the event seen by the drivers even if they are dropped because the buffer is
-	 * full. */
-	counter->n_evts++;
-
-	/* If we are not able to reserve space we stop here
-	 * the event collection.
-	 */
-	struct ringbuf_struct ringbuf;
-	ringbuf.reserved_event_size = HOTPLUG_E_SIZE;
-	ringbuf.event_type = PPME_CPU_HOTPLUG_E;
-	ringbuf.data = bpf_ringbuf_reserve(rb, HOTPLUG_E_SIZE, 0);
-	if(!ringbuf.data) {
-		counter->n_drops_buffer++;
-		return 0;
-	}
-
-	ringbuf__store_event_header(&ringbuf);
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	/* Parameter 1: cpu (type: PT_UINT32) */
-	uint32_t current_cpu_id = (uint32_t)bpf_get_smp_processor_id();
-	ringbuf__store_u32(&ringbuf, current_cpu_id);
-
-	/* Parameter 2: action (type: PT_UINT32) */
-	/* Right now we don't have actions we always send 0 */
-	ringbuf__store_u32(&ringbuf, 0);
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__submit_event(&ringbuf);
-	return 0;
-}

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/accept4.bpf.c

@@ -105,6 +105,12 @@ int BPF_PROG(accept4_x, struct pt_regs *regs, long ret) {
 	/* Parameter 5: queuemax (type: PT_UINT32) */
 	auxmap__store_u32_param(auxmap, queuemax);
 
+	/* Parameter 6: flags (type: PT_FLAGS32) */
+	/// TODO: we don't support flags yet and so we just return zero.
+	///    If implemented, special handling for SYS_ACCEPT socketcall is needed.
+	uint32_t flags = 0;
+	auxmap__store_u32_param(auxmap, flags);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/access.bpf.c

@@ -51,10 +51,14 @@ int BPF_PROG(access_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
-	/* Parameter 2: pathname (type: PT_FSPATH) */
+	/* Parameter 2: name (type: PT_FSPATH) */
 	unsigned long path_pointer = extract__syscall_argument(regs, 0);
 	auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER);
 
+	/* Parameter 3: mode (type: PT_UINT32) */
+	int mode = (int)extract__syscall_argument(regs, 1);
+	auxmap__store_u32_param(auxmap, (uint32_t)access_flags_to_scap(mode));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bind.bpf.c

@@ -13,7 +13,9 @@
 
 SEC("tp_btf/sys_enter")
 int BPF_PROG(bind_e, struct pt_regs *regs, long id) {
-	/* Collect parameters at the beginning to easily manage socketcalls */
+	/* We need to keep this at the beginning of the program because otherwise we alter the state of
+	 * the ebpf registers causing a verifier issue.
+	 */
 	unsigned long socket_fd = 0;
 	extract__network_args(&socket_fd, 1, regs);
 
@@ -66,6 +68,9 @@ int BPF_PROG(bind_x, struct pt_regs *regs, long ret) {
 	uint16_t addrlen = (uint16_t)args[2];
 	auxmap__store_sockaddr_param(auxmap, sockaddr_ptr, addrlen);
 
+	/* Parameter 3: fd (type: PT_FD) */
+	auxmap__store_s64_param(auxmap, (int64_t)(int32_t)args[0]);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/brk.bpf.c

@@ -22,7 +22,7 @@ int BPF_PROG(brk_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: addr (type: PT_UINT64) */
-	unsigned long addr = extract__syscall_argument(regs, 0);
+	uint64_t addr = extract__syscall_argument(regs, 0);
 	ringbuf__store_u64(&ringbuf, addr);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
@@ -68,6 +68,10 @@ int BPF_PROG(brk_x, struct pt_regs *regs, long ret) {
 	/* Parameter 4: vm_swap (type: PT_UINT32) */
 	ringbuf__store_u32(&ringbuf, swap_size);
 
+	/* Parameter 5: addr (type: PT_UINT64) */
+	uint64_t addr = extract__syscall_argument(regs, 0);
+	ringbuf__store_u64(&ringbuf, addr);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c

@@ -150,7 +150,7 @@ int BPF_PROG(clone_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_syscall_calls, T1_CLONE_X);
+	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_CLONE_X);
 	return 0;
 }
 
@@ -206,7 +206,7 @@ int BPF_PROG(t1_clone_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_syscall_calls, T2_CLONE_X);
+	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_CLONE_X);
 	return 0;
 }
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c

@@ -150,7 +150,7 @@ int BPF_PROG(clone3_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_syscall_calls, T1_CLONE3_X);
+	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_CLONE3_X);
 	return 0;
 }
 
@@ -204,7 +204,7 @@ int BPF_PROG(t1_clone3_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_syscall_calls, T2_CLONE3_X);
+	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_CLONE3_X);
 	return 0;
 }
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c

@@ -50,9 +50,9 @@ int BPF_PROG(close_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: fd (type: PT_FD)*/
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -80,9 +80,13 @@ int BPF_PROG(close_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c

@@ -24,14 +24,14 @@ int BPF_PROG(connect_e, struct pt_regs *regs, long id) {
 	unsigned long args[3] = {0};
 	extract__network_args(args, 3, regs);
 
-	/* Parameter 1: fd (type: PT_FD)*/
-	int32_t socket_fd = (int32_t)args[0];
-	auxmap__store_s64_param(auxmap, (int64_t)socket_fd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t socket_fd = (int64_t)(int32_t)args[0];
+	auxmap__store_s64_param(auxmap, socket_fd);
 
-	/* Parameter 2: addr (type: PT_SOCKADDR)*/
-	unsigned long sockaddr_ptr = args[1];
-	uint16_t addrlen = (uint16_t)args[2];
-	auxmap__store_sockaddr_param(auxmap, sockaddr_ptr, addrlen);
+	/* Parameter 2: addr (type: PT_SOCKADDR) */
+	unsigned long usrsockaddr = args[1];
+	uint16_t usrsockaddr_len = (uint16_t)args[2];
+	auxmap__store_sockaddr_param(auxmap, usrsockaddr, usrsockaddr_len);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -57,25 +57,30 @@ int BPF_PROG(connect_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	unsigned long socket_fd = 0;
-	extract__network_args(&socket_fd, 1, regs);
+	unsigned long args[3] = {0};
+	extract__network_args(args, 3, regs);
+	int64_t socket_fd = (int64_t)(int32_t)args[0];
 
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
+	struct sockaddr *usrsockaddr = (struct sockaddr *)args[1];
+
 	/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
-	/* We need a valid sockfd to extract source data.*/
 	if(ret == 0 || ret == -EINPROGRESS) {
-		auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, NULL);
+		/* Notice: the following will push an empty parameter if
+		 * something goes wrong (e.g.: fd not valid). */
+		auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, usrsockaddr);
 	} else {
 		auxmap__store_empty_param(auxmap);
 	}
 
-	/* Parameter 3: fd (type: PT_FD)*/
-	/* We need the double cast to extract the first 4 bytes and then
-	 * convert them to a signed integer on 64-bit
-	 */
-	auxmap__store_s64_param(auxmap, (int64_t)(int32_t)socket_fd);
+	/* Parameter 3: fd (type: PT_FD) */
+	auxmap__store_s64_param(auxmap, socket_fd);
+
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	uint16_t usrsockaddr_len = (uint16_t)args[2];
+	auxmap__store_sockaddr_param(auxmap, (unsigned long)usrsockaddr, usrsockaddr_len);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c

@@ -25,8 +25,8 @@ int BPF_PROG(copy_file_range_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fdin (type: PT_FD) */
-	int32_t fdin = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fdin);
+	int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fdin);
 
 	/* Parameter 2: offin (type: PT_UINT64) */
 	uint64_t offin = extract__syscall_argument(regs, 1);
@@ -58,17 +58,29 @@ int BPF_PROG(copy_file_range_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
 	/* Parameter 2: fdout (type: PT_FD) */
-	int32_t fdout = (int32_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_s64(&ringbuf, (int64_t)fdout);
+	int64_t fdout = (int64_t)(int32_t)extract__syscall_argument(regs, 2);
+	ringbuf__store_s64(&ringbuf, fdout);
 
 	/* Parameter 3: offout (type: PT_UINT64) */
 	uint64_t offout = extract__syscall_argument(regs, 3);
 	ringbuf__store_u64(&ringbuf, offout);
 
+	/* Parameter 4: fdin (type: PT_FD) */
+	int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fdin);
+
+	/* Parameter 5: offin (type: PT_UINT64) */
+	uint64_t offin = extract__syscall_argument(regs, 1);
+	ringbuf__store_u64(&ringbuf, offin);
+
+	/* Parameter 6: len (type: PT_UINT64) */
+	uint64_t len = extract__syscall_argument(regs, 4);
+	ringbuf__store_u64(&ringbuf, len);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c

@@ -21,9 +21,9 @@ int BPF_PROG(dup_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -47,12 +47,12 @@ int BPF_PROG(dup_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, ret);
+	/* Parameter 1: res (type: PT_FD) */
+	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
 
 	/* Parameter 2: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c

@@ -21,9 +21,9 @@ int BPF_PROG(dup2_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -47,16 +47,16 @@ int BPF_PROG(dup2_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, ret);
+	/* Parameter 1: res (type: PT_FD) */
+	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
 
 	/* Parameter 2: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);
 
 	/* Parameter 3: newfd (type: PT_FD) */
-	int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, (int64_t)newfd);
+	int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_s64(&ringbuf, newfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c

@@ -21,9 +21,9 @@ int BPF_PROG(dup3_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -47,16 +47,16 @@ int BPF_PROG(dup3_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, ret);
+	/* Parameter 1: res (type: PT_FD) */
+	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
 
 	/* Parameter 2: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);
 
 	/* Parameter 3: newfd (type: PT_FD) */
-	int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, (int64_t)newfd);
+	int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_s64(&ringbuf, newfd);
 
 	/* Parameter 4: flags (type: PT_FLAGS32) */
 	int32_t flags = extract__syscall_argument(regs, 2);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c

@@ -47,9 +47,13 @@ int BPF_PROG(epoll_create_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: size (type: PT_INT32) */
+	int32_t size = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s32(&ringbuf, size);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c

@@ -47,9 +47,13 @@ int BPF_PROG(epoll_create1_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: flags (type: PT_FLAGS32) */
+	int32_t flags = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u32(&ringbuf, epoll_create1_flags_to_scap(flags));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_wait.bpf.c

@@ -50,6 +50,10 @@ int BPF_PROG(epoll_wait_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: maxevents (type: PT_ERRNO) */
+	int maxevents = (int)extract__syscall_argument(regs, 2);
+	ringbuf__store_s64(&ringbuf, (int64_t)maxevents);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd.bpf.c

@@ -22,8 +22,8 @@ int BPF_PROG(eventfd_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: initval (type: PT_UINT64) */
-	uint32_t initval = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, (uint64_t)initval);
+	uint64_t initval = (uint64_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u64(&ringbuf, initval);
 
 	/* Parameter 2: flags (type: PT_UINT32) */
 	/* The syscall eventfd has no flags! only `eventfd2` has the `flags` param.
@@ -53,9 +53,19 @@ int BPF_PROG(eventfd_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_FD)*/
+	/* Parameter 1: res (type: PT_FD) */
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: initval (type: PT_UINT64) */
+	uint64_t initval = (uint64_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u64(&ringbuf, initval);
+
+	/* Parameter 3: flags (type: PT_UINT32) */
+	/* The syscall eventfd has no flags! only `eventfd2` has the `flags` param.
+	 * For compatibility with the event definition here we send `0` as flags.
+	 */
+	ringbuf__store_u32(&ringbuf, 0);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd2.bpf.c

@@ -47,13 +47,17 @@ int BPF_PROG(eventfd2_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_FD)*/
+	/* Parameter 1: res (type: PT_FD) */
 	ringbuf__store_s64(&ringbuf, ret);
 
 	/* Parameter 2: flags (type: PT_FLAGS16) */
 	int32_t flags = (int32_t)extract__syscall_argument(regs, 1);
 	ringbuf__store_u16(&ringbuf, eventfd2_flags_to_scap(flags));
 
+	/* Parameter 3: initval (type: PT_UINT64) */
+	uint32_t initval = (uint32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u64(&ringbuf, (uint64_t)initval);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c

@@ -155,7 +155,7 @@ int BPF_PROG(execve_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_syscall_calls, T1_EXECVE_X);
+	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_EXECVE_X);
 	return 0;
 }
 
@@ -198,9 +198,9 @@ int BPF_PROG(t1_execve_x, struct pt_regs *regs, long ret) {
 	uint32_t tty = exctract__tty(task);
 	auxmap__store_u32_param(auxmap, (uint32_t)tty);
 
-	/* Parameter 18: pgid (type: PT_PID) */
-	pid_t pgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
-	auxmap__store_s64_param(auxmap, (int64_t)pgid);
+	/* Parameter 18: vpgid (type: PT_PID) */
+	pid_t vpgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
+	auxmap__store_s64_param(auxmap, (int64_t)vpgid);
 
 	/* Parameter 19: loginuid (type: PT_UID) */
 	uint32_t loginuid;
@@ -284,7 +284,7 @@ int BPF_PROG(t1_execve_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	bpf_tail_call(ctx, &extra_syscall_calls, T2_EXECVE_X);
+	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_EXECVE_X);
 	return 0;
 }
 
@@ -307,9 +307,14 @@ int BPF_PROG(t2_execve_x, struct pt_regs *regs, long ret) {
 		auxmap__store_empty_param(auxmap);
 	}
 
-	/* Parameter 29: pgid (type: PT_UID) */
+	/* Parameter 29: pgid (type: PT_PID) */
 	auxmap__store_pgid(auxmap, task);
 
+	/* Parameter 30: egid (type: PT_GID) */
+	uint32_t egid;
+	extract__egid(task, &egid);
+	auxmap__store_u32_param(auxmap, egid);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);