fix(userspace/libsinsp): sinsp_filter_check_user::extract_single return-stack-address

Address the following warning (we build with -Werror...): ``` /__w/libs/libs/userspace/libsinsp/sinsp_filtercheck_user.cpp:104:26: warning: address of stack memory associated with local variable 'user' returned [-Wreturn-stack-address] 104 | RETURN_EXTRACT_STRING(user); | ^~~~ /__w/libs/libs/userspace/libsinsp/sinsp_filtercheck_user.cpp:34:21: note: expanded from macro 'RETURN_EXTRACT_STRING' 34 | return (uint8_t*)(x).c_str(); \ | ^ ``` Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
fix(libsinsp): use proper INET6_ADDRSTRLEN buffer size for inet_ntop
2025-08-06 16:39:05 +02:00 · 2025-08-04 12:16:49 +02:00 · 2025-08-04 10:00:48 +02:00 · 2025-08-04 10:00:48 +02:00 · 2025-08-04 09:46:48 +02:00 · 2025-08-04 09:46:48 +02:00
708 changed files with 46235 additions and 37126 deletions
--- a/.clang-format-ignore
+++ b/.clang-format-ignore
@ -3,6 +3,8 @@ driver/modern_bpf/definitions/aarch64/vmlinux.h
 driver/modern_bpf/definitions/ppc64le/vmlinux.h
 driver/modern_bpf/definitions/s390x/vmlinux.h
 driver/modern_bpf/definitions/x86_64/vmlinux.h
+# Autogenerated events dimensions file for modern probe is not formatted
+driver/modern_bpf/definitions/events_dimensions.h
 # All syscall_compat autogenerated headers are not formatted
 driver/syscall_compat_aarch64.h
 driver/syscall_compat_loongarch64.h
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -20,6 +20,8 @@

 > /kind failing-test

+> /kind test
+
 > /kind feature

 <!--
--- a/.github/actions/composite-perf/action.yml
+++ b/.github/actions/composite-perf/action.yml
@ -24,7 +24,7 @@ runs:
    - name: Install deps ⛓️
      shell: bash
      run: |
-        sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
+        sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
        sudo .github/install-deps.sh

    - name: Build
--- a/.github/actions/install-zig/action.yml
+++ b/.github/actions/install-zig/action.yml
@ -8,41 +8,29 @@ runs:
      shell: bash
      id: store
      env:
-        ZIG_VERSION: '0.14.0-dev.2591+5333d2443'
+        ZIG_VERSION: '0.14.1'
      run: |
        echo "zig_version=${ZIG_VERSION}" >> "$GITHUB_OUTPUT"

-    # TODO: this is only needed because we are using a development version of zig,
-    # since we need https://github.com/ziglang/zig/pull/21253 to be included.
-    # Development versions of zig are not kept alive forever, but get overridden.
-    # We cache it to keep it alive.
-    - name: Download zig (cached)
-      id: cache-zig
-      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
-      with:
-        path: zig
-        key: zig-${{ runner.os }}-${{ runner.arch }}-${{ steps.store.outputs.zig_version }}
-
    - name: Download zig
-      if: steps.cache-zig.outputs.cache-hit != 'true'
      shell: bash
      run: |
-        curl -L -o zig.tar.xz https://ziglang.org/builds/zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}.tar.xz
+        curl -L -o zig.tar.xz https://ziglang.org/download/${{ steps.store.outputs.zig_version }}/zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}.tar.xz
        tar -xvf zig.tar.xz

-        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
+        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
        #!/bin/bash
        exec zig cc -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
        EOF
-        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc
+        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc

-        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
+        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
        #!/bin/bash
        exec zig c++ -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
        EOF
-        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++
+        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++

-        mv zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/ zig
+        mv zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/ zig

    - name: Setup zig
      shell: bash
@ -52,4 +40,4 @@ runs:
        echo "CC=zig-cc" >> $GITHUB_ENV
        echo "CXX=zig-c++" >> $GITHUB_ENV
        echo "AR=zig ar" >> $GITHUB_ENV
-        echo "RANLIB=zig ranlib" >> $GITHUB_ENV
+        echo "RANLIB=zig ranlib" >> $GITHUB_ENV
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -16,19 +16,17 @@ concurrency:
 jobs:
  build-libs-linux:
    name: build-libs-linux-${{ matrix.arch }} 😁 (${{ matrix.name }})
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    strategy:
      fail-fast: false
      matrix:
        arch: [amd64, arm64]
-        name: [system_deps, bundled_deps, system_deps_minimal, sanitizers, zig]
+        name: [system_deps, bundled_deps, sanitizers, zig]
        include:
          - name: system_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
          - name: bundled_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True
-          - name: system_deps_minimal
-            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
          - name: sanitizers
            cmake_opts: -DUSE_ASAN=On -DUSE_UBSAN=On -DUSE_BUNDLED_DEPS=False
          - name: zig
@ -38,7 +36,9 @@ jobs:
    steps:
      - name: Install deps ⛓️
        run: |
-          apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
+          # Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
+          printf "deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main\ndeb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main\ndeb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main" > /etc/apt/sources.list
+          apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}

      - name: Install a recent version of CMake ⛓️
        run: |
@ -74,6 +74,13 @@ jobs:
          KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
          make run-unit-tests

+      - name: Test sinsp-example and .scap files
+        run: |
+          cd build && make sinsp-example
+          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google.txt
+          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google_comments.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google_comments.txt
+          diff -u /tmp/curl_google.txt /tmp/curl_google_comments.txt
+
      # On zig, build also sinsp-example and check the glibc linked versions
      # to make sure we are actually using the correct glibc version.
      - name: Test zig build glibc version
@ -128,13 +135,13 @@ jobs:
      - name: Install deps ⛓️
        run: |
          sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
          sudo .github/install-deps.sh

      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
          make -j4
          make run-unit-tests

@ -147,7 +154,7 @@ jobs:
        run: |
          cd userspace/libsinsp/examples
          export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
-          g++ -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)
+          g++ -o sinsp-example *.cpp $(pkg-config --cflags --libs libsinsp)

      - name: Test sinsp-example runtime linker
        run: |
@ -174,7 +181,7 @@ jobs:
      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DMINIMAL_BUILD=ON -DENABLE_THREAD_POOL=ON ..
+          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DENABLE_THREAD_POOL=ON ..
          cmake --build . --config Release --parallel 4 && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe

  build-shared-libs-macos-amd64:
@ -193,7 +200,7 @@ jobs:
      - name: Build 🏗️
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DMINIMAL_BUILD=ON -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
          cmake --build . --config Release --parallel $(getconf _NPROCESSORS_ONLN)

      - name: Install
@ -251,92 +258,11 @@ jobs:
          diff -u expected_ldd_out.txt ldd_out.txt

  run-e2e-tests-amd64:
-    name: run-e2e-tests-amd64
-    strategy:
-      fail-fast: false
-      matrix:
-        name: [system_deps, bundled_deps, asan]
-        include:
-          - name: system_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=False
-          - name: bundled_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=True
-          - name: asan
-            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install deps ⛓️
-        run: |
-          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
-            ca-certificates \
-            cmake \
-            build-essential \
-            clang-14 llvm-14 \
-            git \
-            clang \
-            llvm \
-            pkg-config \
-            autoconf \
-            automake \
-            libtool \
-            libelf-dev \
-            wget \
-            libc-ares-dev \
-            libbpf-dev \
-            libcap-dev \
-            libcurl4-openssl-dev \
-            libssl-dev \
-            libtbb-dev \
-            libjq-dev \
-            libjsoncpp-dev \
-            libgrpc++-dev \
-            protobuf-compiler-grpc \
-            libgtest-dev \
-            libprotobuf-dev \
-            "linux-headers-$(uname -r)"
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+    uses: ./.github/workflows/reusable_e2e_tests.yaml
+    with:
+      libsversion: ${{ github.sha }}
+    secrets: inherit

-      - name: Checkout Libs ⤵️
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Fix kernel mmap rnd bits
-        # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
-        # high-entropy ASLR in much newer kernels that GitHub runners are
-        # using leading to random crashes: https://reviews.llvm.org/D148280
-        run: sudo sysctl vm.mmap_rnd_bits=28
-
-      - name: Install deps ⛓️
-        run: |
-          sudo .github/install-deps.sh
-
-      - name: Build and test 🏗️🧪
-        env:
-          # This avoids random failures on CI.
-          # (https://github.com/google/sanitizers/issues/1322#issuecomment-699946942)
-          ASAN_OPTIONS: intercept_tls_get_addr=0
-        run: |
-          mkdir -p build && cd build
-          cmake -DBUILD_BPF=ON \
-                -DBUILD_LIBSCAP_MODERN_BPF=ON \
-                -DBUILD_LIBSCAP_GVISOR=OFF \
-                ${{ matrix.cmake_opts }} \
-                -DUSE_BUNDLED_LIBBPF=ON \
-                ..
-          make -j$(nproc) sinsp-example driver bpf
-          sudo -E make e2e-install-deps
-          sudo -E ../test/e2e/scripts/run_tests.sh
-
-      - name: Archive test reports
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: failure()
-        with:
-          name: ${{ matrix.name }}_report
-          path: |
-            /tmp/report/

  build-libs-emscripten:
    name: build-libs-emscripten 🧐
--- a/.github/workflows/driverkit.yml
+++ b/.github/workflows/driverkit.yml
@ -55,7 +55,7 @@ jobs:
            kernelrelease: 6.4.1-1.el9.elrepo.aarch64
            target: centos
            kernelurls: https://download.falco.org/fixtures/libs/kernel-ml-devel-6.4.1-1.el9.elrepo.aarch64.rpm
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
    container:
      image: falcosecurity/driverkit:latest
    steps:
--- a/.github/workflows/drivers_ci.yml
+++ b/.github/workflows/drivers_ci.yml
@ -39,7 +39,7 @@ jobs:
  # This job run all engine tests and scap-open
  test-scap:
    name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
    needs: paths-filter
    strategy:
      matrix:
@ -73,7 +73,7 @@ jobs:
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On -DUSE_ASAN=On -DUSE_UBSAN=On ../
          make scap-open driver bpf libscap_test -j6

      - name: Run scap-open with modern bpf 🏎️
@ -102,9 +102,16 @@ jobs:
          cd build
          sudo ./test/libscap/libscap_test

+      - name: Validate scap-open with modern bpf
+        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
+        uses: Andreagit97/bpfvalidator@v0.3.0
+        with:
+          args: |
+            --config=$GITHUB_WORKSPACE/driver/modern_bpf/bpfvalidator_config.yaml --cmd="$GITHUB_WORKSPACE/build/libscap/examples/01-open/scap-open --modern_bpf --num_events 10"
+
  test-drivers:
    name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    needs: paths-filter
    strategy:
      matrix:
@ -170,7 +177,7 @@ jobs:

      - name: Build and test drivers on ppc64le node via ssh
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
+        uses: appleboy/ssh-action@2ead5e36573f08b82fbfce1504f1a4b05a647c6f # v1.2.2
        with:
          host: ${{ secrets.PPC64LE_HOST }}
          username: ${{ secrets.PPC64LE_USERNAME }}
@ -180,10 +187,12 @@ jobs:
          command_timeout: 60m
          script: |
            sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+            # Remove, if present, any libs clone created by a previous job run.
+            rm -rf libs
            git clone -b $GIT_BRANCH $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git libs
            cd libs
            mkdir -p build
-            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
+            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF -DUSE_BUNDLED_LIBELF=OFF ../
            make drivers_test driver bpf -j6
            sudo ./test/drivers/drivers_test -m
            rc_modern=$?
@ -204,7 +213,7 @@ jobs:
        with:
          fetch-depth: 0

-      - uses: uraimo/run-on-arch-action@5397f9e30a9b62422f302092631c99ae1effcd9e # v2.8.1
+      - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
        name: Run s390x build 🏗️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        with:
@ -213,15 +222,16 @@ jobs:
          githubToken: ${{ github.token }}

          install: |
-            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic
+            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev libcap-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-generic
            git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
            cd bpftool
            git submodule update --init
            cd src && make install
            cd ../../
            git clone https://github.com/libbpf/libbpf.git --branch v1.3.0 --single-branch
-            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install
+            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install install_uapi_headers 
            ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/
+            ln -s /usr/include/bpf /usr/include/s390x-linux-gnu/
          # Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
          run: |
            git config --global --add safe.directory $GITHUB_WORKSPACE
@ -235,7 +245,7 @@ jobs:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: 'ubuntu-latest'
    if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-    container: fedora:latest
+    container: fedora:41
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build dependencies
@ -252,7 +262,7 @@ jobs:
          make ProbeSkeleton -j6

      - name: Upload skeleton
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: bpf_probe_x86_64.skel.h
          path: skeleton-build/skel_dir/bpf_probe.skel.h
@ -277,7 +287,7 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download skeleton
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: bpf_probe_x86_64.skel.h
          path: /tmp
@ -319,13 +329,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download X64 matrix
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_X64
          path: matrix_X64

      - name: Download ARM64 matrix
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_ARM64
          path: matrix_ARM64
@ -345,7 +355,7 @@ jobs:
          echo ""

      - name: Upload PR info as artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: pr-kernel-testing
          path: pr/
--- a/.github/workflows/e2e_ci.yml
+++ b/.github/workflows/e2e_ci.yml
@ -15,7 +15,7 @@ concurrency:
 jobs:
  build-test-e2e:
    name: build-test-e2e-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    strategy:
      matrix:
        arch: [amd64, arm64]
@ -35,7 +35,6 @@ jobs:
            clang \
            llvm \
            git \
-            clang \
            ccache \
            llvm \
            pkg-config \
@ -44,18 +43,14 @@ jobs:
            libtool \
            libelf-dev \
            wget \
-            libc-ares-dev \
            libbpf-dev \
            libcap-dev \
-            libcurl4-openssl-dev \
-            libssl-dev \
            libtbb-dev \
            libjq-dev \
            libjsoncpp-dev \
-            libgrpc++-dev \
-            protobuf-compiler-grpc \
            libgtest-dev \
            libprotobuf-dev \
+            protobuf-compiler \
            linux-headers-$(uname -r)
          sudo .github/install-deps.sh
          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
@ -69,7 +64,7 @@ jobs:
          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib

      - name: Run sccache-cache
-        uses: mozilla-actions/sccache-action@054db53350805f83040bf3e6e9b8cf5a139aa7c9 # v0.0.7
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9

      - name: Build e2e tests 🏗️
        env:
@ -95,7 +90,7 @@ jobs:
          cd ..

      - name: Cache build
-        uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        if: always()
        id: cache
        with:
@ -105,7 +100,7 @@ jobs:
  test-e2e:
    name: test-e2e-${{ matrix.arch }}-${{ matrix.driver.name }} 😇 (bundled_deps)
    needs: [build-test-e2e]
-    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    strategy:
      matrix:
        arch: [amd64, arm64]
@ -119,7 +114,7 @@ jobs:

      - name: Restore build
        id: cache
-        uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: build
          key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
@ -171,4 +166,4 @@ jobs:
          UBSAN_OPTIONS: print_stacktrace=1
        run: |
          cd build/test/libsinsp_e2e/
-          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok
+          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@ -32,7 +32,7 @@ jobs:

      - name: Upload the git diff artifact 📦
        if: failure()
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: format_diff.patch
          path: ./format_diff.patch
--- a/.github/workflows/latest-kernel.yml
+++ b/.github/workflows/latest-kernel.yml
@ -44,7 +44,7 @@ jobs:
          echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT

      - name: Upload driverkit config
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: driverkit_config.yaml
          path: linux/dk.yaml
@ -56,16 +56,19 @@ jobs:
    runs-on: 'ubuntu-latest'
    steps:
      - name: Download driverkit config
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: driverkit_config.yaml

      - name: Download latest driverkit artifact
-        uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
        with:
-          name: driverkit-amd64
-          workflow: release.yml
-          repo: falcosecurity/driverkit
+          fileName: driverkit_*_linux_amd64.tar.gz
+          latest: true
+          repository: falcosecurity/driverkit
+          tarBall: false
+          zipBall: false
+          extract: true

      - name: Test drivers build
        id: build
@ -78,19 +81,22 @@ jobs:
    needs: 'compute-latest-version'
    outputs:
      build: ${{ steps.build.outcome }}
-    runs-on: 'github-arm64-2c-8gb'
+    runs-on: 'ubuntu-22.04-arm'
    steps:
      - name: Download driverkit config
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: driverkit_config.yaml

      - name: Download latest driverkit artifact
-        uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
        with:
-          name: driverkit-arm64
-          workflow: release.yml
-          repo: falcosecurity/driverkit
+          fileName:  driverkit_*_linux_arm64.tar.gz
+          latest: true
+          repository: falcosecurity/driverkit
+          tarBall: false
+          zipBall: false
+          extract: true

      - name: Test drivers build
        id: build
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@ -28,7 +28,7 @@ jobs:
        uses: ./.github/actions/composite-perf

      - name: Archive master perf report
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: perf_report
          retention-days: 30 # 30 days because this is the artifact on master; we need to retain it to be able to properly diff it
@ -72,7 +72,7 @@ jobs:
          rm -rf stacks.txt

      - name: Upload svg files
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: perf_svg
          path: '*.svg'
@ -88,7 +88,7 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download matrix X64
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_X64

@ -96,7 +96,7 @@ jobs:
        run: mv matrix.md docs/matrix_X64.md

      - name: Download matrix ARM64
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_ARM64

@ -109,7 +109,7 @@ jobs:
          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_ARM64.md

      - name: Download perf svg files
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: perf_svg

@ -128,7 +128,7 @@ jobs:
          echo '<object data="../heaptrack_scap.svg" type="image/svg+xml" id="heaptrack_scap_file"></object>' > docs/heaptrack_scap_file.md
          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_scap_file.md

-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: 3.x

--- a/.github/workflows/perf.yml
+++ b/.github/workflows/perf.yml
@ -27,7 +27,7 @@ jobs:
        uses: ./.github/actions/composite-perf

      - name: Download latest master report
-        uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
        with:
          branch: master
          event: push
@ -56,7 +56,7 @@ jobs:
          python3 google-benchmark/tools/compare.py --no-color benchmarks gbench_data.json ${{ steps.perf.outputs.gbench_json }} &> gbench_diff.txt

      - name: Archive perf diff
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: perf_diff
          path: '*_diff.txt'
@ -96,7 +96,7 @@ jobs:
          echo ""

      - name: Upload PR info as artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: pr-perf
          path: pr/
--- a/.github/workflows/release-body.yml
+++ b/.github/workflows/release-body.yml
@ -98,7 +98,7 @@ jobs:
          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md

      - name: Release
-        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
        with:
          body_path: ./release-body.md
          tag_name: ${{ github.event.release.tag_name }}
@ -135,8 +135,29 @@ jobs:
          echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md
          echo "" >> release-body.md

+      - name: Push badge to latest kernel release
+        run: |
+          wget https://gist.githubusercontent.com/FedeDP/1cbc5d42edf8e3a02fb75e76625f1072/raw/kernel.json
+          # 6.15-rc2 -> 6.15
+          # 6.10.6 -> 6.10
+          # 6.10 -> 6.10
+          KVER=$(cat kernel.json | jq '.message' | tr -d '"' | grep -oE -- '[0-9]+.[0-9]+')
+          SUCCESS=$(cat kernel.json | jq '.color' | tr -d '"')
+          # If latest run was not successful,
+          # revert back to previous kernel release.
+          # Of course, the fallback logic is bugged in case minor is 0,
+          # as we cannot know which was the previous version.
+          # It should not matter until kernel 7.0 :P
+          if [[ "$SUCCESS" = "red" ]]; then
+            n=${KVER//[!0-9]/ }
+            a=(${n//\./ })
+            KVER=$(echo "${a[0]}.$((a[1] - 1))")
+          fi
+          echo '!'"[Latest Compatible Kernel](https://img.shields.io/badge/KERNEL-${KVER}-brightgreen)" >> release-body.md
+          echo "" >> release-body.md
+
      - name: Download matrix X64
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_X64

@ -144,7 +165,7 @@ jobs:
        run: mv matrix.md matrix_X64.md

      - name: Download matrix ARM64
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: matrix_ARM64

@ -182,7 +203,7 @@ jobs:
          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md

      - name: Release
-        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
        with:
          body_path: ./release-body.md
          tag_name: ${{ github.event.release.tag_name }}
--- a/.github/workflows/reusable_e2e_tests.yaml
+++ b/.github/workflows/reusable_e2e_tests.yaml
@ -0,0 +1,137 @@
+name: Run libs e2e tests python framework
+
+on:
+  workflow_call:
+    inputs:
+      container_plugin_artifact_name:
+        description: 'use a previously built custom container plugin; artifact name to be downloaded, or empty'
+        type: string
+        required: false
+        default: ''
+      test-docker:
+        description: "Whether to run tests with docker socket"
+        type: boolean
+        required: false
+        default: true
+      test-podman:
+        description: "Whether to run tests with podman socket"
+        type: boolean
+        required: false
+        default: true
+      libsversion:
+        description: 'libs version to be tested, eg: master'
+        type: string
+        required: false
+        default: 'master'
+      libsrepo:
+        description: 'libs repo to be tested, eg: falcosecurity/libs'
+        type: string
+        required: false
+        default: 'falcosecurity/libs'
+
+jobs:
+  test-e2e:
+    if: inputs.test-docker || inputs.test-podman
+    strategy:
+      fail-fast: false
+      matrix:
+        name: [ system_deps, bundled_deps, asan ]
+        include:
+          - name: system_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=False
+          - name: bundled_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=True
+          - name: asan
+            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install deps ⛓️
+        run: |
+          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
+            ca-certificates \
+            cmake \
+            build-essential \
+            git \
+            clang \
+            llvm \
+            pkg-config \
+            autoconf \
+            automake \
+            libtool \
+            libelf-dev \
+            wget \
+            libbpf-dev \
+            libcap-dev \
+            libtbb-dev \
+            libjq-dev \
+            libjsoncpp-dev \
+            libgtest-dev \
+            libprotobuf-dev \
+            protobuf-compiler \
+            "linux-headers-$(uname -r)"
+
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          repository: ${{ inputs.libsrepo }}
+          ref: ${{ inputs.libsversion }}
+
+      - name: Install deps ⛓️
+        run: |
+          sudo .github/install-deps.sh
+
+      - name: Build tests 🏗️
+        run: |
+          mkdir -p build && cd build
+          cmake -DBUILD_BPF=ON \
+                -DBUILD_LIBSCAP_MODERN_BPF=ON \
+                -DBUILD_LIBSCAP_GVISOR=OFF \
+                -DENABLE_E2E_TESTS=ON \
+                ${{ matrix.cmake_opts }} \
+                -DUSE_BUNDLED_LIBBPF=ON \
+                ..
+          make -j$(nproc) sinsp-example driver bpf container_plugin
+          sudo -E make e2e-install-deps
+
+      - name: Download overriding custom container plugin
+        if: inputs.container_plugin_artifact_name != ''
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: ${{ inputs.container_plugin_artifact_name }}
+          path: build/test/e2e/container_plugin-prefix/src/container_plugin/
+
+      - name: Run tests - docker 🧪
+        if: inputs.test-docker
+        working-directory: build
+        run: |
+          sudo -E ../test/e2e/scripts/run_tests.sh
+
+      - name: Archive test reports - docker
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: inputs.test-docker && failure()
+        with:
+          name: ${{ matrix.name }}_docker_report
+          path: |
+            /tmp/report/
+
+      - name: Run tests - podman 🧪
+        if: inputs.test-podman && always()
+        working-directory: build
+        env:
+          # Set DOCKER_HOST pointing to podman socket
+          DOCKER_HOST: unix://run/podman/podman.sock
+        run: |
+          # Cleanup docker tests generated report folder
+          sudo rm -rf /tmp/report
+          # Podman tests require podman socket
+          sudo systemctl start podman
+          sudo -E ../test/e2e/scripts/run_tests.sh
+
+      - name: Archive test reports - podman
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: inputs.test-podman && failure()
+        with:
+          name: ${{ matrix.name }}_podman_report
+          path: |
+            /tmp/report/
--- a/.github/workflows/reusable_kernel_tests.yaml
+++ b/.github/workflows/reusable_kernel_tests.yaml
@ -47,12 +47,12 @@ jobs:
          libsrepo: ${{ inputs.libsrepo }}
          build_matrix: 'true'

-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ansible_output_${{matrix.architecture}}
          path: ${{ steps.kernel_tests.outputs.ansible_output }}

-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: matrix_${{matrix.architecture}}
          path: ${{ steps.kernel_tests.outputs.matrix_output }}
--- a/.github/workflows/test_coverage_ci.yml
+++ b/.github/workflows/test_coverage_ci.yml
@ -22,7 +22,7 @@ jobs:

      - name: Install deps ⛓️
        run: |
-          sudo apt-get update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-$(uname -r) gpg gpg-agent gcovr
+          sudo apt-get update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r) gpg gpg-agent gcovr
          sudo .github/install-deps.sh

      - name: Build and test 🏗️🧪
@ -37,7 +37,7 @@ jobs:
          gcovr --xml -o ./libsinsp.coverage.xml

      - name: Upload to codecov
-        uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          fail_ci_if_error: true
          files: ./libsinsp.coverage.xml
--- a/.github/workflows/update-syscalls.yml
+++ b/.github/workflows/update-syscalls.yml
@ -24,7 +24,7 @@ jobs:
          repo-root: ${{ github.workspace }}/libs

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          path: libs
          signoff: true
--- a/.gitignore
+++ b/.gitignore
@ -28,3 +28,4 @@ cscope.out
 tags
 third_party
 *.vagrant*
+.DS_Store
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -53,18 +53,15 @@ endif()
 project(falcosecurity-libs)

 option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
-option(MINIMAL_BUILD
-	   "Produce a minimal build with only the essential features (no container metadata)" OFF
-)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 option(USE_BUNDLED_DRIVER
 	   "Use the driver/ subdirectory in the build process (only available in Linux)" ON
 )
+option(ENABLE_E2E_TESTS "Enable e2e tests" OFF)
 option(ENABLE_DRIVERS_TESTS "Enable driver tests (bpf, kernel module, modern bpf)" OFF)
 option(ENABLE_LIBSCAP_TESTS "Enable libscap unit tests" OFF)
 option(ENABLE_LIBSINSP_E2E_TESTS "Enable libsinsp e2e tests" OFF)
 option(BUILD_SHARED_LIBS "Build libscap and libsinsp as shared libraries" OFF)
-option(ENABLE_VM_TESTS "Enable driver sanity tests" OFF)
 option(USE_ASAN "Build with AddressSanitizer" OFF)
 option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
 option(USE_TSAN "Build with ThreadSanitizer" OFF)
@ -129,7 +126,9 @@ if(CREATE_TEST_TARGETS)
 	# ctest's add_test because it will build the code and output to stdout.
 	add_custom_target(run-unit-tests COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp)

-	add_subdirectory(test/e2e)
+	if(ENABLE_E2E_TESTS)
+		add_subdirectory(test/e2e)
+	endif()

 	if(ENABLE_DRIVERS_TESTS)
 		add_subdirectory(test/drivers)
@ -145,10 +144,6 @@ if(CREATE_TEST_TARGETS)
 		add_subdirectory(test/libsinsp_e2e/resources)
 	endif()

-	if(ENABLE_VM_TESTS)
-		add_subdirectory(test/vm)
-	endif()
-
 endif()

 option(ENABLE_BENCHMARKS "Enable Benchmarks" OFF)
--- a/CMakePresets.json
+++ b/CMakePresets.json
@ -33,13 +33,13 @@
 		{
 			"name": "sinsp-minimal",
 			"inherits": "base",
-			"displayName": "Build sinsp in minimal build",
-			"description": "Build sinsp in minimal build with its tests",
+			"displayName": "Build minimal sinsp",
+			"description": "Build sinsp without gvisor and protobuf deps",
 			"binaryDir": "${sourceDir}/build-sinsp-minimal",
 			"cacheVariables": {
 				"USE_BUNDLED_DEPS": "ON",
+				"BUILD_LIBSCAP_GVISOR": "OFF",
 				"CREATE_TEST_TARGETS": "ON",
-				"MINIMAL_BUILD": "ON",
 				"SCAP_FILES_SUITE_ENABLE": "OFF"
 			}
 		}
--- a/3
+++ b/3
@ -7,10 +7,11 @@ approvers:
  - molter73
  - lucaguerra
  - jasondellaluce
-  - incertum
+  - ekoops
 reviewers:
  - hbrueckner
 emeritus_approvers:
  - fntlnz
  - leodido
  - ldegio
+  - incertum
--- a/README.md
+++ b/README.md
@ -11,7 +11,7 @@ This repository contains **libsinsp**, **libscap**, the **kernel module** and th

 These components are at the foundation of [Falco](https://github.com/falcosecurity/falco) and other projects that work with the same kind of data.

-This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to the [official documentation](https://falco.org/docs/).
+This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to Falco's [official documentation](https://falco.org/docs/).

 An image is worth a thousand words, they say:

@ -104,13 +104,13 @@ If you are building this project outside of a Git working directory, or if you w
 <details>
 	<summary>Expand Build Instructions</summary>

-For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in the [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
+For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in Falco's [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.

 The project utilizes the `cmake` build system, and the key `make` targets are as follows: 

 * `driver` -> build the kmod
-* `bpf` -> build the eBPF probe
-* `scap` -> build libscap (`modern_bpf` driver will be bundled into `scap` if enabled)
+* `bpf` -> build the legacy `ebpf` probe
+* `scap` -> build libscap (`modern_ebpf` driver will be bundled into `scap` if enabled)
 * `sinsp` -> build libsinsp (depends upon `scap` target)
 * `scap-open` -> build a small example binary for `libscap` to test the drivers (dependent on `scap`)
 * `sinsp-example` -> build a small example binary for `libsinsp` to test the drivers and/or `libsinsp` functionality (dependent on `scap` and `sinsp`)
@ -135,7 +135,7 @@ make sinsp

 ### Build userspace using system deps

-To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to the [official documentation](https://falco.org/docs/install-operate/source/).
+To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to Falco's [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 cmake -DUSE_BUNDLED_DEPS=OFF ../;
@ -146,29 +146,27 @@ make sinsp

 ### Build driver - kmod

-To build the kmod driver, you need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
+To build the kmod driver, you need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 make driver
-# Verify the kmod object code was created, uses `.ko` extension.
+# Verify the kmod binary object file was created, uses `.ko` extension.
 ls -l driver/src/scap.ko;
 ```

 ### Build driver - eBPF probe

-To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
+To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 cmake -DBUILD_BPF=ON ../;
 make bpf
-# Verify the eBPF object code was created, uses `.o` extension.
+# Verify the eBPF bytecode file was created, uses `.o` extension.
 ls -l driver/bpf/probe.o;
 ```

 >__WARNING__: **clang-7** is the oldest supported version to build our BPF probe.

-Initial guidance for CI and building within containers: To build either the kmod or eBPF probe in a container, you will need to make the extracted kernel headers available. The [test/vm](test/vm/) directory contains example [scripts](test/vm/scripts/compile_drivers.sh) demonstrating how to pass them to the `make` command using the argument `KERNELDIR=${EXTRACTED_KERNEL_HEADERS_DIR}`. You can also use the [falcosecurity/driverkit](https://github.com/falcosecurity/driverkit) or explore the scripts within the driverkit repository. The mentioned resources also provide candidate builder containers.
-
 ### Build driver - modern eBPF probe

 To build the modern eBPF probe, further prerequisites are necessary:
@ -193,13 +191,13 @@ To build the modern eBPF probe, further prerequisites are necessary:

 > __NOTE:__ These are not the requirements to use the modern BPF probe, but rather for building it from source.

-Regarding the previously discussed bpf drivers, they create a kernel-specific object code (`driver/bpf/probe.o`) for your machine's kernel release (`uname -r`). This object code is then used as an argument for testing with `scap-open` and `sinsp-example` binaries.
+Regarding the previously discussed legacy eBPF driver, it generates kernel-specific bytecode (`driver/bpf/probe.o`) tailored to your machine's kernel release (`uname -r`). The location of the bytecode file can then be passed as an argument for testing with the `scap-open` and `sinsp-example` binaries.

-However, the modern BPF driver operates differently. It doesn't require kernel headers, and its build isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8.
+However, the modern eBPF driver build process doesn't require kernel headers, and it isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern eBPF driver.

-To comprehend how the driver understands kernel data structures without knowledge of the kernel it runs on, there's no black magic involved. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file in our project containing all necessary kernel data structure definitions. Additionally, we sometimes rely on macros or functions typically found in system header files, which we redefine in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h).
+CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8. The way the driver interprets kernel data structures without direct knowledge of the running kernel is not magic — it leverages predefined type information and BTF-based relocations. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file containing essential kernel data structure definitions, allowing the eBPF program to reference fields dynamically. Additionally, for cases where macros or functions from system headers are required, we redefine them in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h). Combined with CO-RE (Compile Once, Run Everywhere), this enables the driver to remain portable across different kernel versions.
 
-That being said, the modern BPF driver still produces an object file, which you can create using the target below. Nevertheless, we ultimately include it in `scap` regardless. Hence, when modern BPF is enabled, building `scap` will already cover this step for you.
+The modern eBPF driver build process produces an eBPF header skeleton file using `bpftool`. The skeleton file is a C header file that embeds the compiled eBPF program as bytecode.

 ```bash
 cmake \
@ -207,13 +205,15 @@ cmake \
 -DBUILD_LIBSCAP_MODERN_BPF=ON ../;

 make ProbeSkeleton
-# Verify the modern eBPF object code / final composed header file including all `.o` modern_bpf files was created, uses `.h` extension.
+# Verify the modern eBPF bytecode / final composed header file including all `.o` modern_ebpf files was created, uses `.h` extension.
 ls -l skel_dir/bpf_probe.skel.h;
 # Now includes skel_dir/bpf_probe.skel.h in `scap` during the linking process.
 make scap
 ```

-Initial guidance for CI and building within containers: The Falco Project, for instance, compiles the final Falco userspace binary within older centos7 [falco-builder](https://falco.org/docs/install-operate/source/#build-using-falco-builder-container) containers with bundled dependencies. This ensures compatibility across supported systems, mainly due to GLIBC versions and other intricacies. However, you won't be able to compile the modern BPF driver on such old systems or builder containers. One solution is to build `skel_dir/bpf_probe.skel.h` in a more recent builder container. For example, you can refer to this [container](test/vm/containers/ubuntu2310.Dockerfile) as a guide. Subsequently, you can provide the modern BPF header file as an artifact to `scap` during building in an older builder container. As an illustrative example, we use `/tmp/skel-dir` containing the `bpf_probe.skel.h` file.
+Since modern eBPF is included in `scap`, running `make scap` automatically covers the `make ProbeSkeleton` build step.
+
+You can also split the build process and specify the directory containing the `bpf_probe.skel.h` file.

 ```bash
 cmake \
@ -243,7 +243,7 @@ This repository includes convenient test example binaries for both `scap` and `s

 When developing new features, you would run either one depending on what you're working on, in order to test and validate your changes.

-> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern BPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
+> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern eBPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.

 Here's an example of a `cmake` command that will enable everything you need for all tests and components. By default, the following flags are disabled, with the exception of `USE_BUNDLED_DEPS` and `CREATE_TEST_TARGETS` (they are enabled by default).

@ -259,8 +259,7 @@ cmake \
 -DCREATE_TEST_TARGETS=ON \
 -DENABLE_LIBSCAP_TESTS=ON \
 -DENABLE_DRIVERS_TESTS=ON \
-DENABLE_LIBSINSP_E2E_TESTS=ON \
-DENABLE_VM_TESTS=ON ../;
+-DENABLE_LIBSINSP_E2E_TESTS=ON ../;
 ```

 > __NOTE:__ The `ENABLE_LIBSINSP_E2E_TESTS` flag enables the new e2e tests for libsinsp. Please keep in mind these tests are currently in heavy development and need some extra steps (see in the section below) to run correctly.
@ -302,9 +301,10 @@ sudo ./test/drivers/drivers_test -m;
 The tests mentioned below expand beyond the scope of "unit tests". In this context as well, we are dedicated to making sure they run smoothly on your `localhost` for pre-PR testing, to the best of our ability:

 - [test/e2e](test/e2e) - enforced by our CI
- [test/vm](test/vm) - our CI includes comparable tests, but it employs a distinct framework. For current status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).

-As mentioned earlier, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
+For current status reports on the CI powered Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
+
+In general, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.

 ### [EXPERIMENTAL] Run libsinsp e2e tests

--- a/benchmark/libsinsp/utils.cpp
+++ b/benchmark/libsinsp/utils.cpp
@ -53,19 +53,3 @@ static void BM_sinsp_concatenate_paths_absolute_path(benchmark::State& state) {
 	}
 }
 BENCHMARK(BM_sinsp_concatenate_paths_absolute_path);
-
-static void BM_sinsp_split_container_image(benchmark::State& state) {
-	for(auto _ : state) {
-		std::string container_image =
-		        "localhost:12345/library/"
-		        "busybox:1.27.2@sha256:da39a3ee5e6b4b0d3255bfef95601890afd80709";
-		std::string hostname, port, name, tag, digest;
-		sinsp_utils::split_container_image(container_image, hostname, port, name, tag, digest);
-		benchmark::DoNotOptimize(hostname);
-		benchmark::DoNotOptimize(port);
-		benchmark::DoNotOptimize(name);
-		benchmark::DoNotOptimize(tag);
-		benchmark::DoNotOptimize(digest);
-	}
-}
-BENCHMARK(BM_sinsp_split_container_image);
--- a/cmake/modules/BuildPkgConfigDependencies.cmake
+++ b/cmake/modules/BuildPkgConfigDependencies.cmake
@ -3,6 +3,7 @@
 # libsinsp.pc (which requires libscap.pc and pulls them in that way)
 function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)

+	message(DEBUG "[add_pkgconfig_library] processing lib \"${lib}\"")
 	# if it's not a target, it doesn't have dependencies we know or care about
 	if(NOT TARGET ${lib})
 		return()
@ -14,14 +15,26 @@ function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
 		return()
 	endif()

+	message(DEBUG "[add_pkgconfig_library] LINK_LIBRARIES property: \"${PKGCONFIG_LIBRARIES}\"")
+
 	get_property(
 		target_type
 		TARGET ${lib}
 		PROPERTY TYPE
 	)
+	message(DEBUG "[add_pkgconfig_library] ignored list: \"${ignored}\"")
 	foreach(dep ${PKGCONFIG_LIBRARIES})
-		# ignore dependencies in the list ${ignored}
-		if(${dep} IN_LIST "${ignored}")
+		# XXX: We use a (very) loose match as we are potentially comparing absolute library file
+		# names (dep) to pkg-config library names to be ignored.  The only alternative I can think
+		# of would be to maintain a map associating pkg-config names to their library file name.
+		get_filename_component(dep_base ${dep} NAME_WE)
+		string(REGEX REPLACE "^lib" "" dep_name ${dep_base})
+		# For CMake imported targets, keep only the suffix, e.g. gRPC::grpc -> grpc.
+		string(REGEX REPLACE "[^:]*::" "" dep_name ${dep_base})
+		message(DEBUG "[add_pkgconfig_library] processing dep ${dep}")
+		string(FIND "${ignored}" "${dep_name}" find_result)
+		if(NOT ${find_result} EQUAL -1)
+			message(DEBUG "[add_pkgconfig_library] \"${dep}\" ignored")
 			continue()
 		endif()

@ -34,7 +47,7 @@ function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
 					TARGET ${dep}
 					PROPERTY TYPE
 				)
-				if(${dep_target_type} STREQUAL "STATIC_LIBRARY")
+				if(NOT ${dep_target_type} STREQUAL "SHARED_LIBRARY")
 					continue()
 				endif()
 			else()
@ -52,6 +65,27 @@ function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
 			if(NOT TARGET ${dep})
 				get_filename_component(filename ${dep} NAME)
 				set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
+			else()
+				get_property(
+					dep_target_type
+					TARGET ${dep}
+					PROPERTY TYPE
+				)
+				if(${dep_target_type} STREQUAL "OBJECT_LIBRARY")
+					# skip object libraries
+					continue()
+				endif()
+
+				# if the library is imported, use the IMPORTED_LOCATION instead
+				get_property(
+					dep_imported_location
+					TARGET ${dep}
+					PROPERTY IMPORTED_LOCATION
+				)
+				if(NOT ${dep_imported_location} STREQUAL "")
+					get_filename_component(filename ${dep_imported_location} NAME)
+					set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
+				endif()
 			endif()
 		endif()

--- a/cmake/modules/CompilerFlags.cmake
+++ b/cmake/modules/CompilerFlags.cmake
@ -33,11 +33,6 @@ if(NOT MSVC)
 	set(FALCOSECURITY_LIBS_COMMON_FLAGS "-Wall -ggdb")
 	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "-Og -D_DEBUG")
 	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "-O3 -fno-strict-aliasing -DNDEBUG")
-
-	if(MINIMAL_BUILD)
-		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -DMINIMAL_BUILD")
-	endif()
-
 	if(MUSL_OPTIMIZED_BUILD)
 		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -static -Os")
 	endif()
@ -121,10 +116,8 @@ if(NOT MSVC)
 	add_definitions(-D__STDC_FORMAT_MACROS)

 else() # MSVC
-	set(MINIMAL_BUILD ON)
-
 	set(FALCOSECURITY_LIBS_COMMON_FLAGS
-		"-D_CRT_SECURE_NO_WARNINGS -DWIN32 -DMINIMAL_BUILD /EHsc /W3 /Zi /std:c++17"
+		"-D_CRT_SECURE_NO_WARNINGS -DWIN32 /EHsc /W3 /Zi /std:c++17"
 	)
 	if(CMAKE_VERSION VERSION_LESS 3.15.0)
 		set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
--- a/cmake/modules/cares.cmake
+++ b/cmake/modules/cares.cmake
@ -1,76 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
-option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
-
-if(CARES_INCLUDE)
-	# we already have c-ares
-elseif(NOT USE_BUNDLED_CARES)
-	find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
-	find_library(CARES_LIB NAMES cares)
-	if(CARES_INCLUDE AND CARES_LIB)
-		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system c-ares")
-	endif()
-else()
-	if(BUILD_SHARED_LIBS)
-		set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(CARES_STATIC_OPTION "Off")
-	else()
-		set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(CARES_STATIC_OPTION "On")
-	endif()
-	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
-	set(CARES_INCLUDE "${CARES_SRC}/include/")
-	set(CARES_LIB "${CARES_SRC}/lib/libcares${CARES_LIB_SUFFIX}")
-
-	if(NOT TARGET c-ares)
-		message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
-		ExternalProject_Add(
-			c-ares
-			PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
-			URL "https://github.com/c-ares/c-ares/releases/download/v1.33.1/c-ares-1.33.1.tar.gz"
-			URL_HASH "SHA256=06869824094745872fa26efd4c48e622b9bd82a89ef0ce693dc682a23604f415"
-			BUILD_IN_SOURCE 1
-			CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-					   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-					   -DCARES_SHARED=${BUILD_SHARED_LIBS}
-					   -DCARES_STATIC=${CARES_STATIC_OPTION}
-					   -DCARES_STATIC_PIC=${ENABLE_PIC}
-					   -DCARES_BUILD_TOOLS=Off
-					   -DCARES_INSTALL=Off
-			BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
-			INSTALL_COMMAND ""
-		)
-		install(
-			FILES "${CARES_LIB}"
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			DIRECTORY "${CARES_INCLUDE}"
-			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-	endif()
-
-endif()
-
-if(NOT TARGET c-ares)
-	add_custom_target(c-ares)
-endif()
-
-include_directories("${CARES_INCLUDE}")
--- a/cmake/modules/container_plugin.cmake
+++ b/cmake/modules/container_plugin.cmake
@ -0,0 +1,44 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2025 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+include(ExternalProject)
+
+string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
+
+set(CONTAINER_LIBRARY
+	"${CMAKE_CURRENT_BINARY_DIR}/container_plugin-prefix/src/container_plugin/libcontainer.so"
+)
+
+if(NOT CONTAINER_VERSION)
+	set(CONTAINER_VERSION "0.3.4")
+endif()
+if(NOT CONTAINER_HASH)
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(CONTAINER_HASH "658f96c4b4a56d1bf945a788d60571076f808ae1bcc877c4ba3625b0fd752d8d")
+	else() # arm64
+		set(CONTAINER_HASH "34a153aca0164843a169193aba092a3063b24bca9ef80fd4f1d1f1919aba3bde")
+	endif()
+endif()
+if(NOT TARGET container_plugin)
+	message(STATUS "Fetching container plugin ${CONTAINER_VERSION} in '${CONTAINER_LIBRARY}'")
+	ExternalProject_Add(
+		container_plugin
+		URL "https://download.falco.org/plugins/stable/container-${CONTAINER_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+		URL_HASH "SHA256=${CONTAINER_HASH}"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+endif()
--- a/cmake/modules/curl.cmake
+++ b/cmake/modules/curl.cmake
@ -1,100 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
-option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
-
-include(openssl)
-include(zlib)
-
-if(CURL_INCLUDE_DIRS)
-	# we already have curl
-elseif(NOT USE_BUNDLED_CURL)
-	find_package(CURL REQUIRED)
-	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
-else()
-	if(BUILD_SHARED_LIBS)
-		set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(CURL_STATIC_OPTION)
-	else()
-		set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(CURL_STATIC_OPTION --disable-shared)
-	endif()
-	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-	set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
-	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
-
-	if(NOT USE_BUNDLED_OPENSSL)
-		set(CURL_SSL_OPTION "--with-ssl")
-	else()
-		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-		message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
-	endif()
-
-	if(NOT USE_BUNDLED_ZLIB)
-		set(CURL_ZLIB_OPTION "--with-zlib")
-	else()
-		set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
-		message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
-	endif()
-	message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-
-	if(NOT ENABLE_PIC)
-		set(CURL_PIC_OPTION)
-	else()
-		set(CURL_PIC_OPTION "--with-pic")
-	endif()
-
-	if(NOT TARGET curl)
-		ExternalProject_Add(
-			curl
-			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
-			DEPENDS openssl zlib
-			URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2"
-			URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76"
-			CONFIGURE_COMMAND
-				./configure ${CURL_SSL_OPTION} ${CURL_ZLIB_OPTION} ${CURL_STATIC_OPTION}
-				${CURL_PIC_OPTION} --enable-optimize --disable-curldebug --disable-rt --enable-http
-				--disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp
-				--disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb
-				--disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp
-				--without-winssl --without-polarssl --without-cyassl --without-nss --without-axtls
-				--without-librtmp --without-winidn --without-libidn2 --without-libpsl
-				--without-nghttp2 --without-libssh2 --with-ca-path=/etc/ssl/certs/
-				--disable-threaded-resolver --without-brotli --without-zstd
-			BUILD_COMMAND make
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${CURL_LIBRARIES}
-			INSTALL_COMMAND ""
-		)
-		install(
-			FILES "${CURL_LIBRARIES}"
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			DIRECTORY "${CURL_INCLUDE_DIRS}curl"
-			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-			FILES_MATCHING
-			PATTERN "*.h"
-		)
-	endif()
-endif()
-
-if(NOT TARGET curl)
-	add_custom_target(curl)
-endif()
-
-include_directories("${CURL_INCLUDE_DIRS}")
--- a/cmake/modules/engine_config.cmake
+++ b/cmake/modules/engine_config.cmake
@ -23,10 +23,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 endif()

 # gVisor is currently only supported on Linux x86_64
-if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64"
-   AND CMAKE_SYSTEM_NAME MATCHES "Linux"
-   AND NOT MINIMAL_BUILD
-)
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux")
 	option(BUILD_LIBSCAP_GVISOR "Build gVisor support" ON)
 	if(BUILD_LIBSCAP_GVISOR)
 		set(HAS_ENGINE_GVISOR On)
--- a/cmake/modules/grpc.cmake
+++ b/cmake/modules/grpc.cmake
@ -1,274 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
-option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
-
-if(GRPC_INCLUDE)
-	# we already have grpc
-elseif(NOT USE_BUNDLED_GRPC)
-	# gRPC
-	find_package(gRPC CONFIG)
-	if(gRPC_FOUND)
-		message(STATUS "Using gRPC ${gRPC_VERSION}")
-		set(GPR_LIB gRPC::gpr)
-		set(GRPC_LIB gRPC::grpc)
-		set(GRPCPP_LIB gRPC::grpc++)
-
-		# gRPC C++ plugin
-		get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
-		if(NOT GRPC_CPP_PLUGIN)
-			message(FATAL_ERROR "System grpc_cpp_plugin not found")
-		endif()
-
-		# gRPC include dir + properly handle grpc{++,pp}
-		get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
-		find_path(
-			GRPCXX_INCLUDE
-			NAMES grpc++/grpc++.h
-			PATHS ${GRPC_INCLUDE}
-		)
-		if(NOT GRPCXX_INCLUDE)
-			find_path(
-				GRPCPP_INCLUDE
-				NAMES grpcpp/grpcpp.h
-				PATHS ${GRPC_INCLUDE}
-			)
-			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-		endif()
-	else()
-		# Fallback to manually find libraries; Some distro, namely Ubuntu focal, do not install gRPC
-		# config cmake module
-		find_library(GPR_LIB NAMES gpr)
-		if(GPR_LIB)
-			message(STATUS "Found gpr lib: ${GPR_LIB}")
-		else()
-			message(FATAL_ERROR "Couldn't find system gpr")
-		endif()
-		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
-		if(GRPCXX_INCLUDE)
-			set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
-		else()
-			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
-			set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
-			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-		endif()
-		find_library(GRPC_LIB NAMES grpc)
-		find_library(GRPCPP_LIB NAMES grpc++)
-		if(GRPC_INCLUDE
-		   AND GRPC_LIB
-		   AND GRPCPP_LIB
-		)
-			message(
-				STATUS
-					"Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}"
-			)
-		else()
-			message(FATAL_ERROR "Couldn't find system grpc")
-		endif()
-		find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
-		if(NOT GRPC_CPP_PLUGIN)
-			message(FATAL_ERROR "System grpc_cpp_plugin not found")
-		endif()
-	endif()
-else()
-	include(cares)
-	include(protobuf)
-	include(zlib)
-	include(openssl)
-	if(BUILD_SHARED_LIBS)
-		set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
-	else()
-		set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
-	endif()
-	include(re2)
-	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
-	set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
-	set(GRPC_INCLUDE "${GRPC_INSTALL_DIR}/include" "${GRPC_SRC}/third_party/abseil-cpp")
-	set(GPR_LIB "${GRPC_SRC}/libgpr.a")
-	set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
-	set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
-	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
-	set(GRPC_MAIN_LIBS "")
-	list(
-		APPEND
-		GRPC_MAIN_LIBS
-		"${GPR_LIB}"
-		"${GRPC_LIB}"
-		"${GRPCPP_LIB}"
-		"${GRPC_SRC}/libgrpc++_alts.a"
-		"${GRPC_SRC}/libgrpc++_error_details.a"
-		"${GRPC_SRC}/libgrpc++_reflection.a"
-		"${GRPC_SRC}/libgrpc++_unsecure.a"
-		"${GRPC_SRC}/libgrpc_plugin_support.a"
-		"${GRPC_SRC}/libgrpc_unsecure.a"
-		"${GRPC_SRC}/libgrpcpp_channelz.a"
-	)
-
-	get_filename_component(PROTOC_DIR ${PROTOC} PATH)
-
-	if(NOT TARGET grpc)
-		message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
-
-		# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP
-		# cmakefiles) into target_link_libraries later note: the list below is manually generated
-		# starting from the output of pkg-config --libs grpc++
-		set(GRPC_LIBRARIES "")
-		list(
-			APPEND
-			GRPC_LIBRARIES
-			"${GRPC_SRC}/libaddress_sorting.a"
-			"${GRPC_SRC}/libupb.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
-			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
-		)
-
-		# Make abseil-cpp build compatible with gcc-13 See
-		# https://patchwork.yoctoproject.org/project/oe/patch/20230518093301.2938164-1-Martin.Jansa@gmail.com/
-		# TO BE DROPPED once we finally upgrade grpc...
-		set(GRPC_PATCH_CMD
-			sh
-			-c
-			"sed -i '20s/^/#include <cstdint>/' ${GRPC_SRC}/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h"
-		)
-
-		# Zig workaround: Add a PATCH_COMMAND to grpc cmake to fixup emitted -march by abseil-cpp
-		# cmake module, making it use a name understood by zig for arm64. See
-		# https://github.com/abseil/abseil-cpp/blob/master/absl/copts/GENERATED_AbseilCopts.cmake#L226.
-		if(CMAKE_C_COMPILER MATCHES "zig")
-			message(STATUS "Enabling zig workaround for abseil-cpp")
-			set(GRPC_PATCH_CMD
-				${GRPC_PATCH_CMD}
-				&&
-				sh
-				-c
-				"sed -i 's/armv8-a/cortex_a57/g' ${GRPC_SRC}/third_party/abseil-cpp/absl/copts/GENERATED_AbseilCopts.cmake"
-			)
-		endif()
-
-		ExternalProject_Add(
-			grpc
-			PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
-			DEPENDS openssl protobuf c-ares zlib re2
-			GIT_REPOSITORY https://github.com/grpc/grpc.git
-			GIT_TAG v1.44.0
-			GIT_SUBMODULES "third_party/abseil-cpp"
-			CMAKE_CACHE_ARGS
-				-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
-				-DCMAKE_BUILD_TYPE:STRING=${CMAKE_BUILD_TYPE}
-				-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=${ENABLE_PIC}
-				-DgRPC_INSTALL:BOOL=OFF
-				# disable unused stuff
-				-DgRPC_BUILD_TESTS:BOOL=OFF
-				-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
-				-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
-				-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
-				# deps provided by us
-				# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
-				-DgRPC_CARES_PROVIDER:STRING=package
-				-Dc-ares_DIR:PATH=${CARES_SRC}
-				-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
-				-Dc-ares_LIBRARY:PATH=${CARES_LIB}
-				# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
-				-DgRPC_PROTOBUF_PROVIDER:STRING=package
-				-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
-				-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
-				-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
-				-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
-				-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
-				# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
-				-DgRPC_SSL_PROVIDER:STRING=package
-				-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
-				-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
-				# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
-				-DgRPC_ZLIB_PROVIDER:STRING=package
-				-DZLIB_ROOT:STRING=${ZLIB_SRC}
-				# RE2
-				-DgRPC_RE2_PROVIDER:STRING=package
-				-Dre2_DIR:PATH=${RE2_DIR}
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
-			# Keep installation files into the local ${GRPC_INSTALL_DIR} since here is the case when
-			# we are embedding gRPC
-			UPDATE_COMMAND ""
-			PATCH_COMMAND ${GRPC_PATCH_CMD}
-			INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
-		)
-		install(
-			FILES ${GRPC_MAIN_LIBS}
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			FILES ${GRPC_LIBRARIES}
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			DIRECTORY "${GRPC_SRC}/target/include/"
-			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-	endif()
-endif()
-
-if(NOT TARGET grpc)
-	add_custom_target(grpc)
-endif()
-
-include_directories("${GRPC_INCLUDE}")
--- a/cmake/modules/libbpf.cmake
+++ b/cmake/modules/libbpf.cmake
@ -23,7 +23,7 @@ elseif(NOT USE_BUNDLED_LIBBPF)
 	find_path(LIBBPF_INCLUDE bpf/libbpf.h)
 	find_library(LIBBPF_LIB NAMES bpf)
 	if(LIBBPF_INCLUDE AND LIBBPF_LIB)
-		add_library(lbpf STATIC IMPORTED)
+		add_library(lbpf STATIC IMPORTED GLOBAL)
 		set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
 		target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
 		target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
@ -64,7 +64,7 @@ else()
 		BUILD_BYPRODUCTS ${LIBBPF_LIB}
 	)

-	add_library(lbpf STATIC IMPORTED)
+	add_library(lbpf STATIC IMPORTED GLOBAL)
 	set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
 	file(MAKE_DIRECTORY ${LIBBPF_INCLUDE}) # necessary to make target_include_directories() work
 	target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
--- a/cmake/modules/libelf.cmake
+++ b/cmake/modules/libelf.cmake
@ -54,9 +54,9 @@ elseif(NOT USE_BUNDLED_LIBELF)
 	endif()

 	if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
-		add_library(elf SHARED IMPORTED)
+		add_library(elf SHARED IMPORTED GLOBAL)
 	else()
-		add_library(elf STATIC IMPORTED)
+		add_library(elf STATIC IMPORTED GLOBAL)
 	endif()

 	set_target_properties(elf PROPERTIES IMPORTED_LOCATION ${LIBELF_LIB})
--- a/cmake/modules/libscap.cmake
+++ b/cmake/modules/libscap.cmake
@ -91,16 +91,6 @@ if(NOT HAVE_LIBSCAP)
 		endif()
 	endforeach()

-	set(libscap_link_flags)
-	set(libscap_link_libdirs "")
-	add_pkgconfig_dependency(libscap_link_libdirs libscap_link_flags scap "")
-
-	string(REPLACE ";" " " LIBSCAP_LINK_LIBRARIES_FLAGS "${libscap_link_flags}")
-	string(REPLACE ";" " " LIBSCAP_LINK_LIBDIRS_FLAGS "${libscap_link_libdirs}")
-	configure_file(
-		${LIBS_DIR}/userspace/libscap/libscap.pc.in ${PROJECT_BINARY_DIR}/libscap/libscap.pc @ONLY
-	)
-
 	install(
 		TARGETS ${LIBSCAP_INSTALL_LIBS}
 		ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
@ -132,6 +122,13 @@ if(NOT HAVE_LIBSCAP)
 		FILES_MATCHING
 		PATTERN "*.h"
 	)
+
+	if(USE_BUNDLED_UTHASH)
+		install(FILES ${UTHASH_INCLUDE}/uthash.h
+				DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
+		)
+	endif()
+
 	install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_config.h
 			DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
 	)
--- a/cmake/modules/libsinsp.cmake
+++ b/cmake/modules/libsinsp.cmake
@ -32,14 +32,6 @@ if(NOT HAVE_LIBSINSP)
 	if(NOT EMSCRIPTEN)
 		include(tbb)
 	endif()
-	if(NOT WIN32
-	   AND NOT APPLE
-	   AND NOT MINIMAL_BUILD
-	   AND NOT EMSCRIPTEN
-	)
-		include(cares)
-		include(curl)
-	endif()
 	include(jsoncpp)
 	include(valijson)
 	include(re2)
@ -58,15 +50,6 @@ if(NOT HAVE_LIBSINSP)
 		list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE})
 	endif()

-	if(NOT USE_BUNDLED_CURL
-	   AND NOT WIN32
-	   AND NOT APPLE
-	   AND NOT MINIMAL_BUILD
-	   AND NOT EMSCRIPTEN
-	)
-		list(APPEND LIBSINSP_INCLUDE_DIRS ${CURL_INCLUDE_DIRS})
-	endif()
-
 	function(set_sinsp_target_properties target)
 		set_target_properties(
 			${target} PROPERTIES VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
--- a/cmake/modules/openssl.cmake
+++ b/cmake/modules/openssl.cmake
@ -1,81 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
-option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
-
-if(OPENSSL_INCLUDE_DIR)
-	# we already have openssl
-elseif(NOT USE_BUNDLED_OPENSSL)
-	find_package(OpenSSL REQUIRED)
-	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
-else()
-	if(BUILD_SHARED_LIBS)
-		set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
-		set(OPENSSL_SHARED_OPTION shared)
-	else()
-		set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
-		set(OPENSSL_SHARED_OPTION no-shared)
-	endif()
-	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
-	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
-	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
-	set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
-
-	if(NOT TARGET openssl)
-		if(NOT ENABLE_PIC)
-			set(OPENSSL_PIC_OPTION)
-		else()
-			set(OPENSSL_PIC_OPTION "-fPIC")
-		endif()
-
-		message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-		ExternalProject_Add(
-			openssl
-			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
-			URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
-			URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
-			CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} ${OPENSSL_PIC_OPTION}
-							  --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
-			BUILD_COMMAND make
-			BUILD_IN_SOURCE 1
-			BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
-			INSTALL_COMMAND make install_sw
-		)
-		install(
-			FILES "${OPENSSL_LIBRARY_SSL}"
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			FILES "${OPENSSL_LIBRARY_CRYPTO}"
-			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-		install(
-			DIRECTORY "${OPENSSL_INCLUDE_DIR}"
-			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
-			COMPONENT "libs-deps"
-		)
-	endif()
-endif()
-
-if(NOT TARGET openssl)
-	add_custom_target(openssl)
-endif()
-
-include_directories("${OPENSSL_INCLUDE_DIR}")
--- a/cmake/modules/protobuf.cmake
+++ b/cmake/modules/protobuf.cmake
@ -58,8 +58,9 @@ else()
 		else()
 			set(PROTOBUF_PIC_OPTION "--with-pic=yes")
 		endif()
-		if(CMAKE_BUILD_TYPE STREQUAL "Release")
-			set(PROTOBUF_CXXFLAGS "-O2 -std=c++11 -DNDEBUG")
+		# Match both release and relwithdebinfo builds
+		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
+			set(PROTOBUF_CXXFLAGS "-O3 -std=c++11 -DNDEBUG")
 		else()
 			set(PROTOBUF_CXXFLAGS "-g -std=c++11")
 		endif()
@ -72,8 +73,8 @@ else()
 			URL_HASH "SHA256=e51cc8fc496f893e2a48beb417730ab6cbcb251142ad8b2cd1951faa5c76fe3d"
 			# TODO what if using system zlib?
 			CONFIGURE_COMMAND
-				CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure
-				CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
+				./configure CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib-include=${ZLIB_INCLUDE}
+				--with-zlib-lib=${ZLIB_SRC} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
 				${PROTOBUF_PIC_OPTION} --prefix=${PROTOBUF_INSTALL_DIR}
 			BUILD_COMMAND make
 			BUILD_IN_SOURCE 1
--- a/cmake/modules/re2.cmake
+++ b/cmake/modules/re2.cmake
@ -55,6 +55,7 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		else()
 			# CMake 3.29.1 removed the support for the `PACKAGE_PREFIX_DIR` variable. The patch
@ -74,6 +75,7 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		endif()
 	else()
@ -95,6 +97,7 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		else()
 			ExternalProject_Add(
@ -111,6 +114,7 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
+						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		endif()
 	endif()
--- a/cmake/modules/tbb.cmake
+++ b/cmake/modules/tbb.cmake
@ -58,9 +58,9 @@ else()

 	if(NOT TARGET tbb)
 		message(STATUS "Using bundled tbb in '${TBB_SRC}'")
-		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.0.0.tar.gz")
+		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.1.0.tar.gz")
 		set(TBB_SRC_URL_HASH
-			"SHA256=e8e89c9c345415b17b30a2db3095ba9d47647611662073f7fbf54ad48b7f3c2a"
+			"SHA256=ed067603ece0dc832d2881ba5c516625ac2522c665d95f767ef6304e34f961b5"
 		)
 		set(TBB_FLAGS "")
 		if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
@ -89,6 +89,8 @@ else()
 						   -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
 						   -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
 						   -DEMSCRIPTEN=${TBB_EMSCRIPTEN}
+						   -DTBB_FILE_TRIM=Off
+						   -DTBB_INSTALL=Off
 				BUILD_BYPRODUCTS ${TBB_LIB}
 				INSTALL_COMMAND ""
 			)
@ -110,6 +112,8 @@ else()
 							   -DTBB_OUTPUT_DIR_BASE=lib
 							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
 							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DTBB_FILE_TRIM=Off
+							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
 					INSTALL_COMMAND ""
 				)
@ -129,6 +133,8 @@ else()
 							   -DTBB_OUTPUT_DIR_BASE=lib
 							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
 							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
+							   -DTBB_FILE_TRIM=Off
+							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
 					INSTALL_COMMAND ""
 				)
--- a/cmake/modules/zlib.cmake
+++ b/cmake/modules/zlib.cmake
@ -45,9 +45,14 @@ else()
 		"${ZLIB_INCLUDE}/zutil.h"
 	)
 	if(NOT TARGET zlib)
-		set(ZLIB_CFLAGS)
+		# Match both release and relwithdebinfo builds
+		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
+			set(ZLIB_CFLAGS "-O3")
+		else()
+			set(ZLIB_CFLAGS "-g")
+		endif()
 		if(ENABLE_PIC)
-			set(ZLIB_CFLAGS -fPIC)
+			set(ZLIB_CFLAGS "${ZLIB_CFLAGS} -fPIC")
 		endif()

 		message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")
--- a/docs/report.md
+++ b/docs/report.md
@ -213,6 +213,7 @@
 | open                    | 🟢        | ppc64le,s390x,x86_64                             |
 | open_by_handle_at       | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | open_tree               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
+| open_tree_attr          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | openat                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | openat2                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | pause                   | 🟡        | ppc64le,s390x,x86_64                             |
--- a/driver/API_VERSION
+++ b/driver/API_VERSION
@ -1 +1 @@
-8.0.3
+8.0.4
--- a/driver/CMakeLists.txt
+++ b/driver/CMakeLists.txt
@ -158,6 +158,11 @@ set(DRIVER_SOURCES
 	ppm_consumer.h
 	capture_macro.h
 	socketcall_to_syscall.h
+	syscall_compat_loongarch64.h
+	syscall_compat_ppc64le.h
+	syscall_compat_riscv64.h
+	syscall_compat_s390x.h
+	syscall_compat_x86_64.h
 	syscall_ia32_64_map.c
 )

--- a/driver/Makefile.in
+++ b/driver/Makefile.in
@ -29,7 +29,7 @@ install: all

 else

-KERNELDIR 	?= $(CURDIR)
+KERNELDIR 	?= $(realpath $(objtree))
 #
 # Get the path of the module sources
 #
--- a/driver/SCHEMA_VERSION
+++ b/driver/SCHEMA_VERSION
@ -1 +1 @@
-3.5.0
+3.69.0
--- a/driver/bpf/Makefile
+++ b/driver/bpf/Makefile
@ -28,7 +28,7 @@ clean:

 else

-KERNELDIR 	?= $(CURDIR)
+KERNELDIR 	?= $(realpath $(objtree))
 #
 # Get the path of the module sources
 #
--- a/driver/bpf/configure/0__SANITY/test.c
+++ b/driver/bpf/configure/0__SANITY/test.c
@ -0,0 +1,23 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2024 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that the build system is sane.
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+BPF_PROBE("sanity/", sanity, sanity_args) {
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
+++ b/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2025 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that kernfs_node's field `parent` exists.
+ * See 6.15 kernel commit it is named __parent:
+ * https://github.com/torvalds/linux/commit/633488947ef66b194377411322dc9e12aab79b65
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+// struct kernfs_node declaration
+#include <linux/kernfs.h>
+
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
+	struct kernfs_node *parent;
+	struct kernfs_node node;
+
+	parent = node.parent;
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/Makefile.inc.in
+++ b/driver/bpf/configure/Makefile.inc.in
@ -7,7 +7,17 @@ ifeq ($(HAS_@CONFIGURE_MODULE@),0)
 $(info [configure-bpf] Setting HAS_@CONFIGURE_MODULE@ flag)
 KBUILD_CPPFLAGS += -DHAS_@CONFIGURE_MODULE@
 else
-HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
+HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
+HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
 $(info [configure-bpf] Build output for HAS_@CONFIGURE_MODULE@:)
 $(info [configure-bpf] $(HAS_@CONFIGURE_MODULE@_OUT))
 endif
+
+ifeq ('@CONFIGURE_MODULE@','0__SANITY')
+    ifeq ($(HAS_@CONFIGURE_MODULE@),0)
+        $(info [configure-bpf] Build system is sane)
+    else
+        $(info [configure-bpf] Build system is broken, please see above errors)
+        $(error The build system is broken, please see above errors)
+    endif
+endif
--- a/driver/bpf/filler_helpers.h
+++ b/driver/bpf/filler_helpers.h
@ -1407,3 +1407,15 @@ static __always_inline pid_t bpf_push_pgid(struct filler_data *data, struct task
 }

 #endif
+
+/* Legacy-probe-specific replacement for `socket_family_to_scap` helper. As encoding the socket
+ * family using the `socket_family_to_scap` helper breaks the verifier on old kernel versions, just
+ * send `PPM_AF_UNSPEC` if the user-provided socket family is negative, and leave it as is
+ * otherwise. This solution relies on the fact that `AF_*` and corresponding `PPM_AF_*` macros map
+ * to the same values. */
+static __always_inline uint8_t bpf_socket_family_to_scap(int8_t family) {
+	if(family < 0) {
+		family = PPM_AF_UNSPEC;
+	}
+	return (uint8_t)family;
+}
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
--- a/driver/bpf/types.h
+++ b/driver/bpf/types.h
@ -143,6 +143,16 @@ struct sys_stash_args {
 #ifdef CAPTURE_SCHED_PROC_EXEC

 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
+struct sched_process_exec_args {
+	unsigned short common_type;
+	unsigned char common_flags;
+	unsigned char common_preempt_count;
+	int common_pid;
+	__u32 filename;  // This is actually defined as "__data_loc char[] filename;".
+	pid_t pid;
+	pid_t old_pid;
+};
+#else
 /* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
 * Taken from `/include/trace/events/sched.h`
 */
@ -151,16 +161,6 @@ struct sched_process_exec_args {
 	pid_t old_pid;
 	struct linux_binprm *bprm;
 };
-#else
-struct sched_process_exec_args {
-	unsigned short common_type;
-	unsigned char common_flags;
-	unsigned char common_preempt_count;
-	int common_pid;
-	int filename;
-	pid_t pid;
-	pid_t old_pid;
-};
 #endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */

 #endif /* CAPTURE_SCHED_PROC_EXEC */
--- a/driver/configure/0__SANITY/test.c
+++ b/driver/configure/0__SANITY/test.c
@ -0,0 +1,26 @@
+/*
+
+Copyright (C) 2023 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that the build environment is sane
+ */
+
+#include <linux/module.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("the Falco authors");
+
+static int empty_init(void) {
+	return 0;
+}
+
+static void empty_exit(void) {}
+
+module_init(empty_init);
+module_exit(empty_exit);
--- a/driver/configure/FS_MNT_IDMAP/test.c
+++ b/driver/configure/FS_MNT_IDMAP/test.c
@ -0,0 +1,33 @@
+/*
+
+Copyright (C) 2025 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that fs function wants mnt_idmap
+ * See linux 6.3 changes:
+ * - https://github.com/torvalds/linux/commit/abf08576afe3
+ * - https://github.com/torvalds/linux/commit/01beba7957a2
+ */
+
+#include <linux/module.h>
+#include <linux/fs.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("the Falco authors");
+
+static int fs_mnt_idmap_init(void) {
+	struct mnt_idmap *idmap = NULL;
+	const struct inode *inode = NULL;
+	inode_owner_or_capable(idmap, inode);
+	return 0;
+}
+
+static void fs_mnt_idmap_exit(void) {}
+
+module_init(fs_mnt_idmap_init);
+module_exit(fs_mnt_idmap_exit);
--- a/driver/configure/Makefile.inc.in
+++ b/driver/configure/Makefile.inc.in
@ -9,7 +9,17 @@ ifeq ($(HAS_@CONFIGURE_MODULE@),0)
 $(info [configure-kmod] Setting HAS_@CONFIGURE_MODULE@ flag)
 ccflags-y += -DHAS_@CONFIGURE_MODULE@
 else
-HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
+HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
+HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
 $(info [configure-kmod] Build output for HAS_@CONFIGURE_MODULE@:)
 $(info [configure-kmod] $(HAS_@CONFIGURE_MODULE@_OUT))
 endif
+
+ifeq ('@CONFIGURE_MODULE@','0__SANITY')
+    ifeq ($(HAS_@CONFIGURE_MODULE@),0)
+        $(info [configure-kmod] Build system is sane)
+    else
+        $(info [configure-kmod] Build system is broken, please see above errors)
+        $(error The build system is broken, please see above errors)
+    endif
+endif
--- a/driver/event_table.c
+++ b/driver/event_table.c
--- a/driver/fillers_table.c
+++ b/driver/fillers_table.c
@ -45,13 +45,13 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SOCKET_SEND_E] = {FILLER_REF(sys_send_e)},
        [PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)},
        [PPME_SOCKET_SENDTO_E] = {FILLER_REF(sys_sendto_e)},
-        [PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_send_x)},
+        [PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_sendto_x)},
        [PPME_SOCKET_RECV_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {2}}},
        [PPME_SOCKET_RECV_X] = {FILLER_REF(sys_recv_x)},
        [PPME_SOCKET_RECVFROM_E] = {FILLER_REF(sys_recvfrom_e)},
        [PPME_SOCKET_RECVFROM_X] = {FILLER_REF(sys_recvfrom_x)},
        [PPME_SOCKET_SHUTDOWN_E] = {FILLER_REF(sys_shutdown_e)},
-        [PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_shutdown_x)},
        [PPME_SOCKET_GETSOCKNAME_E] = {FILLER_REF(sys_empty)},
        [PPME_SOCKET_GETSOCKNAME_X] = {FILLER_REF(sys_empty)},
        [PPME_SOCKET_GETPEERNAME_E] = {FILLER_REF(sys_empty)},
@ -75,15 +75,15 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_PIPE_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_PIPE_X] = {FILLER_REF(sys_pipe_x)},
        [PPME_SYSCALL_EVENTFD_E] = {FILLER_REF(sys_eventfd_e)},
-        [PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_eventfd_x)},
        [PPME_SYSCALL_FUTEX_E] = {FILLER_REF(sys_futex_e)},
-        [PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_futex_x)},
        [PPME_SYSCALL_STAT_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_STAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_LSTAT_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_LSTAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_FSTAT_E] = {FILLER_REF(sys_fstat_e)},
-        [PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_fstat_x)},
        [PPME_SYSCALL_STAT64_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_STAT64_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_LSTAT64_E] = {FILLER_REF(sys_empty)},
@ -91,7 +91,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_FSTAT64_E] = {FILLER_REF(sys_single)},
        [PPME_SYSCALL_FSTAT64_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_EPOLLWAIT_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{2}}},
-        [PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_epoll_wait_x)},
        [PPME_SYSCALL_POLL_E] = {FILLER_REF(sys_poll_e)},
        [PPME_SYSCALL_POLL_X] = {FILLER_REF(sys_poll_x)},
        [PPME_SYSCALL_SELECT_E] = {FILLER_REF(sys_empty)},
@ -99,7 +99,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_NEWSELECT_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_NEWSELECT_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_LSEEK_E] = {FILLER_REF(sys_lseek_e)},
-        [PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_lseek_x)},
        [PPME_SYSCALL_LLSEEK_E] = {FILLER_REF(sys_llseek_e)},
        [PPME_SYSCALL_LLSEEK_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_GETCWD_E] = {FILLER_REF(sys_empty)},
@ -115,15 +115,15 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_PREAD_E] = {FILLER_REF(sys_pread64_e)},
        [PPME_SYSCALL_PREAD_X] = {FILLER_REF(sys_pread64_x)},
        [PPME_SYSCALL_PWRITE_E] = {FILLER_REF(sys_pwrite64_e)},
-        [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_write_x)},
+        [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_pwrite64_x)},
        [PPME_SYSCALL_READV_E] = {FILLER_REF(sys_readv_e)},
-        [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_preadv_x)},
+        [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_x)},
        [PPME_SYSCALL_WRITEV_E] = {FILLER_REF(sys_writev_e)},
-        [PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
+        [PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_x)},
        [PPME_SYSCALL_PREADV_E] = {FILLER_REF(sys_preadv_e)},
-        [PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_readv_preadv_x)},
+        [PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_preadv_x)},
        [PPME_SYSCALL_PWRITEV_E] = {FILLER_REF(sys_pwritev_e)},
-        [PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
+        [PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_pwritev_x)},
        [PPME_SYSCALL_DUP_1_E] = {FILLER_REF(sys_dup_e)},
        [PPME_SYSCALL_DUP_1_X] = {FILLER_REF(sys_dup_x)},
        [PPME_SYSCALL_DUP2_E] = {FILLER_REF(sys_dup2_e)},
@ -131,22 +131,22 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_DUP3_E] = {FILLER_REF(sys_dup3_e)},
        [PPME_SYSCALL_DUP3_X] = {FILLER_REF(sys_dup3_x)},
        [PPME_SYSCALL_SIGNALFD_E] = {FILLER_REF(sys_signalfd_e)},
-        [PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_signalfd_x)},
        [PPME_SYSCALL_KILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_kill_x)},
        [PPME_SYSCALL_TKILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_tkill_x)},
        [PPME_SYSCALL_TGKILL_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_tgkill_x)},
        [PPME_SYSCALL_NANOSLEEP_E] = {FILLER_REF(sys_nanosleep_e)},
-        [PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_nanosleep_x)},
        [PPME_SYSCALL_TIMERFD_CREATE_E] = {FILLER_REF(sys_autofill),
                                           2,
                                           APT_REG,
                                           {{AF_ID_USEDEFAULT, 0}, {AF_ID_USEDEFAULT, 0}}},
-        [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_timerfd_create_x)},
        [PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_REF(sys_inotify_init_e)},
-        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_inotify_init_x)},
        [PPME_SYSCALL_GETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
        [PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_x)},
        [PPME_SYSCALL_SETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
@ -161,19 +161,19 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SCHEDSWITCH_6_E] = {FILLER_REF(sched_switch_e)},
 #endif
        [PPME_SYSCALL_BRK_4_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
+        [PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_x)},
        [PPME_SYSCALL_MMAP_E] = {FILLER_REF(sys_mmap_e)},
-        [PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
+        [PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_mmap_x)},
        [PPME_SYSCALL_MMAP2_E] = {FILLER_REF(sys_mmap_e)},
-        [PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
+        [PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_mmap2_x)},
        [PPME_SYSCALL_MUNMAP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
+        [PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_munmap_x)},
        [PPME_SYSCALL_SPLICE_E] = {FILLER_REF(sys_splice_e)},
-        [PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_splice_x)},
        [PPME_SYSCALL_PTRACE_E] = {FILLER_REF(sys_ptrace_e)},
        [PPME_SYSCALL_PTRACE_X] = {FILLER_REF(sys_ptrace_x)},
        [PPME_SYSCALL_IOCTL_3_E] = {FILLER_REF(sys_ioctl_e)},
-        [PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_ioctl_x)},
        [PPME_SYSCALL_RENAME_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_RENAME_X] = {FILLER_REF(sys_autofill),
                                   3,
@ -193,14 +193,14 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_QUOTACTL_E] = {FILLER_REF(sys_quotactl_e)},
        [PPME_SYSCALL_QUOTACTL_X] = {FILLER_REF(sys_quotactl_x)},
        [PPME_SYSCALL_SETRESUID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_setresuid_x)},
        [PPME_SYSCALL_SETRESGID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_setresgid_x)},
        [PPME_SCAPEVENT_E] = {FILLER_REF(sys_scapevent_e)},
        [PPME_SYSCALL_SETUID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_setuid_x)},
        [PPME_SYSCALL_SETGID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_setgid_x)},
        [PPME_SYSCALL_GETUID_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_GETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_GETEUID_E] = {FILLER_REF(sys_empty)},
@ -223,43 +223,43 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SIGNALDELIVER_E] = {FILLER_REF(sys_signaldeliver_e)},
 #endif
        [PPME_SYSCALL_GETDENTS_E] = {FILLER_REF(sys_getdents_e)},
-        [PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_getdents_x)},
        [PPME_SYSCALL_GETDENTS64_E] = {FILLER_REF(sys_getdents64_e)},
-        [PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_getdents64_x)},
        [PPME_SYSCALL_SETNS_E] = {FILLER_REF(sys_setns_e)},
-        [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_setns_x)},
        [PPME_SYSCALL_FLOCK_E] = {FILLER_REF(sys_flock_e)},
-        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_flock_x)},
        [PPME_CPU_HOTPLUG_E] = {FILLER_REF(cpu_hotplug_e)},
        [PPME_SOCKET_ACCEPT_5_E] = {FILLER_REF(sys_empty)},
        [PPME_SOCKET_ACCEPT_5_X] = {FILLER_REF(sys_accept_x)},
        [PPME_SYSCALL_SEMOP_E] = {FILLER_REF(sys_single)},
        [PPME_SYSCALL_SEMOP_X] = {FILLER_REF(sys_semop_x)},
        [PPME_SYSCALL_SEMCTL_E] = {FILLER_REF(sys_semctl_e)},
-        [PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_semctl_x)},
        [PPME_SYSCALL_PPOLL_E] = {FILLER_REF(sys_ppoll_e)},
-        [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_poll_x)}, /* exit same for poll() and ppoll() */
+        [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_ppoll_x)},
        [PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)},
-        [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_autofill),
+        [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_mount_x),
                                  4,
                                  APT_REG,
                                  {{AF_ID_RETVAL}, {0}, {1}, {2}}},
        [PPME_SYSCALL_SEMGET_E] = {FILLER_REF(sys_semget_e)},
-        [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_semget_x)},
        [PPME_SYSCALL_ACCESS_E] = {FILLER_REF(sys_access_e)},
-        [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
+        [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_access_x)},
        [PPME_SYSCALL_CHROOT_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_CHROOT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_SETSID_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_SETSID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_SETPGID_E] = {FILLER_REF(sys_setpgid_e)},
-        [PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_setpgid_x)},
        [PPME_SYSCALL_MKDIR_2_E] = {FILLER_REF(sys_mkdir_e)},
-        [PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
+        [PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_mkdir_x)},
        [PPME_SYSCALL_RMDIR_2_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_RMDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_UNSHARE_E] = {FILLER_REF(sys_unshare_e)},
-        [PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_unshare_x)},
        [PPME_SYSCALL_EXECVE_19_E] = {FILLER_REF(sys_execve_e)},
        [PPME_SYSCALL_EXECVE_19_X] = {FILLER_REF(proc_startupdate)},
 #ifdef CAPTURE_PAGE_FAULTS
@ -268,7 +268,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_BPF_2_E] = {FILLER_REF(sys_bpf_e)},
        [PPME_SYSCALL_BPF_2_X] = {FILLER_REF(sys_bpf_x)},
        [PPME_SYSCALL_SECCOMP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_seccomp_x)},
        [PPME_SYSCALL_UNLINK_2_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_UNLINK_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_UNLINKAT_2_E] = {FILLER_REF(sys_empty)},
@ -344,7 +344,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_UMOUNT_1_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)},
        [PPME_SOCKET_ACCEPT4_6_E] = {FILLER_REF(sys_accept4_e)},
-        [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept_x)},
+        [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept4_x)},
        [PPME_SYSCALL_UMOUNT2_E] = {FILLER_REF(sys_umount2_e)},
        [PPME_SYSCALL_UMOUNT2_X] = {FILLER_REF(sys_umount2_x)},
        [PPME_SYSCALL_PIPE2_E] = {FILLER_REF(sys_empty)},
--- a/driver/main.c
+++ b/driver/main.c
@ -277,10 +277,6 @@ static bool verbose = 0;

 static unsigned int max_consumers = 5;

-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-static enum cpuhp_state hp_state = 0;
-#endif
-
 #define vpr_info(fmt, ...)               \
 	do {                                 \
 		if(verbose)                      \
@ -446,6 +442,7 @@ static int ppm_open(struct inode *inode, struct file *filp) {
 		consumer->consumer_id = consumer_id;
 		consumer->buffer_bytes_dim = g_buffer_bytes_dim;
 		consumer->tracepoints_attached = 0; /* Start with no tracepoints */
+		consumer->hotplug_cpu = -1;

 		/*
 		 * Initialize the ring buffers array
@ -476,14 +473,6 @@ static int ppm_open(struct inode *inode, struct file *filp) {
 			ring->info = NULL;
 		}

-		/*
-		 * If a cpu is offline when the consumer is first created, we
-		 * will never get events for that cpu even if it later comes
-		 * online via hotplug. We could allocate these rings on-demand
-		 * later in this function if needed for hotplug, but that
-		 * requires the consumer to know to call open again, and that is
-		 * not supported.
-		 */
 		for_each_online_cpu(cpu) {
 			ring = per_cpu_ptr(consumer->ring_buffers, cpu);

@ -1820,6 +1809,27 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 	ASSERT(ring);

 	ring_info = ring->info;
+	if(!ring_info) {
+		// If we haven't got the ring info, it means
+		// the event was generated by a CPU that was not
+		// online when the ring buffers were initialized.
+		// Store info about hotplugged CPU here to later
+		// send hotplug events on cpu0.
+		consumer->hotplug_cpu = cpu;
+		put_cpu();
+		return res;
+	}
+
+	// Manage hotplug on cpu 0
+	if(consumer->hotplug_cpu != -1 && cpu == 0) {
+		event_type = PPME_CPU_HOTPLUG_E;
+		drop_flags = UF_NEVER_DROP;
+		tp_type = INTERNAL_EVENTS;
+		event_datap->category = PPMC_CONTEXT_SWITCH;
+		event_datap->event_info.context_data.sched_prev = (void *)(long)consumer->hotplug_cpu;
+		event_datap->event_info.context_data.sched_next = (void *)(long)0;
+	}
+
 	if(event_datap->category == PPMC_CONTEXT_SWITCH &&
 	   event_datap->event_info.context_data.sched_prev != NULL) {
 		if(event_type != PPME_SCAPEVENT_E && event_type != PPME_CPU_HOTPLUG_E) {
@ -2771,96 +2781,12 @@ static char *ppm_devnode(struct device *dev, mode_t *mode)
 }
 #endif /* LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20) */

-static int do_cpu_callback(unsigned long cpu, long sd_action) {
-	struct ppm_ring_buffer_context *ring;
-	struct ppm_consumer_t *consumer;
-	struct event_data_t event_data;
-
-	if(sd_action != 0) {
-		rcu_read_lock();
-
-		list_for_each_entry_rcu(consumer, &g_consumer_list, node) {
-			ring = per_cpu_ptr(consumer->ring_buffers, cpu);
-			if(sd_action == 1) {
-				/*
-				 * If the cpu was offline when the consumer was created,
-				 * this won't do anything because we never created a ring
-				 * buffer. We can't safely create one here because we're
-				 * in atomic context, and the consumer needs to call open
-				 * on this device anyways, so do it in ppm_open.
-				 */
-				ring->cpu_online = true;
-			} else if(sd_action == 2) {
-				ring->cpu_online = false;
-			}
-		}
-
-		rcu_read_unlock();
-
-		event_data.category = PPMC_CONTEXT_SWITCH;
-		event_data.event_info.context_data.sched_prev = (void *)cpu;
-		event_data.event_info.context_data.sched_next = (void *)sd_action;
-		record_event_all_consumers(PPME_CPU_HOTPLUG_E, UF_NEVER_DROP, &event_data, INTERNAL_EVENTS);
-	}
-	return 0;
-}
-
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-static int scap_cpu_online(unsigned int cpu) {
-	vpr_info("scap_cpu_online on cpu %d\n", cpu);
-	return do_cpu_callback(cpu, 1);
-}
-
-static int scap_cpu_offline(unsigned int cpu) {
-	vpr_info("scap_cpu_offline on cpu %d\n", cpu);
-	return do_cpu_callback(cpu, 2);
-}
-#else /* LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)) */
-/*
- * This gets called every time a CPU is added or removed
- */
-static int cpu_callback(struct notifier_block *self, unsigned long action, void *hcpu) {
-	unsigned long cpu = (unsigned long)hcpu;
-	long sd_action = 0;
-
-	switch(action) {
-	case CPU_UP_PREPARE:
-#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
-	case CPU_UP_PREPARE_FROZEN:
-#endif
-		sd_action = 1;
-		break;
-	case CPU_DOWN_PREPARE:
-#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
-	case CPU_DOWN_PREPARE_FROZEN:
-#endif
-		sd_action = 2;
-		break;
-	default:
-		break;
-	}
-
-	if(do_cpu_callback(cpu, sd_action) < 0)
-		return NOTIFY_BAD;
-	else
-		return NOTIFY_OK;
-}
-
-static struct notifier_block cpu_notifier = {
-        .notifier_call = &cpu_callback,
-        .next = NULL,
-};
-#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0) */
-
 static int scap_init(void) {
 	dev_t dev;
 	unsigned int cpu;
 	unsigned int num_cpus;
 	int ret;
 	int acrret = 0;
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-	int hp_ret;
-#endif
 	int j;
 	int n_created_devices = 0;
 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
@ -2964,25 +2890,6 @@ static int scap_init(void) {
 		goto init_module_err;
 	}

-	/*
-	 * Set up our callback in case we get a hotplug even while we are
-	 * initializing the cpu structures
-	 */
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-	hp_ret = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
-	                                   DRIVER_NAME "/driver:online",
-	                                   scap_cpu_online,
-	                                   scap_cpu_offline);
-	if(hp_ret <= 0) {
-		pr_err("error registering cpu hotplug callback\n");
-		ret = hp_ret;
-		goto init_module_err;
-	}
-	hp_state = hp_ret;
-#else
-	register_cpu_notifier(&cpu_notifier);
-#endif
-
 	// Initialize globals
 	g_tracepoints_attached = 0;
 	for(j = 0; j < KMOD_PROG_ATTACHED_MAX; j++) {
@ -3041,13 +2948,6 @@ static void scap_exit(void) {
 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
 	tracepoint_synchronize_unregister();
 #endif
-
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-	if(hp_state > 0)
-		cpuhp_remove_state_nocalls(hp_state);
-#else
-	unregister_cpu_notifier(&cpu_notifier);
-#endif
 }

 module_init(scap_init);
--- a/driver/modern_bpf/CMakeLists.txt
+++ b/driver/modern_bpf/CMakeLists.txt
@ -256,6 +256,32 @@ file(GLOB_RECURSE BPF_H_FILES ${CMAKE_CURRENT_SOURCE_DIR}/*.h)
 # Search all bpf.c files
 file(GLOB_RECURSE BPF_C_FILES ${CMAKE_CURRENT_SOURCE_DIR}/*.bpf.c)

+# ##################################################################################################
+# Generate the events dimensions file generator executable.
+# ##################################################################################################
+
+add_executable(
+	events_dimensions_generator ${CMAKE_CURRENT_SOURCE_DIR}/definitions/generator/generator.cpp
+)
+target_link_libraries(events_dimensions_generator PRIVATE scap_event_schema)
+add_dependencies(events_dimensions_generator scap_event_schema)
+
+# ##################################################################################################
+# Generate the events dimensions file.
+# ##################################################################################################
+
+set(BPF_EVENTS_DIMENSIONS_FILE ${CMAKE_CURRENT_SOURCE_DIR}/definitions/events_dimensions.h)
+add_custom_command(
+	OUTPUT ${BPF_EVENTS_DIMENSIONS_FILE}
+	COMMAND events_dimensions_generator ${BPF_EVENTS_DIMENSIONS_FILE}
+	VERBATIM
+	DEPENDS events_dimensions_generator ${CMAKE_CURRENT_SOURCE_DIR}/../event_table.c
+	COMMENT
+		"${MODERN_BPF_LOG_PREFIX} Building events dimensions file: ${BPF_EVENTS_DIMENSIONS_FILE}"
+)
+
+add_custom_target(EventsDimensions ALL DEPENDS ${BPF_EVENTS_DIMENSIONS_FILE})
+
 # ##################################################################################################
 # Generate an `bpf.o` file for every `bpf.c`
 # ##################################################################################################
@ -278,7 +304,7 @@ foreach(BPF_C_FILE ${BPF_C_FILES})
 				${BPF_O_FILE}
 		VERBATIM
 		DEPENDS lbpf
-		DEPENDS ${BPF_C_FILE} ${BPF_H_FILES}
+		DEPENDS ${BPF_C_FILE} ${BPF_H_FILES} EventsDimensions
 		COMMENT "${MODERN_BPF_LOG_PREFIX} Building BPF object: ${BPF_O_FILE}"
 	)

--- a/driver/modern_bpf/bpfvalidator_config.yaml
+++ b/driver/modern_bpf/bpfvalidator_config.yaml
@ -0,0 +1,8 @@
+parallel: 2
+kernel_versions:
+    - v5.10.237
+    - v5.15.184
+    - v6.1.140
+    - v6.6.92
+    - v6.12.30
+    - v6.15
--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only OR MIT
 /*
- * Copyright (C) 2023 The Falco Authors.
+ * Copyright (C) 2025 The Falco Authors.
 *
 * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
 * or GPL2.txt for full copies of the license.
@ -21,243 +21,239 @@
 /// want to touch scap tables.

 /* Syscall events */
-#define GENERIC_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
-#define GENERIC_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
-#define GETCWD_E_SIZE HEADER_LEN
-#define GETDENTS_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define EPOLL_WAIT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETPEERNAME_E_SIZE HEADER_LEN
-#define GETPEERNAME_X_SIZE HEADER_LEN
-#define GETSOCKNAME_E_SIZE HEADER_LEN
-#define GETSOCKNAME_X_SIZE HEADER_LEN
-#define MKDIR_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define MMAP_E_SIZE \
-	HEADER_LEN + sizeof(uint64_t) * 3 + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 6
-#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define MUNMAP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
-#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
+#define SYSCALL_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
+#define SYSCALL_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
 #define CLOSE_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define COPY_FILE_RANGE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + PARAM_LEN * 3
-#define DUP_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define DUP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define DUP2_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define DUP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
-#define DUP3_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define DUP3_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
-#define CHDIR_E_SIZE HEADER_LEN
-#define CHMOD_E_SIZE HEADER_LEN
-#define CHOWN_E_SIZE HEADER_LEN
-#define LCHOWN_E_SIZE HEADER_LEN
-#define CHROOT_E_SIZE HEADER_LEN
-#define FCHDIR_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FCHMOD_E_SIZE HEADER_LEN
-#define FCHMOD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define FCHMODAT_E_SIZE HEADER_LEN
-#define FCHOWN_E_SIZE HEADER_LEN
-#define FCHOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 2 + PARAM_LEN * 4
-#define FCHOWNAT_E_SIZE HEADER_LEN
-#define MKDIRAT_E_SIZE HEADER_LEN
-#define RMDIR_E_SIZE HEADER_LEN
-#define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
-#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define USERFAULTFD_E_SIZE HEADER_LEN
-#define USERFAULTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SIGNALFD_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define KILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define TGKILL_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
-#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
-#define CAPSET_E_SIZE HEADER_LEN
-#define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4
+#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define READ_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define WRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define SOCKET_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
 #define SOCKET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define SOCKETPAIR_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
-#define ACCEPT_E_SIZE HEADER_LEN
-#define ACCEPT4_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
-#define LISTEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(int32_t) + PARAM_LEN * 3
-#define CLONE_E_SIZE HEADER_LEN
-#define CLONE3_E_SIZE HEADER_LEN
-#define FORK_E_SIZE HEADER_LEN
-#define VFORK_E_SIZE HEADER_LEN
-#define RENAME_E_SIZE HEADER_LEN
-#define RENAMEAT_E_SIZE HEADER_LEN
-#define RENAMEAT2_E_SIZE HEADER_LEN
+#define LISTEN_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) + PARAM_LEN * 2
+#define LISTEN_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) * 2 + PARAM_LEN * 3
+#define SEND_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define RECV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define GETSOCKNAME_E_SIZE HEADER_LEN
+#define GETSOCKNAME_X_SIZE HEADER_LEN
+#define GETPEERNAME_E_SIZE HEADER_LEN
+#define GETPEERNAME_X_SIZE HEADER_LEN
+#define SOCKETPAIR_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 8
+#define SETSOCKOPT_E_SIZE HEADER_LEN
+#define GETSOCKOPT_E_SIZE HEADER_LEN
+#define SENDMMSG_E_SIZE HEADER_LEN
+#define RECVMSG_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define RECVMMSG_E_SIZE HEADER_LEN
 #define PIPE_E_SIZE HEADER_LEN
 #define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
-#define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
-#define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define QUOTACTL_E_SIZE \
-	HEADER_LEN + sizeof(uint16_t) + sizeof(uint8_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 4
-#define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define UMOUNT_E_SIZE HEADER_LEN
-#define LINK_E_SIZE HEADER_LEN
-#define LINKAT_E_SIZE HEADER_LEN
-#define SYMLINK_E_SIZE HEADER_LEN
-#define SYMLINKAT_E_SIZE HEADER_LEN
-#define UNLINK_E_SIZE HEADER_LEN
-#define UNLINKAT_E_SIZE HEADER_LEN
-#define SETGID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETPGID_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETSID_E_SIZE HEADER_LEN
-#define SETSID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define FUTEX_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define STAT_E_SIZE HEADER_LEN
+#define LSTAT_E_SIZE HEADER_LEN
+#define FSTAT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define STAT64_E_SIZE HEADER_LEN
+#define LSTAT64_E_SIZE HEADER_LEN
+#define FSTAT64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FSTAT64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EPOLL_WAIT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define SELECT_E_SIZE HEADER_LEN
+#define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define LSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
+#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
+#define LLSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
+#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
+#define GETCWD_E_SIZE HEADER_LEN
+#define CHDIR_E_SIZE HEADER_LEN
+#define FCHDIR_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define PREAD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define PWRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define READV_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define WRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define PREADV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define PWRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define SIGNALFD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 3
+#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 4
+#define KILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define TGKILL_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
+#define NANOSLEEP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
+#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
+#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 3
+#define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
+#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
+#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
 #define SETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
 #define SETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
-#define PRLIMIT64_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define PRLIMIT64_X_SIZE HEADER_LEN + sizeof(int64_t) * 6 + sizeof(uint8_t) + PARAM_LEN * 7
-#define GETSOCKOPT_E_SIZE HEADER_LEN
-#define SETSOCKOPT_E_SIZE HEADER_LEN
-#define RECVMSG_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define READV_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define PREADV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
-#define PREAD64_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define PRLIMIT_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define PRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 6 + sizeof(uint8_t) + PARAM_LEN * 7
+#define DROP_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define DROP_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define FCNTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define FCNTL_X_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FSCONFIG_E_SIZE HEADER_LEN
-#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define MPROTECT_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FCNTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
+#define BRK_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
+#define BRK_X_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
+#define MMAP_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
+#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
+#define MMAP2_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
+#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
+#define MUNMAP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
+#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
+#define SPLICE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 4
+#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
+#define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
+#define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define RENAME_E_SIZE HEADER_LEN
+#define RENAMEAT_E_SIZE HEADER_LEN
+#define SYMLINK_E_SIZE HEADER_LEN
+#define SYMLINKAT_E_SIZE HEADER_LEN
+#define PROCEXIT_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) * 2 + PARAM_LEN * 5
+#define SENDFILE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
+#define QUOTACTL_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 4
+#define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define SCAPEVENT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define SCAPEVENT_X_SIZE HEADER_LEN
+#define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SETGID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define GETUID_E_SIZE HEADER_LEN
 #define GETUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define GETGID_E_SIZE HEADER_LEN
-#define GETGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define GETEUID_E_SIZE HEADER_LEN
 #define GETEUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define GETGID_E_SIZE HEADER_LEN
+#define GETGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define GETEGID_E_SIZE HEADER_LEN
 #define GETEGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define GETRESUID_E_SIZE HEADER_LEN
+#define GETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define GETRESGID_E_SIZE HEADER_LEN
+#define GETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define CLONE_E_SIZE HEADER_LEN
+#define FORK_E_SIZE HEADER_LEN
+#define VFORK_E_SIZE HEADER_LEN
+#define SIGNALDELIVER_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define PROCINFO_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
+#define GETDENTS_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define GETDENTS64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define CPU_HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
+#define ACCEPT_E_SIZE HEADER_LEN
+#define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define SEMOP_X_SIZE HEADER_LEN + sizeof(int16_t) * 2 + sizeof(int32_t) + sizeof(int64_t) + sizeof(uint16_t) * 4 + sizeof(uint32_t) + PARAM_LEN * 9
+#define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
+#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 5
+#define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define SEMGET_X_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 4
+#define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define CHROOT_E_SIZE HEADER_LEN
+#define SETSID_E_SIZE HEADER_LEN
+#define SETSID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define MKDIR_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define RMDIR_E_SIZE HEADER_LEN
+#define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define PAGE_FAULT_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define SETPGID_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
+#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
+#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define UNLINK_E_SIZE HEADER_LEN
+#define UNLINKAT_E_SIZE HEADER_LEN
+#define MKDIRAT_E_SIZE HEADER_LEN
+#define LINK_E_SIZE HEADER_LEN
+#define LINKAT_E_SIZE HEADER_LEN
+#define FCHMODAT_E_SIZE HEADER_LEN
+#define CHMOD_E_SIZE HEADER_LEN
+#define FCHMOD_E_SIZE HEADER_LEN
+#define FCHMOD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define RENAMEAT2_E_SIZE HEADER_LEN
+#define USERFAULTFD_E_SIZE HEADER_LEN
+#define USERFAULTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define MPROTECT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define COPY_FILE_RANGE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
+#define CLONE3_E_SIZE HEADER_LEN
+#define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
+#define IO_URING_SETUP_E_SIZE HEADER_LEN
+#define IO_URING_SETUP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 7 + PARAM_LEN * 8
+#define IO_URING_ENTER_E_SIZE HEADER_LEN
+#define IO_URING_ENTER_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 4 + PARAM_LEN * 6
+#define IO_URING_REGISTER_E_SIZE HEADER_LEN
+#define IO_URING_REGISTER_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
 #define MLOCK_E_SIZE HEADER_LEN
 #define MLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define MLOCK2_E_SIZE HEADER_LEN
-#define MLOCK2_X_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
 #define MUNLOCK_E_SIZE HEADER_LEN
 #define MUNLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
 #define MLOCKALL_E_SIZE HEADER_LEN
 #define MLOCKALL_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define MUNLOCKALL_E_SIZE HEADER_LEN
 #define MUNLOCKALL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define READ_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define IO_URING_ENTER_E_SIZE HEADER_LEN
-#define IO_URING_ENTER_X_SIZE \
-	HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 4 + PARAM_LEN * 6
-#define IO_URING_REGISTER_E_SIZE HEADER_LEN
-#define IO_URING_REGISTER_X_SIZE                                                                \
-	HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint64_t) + sizeof(uint32_t) + \
-	        PARAM_LEN * 5
-#define IO_URING_SETUP_E_SIZE HEADER_LEN
-#define IO_URING_SETUP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 7 + PARAM_LEN * 8
-#define MMAP2_E_SIZE \
-	HEADER_LEN + sizeof(uint64_t) * 3 + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 6
-#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define SEMGET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
-#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SELECT_E_SIZE HEADER_LEN
-#define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SPLICE_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 4
-#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define RECVMMSG_E_SIZE HEADER_LEN
-#define SENDMMSG_E_SIZE HEADER_LEN
-#define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define SEMOP_X_SIZE                                                                               \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint16_t) * 4 + sizeof(int16_t) * 2 + \
-	        PARAM_LEN * 8
-#define GETRESUID_E_SIZE HEADER_LEN
-#define GETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define SENDFILE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
-#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
-#define FUTEX_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint16_t) + PARAM_LEN * 3
-#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define STAT_E_SIZE HEADER_LEN
-#define LSTAT_E_SIZE HEADER_LEN
-#define FSTAT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LSEEK_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + 3 * PARAM_LEN
-#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LLSEEK_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + 3 * PARAM_LEN
-#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define WRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define WRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define PWRITEV_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define PWRITE64_E_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define GETRESGID_E_SIZE HEADER_LEN
-#define GETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define BRK_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define BRK_X_SIZE HEADER_LEN + sizeof(uint64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
-#define SEND_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define RECV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define NANOSLEEP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define CAPSET_E_SIZE HEADER_LEN
+#define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4
+#define DUP2_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define DUP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
+#define DUP3_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define DUP3_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
+#define DUP_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define DUP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define MLOCK2_E_SIZE HEADER_LEN
+#define MLOCK2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define FSCONFIG_E_SIZE HEADER_LEN
+#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) + PARAM_LEN * 2
+#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define CHOWN_E_SIZE HEADER_LEN
+#define LCHOWN_E_SIZE HEADER_LEN
+#define FCHOWN_E_SIZE HEADER_LEN
+#define FCHOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 2 + PARAM_LEN * 4
+#define FCHOWNAT_E_SIZE HEADER_LEN
+#define UMOUNT_E_SIZE HEADER_LEN
+#define ACCEPT4_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define PIPE2_E_SIZE HEADER_LEN
-#define PIPE2_X_SIZE \
-	HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 5
+#define PIPE2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
 #define INOTIFY_INIT1_E_SIZE HEADER_LEN
-#define INOTIFY_INIT1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
+#define INOTIFY_INIT1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
 #define EVENTFD2_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
-#define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN
-#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
+#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint32_t) + PARAM_LEN * 4
 #define PRCTL_E_SIZE HEADER_LEN
 #define MEMFD_CREATE_E_SIZE HEADER_LEN
 #define PIDFD_GETFD_E_SIZE HEADER_LEN
-#define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + 4 * PARAM_LEN
+#define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
 #define PIDFD_OPEN_E_SIZE HEADER_LEN
-#define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + 3 * PARAM_LEN
+#define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
 #define INIT_MODULE_E_SIZE HEADER_LEN
 #define FINIT_MODULE_E_SIZE HEADER_LEN
 #define MKNOD_E_SIZE HEADER_LEN
@ -267,19 +263,8 @@
 #define PROCESS_VM_WRITEV_E_SIZE HEADER_LEN
 #define DELETE_MODULE_E_SIZE HEADER_LEN
 #define SETREUID_E_SIZE HEADER_LEN
-#define SETREUID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
+#define SETREUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 3
 #define SETREGID_E_SIZE HEADER_LEN
-#define SETREGID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
-
-/* Generic tracepoints events. */
-#define SCHED_SWITCH_SIZE \
-	HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6
-#define PAGE_FAULT_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define SIGNAL_DELIVER_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-
-/* Special internal events */
-#define DROP_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define DROP_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
+#define SETREGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 3

 #endif /* __EVENT_DIMENSIONS_H__ */
--- a/driver/modern_bpf/definitions/generator/generator.cpp
+++ b/driver/modern_bpf/definitions/generator/generator.cpp
@ -0,0 +1,234 @@
+#include <functional>
+#include <iostream>
+#include <map>
+#include <sstream>
+#include <fstream>
+#include <algorithm>
+
+#include "driver/ppm_events_public.h"
+
+extern const struct ppm_event_info g_event_info[];
+
+auto PREFACE = R"(// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2025 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#ifndef __EVENT_DIMENSIONS_H__
+#define __EVENT_DIMENSIONS_H__
+
+#include "vmlinux.h"
+
+/* Here we have all the dimensions for fixed-size events.
+ */
+
+#define PARAM_LEN 2
+#define HEADER_LEN sizeof(struct ppm_evt_hdr)
+
+/// TODO: We have to move these in the event_table.c. Right now we don't
+/// want to touch scap tables.
+
+/* Syscall events */
+)";
+
+auto POSTFACE = R"(
+#endif /* __EVENT_DIMENSIONS_H__ */
+)";
+
+// Use the following macro to get the stringified version of the C expression retrieving the type
+// size (e.g.: SIZE_OF_EXPR(uint8_t) is resolved in "sizeof(uint8_t)").
+#define SIZE_OF_EXPR(type) SIZE_OF_EXPR_##type
+
+// Generate the "sizeof" stringified expression for the listed types. New handled types must be
+// appended to the list.
+#define SIZE_OF_EXPR_DECL_LIST_GEN(FN) \
+	FN(int8_t)                         \
+	FN(int16_t)                        \
+	FN(int32_t)                        \
+	FN(int64_t)                        \
+	FN(uint8_t)                        \
+	FN(uint16_t)                       \
+	FN(uint32_t)                       \
+	FN(uint64_t)
+#define SIZE_OF_EXPR_DECL(type) char SIZE_OF_EXPR(type)[] = "sizeof(" #type ")";
+SIZE_OF_EXPR_DECL_LIST_GEN(SIZE_OF_EXPR_DECL)
+#undef SIZE_OF_EXPR_DECL
+#undef SIZE_OF_EXPR_DECL_LIST_GEN
+
+// Special expressions denoting variable size or unused parameter types.
+char SIZE_OF_EXPR_VARIABLE_SIZE[] = "<variable_size>", SIZE_OF_EXPR_UNUSED[] = "<unused>";
+
+// Table containing the mapping between parameter types and the corresponding stringified "sizeof"
+// expression.
+std::map<long long, char *> type_to_size_expr{
+        {PT_NONE, SIZE_OF_EXPR_UNUSED},
+        {PT_INT8, SIZE_OF_EXPR(int8_t)},
+        {PT_INT16, SIZE_OF_EXPR(int16_t)},
+        {PT_INT32, SIZE_OF_EXPR(int32_t)},
+        {PT_INT64, SIZE_OF_EXPR(int64_t)},
+        {PT_UINT8, SIZE_OF_EXPR(uint8_t)},
+        {PT_UINT16, SIZE_OF_EXPR(uint16_t)},
+        {PT_UINT32, SIZE_OF_EXPR(uint32_t)},
+        {PT_UINT64, SIZE_OF_EXPR(uint64_t)},
+        {PT_CHARBUF, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_BYTEBUF, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_ERRNO, SIZE_OF_EXPR(int64_t)},
+        {PT_SOCKADDR, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_SOCKTUPLE, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_FD, SIZE_OF_EXPR(int64_t)},
+        {PT_PID, SIZE_OF_EXPR(int64_t)},
+        {PT_FDLIST, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_FSPATH, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_SYSCALLID, SIZE_OF_EXPR(uint16_t)},
+        {PT_SIGTYPE, SIZE_OF_EXPR(uint8_t)},
+        {PT_RELTIME, SIZE_OF_EXPR(uint64_t)},
+        {PT_ABSTIME, SIZE_OF_EXPR(uint64_t)},
+        {PT_PORT, SIZE_OF_EXPR_UNUSED},
+        {PT_L4PROTO, SIZE_OF_EXPR_UNUSED},
+        {PT_SOCKFAMILY, SIZE_OF_EXPR_UNUSED},
+        {PT_BOOL, SIZE_OF_EXPR_UNUSED},
+        {PT_IPV4ADDR, SIZE_OF_EXPR_UNUSED},
+        {PT_DYN, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_FLAGS8, SIZE_OF_EXPR(uint8_t)},
+        {PT_FLAGS16, SIZE_OF_EXPR(uint16_t)},
+        {PT_FLAGS32, SIZE_OF_EXPR(uint32_t)},
+        {PT_UID, SIZE_OF_EXPR(uint32_t)},
+        {PT_GID, SIZE_OF_EXPR(uint32_t)},
+        {PT_DOUBLE, SIZE_OF_EXPR_UNUSED},
+        {PT_SIGSET, SIZE_OF_EXPR(uint32_t)},
+        {PT_CHARBUFARRAY, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_CHARBUF_PAIR_ARRAY, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_IPV4NET, SIZE_OF_EXPR_UNUSED},
+        {PT_IPV6ADDR, SIZE_OF_EXPR_UNUSED},
+        {PT_IPV6NET, SIZE_OF_EXPR_UNUSED},
+        {PT_IPADDR, SIZE_OF_EXPR_UNUSED},
+        {PT_IPNET, SIZE_OF_EXPR_UNUSED},
+        {PT_MODE, SIZE_OF_EXPR(uint32_t)},
+        {PT_FSRELPATH, SIZE_OF_EXPR_VARIABLE_SIZE},
+        {PT_ENUMFLAGS8, SIZE_OF_EXPR(uint8_t)},
+        {PT_ENUMFLAGS16, SIZE_OF_EXPR(uint16_t)},
+        {PT_ENUMFLAGS32, SIZE_OF_EXPR(uint32_t)},
+};
+
+// is_fixed_size_event determines if the provided event has a fixed size or not.
+bool is_fixed_size_event(struct ppm_event_info const *const evt) {
+	for(uint32_t i = 0; i < evt->nparams; i++) {
+		auto &param = evt->params[i];
+		auto const param_type = param.type;
+
+		auto it = type_to_size_expr.find(param_type);
+		if(it == type_to_size_expr.end()) {
+			throw std::runtime_error("Unknown event parameter type: " + std::to_string(param_type));
+		}
+
+		auto const size_expr = it->second;
+		// Just compare pointers is enough.
+		if(size_expr == SIZE_OF_EXPR_UNUSED) {
+			throw std::runtime_error("Unexpected unused event parameter type: " +
+			                         std::to_string(param_type));
+		}
+		if(size_expr == SIZE_OF_EXPR_VARIABLE_SIZE) {
+			return false;
+		}
+	}
+	return true;
+}
+
+// get_vent_size_expr_counts returns, given the provided event and the resulting size expression of
+// its parameters, a map containing, for each size expression, the number of occurrences.
+std::map<std::string, size_t> get_event_size_expr_counts(struct ppm_event_info const *const evt) {
+	std::map<std::string, size_t> size_expr_counts;
+	for(uint32_t i = 0; i < evt->nparams; i++) {
+		auto const &param = evt->params[i];
+		auto const param_type = param.type;
+		auto const it = type_to_size_expr.find(param_type);
+		if(it == type_to_size_expr.end()) {
+			throw std::runtime_error("Unknown event parameter type: " + std::to_string(param_type));
+		}
+		auto const size_expr = it->second;
+		size_expr_counts[size_expr]++;
+	}
+	return size_expr_counts;
+}
+
+// output_event_size outputs the event size macro for the provided event into the provided output
+// stream.
+void output_event_size(std::ostream &os,
+                       struct ppm_event_info const *const evt,
+                       bool const is_enter_evt) {
+	// Exclude old versions.
+	if(evt->flags & EF_OLD_VERSION) {
+		return;
+	}
+
+	std::string name{evt->name};
+	// Ignore events without name.
+	if(name == "NA") {
+		return;
+	}
+
+	// Exclude events not having a fixed size.
+	if(!is_fixed_size_event(evt)) {
+		return;
+	}
+
+	// Generate the complete event size macro name.
+	std::transform(name.cbegin(), name.cend(), name.begin(), toupper);
+	if((evt->category & EC_TRACEPOINT) == 0) {
+		name += is_enter_evt ? "_E" : "_X";
+	}
+	name += "_SIZE";
+
+	// The event contains at least the header.
+	os << "#define " << name << " HEADER_LEN";
+
+	auto const params_num = evt->nparams;
+
+	// Count the number of occurrences for each size expression.
+	auto size_expr_counts = get_event_size_expr_counts(evt);
+
+	// Output "size expression" * "number of occurrences of size expression", for each size
+	// expression.
+	for(auto const &[size_expr, count] : size_expr_counts) {
+		os << " + " << size_expr;
+		if(count != 1) {
+			os << " * " << count;
+		}
+	}
+
+	// Add "number of parameters" * PARAM_LEN, to account the size of each parameter length.
+	if(params_num != 0) {
+		os << " + PARAM_LEN";
+		if(params_num != 1) {
+			os << " * " << params_num;
+		}
+	}
+	os << '\n';
+}
+
+int main(int argc, char *argv[]) {
+	if(argc != 2) {
+		std::cerr << "Usage: " << argv[0] << " <filepath>\n";
+		std::exit(EXIT_FAILURE);
+	}
+
+	std::string filepath{argv[1]};
+
+	// Build file content.
+	std::ostringstream oss;
+	oss << PREFACE;
+	for(int i = 0; i < PPM_EVENT_MAX; i++) {
+		output_event_size(oss, &g_event_info[i], i % 2 == 0);
+	}
+	oss << POSTFACE;
+
+	// Write content to file.
+	std::ofstream f{filepath, std::fstream::out | std::fstream::trunc};
+	f << oss.str();
+	f.close();
+
+	return 0;
+}
--- a/driver/modern_bpf/definitions/struct_flavors.h
+++ b/driver/modern_bpf/definitions/struct_flavors.h
@ -59,6 +59,10 @@ struct inode___v6_11 {
 	uint32_t i_ctime_nsec;
 };

+struct kernfs_node___v6_15 {
+	struct kernfs_node *__parent;
+};
+
 #ifndef BPF_NO_PRESERVE_ACCESS_INDEX
 #pragma clang attribute pop
 #endif
--- a/driver/modern_bpf/helpers/base/maps_getters.h
+++ b/driver/modern_bpf/helpers/base/maps_getters.h
@ -17,44 +17,99 @@

 /*=============================== SETTINGS ===========================*/

+static __always_inline struct capture_settings *maps__get_capture_settings() {
+	uint32_t key = 0;
+	return bpf_map_lookup_elem(&capture_settings, &key);
+}
+
 static __always_inline uint64_t maps__get_boot_time() {
-	return g_settings.boot_time;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->boot_time;
 }

 static __always_inline uint32_t maps__get_snaplen() {
-	return g_settings.snaplen;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->snaplen;
 }

 static __always_inline bool maps__get_dropping_mode() {
-	return g_settings.dropping_mode;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->dropping_mode;
 }

 static __always_inline uint32_t maps__get_sampling_ratio() {
-	return g_settings.sampling_ratio;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->sampling_ratio;
 }

 static __always_inline bool maps__get_drop_failed() {
-	return g_settings.drop_failed;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->drop_failed;
 }

 static __always_inline bool maps__get_do_dynamic_snaplen() {
-	return g_settings.do_dynamic_snaplen;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->do_dynamic_snaplen;
 }

 static __always_inline uint16_t maps__get_fullcapture_port_range_start() {
-	return g_settings.fullcapture_port_range_start;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->fullcapture_port_range_start;
 }

 static __always_inline uint16_t maps__get_fullcapture_port_range_end() {
-	return g_settings.fullcapture_port_range_end;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->fullcapture_port_range_end;
 }

 static __always_inline uint16_t maps__get_statsd_port() {
-	return g_settings.statsd_port;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->statsd_port;
 }

 static __always_inline int32_t maps__get_scap_tid() {
-	return g_settings.scap_tid;
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(settings == NULL) {
+		return 0;
+	}
+
+	return settings->scap_tid;
 }

 /*=============================== SETTINGS ===========================*/
@ -89,8 +144,12 @@ static __always_inline uint8_t maps__64bit_sampling_syscall_table(uint32_t sysca

 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/

-static __always_inline bool maps__64bit_interesting_syscall(uint32_t syscall_id) {
-	return g_64bit_interesting_syscalls_table[syscall_id & (SYSCALL_TABLE_SIZE - 1)];
+static __always_inline bool maps__interesting_syscall_64bit(uint32_t syscall_id) {
+	bool *ret = bpf_map_lookup_elem(&interesting_syscalls_table_64bit, &syscall_id);
+	if(ret == NULL) {
+		return false;
+	}
+	return *ret;
 }

 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/
--- a/driver/modern_bpf/helpers/base/shared_size.h
+++ b/driver/modern_bpf/helpers/base/shared_size.h
@ -26,8 +26,8 @@
 /* Maximum number of `iovec` structures that we can analyze. */
 #define MAX_IOVCNT 32

-/* Maximum number of supported sendmmsg/recvmmsg messages */
-#define MAX_SENDMMSG_RECVMMSG_SIZE 8
+/* Maximum number of supported sendmmsg/recvmmsg loops with bpf_loop helper */
+#define MAX_SENDMMSG_RECVMMSG_SIZE 16

 /* Maximum number of `pollfd` structures that we can analyze. */
 #define MAX_POLLFD 16
--- a/driver/modern_bpf/helpers/extract/extract_from_kernel.h
+++ b/driver/modern_bpf/helpers/extract/extract_from_kernel.h
@ -10,6 +10,7 @@

 #include <helpers/base/maps_getters.h>
 #include <helpers/base/read_from_task.h>
+#include <helpers/base/shared_size.h>
 #include <driver/ppm_flag_helpers.h>

 #if __has_include(<sys/syscall.h>)
@ -1031,3 +1032,47 @@ static __always_inline struct socket *get_sock_from_file(struct file *file) {
 	}
 	return (struct socket *)BPF_CORE_READ(file, private_data);
 }
+
+///////////////////////////
+// EXTRACT FROM MSGHDR
+///////////////////////////
+
+/**
+ * @brief Read the msghdr pointed by `msghdr_pointer` and store it in `msghdr` location.
+ * @param msghdr pointer to the user_msghdr struct used to store the read msghdr.
+ * @param msghdr_pointer pointer to the msghdr to be read.
+ * @return 0 on success, or a negative error in case of failure.
+ */
+static __always_inline long extract__msghdr(struct user_msghdr *msghdr,
+                                            unsigned long msghdr_pointer) {
+	return bpf_probe_read_user((void *)msghdr,
+	                           bpf_core_type_size(struct user_msghdr),
+	                           (void *)msghdr_pointer);
+}
+
+/**
+ * @brief Extract the size of a message extracted from an `iovec` struct array.
+ * @param scratch_space pointer the scratch space on which iovecs are read.
+ * @param scratch_space_size scratch space total size.
+ * @param iov_pointer pointer to `iovec` struct array.
+ * @param iov_cnt number of `iovec` structs.
+ * @return the size of the message on success, or 0 in case of failure.
+ */
+static __always_inline uint32_t extract__iovec_size(void *scratch_space,
+                                                    uint32_t scratch_space_size,
+                                                    unsigned long iov_pointer,
+                                                    unsigned long iov_cnt) {
+	if(bpf_probe_read_user(scratch_space, scratch_space_size, (void *)iov_pointer)) {
+		return 0;
+	}
+
+	uint32_t total_size_to_read = 0;
+	const struct iovec *iovec = (const struct iovec *)scratch_space;
+	for(int i = 0; i < MAX_IOVCNT; i++) {
+		if(i == iov_cnt) {
+			break;
+		}
+		total_size_to_read += iovec[i].iov_len;
+	}
+	return total_size_to_read;
+}
--- a/driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h
+++ b/driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h
@ -14,7 +14,7 @@
 #include <helpers/extract/extract_from_kernel.h>

 static __always_inline bool syscalls_dispatcher__64bit_interesting_syscall(uint32_t syscall_id) {
-	return maps__64bit_interesting_syscall(syscall_id);
+	return maps__interesting_syscall_64bit(syscall_id);
 }

 static __always_inline long convert_network_syscalls(struct pt_regs *regs) {
--- a/driver/modern_bpf/helpers/store/auxmap_store_params.h
+++ b/driver/modern_bpf/helpers/store/auxmap_store_params.h
@ -1121,9 +1121,7 @@ static __always_inline void auxmap__store_msghdr_size_param(struct auxiliary_map
 	 * we return 0.
 	 */
 	struct user_msghdr msghdr = {0};
-	if(bpf_probe_read_user((void *)&msghdr,
-	                       bpf_core_type_size(struct user_msghdr),
-	                       (void *)msghdr_pointer)) {
+	if(extract__msghdr(&msghdr, msghdr_pointer)) {
 		auxmap__store_u32_param(auxmap, 0);
 		return;
 	}
@ -1148,9 +1146,7 @@ static __always_inline struct user_msghdr auxmap__store_msghdr_data_param(
 	 * we return an empty param.
 	 */
 	struct user_msghdr msghdr = {0};
-	if(bpf_probe_read_user((void *)&msghdr,
-	                       bpf_core_type_size(struct user_msghdr),
-	                       (void *)msghdr_pointer)) {
+	if(extract__msghdr(&msghdr, msghdr_pointer)) {
 		/* in case of NULL msghdr we return an empty param */
 		push__param_len(auxmap->data, &auxmap->lengths_pos, 0);
 		return msghdr;
@ -1296,7 +1292,12 @@ static __always_inline uint16_t store_cgroup_subsys(struct auxiliary_map *auxmap
 		}
 		path_components++;
 		BPF_CORE_READ_INTO(&cgroup_path_pointers[k], kn, name);
-		BPF_CORE_READ_INTO(&kn, kn, parent);
+		if(bpf_core_field_exists(kn->parent)) {
+			BPF_CORE_READ_INTO(&kn, kn, parent);
+		} else {
+			struct kernfs_node___v6_15 *kn_v6_15 = (void *)kn;
+			BPF_CORE_READ_INTO(&kn, kn_v6_15, __parent);
+		}
 	}

 	/* Reconstruct the path in reverse, using previously collected pointers.
@ -1506,7 +1507,9 @@ static __always_inline void auxmap__store_fdlist_param(struct auxiliary_map *aux
 typedef struct {
 	bool only_port_range;
 	ppm_event_code evt_type;
-	long mmsg_index;
+	long mmsg_index;         // Only used by sendmmsg/recvmmsg to pass the current message index
+	unsigned long *mm_args;  // Only used by sendmmsg/recvmmsg to reduce stack size to avoid
+	                         // verifier issues
 } dynamic_snaplen_args;

 static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
@ -1556,6 +1559,12 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	 */
 	unsigned long args[5] = {0};
 	struct sockaddr *sockaddr = NULL;
+	union {
+		struct compat_msghdr compat_mh;
+		struct user_msghdr mh;
+		struct compat_mmsghdr compat_mmh;
+		struct mmsghdr mmh;
+	} msg_mh = {};

 	switch(input_args->evt_type) {
 	case PPME_SOCKET_SENDTO_X:
@ -1568,43 +1577,41 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	case PPME_SOCKET_SENDMSG_X: {
 		extract__network_args(args, 3, regs);
 		if(bpf_in_ia32_syscall()) {
-			struct compat_msghdr compat_mh = {};
-			if(likely(bpf_probe_read_user(&compat_mh,
+			if(likely(bpf_probe_read_user(&msg_mh.compat_mh,
 			                              bpf_core_type_size(struct compat_msghdr),
 			                              (void *)args[1]) == 0)) {
-				sockaddr = (struct sockaddr *)(unsigned long)(compat_mh.msg_name);
+				sockaddr = (struct sockaddr *)(unsigned long)(msg_mh.compat_mh.msg_name);
 			}
 			// in any case we break the switch.
 			break;
 		}
-
-		struct user_msghdr mh = {};
-		if(bpf_probe_read_user(&mh, bpf_core_type_size(struct user_msghdr), (void *)args[1]) == 0) {
-			sockaddr = (struct sockaddr *)mh.msg_name;
+		if(extract__msghdr(&msg_mh.mh, args[1]) == 0) {
+			sockaddr = (struct sockaddr *)msg_mh.mh.msg_name;
 		}
 	} break;

 	case PPME_SOCKET_RECVMMSG_X:
 	case PPME_SOCKET_SENDMMSG_X: {
-		extract__network_args(args, 3, regs);
+		// To avoid verifier stack size issues, sendmmsg and recvmmsg directly pass args
+		// in dynamic_snaplen_args.
+		// This also gives a small perf boost while using `bpf_loop` because we don't need
+		// to re-fetch first 3 syscall args at every iteration.
+		__builtin_memcpy(args, input_args->mm_args, 3 * sizeof(unsigned long));
 		if(bpf_in_ia32_syscall()) {
-			struct compat_mmsghdr compat_mmh = {};
 			struct compat_mmsghdr *mmh_ptr = (struct compat_mmsghdr *)args[1];
-			if(likely(bpf_probe_read_user(&compat_mmh,
+			if(likely(bpf_probe_read_user(&msg_mh.compat_mmh,
 			                              bpf_core_type_size(struct compat_mmsghdr),
 			                              (void *)(mmh_ptr + input_args->mmsg_index)) == 0)) {
-				sockaddr = (struct sockaddr *)(unsigned long)(compat_mmh.msg_hdr.msg_name);
+				sockaddr = (struct sockaddr *)(unsigned long)(msg_mh.compat_mmh.msg_hdr.msg_name);
 			}
 			// in any case we break the switch.
 			break;
 		}
-
-		struct mmsghdr mmh = {};
 		struct mmsghdr *mmh_ptr = (struct mmsghdr *)args[1];
-		if(bpf_probe_read_user(&mmh,
+		if(bpf_probe_read_user(&msg_mh.mmh,
 		                       bpf_core_type_size(struct mmsghdr),
 		                       (void *)(mmh_ptr + input_args->mmsg_index)) == 0) {
-			sockaddr = (struct sockaddr *)mmh.msg_hdr.msg_name;
+			sockaddr = (struct sockaddr *)msg_mh.mmh.msg_hdr.msg_name;
 		}
 	} break;

@ -1642,16 +1649,20 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 		port_remote = ntohs(port_remote);

 		if(port_remote == 0 && sockaddr != NULL) {
+			union {
+				struct sockaddr_in sockaddr_in;
+				struct sockaddr_in6 sockaddr_in6;
+			} saddr_in = {};
 			if(socket_family == AF_INET) {
-				struct sockaddr_in sockaddr_in = {};
-				bpf_probe_read_user(&sockaddr_in, bpf_core_type_size(struct sockaddr_in), sockaddr);
-				port_remote = ntohs(sockaddr_in.sin_port);
+				bpf_probe_read_user(&saddr_in.sockaddr_in,
+				                    bpf_core_type_size(struct sockaddr_in),
+				                    sockaddr);
+				port_remote = ntohs(saddr_in.sockaddr_in.sin_port);
 			} else {
-				struct sockaddr_in6 sockaddr_in6 = {};
-				bpf_probe_read_user(&sockaddr_in6,
+				bpf_probe_read_user(&saddr_in.sockaddr_in6,
 				                    bpf_core_type_size(struct sockaddr_in6),
 				                    sockaddr);
-				port_remote = ntohs(sockaddr_in6.sin6_port);
+				port_remote = ntohs(saddr_in.sockaddr_in6.sin6_port);
 			}
 		}
 	}
--- a/driver/modern_bpf/maps/maps.h
+++ b/driver/modern_bpf/maps/maps.h
@ -47,35 +47,23 @@ __weak const volatile uint64_t probe_api_ver = PPM_API_CURRENT_VERSION;
 */
 __weak const volatile uint64_t probe_schema_var = PPM_SCHEMA_CURRENT_VERSION;

-/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
-
-/*=============================== BPF GLOBAL VARIABLES ===============================*/
-
-/**
- * @brief Given the syscall id on 64-bit-architectures returns if
- * the syscall must be filtered out according to the simple consumer logic.
- */
-__weak bool g_64bit_interesting_syscalls_table[SYSCALL_TABLE_SIZE];
-
 /**
 * @brief Given the syscall id on 64-bit-architectures returns:
 * - `UF_NEVER_DROP` if the syscall must not be dropped in the sampling logic.
 * - `UF_ALWAYS_DROP` if the syscall must always be dropped in the sampling logic.
 * - `UF_NONE` if we drop the syscall depends on the sampling ratio.
 */
-__weak uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
+__weak const volatile uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];

 /**
 * @brief Given the syscall id on 32-bit x86 arch returns
 * its x64 value. Used to support ia32 syscall emulation.
 */
-__weak uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];
+__weak const volatile uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];

-/**
- * @brief Global capture settings shared between userspace and
- * bpf programs.
- */
-__weak struct capture_settings g_settings;
+/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
+
+/*=============================== BPF GLOBAL VARIABLES ===============================*/

 /**
 * @brief Variable used only kernel side to understand when we need to send
@ -133,6 +121,28 @@ struct {

 /*=============================== BPF_MAP_TYPE_ARRAY ===============================*/

+/**
+ * @brief This table is used to keep track of which syscalls must be filtered out
+ * according to the simple consumer logic.
+ */
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, SYSCALL_TABLE_SIZE);
+	__type(key, uint32_t);
+	__type(value, bool);
+} interesting_syscalls_table_64bit __weak SEC(".maps");
+
+/**
+ * @brief Global capture settings shared between userspace and
+ * bpf programs.
+ */
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, 1);
+	__type(key, uint32_t);
+	__type(value, struct capture_settings);
+} capture_settings __weak SEC(".maps");
+
 /* These maps have one entry for each CPU.
 *
 * PLEASE NOTE:
--- a/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c
+++ b/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c
@ -36,9 +36,9 @@ int BPF_PROG(t_hotplug) {
 	 * the event collection.
 	 */
 	struct ringbuf_struct ringbuf;
-	ringbuf.reserved_event_size = HOTPLUG_E_SIZE;
+	ringbuf.reserved_event_size = CPU_HOTPLUG_E_SIZE;
 	ringbuf.event_type = PPME_CPU_HOTPLUG_E;
-	ringbuf.data = bpf_ringbuf_reserve(rb, HOTPLUG_E_SIZE, 0);
+	ringbuf.data = bpf_ringbuf_reserve(rb, CPU_HOTPLUG_E_SIZE, 0);
 	if(!ringbuf.data) {
 		counter->n_drops_buffer++;
 		return 0;
--- a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
@ -179,9 +179,9 @@ int BPF_PROG(t1_sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux
 	uint32_t tty = exctract__tty(task);
 	auxmap__store_u32_param(auxmap, (uint32_t)tty);

-	/* Parameter 18: pgid (type: PT_PID) */
-	pid_t pgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
-	auxmap__store_s64_param(auxmap, (int64_t)pgid);
+	/* Parameter 18: vpgid (type: PT_PID) */
+	pid_t vpgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
+	auxmap__store_s64_param(auxmap, (int64_t)vpgid);

 	/* Parameter 19: loginuid (type: PT_UID) */
 	uint32_t loginuid;
--- a/driver/modern_bpf/programs/attached/events/sched_switch.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/sched_switch.bpf.c
@ -22,7 +22,7 @@ int BPF_PROG(sched_switch, bool preempt, struct task_struct *prev, struct task_s
 	/// TODO: we could avoid switches from kernel threads to kernel threads (?).

 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, SCHED_SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
 		return 0;
 	}

--- a/driver/modern_bpf/programs/attached/events/signal_deliver.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/signal_deliver.bpf.c
@ -19,7 +19,7 @@ int BPF_PROG(signal_deliver, int sig, struct kernel_siginfo *info, struct k_siga
 	}

 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, SIGNAL_DELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, SIGNALDELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
 		return 0;
 	}

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/accept4.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/accept4.bpf.c
@ -105,6 +105,12 @@ int BPF_PROG(accept4_x, struct pt_regs *regs, long ret) {
 	/* Parameter 5: queuemax (type: PT_UINT32) */
 	auxmap__store_u32_param(auxmap, queuemax);

+	/* Parameter 6: flags (type: PT_FLAGS32) */
+	/// TODO: we don't support flags yet and so we just return zero.
+	///    If implemented, special handling for SYS_ACCEPT socketcall is needed.
+	uint32_t flags = 0;
+	auxmap__store_u32_param(auxmap, flags);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	auxmap__finalize_event_header(auxmap);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/access.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/access.bpf.c
@ -51,10 +51,14 @@ int BPF_PROG(access_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);

-	/* Parameter 2: pathname (type: PT_FSPATH) */
+	/* Parameter 2: name (type: PT_FSPATH) */
 	unsigned long path_pointer = extract__syscall_argument(regs, 0);
 	auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER);

+	/* Parameter 3: mode (type: PT_UINT32) */
+	int mode = (int)extract__syscall_argument(regs, 1);
+	auxmap__store_u32_param(auxmap, (uint32_t)access_flags_to_scap(mode));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	auxmap__finalize_event_header(auxmap);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/brk.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/brk.bpf.c
@ -22,7 +22,7 @@ int BPF_PROG(brk_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	/* Parameter 1: addr (type: PT_UINT64) */
-	unsigned long addr = extract__syscall_argument(regs, 0);
+	uint64_t addr = extract__syscall_argument(regs, 0);
 	ringbuf__store_u64(&ringbuf, addr);

 	/*=============================== COLLECT PARAMETERS  ===========================*/
@ -68,6 +68,10 @@ int BPF_PROG(brk_x, struct pt_regs *regs, long ret) {
 	/* Parameter 4: vm_swap (type: PT_UINT32) */
 	ringbuf__store_u32(&ringbuf, swap_size);

+	/* Parameter 5: addr (type: PT_UINT64) */
+	uint64_t addr = extract__syscall_argument(regs, 0);
+	ringbuf__store_u64(&ringbuf, addr);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c
@ -50,9 +50,9 @@ int BPF_PROG(close_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: fd (type: PT_FD)*/
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -80,9 +80,13 @@ int BPF_PROG(close_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c
@ -24,14 +24,14 @@ int BPF_PROG(connect_e, struct pt_regs *regs, long id) {
 	unsigned long args[3] = {0};
 	extract__network_args(args, 3, regs);

-	/* Parameter 1: fd (type: PT_FD)*/
-	int32_t socket_fd = (int32_t)args[0];
-	auxmap__store_s64_param(auxmap, (int64_t)socket_fd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t socket_fd = (int64_t)(int32_t)args[0];
+	auxmap__store_s64_param(auxmap, socket_fd);

-	/* Parameter 2: addr (type: PT_SOCKADDR)*/
-	unsigned long sockaddr_ptr = args[1];
-	uint16_t addrlen = (uint16_t)args[2];
-	auxmap__store_sockaddr_param(auxmap, sockaddr_ptr, addrlen);
+	/* Parameter 2: addr (type: PT_SOCKADDR) */
+	unsigned long usrsockaddr = args[1];
+	uint16_t usrsockaddr_len = (uint16_t)args[2];
+	auxmap__store_sockaddr_param(auxmap, usrsockaddr, usrsockaddr_len);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -57,25 +57,30 @@ int BPF_PROG(connect_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	unsigned long socket_fd = 0;
-	extract__network_args(&socket_fd, 1, regs);
+	unsigned long args[3] = {0};
+	extract__network_args(args, 3, regs);
+	int64_t socket_fd = (int64_t)(int32_t)args[0];

 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);

+	struct sockaddr *usrsockaddr = (struct sockaddr *)args[1];
+
 	/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
-	/* We need a valid sockfd to extract source data.*/
 	if(ret == 0 || ret == -EINPROGRESS) {
-		auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, NULL);
+		/* Notice: the following will push an empty parameter if
+		 * something goes wrong (e.g.: fd not valid). */
+		auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, usrsockaddr);
 	} else {
 		auxmap__store_empty_param(auxmap);
 	}

-	/* Parameter 3: fd (type: PT_FD)*/
-	/* We need the double cast to extract the first 4 bytes and then
-	 * convert them to a signed integer on 64-bit
-	 */
-	auxmap__store_s64_param(auxmap, (int64_t)(int32_t)socket_fd);
+	/* Parameter 3: fd (type: PT_FD) */
+	auxmap__store_s64_param(auxmap, socket_fd);
+
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	uint16_t usrsockaddr_len = (uint16_t)args[2];
+	auxmap__store_sockaddr_param(auxmap, (unsigned long)usrsockaddr, usrsockaddr_len);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c
@ -25,8 +25,8 @@ int BPF_PROG(copy_file_range_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	/* Parameter 1: fdin (type: PT_FD) */
-	int32_t fdin = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fdin);
+	int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fdin);

 	/* Parameter 2: offin (type: PT_UINT64) */
 	uint64_t offin = extract__syscall_argument(regs, 1);
@ -58,17 +58,29 @@ int BPF_PROG(copy_file_range_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

 	/* Parameter 2: fdout (type: PT_FD) */
-	int32_t fdout = (int32_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_s64(&ringbuf, (int64_t)fdout);
+	int64_t fdout = (int64_t)(int32_t)extract__syscall_argument(regs, 2);
+	ringbuf__store_s64(&ringbuf, fdout);

 	/* Parameter 3: offout (type: PT_UINT64) */
 	uint64_t offout = extract__syscall_argument(regs, 3);
 	ringbuf__store_u64(&ringbuf, offout);

+	/* Parameter 4: fdin (type: PT_FD) */
+	int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fdin);
+
+	/* Parameter 5: offin (type: PT_UINT64) */
+	uint64_t offin = extract__syscall_argument(regs, 1);
+	ringbuf__store_u64(&ringbuf, offin);
+
+	/* Parameter 6: len (type: PT_UINT64) */
+	uint64_t len = extract__syscall_argument(regs, 4);
+	ringbuf__store_u64(&ringbuf, len);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c
@ -21,9 +21,9 @@ int BPF_PROG(dup_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -47,12 +47,12 @@ int BPF_PROG(dup_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, ret);
+	/* Parameter 1: res (type: PT_FD) */
+	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);

 	/* Parameter 2: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c
@ -21,9 +21,9 @@ int BPF_PROG(dup2_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -47,16 +47,16 @@ int BPF_PROG(dup2_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, ret);
+	/* Parameter 1: res (type: PT_FD) */
+	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);

 	/* Parameter 2: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);

 	/* Parameter 3: newfd (type: PT_FD) */
-	int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, (int64_t)newfd);
+	int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_s64(&ringbuf, newfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c
@ -21,9 +21,9 @@ int BPF_PROG(dup3_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -47,16 +47,16 @@ int BPF_PROG(dup3_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, ret);
+	/* Parameter 1: res (type: PT_FD) */
+	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);

 	/* Parameter 2: oldfd (type: PT_FD) */
-	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
+	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, oldfd);

 	/* Parameter 3: newfd (type: PT_FD) */
-	int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, (int64_t)newfd);
+	int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_s64(&ringbuf, newfd);

 	/* Parameter 4: flags (type: PT_FLAGS32) */
 	int32_t flags = extract__syscall_argument(regs, 2);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c
@ -47,9 +47,13 @@ int BPF_PROG(epoll_create_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: size (type: PT_INT32) */
+	int32_t size = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s32(&ringbuf, size);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c
@ -47,9 +47,13 @@ int BPF_PROG(epoll_create1_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: flags (type: PT_FLAGS32) */
+	int32_t flags = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u32(&ringbuf, epoll_create1_flags_to_scap(flags));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_wait.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_wait.bpf.c
@ -50,6 +50,10 @@ int BPF_PROG(epoll_wait_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: maxevents (type: PT_ERRNO) */
+	int maxevents = (int)extract__syscall_argument(regs, 2);
+	ringbuf__store_s64(&ringbuf, (int64_t)maxevents);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd.bpf.c
@ -22,8 +22,8 @@ int BPF_PROG(eventfd_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	/* Parameter 1: initval (type: PT_UINT64) */
-	uint32_t initval = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, (uint64_t)initval);
+	uint64_t initval = (uint64_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u64(&ringbuf, initval);

 	/* Parameter 2: flags (type: PT_UINT32) */
 	/* The syscall eventfd has no flags! only `eventfd2` has the `flags` param.
@ -53,9 +53,19 @@ int BPF_PROG(eventfd_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_FD)*/
+	/* Parameter 1: res (type: PT_FD) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: initval (type: PT_UINT64) */
+	uint64_t initval = (uint64_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u64(&ringbuf, initval);
+
+	/* Parameter 3: flags (type: PT_UINT32) */
+	/* The syscall eventfd has no flags! only `eventfd2` has the `flags` param.
+	 * For compatibility with the event definition here we send `0` as flags.
+	 */
+	ringbuf__store_u32(&ringbuf, 0);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd2.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd2.bpf.c
@ -47,13 +47,17 @@ int BPF_PROG(eventfd2_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_FD)*/
+	/* Parameter 1: res (type: PT_FD) */
 	ringbuf__store_s64(&ringbuf, ret);

 	/* Parameter 2: flags (type: PT_FLAGS16) */
 	int32_t flags = (int32_t)extract__syscall_argument(regs, 1);
 	ringbuf__store_u16(&ringbuf, eventfd2_flags_to_scap(flags));

+	/* Parameter 3: initval (type: PT_UINT64) */
+	uint32_t initval = (uint32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u64(&ringbuf, (uint64_t)initval);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
@ -198,9 +198,9 @@ int BPF_PROG(t1_execve_x, struct pt_regs *regs, long ret) {
 	uint32_t tty = exctract__tty(task);
 	auxmap__store_u32_param(auxmap, (uint32_t)tty);

-	/* Parameter 18: pgid (type: PT_PID) */
-	pid_t pgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
-	auxmap__store_s64_param(auxmap, (int64_t)pgid);
+	/* Parameter 18: vpgid (type: PT_PID) */
+	pid_t vpgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
+	auxmap__store_s64_param(auxmap, (int64_t)vpgid);

 	/* Parameter 19: loginuid (type: PT_UID) */
 	uint32_t loginuid;
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchdir.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchdir.bpf.c
@ -50,6 +50,10 @@ int BPF_PROG(fchdir_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: fd (type: PT_FD) */
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/flock.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/flock.bpf.c
@ -22,8 +22,8 @@ int BPF_PROG(flock_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	/* Parameter 1: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);

 	/* Parameter 2: operation (type: PT_FLAGS32) */
 	unsigned long operation = extract__syscall_argument(regs, 1);
@ -51,9 +51,17 @@ int BPF_PROG(flock_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);
+
+	/* Parameter 3: operation (type: PT_FLAGS32) */
+	unsigned long operation = extract__syscall_argument(regs, 1);
+	ringbuf__store_u32(&ringbuf, flock_flags_to_scap((int)operation));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fstat.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fstat.bpf.c
@ -50,6 +50,10 @@ int BPF_PROG(fstat_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: fd (type: PT_FD) */
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/futex.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/futex.bpf.c
@ -58,6 +58,18 @@ int BPF_PROG(futex_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (int64_t)ret);

+	/* Parameter 2: addr (type: PT_UINT64) */
+	uint64_t addr = extract__syscall_argument(regs, 0);
+	ringbuf__store_u64(&ringbuf, addr);
+
+	/* Parameter 3: op (type: PT_ENUMFLAGS16) */
+	int32_t op = (int32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_u16(&ringbuf, futex_op_to_scap((unsigned long)op));
+
+	/* Parameter 4: val (type: PT_UINT64) */
+	uint64_t val = extract__syscall_argument(regs, 2);
+	ringbuf__store_u64(&ringbuf, val);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/generic.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/generic.bpf.c
@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(generic_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, GENERIC_E_SIZE, PPME_GENERIC_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, SYSCALL_E_SIZE, PPME_GENERIC_E)) {
 		return 0;
 	}

@ -52,7 +52,7 @@ int BPF_PROG(generic_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(generic_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, GENERIC_X_SIZE, PPME_GENERIC_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, SYSCALL_X_SIZE, PPME_GENERIC_X)) {
 		return 0;
 	}

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents.bpf.c
@ -21,9 +21,9 @@ int BPF_PROG(getdents_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: fd (type: PT_FD)*/
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -47,9 +47,13 @@ int BPF_PROG(getdents_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents64.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents64.bpf.c
@ -21,9 +21,9 @@ int BPF_PROG(getdents64_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: fd (type: PT_FD)*/
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+	/* Parameter 1: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -47,9 +47,13 @@ int BPF_PROG(getdents64_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getrlimit.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getrlimit.bpf.c
@ -71,6 +71,10 @@ int BPF_PROG(getrlimit_x, struct pt_regs *regs, long ret) {
 		ringbuf__store_s64(&ringbuf, -1);
 	}

+	/* Parameter 4: resource (type: PT_ENUMFLAGS8) */
+	unsigned long resource = extract__syscall_argument(regs, 0);
+	ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init.bpf.c
@ -53,6 +53,11 @@ int BPF_PROG(inotify_init_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_FD) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: flags (type: PT_UINT8) */
+	/* Send `0` to unify handling with inotify_init1. */
+	uint8_t flags = 0;
+	ringbuf__store_u8(&ringbuf, flags);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ioctl.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ioctl.bpf.c
@ -55,9 +55,21 @@ int BPF_PROG(ioctl_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: fd (type: PT_FD) */
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+
+	/* Parameter 3: request (type: PT_UINT64) */
+	uint64_t request = extract__syscall_argument(regs, 1);
+	ringbuf__store_u64(&ringbuf, request);
+
+	/* Parameter 4: argument (type: PT_UINT64) */
+	uint64_t argument = extract__syscall_argument(regs, 2);
+	ringbuf__store_u64(&ringbuf, argument);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/kill.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/kill.bpf.c
@ -51,9 +51,17 @@ int BPF_PROG(kill_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);

+	/* Parameter 2: pid (type: PT_PID) */
+	pid_t pid = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)pid);
+
+	/* Parameter 3: sig (type: PT_SIGTYPE) */
+	uint8_t sig = (uint8_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_u8(&ringbuf, sig);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/llseek.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/llseek.bpf.c
@ -58,6 +58,20 @@ int BPF_PROG(llseek_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (int64_t)ret);

+	/* Parameter 2: fd (type: PT_FD) */
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+
+	/* Parameter 3: offset (type: PT_UINT64) */
+	unsigned long oh = extract__syscall_argument(regs, 1);
+	unsigned long ol = extract__syscall_argument(regs, 2);
+	unsigned long offset = (oh << 32) + ol;
+	ringbuf__store_u64(&ringbuf, offset);
+
+	/* Parameter 4: whence (type: PT_ENUMFLAGS8) */
+	unsigned long whence = extract__syscall_argument(regs, 3);
+	ringbuf__store_u8(&ringbuf, lseek_whence_to_scap(whence));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/lseek.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/lseek.bpf.c
@ -22,8 +22,8 @@ int BPF_PROG(lseek_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	/* Parameter 1: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);

 	/* Parameter 2: offset (type: PT_UINT64) */
 	unsigned long offset = extract__syscall_argument(regs, 1);
@ -56,6 +56,18 @@ int BPF_PROG(lseek_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (int64_t)ret);

+	/* Parameter 2: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);
+
+	/* Parameter 3: offset (type: PT_UINT64) */
+	unsigned long offset = extract__syscall_argument(regs, 1);
+	ringbuf__store_u64(&ringbuf, offset);
+
+	/* Parameter 4: whence (type: PT_ENUMFLAGS8) */
+	unsigned long whence = extract__syscall_argument(regs, 2);
+	ringbuf__store_u8(&ringbuf, lseek_whence_to_scap(whence));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .0.3
 .0.4
 @ -1 +1 @@
 .5.0
 .69.0