chore(deps): Bump softprops/action-gh-release in the actions group

Bumps the actions group with 1 update: [softprops/action-gh-release](https://github.com/softprops/action-gh-release).


Updates `softprops/action-gh-release` from 2.0.8 to 2.0.9
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](c062e08bd5...e7a8f85e1c)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/actions/install-zig/action.yml

@@ -0,0 +1,59 @@
+name: 'install-zig'
+description: 'Install zig compiler and make it available in PATH.'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Store zig version as local output
+      shell: bash
+      id: store
+      env:
+        ZIG_VERSION: '0.14.0-dev.1952+9f84f7f92'
+      run: |
+        echo "zig_version=${ZIG_VERSION}" >> "$GITHUB_OUTPUT"
+
+    - name: Create zig install folder
+      shell: bash
+      run: mkdir /usr/local/zig
+
+    # TODO: this is only needed because we are using a development version of zig,
+    # since we need https://github.com/ziglang/zig/pull/21253 to be included.
+    # Development versions of zig are not kept alive forever, but get overridden.
+    # We cache it to keep it alive.
+    - name: Download zig (cached)
+      id: cache-zig
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      with:
+        path: /usr/local/zig
+        key: zig-${{ runner.os }}-${{ runner.arch }}-${{ steps.store.outputs.zig_version }}
+
+    - name: Download zig
+      if: steps.cache-zig.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        curl -L -o zig.tar.xz https://ziglang.org/builds/zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}.tar.xz
+        tar -xvf zig.tar.xz
+
+        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
+        #!/bin/bash
+        exec zig cc -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
+        EOF
+        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc
+
+        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
+        #!/bin/bash
+        exec zig c++ -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
+        EOF
+        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++
+
+        cp -R zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/* /usr/local/zig/
+
+    - name: Setup zig
+      shell: bash
+      id: zig
+      run: |
+        echo "/usr/local/zig" >> $GITHUB_PATH
+        echo "CC=zig-cc" >> $GITHUB_ENV
+        echo "CXX=zig-c++" >> $GITHUB_ENV
+        echo "AR=zig ar" >> $GITHUB_ENV
+        echo "RANLIB=zig ranlib" >> $GITHUB_ENV

.github/workflows/ci.yml

@@ -16,12 +16,12 @@ concurrency:
 jobs:
   build-libs-linux:
     name: build-libs-linux-${{ matrix.arch }} 😁 (${{ matrix.name }})
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
     strategy:
       fail-fast: false
       matrix:
         arch: [amd64, arm64]
-        name: [system_deps, bundled_deps, system_deps_minimal, sanitizers]
+        name: [system_deps, bundled_deps, system_deps_minimal, sanitizers, zig]
         include:
           - name: system_deps
             cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
@@ -31,6 +31,8 @@ jobs:
             cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
           - name: sanitizers
             cmake_opts: -DUSE_ASAN=On -DUSE_UBSAN=On -DUSE_BUNDLED_DEPS=False
+          - name: zig
+            cmake_opts: -DUSE_BUNDLED_DEPS=True
     container:
       image: debian:buster
     steps:
@@ -47,7 +49,7 @@ jobs:
           rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/
 
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -59,6 +61,10 @@ jobs:
         run: |
           git config --global --add safe.directory $GITHUB_WORKSPACE
 
+      - name: Install zig
+        if: matrix.name == 'zig'
+        uses: ./.github/actions/install-zig
+
       - name: Build and test 🏗️🧪
         env:
           UBSAN_OPTIONS: print_stacktrace=1
@@ -68,6 +74,19 @@ jobs:
           KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
           make run-unit-tests
 
+      # On zig, build also sinsp-example and check the glibc linked versions
+      # to make sure we are actually using the correct glibc version.
+      - name: Test zig build glibc version
+        if: matrix.name == 'zig'
+        run: |
+          cd build
+          objdump -T libsinsp/test/unit-test-libsinsp | grep -Eo 'GLIBC_\S+' | sort -u -t "." -k1,1n -k2,2n -k3,3n
+          linked_glibc=$(objdump -T libsinsp/test/unit-test-libsinsp | grep -Eo 'GLIBC_\S+' | sort -u -t "." -k1,1n -k2,2n -k3,3n | tail -n1 | tr -d ')')
+          if [ "$linked_glibc" != "GLIBC_2.17" ]; then
+            echo "Expected glibc 2.17; found $linked_glibc" 
+            exit 1
+          fi
+
   build-libs-linux-amd64-static:
     name: build-libs-linux-amd64-static 🎃
     runs-on: ubuntu-latest
@@ -79,7 +98,7 @@ jobs:
           apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
 
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -98,7 +117,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -148,7 +167,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -163,7 +182,7 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -200,7 +219,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -280,15 +299,15 @@ jobs:
           sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
 
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-          
+
       - name: Fix kernel mmap rnd bits
         # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
         # high-entropy ASLR in much newer kernels that GitHub runners are
         # using leading to random crashes: https://reviews.llvm.org/D148280
-        run: sudo sysctl vm.mmap_rnd_bits=28    
+        run: sudo sysctl vm.mmap_rnd_bits=28
 
       - name: Install deps ⛓️
         run: |
@@ -316,7 +335,7 @@ jobs:
           sudo -E ../test/e2e/scripts/run_tests.sh
 
       - name: Archive test reports
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: failure()
         with:
           name: ${{ matrix.name }}_report
@@ -333,7 +352,7 @@ jobs:
           sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r) emscripten
 
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 

.github/workflows/create-comment-kernel-testing.yml

@@ -23,9 +23,14 @@ jobs:
                repo: context.repo.repo,
                run_id: ${{github.event.workflow_run.id }},
             });
-            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+            var matchArtifacts = artifacts.data.artifacts.filter((artifact) => {
               return artifact.name == "pr-kernel-testing"
-            })[0];
+            });
+            if (!Array.isArray(matchArtifacts) || !matchArtifacts.length) {
+              var process = require('process');
+              process.exit();
+            }
+            var matchArtifact = matchArtifacts[0];
             var download = await github.rest.actions.downloadArtifact({
                owner: context.repo.owner,
                repo: context.repo.repo,
@@ -36,7 +41,10 @@ jobs:
             fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
 
       - name: 'Unpack artifact'
-        run: unzip pr.zip
+        run: |
+          if [ -f pr.zip ]; then
+            unzip pr.zip
+          fi
 
       - name: 'Comment on PR'
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -45,16 +53,20 @@ jobs:
           # Taken from https://github.com/actions/github-script/blob/main/.github/workflows/pull-request-test.yml
           script: |
             var fs = require('fs');
+            if (!fs.existsSync('./NR')) {
+              var process = require('process');
+              process.exit();
+            }
             var issue_number = Number(fs.readFileSync('./NR'));
             var comment_body = fs.readFileSync('./COMMENT');
-            
+
             // Get the existing comments.
             const {data: comments} = await github.rest.issues.listComments({
               owner: context.repo.owner,
               repo: context.repo.repo,
               issue_number: issue_number,
             });
-            
+
             // Find any comment already made by the bot.
             const botComment = comments.find(comment => comment.user.id === 41898282 && comment.body.includes('# X64 kernel testing matrix'));
 

.github/workflows/create-comment-perf.yml

@@ -23,9 +23,14 @@ jobs:
                repo: context.repo.repo,
                run_id: ${{github.event.workflow_run.id }},
             });
-            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+            var matchArtifacts = artifacts.data.artifacts.filter((artifact) => {
               return artifact.name == "pr-perf"
-            })[0];
+            });
+            if (!Array.isArray(matchArtifacts) || !matchArtifacts.length) {
+              var process = require('process');
+              process.exit();
+            }
+            var matchArtifact = matchArtifacts[0];
             var download = await github.rest.actions.downloadArtifact({
                owner: context.repo.owner,
                repo: context.repo.repo,
@@ -36,7 +41,10 @@ jobs:
             fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
 
       - name: 'Unpack artifact'
-        run: unzip pr.zip
+        run: |
+          if [ -f pr.zip ]; then
+            unzip pr.zip
+          fi
 
       - name: 'Comment on PR'
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -45,6 +53,10 @@ jobs:
           # Taken from https://github.com/actions/github-script/blob/main/.github/workflows/pull-request-test.yml
           script: |
             var fs = require('fs');
+            if (!fs.existsSync('./NR')) {
+              var process = require('process');
+              process.exit();
+            }
             var issue_number = Number(fs.readFileSync('./NR'));
             var comment_body = fs.readFileSync('./COMMENT');
 

.github/workflows/driver-api-version.yml

@@ -12,7 +12,6 @@ on:
       - 'driver/ppm_events_public.h'
       - 'driver/bpf/maps.h'
       - 'driver/modern_bpf/maps/maps.h'
-      
 
 jobs:
   paths-filter:
@@ -20,8 +19,8 @@ jobs:
     outputs:
       driver_api_changed: ${{ steps.filter.outputs.driver_api }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
       id: filter
       with:
         filters: |
@@ -36,7 +35,7 @@ jobs:
     if: needs.paths-filter.outputs.driver_api_changed == 'false'
     steps:
       - name: Check driver API_VERSION
-        uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
         with:
           message: |
             Please double check **driver/API_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#api-version-number).

.github/workflows/driver-schema-version.yml

@@ -19,8 +19,8 @@ jobs:
     outputs:
       driver_schema_changed: ${{ steps.filter.outputs.driver_schema }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
       id: filter
       with:
         filters: |
@@ -34,14 +34,14 @@ jobs:
     needs: paths-filter
     if: needs.paths-filter.outputs.driver_schema_changed == 'false'
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Check driver SCHEMA_VERSION
-        uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
         with:
           message: |
             Please double check **driver/SCHEMA_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#schema-version-number).
-            
+
             /hold
 
       - name: Trigger failure

.github/workflows/driverkit.yml

@@ -37,7 +37,7 @@ jobs:
       - name: Test drivers build on ${{ matrix.name }}
         run: |
           driverkit docker --kernelrelease ${{ matrix.kernelrelease }} --target ${{ matrix.target }} --output-module /tmp/libs.ko --output-probe /tmp/libs.o --driverversion $GITHUB_SHA --loglevel debug --kernelurls ${{ matrix.kernelurls }}
-          
+
   build-drivers-arm64:
     strategy:
       matrix:

.github/workflows/drivers_ci.yml

@@ -24,8 +24,8 @@ jobs:
       libscap: ${{ steps.filter.outputs.libscap }}
       libpman: ${{ steps.filter.outputs.libpman }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
       id: filter
       with:
         filters: |
@@ -39,7 +39,7 @@ jobs:
   # This job run all engine tests and scap-open
   test-scap:
     name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
     needs: paths-filter
     strategy:
       matrix:
@@ -48,14 +48,14 @@ jobs:
           - arch: amd64
             enable_gvisor: True
           - arch: amd64
-            enable_gvisor: False  
-      fail-fast: false  
+            enable_gvisor: False
+      fail-fast: false
     steps:
       - name: Checkout Libs ⤵️
         # We need to skip each step because of https://github.com/orgs/community/discussions/9141.
         # This avoids having a skipped job whose name is not the resolved matrix name, like "test-scap-${{ matrix.arch }} 😆 (bundled_deps)"
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -63,24 +63,12 @@ jobs:
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         run: |
           sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r)
           git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
           cd bpftool
           git submodule update --init
           cd src && sudo make install
 
-      - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
-        if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'arm64'
-
-      - name: Install kernel headers
-        if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64'
-        run: |
-          sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
-          
       - name: Build scap-open and drivers 🏗️
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         run: |
@@ -116,7 +104,7 @@ jobs:
 
   test-drivers:
     name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
     needs: paths-filter
     strategy:
       matrix:
@@ -125,7 +113,7 @@ jobs:
     steps:
       - name: Checkout Libs ⤵️
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -133,23 +121,16 @@ jobs:
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         run: |
           sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang-14 llvm-14 libtool
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang llvm libtool linux-headers-$(uname -r)
           git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
           cd bpftool
           git submodule update --init
           cd src && sudo make install
 
-      - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
-        if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'arm64'
-
-      - name: Install kernel headers and gcc
+      - name: Install multilib compilers for ia32 tests
         if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64'
         run: |
-          sudo apt install -y --no-install-recommends linux-headers-$(uname -r) gcc-multilib g++-multilib
+          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
 
       - name: Build drivers tests 🏗️
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
@@ -175,13 +156,13 @@ jobs:
         run: |
           cd build
           sudo ./test/drivers/drivers_test -k
-          
+
   test-drivers-ppc64le:
     name: test-drivers-ppc64le 😁 (system_deps,custom node)
     runs-on: ubuntu-22.04
     # Avoid running on forks since this job uses a private secret
     # not available on forks, leading to failures.
-    if: github.repository == 'falcosecurity/libs'
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'falcosecurity/libs'
     needs: paths-filter
     steps:
       - name: Extract branch name
@@ -189,7 +170,7 @@ jobs:
 
       - name: Build and test drivers on ppc64le node via ssh
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
+        uses: appleboy/ssh-action@25ce8cbbcb08177468c7ff7ec5cbfa236f9341e1 # v1.1.0
         with:
           host: ${{ secrets.PPC64LE_HOST }}
           username: ${{ secrets.PPC64LE_USERNAME }}
@@ -211,7 +192,7 @@ jobs:
             sudo ./test/drivers/drivers_test -k
             rc_kmod=$?
             exit $(($rc_modern + $rc_bpf +$rc_kmod))
-        
+
   build-drivers-s390x:
     name: build-drivers-s390x 😁 (system_deps)
     runs-on: ubuntu-22.04
@@ -219,11 +200,11 @@ jobs:
     steps:
       - name: Checkout Libs ⤵️
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
-      - uses: uraimo/run-on-arch-action@4ed76f16f09d12e83abd8a49e1ac1e5bf08784d4 # v2.5.1
+      - uses: uraimo/run-on-arch-action@5397f9e30a9b62422f302092631c99ae1effcd9e # v2.8.1
         name: Run s390x build 🏗️
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         with:
@@ -232,7 +213,7 @@ jobs:
           githubToken: ${{ github.token }}
 
           install: |
-            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic            
+            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic
             git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
             cd bpftool
             git submodule update --init
@@ -248,7 +229,7 @@ jobs:
             mkdir -p build
             cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DENABLE_DRIVERS_TESTS=On -DCREATE_TEST_TARGETS=On -DBUILD_LIBSCAP_GVISOR=OFF ../
             KERNELDIR=/lib/modules/$(ls /lib/modules)/build make driver bpf drivers_test -j6
-  
+
   build-modern-bpf-skeleton:
     needs: paths-filter
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
@@ -262,7 +243,7 @@ jobs:
           dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
 
       - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Build modern BPF skeleton
         run: |
@@ -271,7 +252,7 @@ jobs:
           make ProbeSkeleton -j6
 
       - name: Upload skeleton
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: bpf_probe_x86_64.skel.h
           path: skeleton-build/skel_dir/bpf_probe.skel.h
@@ -280,57 +261,30 @@ jobs:
   build-scap-open-w-extern-bpf-skeleton:
     env:
       ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
-    needs: [paths-filter,build-modern-bpf-skeleton] 
-    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    needs: [paths-filter,build-modern-bpf-skeleton]
     runs-on: 'ubuntu-latest'
     if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-    container: centos:7
     steps:
-      # Always install deps before invoking checkout action, to properly perform a full clone.
-      - name: Fix mirrors to use vault.centos.org
-        run: |
-          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
-          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
-          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
-
-      - name: Install scl repos
-        run: |
-          yum -y install centos-release-scl
-
-      - name: Fix new mirrors to use vault.centos.org
-        run: |
-          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
-          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
-          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
-
       - name: Install build dependencies
         run: |
-          yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
-          source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build perl-IPC-Cmd
+          sudo apt update
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev
+          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
+          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
+          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
 
       - name: Checkout
-        # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Download skeleton
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: bpf_probe_x86_64.skel.h
           path: /tmp
 
-      - name: Install updated cmake
-        run: |
-          curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
-          gzip -d /tmp/cmake.tar.gz
-          tar -xpf /tmp/cmake.tar --directory=/tmp
-          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
-          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)
-
       - name: Prepare project
         run: |
           mkdir build && cd build
-          source /opt/rh/devtoolset-9/enable
           cmake \
               -DCMAKE_BUILD_TYPE=Release \
               -DUSE_BUNDLED_DEPS=On \
@@ -343,15 +297,14 @@ jobs:
       - name: Build project
         run: |
           cd build
-          source /opt/rh/devtoolset-9/enable
-          make scap-open -j6          
+          make scap-open -j6
 
   # Only runs on pull request since on master branch it is already triggered by pages CI.
   kernel-tests-dev:
     needs: paths-filter
     # Avoid running on forks since this job uses a private secret
     # not available on forks, leading to failures.
-    if: github.repository == 'falcosecurity/libs' && github.event_name == 'pull_request' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
     uses: ./.github/workflows/reusable_kernel_tests.yaml
     with:
       # Use real branch's HEAD sha, not the merge commit
@@ -362,17 +315,17 @@ jobs:
     needs: kernel-tests-dev
     # Avoid running on forks since this job uses a private secret
     # not available on forks, leading to failures.
-    if: github.repository == 'falcosecurity/libs' && github.event_name == 'pull_request' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
     runs-on: ubuntu-latest
     steps:
       - name: Download X64 matrix
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: matrix_X64
           path: matrix_X64
 
       - name: Download ARM64 matrix
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: matrix_ARM64
           path: matrix_ARM64
@@ -392,7 +345,7 @@ jobs:
           echo ""
 
       - name: Upload PR info as artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
         with:
           name: pr-kernel-testing
           path: pr/

.github/workflows/e2e_ci.yml

@@ -15,14 +15,14 @@ concurrency:
 jobs:
   build-test-e2e:
     name: build-test-e2e-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
     strategy:
       matrix:
         arch: [amd64, arm64]
       fail-fast: false
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -32,7 +32,8 @@ jobs:
             ca-certificates \
             cmake \
             build-essential \
-            clang-14 llvm-14 \
+            clang \
+            llvm \
             git \
             clang \
             ccache \
@@ -54,27 +55,21 @@ jobs:
             libgrpc++-dev \
             protobuf-compiler-grpc \
             libgtest-dev \
-            libprotobuf-dev
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
+            libprotobuf-dev \
+            linux-headers-$(uname -r)
           sudo .github/install-deps.sh
           git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
           cd bpftool
           git submodule update --init
           cd src && sudo make install
 
-      - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
-        if: matrix.arch == 'arm64'
-
-      - name: Install kernel headers and gcc
+      - name: Install multilib compilers for ia32 tests
         if: matrix.arch == 'amd64'
         run: |
-          sudo apt install -y --no-install-recommends linux-headers-$(uname -r) gcc-multilib g++-multilib
+          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
 
       - name: Run sccache-cache
-        uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4
+        uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6
 
       - name: Build e2e tests 🏗️
         env:
@@ -100,7 +95,7 @@ jobs:
           cd ..
 
       - name: Cache build
-        uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         if: always()
         id: cache
         with:
@@ -110,7 +105,7 @@ jobs:
   test-e2e:
     name: test-e2e-${{ matrix.arch }}-${{ matrix.driver.name }} 😇 (bundled_deps)
     needs: [build-test-e2e]
-    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
     strategy:
       matrix:
         arch: [amd64, arm64]
@@ -118,18 +113,18 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Restore build
         id: cache
-        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: build
           key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
           restore-keys: build-e2e-
-          
+
       - name: Fix kernel mmap rnd bits
         # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
         # high-entropy ASLR in much newer kernels that GitHub runners are
@@ -140,23 +135,14 @@ jobs:
         run: |
           sudo apt update
 
-      - name: Install multilib
+      - name: Install multilib compilers for ia32 tests
         if: matrix.arch == 'amd64'
         run: |
           sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
 
       - name: Install deps
         run: |
-          sudo apt install -y --no-install-recommends clang gcc llvm build-essential cmake python2
-
-      - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
-        if: matrix.arch == 'arm64'
-
-      - name: Install kernel headers and gcc
-        if: matrix.arch == 'amd64'
-        run: |
-          sudo apt install -y --no-install-recommends linux-headers-$(uname -r) gcc-multilib g++-multilib
+          sudo apt install -y --no-install-recommends clang gcc llvm build-essential cmake python3 quota linux-headers-$(uname -r)
 
         # We have no guarantees that the kernel version is the same for the
         # different workers, so we rebuild the drivers.
@@ -177,7 +163,7 @@ jobs:
           cd build/test/libsinsp_e2e/
           sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }}
 
-        # the actuated arm64 workers doesn't have the CONFIG_QFMT_V2 flag
+        # the arm64 workers don't have the CONFIG_QFMT_V2 flag
         # which is needed for the quotactl_ok test (cmd=QQUOTA_ON + id=QFMT_VFS_V0).
       - name: Run e2e tests with ${{ matrix.driver.name }} 🏎️
         if: matrix.arch == 'arm64'
@@ -185,4 +171,4 @@ jobs:
           UBSAN_OPTIONS: print_stacktrace=1
         run: |
           cd build/test/libsinsp_e2e/
-          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok
+          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok

.github/workflows/format.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - master
-      - 'release/**'
+      - "release/**"
 
 jobs:
   format:
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository 🎉
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -24,7 +24,7 @@ jobs:
 
       - name: Run pre-commit ©️
         run: |
-          pre-commit run --all-files
+          pre-commit run --show-diff-on-failure --color=always --all-files
 
       - name: Generate the git-diff 🚒
         if: failure()
@@ -32,7 +32,7 @@ jobs:
 
       - name: Upload the git diff artifact 📦
         if: failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: format_diff.patch
           path: ./format_diff.patch

.github/workflows/latest-kernel.yml

@@ -11,26 +11,23 @@ on:
     - cron: '0 8 * * *' # every day at 8am
 
 jobs:
-  build-latest-kernel:
-    name: build-latest-kernel
-    runs-on: ubuntu-latest
-    container:
-      image: falcosecurity/driverkit:latest
+  compute-latest-version:
+    outputs:
+      latest_vers: ${{ steps.latest-version.outputs.latest_vers }}
+    runs-on: 'ubuntu-latest'
     steps:
       - name: Checkout Archlinux mainline package ⤵️
         run: |
-          apk update && apk add git
           git clone https://aur.archlinux.org/linux-mainline.git linux/
-    
+
       - name: Generate driverkit config
         id: latest-version
         # Note: in case we are building latest mainline,
         # we grep the linux-mainline aur PKGBUILD "_tag" line, that is made like: "_tag=v6.4-rc1"
         # We then need to extract the part after the "=" and finally remove the starting "v".
-        run: |    
+        run: |
           cd linux/
           echo "kernelversion: 1" > dk.yaml
-          echo "architecture: amd64" >> dk.yaml
           echo "driverversion: ${{ github.sha }}" >> dk.yaml
           echo "output:" >> dk.yaml
           echo "  module: mod.ko" >> dk.yaml
@@ -45,26 +42,74 @@ jobs:
             echo "target: arch" >> dk.yaml
           fi
           echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT
-      
+
       - name: Upload driverkit config
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: driverkit_config.yaml
           path: linux/dk.yaml
-          
+
+  build-latest-kernel-amd64:
+    needs: 'compute-latest-version'
+    outputs:
+      build: ${{ steps.build.outcome }}
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Download driverkit config
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: driverkit_config.yaml
+
+      - name: Download latest driverkit artifact
+        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
+        with:
+          name: driverkit-amd64
+          workflow: release.yml
+          repo: falcosecurity/driverkit
+
       - name: Test drivers build
         id: build
         run: |
-          echo "Testing build of drivers against: ${{ steps.latest-version.outputs.latest_vers }}"
-          driverkit docker -c linux/dk.yaml -l debug
-          
+          echo "Testing build of drivers against: ${{ needs.compute-latest-version.outputs.latest_vers }}"
+          chmod +x driverkit
+          ./driverkit docker -c dk.yaml -l debug --timeout 300
+
+  build-latest-kernel-arm64:
+    needs: 'compute-latest-version'
+    outputs:
+      build: ${{ steps.build.outcome }}
+    runs-on: 'github-arm64-2c-8gb'
+    steps:
+      - name: Download driverkit config
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: driverkit_config.yaml
+
+      - name: Download latest driverkit artifact
+        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
+        with:
+          name: driverkit-arm64
+          workflow: release.yml
+          repo: falcosecurity/driverkit
+
+      - name: Test drivers build
+        id: build
+        run: |
+          echo "Testing build of drivers against: ${{ needs.compute-latest-version.outputs.latest_vers }}"
+          chmod +x driverkit
+          ./driverkit docker -c dk.yaml -l debug --timeout 300
+
+  badge-latest-kernel:
+    if: always() && github.event_name == 'schedule'
+    runs-on: 'ubuntu-latest'
+    needs: [compute-latest-version,build-latest-kernel-amd64,build-latest-kernel-arm64]
+    steps:
       - name: Update README badge
         uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0
-        if: always() && github.event_name == 'schedule'
         with:
           auth: ${{ secrets.FEDEDP_GIST_SECRET }}
           gistID: 1cbc5d42edf8e3a02fb75e76625f1072
           filename: kernel.json
           label: Drivers build
-          message: ${{ steps.latest-version.outputs.latest_vers }}
-          color: ${{ steps.build.outcome != 'success' && 'red' || 'brightgreen' }}
+          message: ${{ needs.compute-latest-version.outputs.latest_vers }}
+          color: ${{ (needs.build-latest-kernel-amd64.outputs.build != 'success' || needs.build-latest-kernel-arm64.outputs.build != 'success') && 'red' || 'brightgreen' }}

.github/workflows/pages.yml

@@ -2,7 +2,7 @@ name: Deploy Github Pages
 on:
   push:
     branches: [master]
-      
+
 permissions:
   contents: read
   pages: write
@@ -21,14 +21,14 @@ jobs:
     runs-on: [ "self-hosted", "linux", "X64" ]
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run perf
         id: perf
         uses: ./.github/actions/composite-perf
 
       - name: Archive master perf report
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: perf_report
           retention-days: 30 # 30 days because this is the artifact on master; we need to retain it to be able to properly diff it
@@ -41,7 +41,7 @@ jobs:
           if-no-files-found: error
 
       - name: Checkout Flamegraph ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'brendangregg/FlameGraph'
           path: flamegraph
@@ -72,7 +72,7 @@ jobs:
           rm -rf stacks.txt
 
       - name: Upload svg files
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: perf_svg
           path: '*.svg'
@@ -85,31 +85,31 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
       - name: Download matrix X64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: matrix_X64
-      
+
       - name: Move X64 matrix under docs
         run: mv matrix.md docs/matrix_X64.md
-      
+
       - name: Download matrix ARM64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: matrix_ARM64
-          
+
       - name: Move ARM64 matrix under docs
-        run: mv matrix.md docs/matrix_ARM64.md    
-      
+        run: mv matrix.md docs/matrix_ARM64.md
+
       - name: Disable Table Of Content for matrixes pages
         run: |
           sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_X64.md
           sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_ARM64.md
 
       - name: Download perf svg files
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: perf_svg
 
@@ -128,17 +128,17 @@ jobs:
           echo '<object data="../heaptrack_scap.svg" type="image/svg+xml" id="heaptrack_scap_file"></object>' > docs/heaptrack_scap_file.md
           sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_scap_file.md
 
-      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: 3.x
 
       - run: pip install mkdocs mkdocs-material
-      
+
       - run: mkdocs build
-      
-      - uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0
+
+      - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: 'site'
 
       - id: deployment
-        uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # v2.0.4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5

.github/workflows/perf.yml

@@ -13,10 +13,10 @@ jobs:
     runs-on: [ "self-hosted", "linux", "X64" ]
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Checkout Google benchmark ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'google/benchmark'
           ref: 'v1.9.0'
@@ -40,7 +40,7 @@ jobs:
 
       - name: Diff from master - perf scap file
         run: |
-          sudo perf diff perf_scap.data ${{ steps.perf.outputs.perf_scap }} -d sinsp-example -b -o 1 --percentage relative -q &> perf_scap_diff.txt    
+          sudo perf diff perf_scap.data ${{ steps.perf.outputs.perf_scap }} -d sinsp-example -b -o 1 --percentage relative -q &> perf_scap_diff.txt
 
       - name: Diff from master - heaptrack unit tests
         run: |
@@ -56,7 +56,7 @@ jobs:
           python3 google-benchmark/tools/compare.py --no-color benchmarks gbench_data.json ${{ steps.perf.outputs.gbench_json }} &> gbench_diff.txt
 
       - name: Archive perf diff
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: perf_diff
           path: '*_diff.txt'
@@ -96,7 +96,7 @@ jobs:
           echo ""
 
       - name: Upload PR info as artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
         with:
           name: pr-perf
           path: pr/
@@ -105,11 +105,11 @@ jobs:
 
       # Check will fail if sum of all differences is >= 1%.
       # But we will always comment with the perf diff from master
-      - name: Check >= 1% threshold - perf unit tests
+      - name: Check >= 5% threshold - perf unit tests
         if: always()
         run: |
           sum=$(awk '{sum+=sprintf("%f",$2)}END{printf "%.6f\n",sum}' perf_tests_diff.txt | tr ',' '.')
-          if (( $(echo "$sum >= 1.0" | bc -l) )); then
+          if (( $(echo "$sum >= 5.0" | bc -l) )); then
             exit 1
           fi
 

.github/workflows/release-body.yml

@@ -43,13 +43,13 @@ jobs:
 
           # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
           is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
-          
+
           is_driver = "+driver" in tag_name
 
           with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
             print(f'is_latest={is_latest}'.lower(), file=ofp)
             print(f'is_driver={is_driver}'.lower(), file=ofp)
-            
+
   release-body-libs:
     needs: [release-settings]
     if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'false' }} # only for latest releases and not driver ones
@@ -58,12 +58,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
       - name: Create release body file
         run: |
           touch release-body.md
-          
+
       - name: Extract MIN_API version
         run: |
           MIN_API_VER=$(grep SCAP_MINIMUM_DRIVER_API_VERSION userspace/libscap/scap.h)
@@ -72,7 +72,7 @@ jobs:
           MIN_API_VER=$(echo $MIN_API_VER | tr -d "(" | tr -d ")")
           MIN_API_VER=$(echo $MIN_API_VER | sed -r 's/, /./g')
           echo '!'"[MIN_DRIVER_API](https://img.shields.io/badge/MIN_DRIVER_API-${MIN_API_VER}-yellow)" >> release-body.md
-          
+
       - name: Extract MIN_SCHEMA version
         run: |
           MIN_SCHEMA_VER=$(grep SCAP_MINIMUM_DRIVER_SCHEMA_VERSION userspace/libscap/scap.h)
@@ -82,36 +82,36 @@ jobs:
           MIN_SCHEMA_VER=$(echo $MIN_SCHEMA_VER | sed -r 's/, /./g')
           echo '!'"[MIN_DRIVER_SCHEMA](https://img.shields.io/badge/MIN_DRIVER_SCHEMA-${MIN_SCHEMA_VER}-yellow)" >> release-body.md
           echo "" >> release-body.md
-          
+
       - name: Generate release notes
         uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
         with:
           milestone: ${{ github.event.release.tag_name }}
           output: ./notes.md
-        
+
       - name: Merge release notes to pre existent body
         run: cat notes.md >> release-body.md
-        
+
       - name: Attach release creator to release body
         run: |
           echo "" >> release-body.md
           echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
-        
+
       - name: Release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
         with:
           body_path: ./release-body.md
           tag_name: ${{ github.event.release.tag_name }}
-          name: ${{ github.event.release.name }}          
+          name: ${{ github.event.release.name }}
 
   kernel-tests-release:
     needs: [release-settings]
-    if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases 
+    if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases
     uses: ./.github/workflows/reusable_kernel_tests.yaml
     with:
       libsversion: ${{ github.event.release.tag_name }}
-    secrets: inherit            
-            
+    secrets: inherit
+
   release-body-driver:
     needs: [release-settings, kernel-tests-release]
     if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases
@@ -120,12 +120,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone libs repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-          
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
       - name: Create release body file
         run: |
-          touch release-body.md    
-          
+          touch release-body.md
+
       - name: Extract API and SCHEMA versions
         run: |
           touch release-body.md
@@ -134,20 +134,20 @@ jobs:
           echo '!'"[API](https://img.shields.io/badge/API-${API_VERS}-yellow)" >> release-body.md
           echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md
           echo "" >> release-body.md
-      
+
       - name: Download matrix X64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: matrix_X64
-      
+
       - name: Rename X64 matrix
         run: mv matrix.md matrix_X64.md
-      
+
       - name: Download matrix ARM64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: matrix_ARM64
-          
+
       - name: Rename ARM64 matrix
         run: mv matrix.md matrix_ARM64.md
 
@@ -166,23 +166,23 @@ jobs:
           sed -i '1s/^/# Driver Testing Matrix amd64\n\n/' matrix_X64.md
           sed -i '1s/^/# Driver Testing Matrix arm64\n\n/' matrix_ARM64.md
           cat matrix_X64.md matrix_ARM64.md >> release-body.md
-          
+
       - name: Generate release notes
-        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
+        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73 # main
         with:
           milestone: ${{ github.event.release.tag_name }}
           output: ./notes.md
-        
+
       - name: Merge release notes to pre existent body
         run: cat notes.md >> release-body.md
-        
+
       - name: Attach release creator to release body
         run: |
           echo "" >> release-body.md
-          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md    
+          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
 
       - name: Release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
         with:
           body_path: ./release-body.md
           tag_name: ${{ github.event.release.tag_name }}

.github/workflows/reusable_kernel_tests.yaml

@@ -13,7 +13,7 @@ on:
         type: string
         required: false
         default: 'falcosecurity/libs'
-  workflow_call:    
+  workflow_call:
     inputs:
       libsversion:
         description: 'libs version to be tested, eg: master'
@@ -29,15 +29,17 @@ on:
 concurrency:
   group: kernel-tests
   cancel-in-progress: false
-        
+
 jobs:
   test-kernels:
     strategy:
       fail-fast: false
       matrix:
         architecture: [X64, ARM64]
-    runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ]    
+    runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ]
     steps:
+      # We need to use v0.3.2 instead of the hash because the tagname is 
+      # used by the action to download release tagged images.
       - uses: falcosecurity/kernel-testing@v0.3.2
         id: kernel_tests
         with:
@@ -45,12 +47,12 @@ jobs:
           libsrepo: ${{ inputs.libsrepo }}
           build_matrix: 'true'
 
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: ansible_output_${{matrix.architecture}}
           path: ${{ steps.kernel_tests.outputs.ansible_output }}
-        
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: matrix_${{matrix.architecture}}
           path: ${{ steps.kernel_tests.outputs.matrix_output }}

.github/workflows/semgrep_checks.yml

@@ -14,7 +14,7 @@ jobs:
       image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - name: Scan PR for insecure API usage 🕵️
@@ -32,7 +32,7 @@ jobs:
       image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - name: Scan PR for libs relateive include paths 🕵️

.github/workflows/test_coverage_ci.yml

@@ -27,7 +27,7 @@ jobs:
             gpg gpg-agent gcovr
 
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -51,7 +51,7 @@ jobs:
           gcovr --xml -o ./libsinsp.coverage.xml
 
       - name: Upload to codecov
-        uses: codecov/codecov-action@79066c46f8dcdf8d7355f820dbac958c5b4cb9d3 # v4.5.0
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
         with:
           fail_ci_if_error: true
           files: ./libsinsp.coverage.xml

.github/workflows/update-syscalls.yml

@@ -13,18 +13,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: master
           path: libs
 
       - name: Bump syscalls
-        uses: falcosecurity/syscalls-bumper@main
+        uses: falcosecurity/syscalls-bumper@main # should be pointing to main
         with:
           repo-root: ${{ github.workspace }}/libs
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           path: libs
           signoff: true

driver/bpf/probe.c

@@ -254,7 +254,7 @@ BPF_PROBE("sched/", sched_switch, sched_switch_args) {
 
 	evt_type = PPME_SCHEDSWITCH_6_E;
 
-	call_filler(ctx, ctx, evt_type, 0, -1);
+	call_filler(ctx, ctx, evt_type, UF_ALWAYS_DROP, -1);
 	return 0;
 }
 

driver/configure/CLASS_CREATE_1/test.c

@@ -21,6 +21,7 @@ MODULE_AUTHOR("the Falco authors");
 
 static int class_create_test_init(void) {
 	struct class *g_ppm_class = class_create("test");
+	(void)g_ppm_class;
 	return 0;
 }
 

driver/main.c

@@ -2393,7 +2393,7 @@ TRACEPOINT_PROBE(sched_switch_probe,
 	 * handler calling printk() and potentially deadlocking the system.
 	 */
 	record_event_all_consumers(PPME_SCHEDSWITCH_6_E,
-	                           UF_USED | UF_ATOMIC,
+	                           UF_ALWAYS_DROP | UF_ATOMIC,
 	                           &event_data,
 	                           KMOD_PROG_SCHED_SWITCH);
 }

driver/modern_bpf/helpers/base/maps_getters.h

@@ -85,11 +85,6 @@ static __always_inline uint8_t maps__64bit_sampling_syscall_table(uint32_t sysca
 	return g_64bit_sampling_syscall_table[syscall_id & (SYSCALL_TABLE_SIZE - 1)];
 }
 
-static __always_inline uint8_t maps__64bit_sampling_tracepoint_table(uint32_t event_id) {
-	return g_64bit_sampling_tracepoint_table[event_id < PPM_EVENT_MAX ? event_id
-	                                                                  : PPM_EVENT_MAX - 1];
-}
-
 /*=============================== SAMPLING TABLES ===========================*/
 
 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/

driver/modern_bpf/helpers/extract/extract_from_kernel.h

@@ -374,15 +374,15 @@ static __always_inline uint64_t extract__capability(struct task_struct *task,
 
 	switch(capability_type) {
 	case CAP_INHERITABLE:
-		READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_inheritable);
+		BPF_CORE_READ_INTO(&cap_struct, task, cred, cap_inheritable);
 		break;
 
 	case CAP_PERMITTED:
-		READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_permitted);
+		BPF_CORE_READ_INTO(&cap_struct, task, cred, cap_permitted);
 		break;
 
 	case CAP_EFFECTIVE:
-		READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_effective);
+		BPF_CORE_READ_INTO(&cap_struct, task, cred, cap_effective);
 		break;
 
 	default:
@@ -729,7 +729,7 @@ static __always_inline unsigned long extract__clone_flags(struct task_struct *ta
  */
 static __always_inline void extract__euid(struct task_struct *task, uint32_t *euid) {
 	*euid = UINT32_MAX;
-	READ_TASK_FIELD_INTO(euid, task, cred, euid.val);
+	BPF_CORE_READ_INTO(euid, task, cred, euid.val);
 }
 
 /**
@@ -739,7 +739,7 @@ static __always_inline void extract__euid(struct task_struct *task, uint32_t *eu
  * @param egid return value by reference
  */
 static __always_inline void extract__egid(struct task_struct *task, uint32_t *egid) {
-	READ_TASK_FIELD_INTO(egid, task, cred, egid.val);
+	BPF_CORE_READ_INTO(egid, task, cred, egid.val);
 }
 
 /////////////////////////
@@ -885,7 +885,7 @@ static __always_inline uint32_t bpf_map_id_up(struct uid_gid_map *map, uint32_t
 
 static __always_inline bool groups_search(struct task_struct *task, uint32_t grp) {
 	struct group_info *group_info = NULL;
-	READ_TASK_FIELD_INTO(&group_info, task, cred, group_info);
+	BPF_CORE_READ_INTO(&group_info, task, cred, group_info);
 	if(!group_info) {
 		return false;
 	}
@@ -934,8 +934,8 @@ static __always_inline bool extract__exe_writable(struct task_struct *task, stru
 
 	uint32_t fsuid;
 	uint32_t fsgid;
-	READ_TASK_FIELD_INTO(&fsuid, task, cred, fsuid.val);
-	READ_TASK_FIELD_INTO(&fsgid, task, cred, fsgid.val);
+	BPF_CORE_READ_INTO(&fsuid, task, cred, fsuid.val);
+	BPF_CORE_READ_INTO(&fsgid, task, cred, fsgid.val);
 
 	/* HAS_UNMAPPED_ID() */
 	if(i_uid == -1 || i_gid == -1) {
@@ -978,7 +978,7 @@ static __always_inline bool extract__exe_writable(struct task_struct *task, stru
 	}
 
 	struct user_namespace *ns;
-	READ_TASK_FIELD_INTO(&ns, task, cred, user_ns);
+	BPF_CORE_READ_INTO(&ns, task, cred, user_ns);
 	if(ns == NULL) {
 		return false;
 	}
@@ -986,7 +986,7 @@ static __always_inline bool extract__exe_writable(struct task_struct *task, stru
 	bool kgid_mapped = bpf_map_id_up(&ns->gid_map, i_gid) != (uint32_t)-1;
 
 	kernel_cap_t cap_struct = {0};
-	READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_effective);
+	BPF_CORE_READ_INTO(&cap_struct, task, cred, cap_effective);
 	// Kernel 6.3 changed the kernel_cap_struct type from uint32_t[2] to uint64_t.
 	// Luckily enough, it also changed field name from cap to val.
 	if(bpf_core_field_exists(((struct kernel_cap_struct *)0)->cap)) {

driver/modern_bpf/helpers/interfaces/attached_programs.h

@@ -10,17 +10,11 @@
 
 #include <helpers/base/maps_getters.h>
 
-/* This enum is used to tell if we are considering a syscall or a tracepoint */
-enum intrumentation_type {
-	MODERN_BPF_SYSCALL = 0,
-	MODERN_BPF_TRACEPOINT = 1,
-};
-
 /* The sampling logic is used by all BPF programs attached to the kernel.
  * We treat the syscalls tracepoints in a dedicated way because they could generate
  * more than one event (1 for each syscall) for this reason we need a dedicated table.
  */
-static __always_inline bool sampling_logic(void* ctx, uint32_t id, enum intrumentation_type type) {
+static __always_inline bool sampling_logic(void* ctx, uint32_t id) {
 	/* If dropping mode is not enabled we don't perform any sampling
 	 * false: means don't drop the syscall
 	 * true: means drop the syscall
@@ -29,16 +23,7 @@ static __always_inline bool sampling_logic(void* ctx, uint32_t id, enum intrumen
 		return false;
 	}
 
-	uint8_t sampling_flag = 0;
-
-	/* If we have a syscall we use the sampling_syscall_table otherwise
-	 * with tracepoints we use the sampling_tracepoint_table.
-	 */
-	if(type == MODERN_BPF_SYSCALL) {
-		sampling_flag = maps__64bit_sampling_syscall_table(id);
-	} else {
-		sampling_flag = maps__64bit_sampling_tracepoint_table(id);
-	}
+	uint8_t sampling_flag = maps__64bit_sampling_syscall_table(id);
 
 	if(sampling_flag == UF_NEVER_DROP) {
 		return false;
@@ -59,7 +44,7 @@ static __always_inline bool sampling_logic(void* ctx, uint32_t id, enum intrumen
 			 * an iteration we will synchronize again the next time the logic is enabled.
 			 */
 			maps__set_is_dropping(true);
-			bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_DROP_E);
+			bpf_tail_call(ctx, &extra_syscall_calls, T1_DROP_E);
 			bpf_printk("unable to tail call into 'drop_e' prog");
 		}
 		return true;
@@ -67,7 +52,7 @@ static __always_inline bool sampling_logic(void* ctx, uint32_t id, enum intrumen
 
 	if(maps__get_is_dropping()) {
 		maps__set_is_dropping(false);
-		bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_DROP_X);
+		bpf_tail_call(ctx, &extra_syscall_calls, T1_DROP_X);
 		bpf_printk("unable to tail call into 'drop_x' prog");
 	}
 

driver/modern_bpf/helpers/store/auxmap_store_params.h

@@ -117,13 +117,12 @@ static __always_inline void auxmap__finalize_event_header(struct auxiliary_map *
  * of events sent to userspace, otherwise we increment the dropped events.
  *
  * @param auxmap pointer to the auxmap in which we have already written the entire event.
- * @param ctx BPF prog context
  */
-static __always_inline void auxmap__submit_event(struct auxiliary_map *auxmap, void *ctx) {
+static __always_inline void auxmap__submit_event(struct auxiliary_map *auxmap) {
 	struct ringbuf_map *rb = maps__get_ringbuf_map();
 	if(!rb) {
-		bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_HOTPLUG_E);
-		bpf_printk("failed to tail call into the 'hotplug' prog");
+		// this should never happen because we check it in sys_enter/sys_exit
+		bpf_printk("FAILURE: unable to obtain the ring buffer");
 		return;
 	}
 

driver/modern_bpf/helpers/store/ringbuf_store_params.h

@@ -90,18 +90,16 @@ struct ringbuf_struct {
  * to know the event dimension at compile time.
  *
  * @param ringbuf pointer to the `ringbuf_struct`
- * @param ctx BPF prog context
  * @param event_size exact size of the fixed-size event
  * @return `1` in case of success, `0` in case of failure.
  */
 static __always_inline uint32_t ringbuf__reserve_space(struct ringbuf_struct *ringbuf,
-                                                       void *ctx,
                                                        uint32_t event_size,
                                                        uint16_t event_type) {
 	struct ringbuf_map *rb = maps__get_ringbuf_map();
 	if(!rb) {
-		bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_HOTPLUG_E);
-		bpf_printk("failed to tail call into the 'hotplug' prog");
+		// this should never happen because we check it in sys_enter/sys_exit
+		bpf_printk("FAILURE: unable to obtain the ring buffer");
 		return 0;
 	}
 

driver/modern_bpf/maps/maps.h

@@ -65,15 +65,6 @@ __weak bool g_64bit_interesting_syscalls_table[SYSCALL_TABLE_SIZE];
  */
 __weak uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
 
-/**
- * @brief Given the tracepoint enum returns:
- * - `UF_NEVER_DROP` if the syscall must not be dropped in the sampling logic.
- * - `UF_ALWAYS_DROP` if the syscall must always be dropped in the sampling logic.
- * - `UF_NONE` if we drop the syscall depends on the sampling ratio.
- */
-/// TOOD: we need to change the dimension! we need to create a dedicated enum for tracepoints!
-__weak uint8_t g_64bit_sampling_tracepoint_table[PPM_EVENT_MAX];
-
 /**
  * @brief Given the syscall id on 32-bit x86 arch returns
  * its x64 value. Used to support ia32 syscall emulation.
@@ -131,7 +122,7 @@ struct {
  * programs directly attached in the kernel (like page_faults,
  * context_switch, ...) and by syscall_events (like
  * ppme_syscall_execveat_x, ...).
- * Given a predefined tail-code (`extra_event_prog_code`), it calls
+ * Given a predefined tail-code (`extra_syscall_codes`), it calls
  * the right bpf program.
  */
 struct {
@@ -139,7 +130,7 @@ struct {
 	__uint(max_entries, TAIL_EXTRA_EVENT_PROG_MAX);
 	__type(key, uint32_t);
 	__type(value, uint32_t);
-} extra_event_prog_tail_table __weak SEC(".maps");
+} extra_syscall_calls __weak SEC(".maps");
 
 /*=============================== BPF_MAP_TYPE_PROG_ARRAY ===============================*/
 

driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c

@@ -49,7 +49,7 @@ int BPF_PROG(sys_enter, struct pt_regs *regs, long syscall_id) {
 		return 0;
 	}
 
-	if(sampling_logic(ctx, syscall_id, MODERN_BPF_SYSCALL)) {
+	if(sampling_logic(ctx, syscall_id)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c

@@ -63,7 +63,7 @@ int BPF_PROG(sys_exit, struct pt_regs *regs, long ret) {
 		return 0;
 	}
 
-	if(sampling_logic(ctx, syscall_id, MODERN_BPF_SYSCALL)) {
+	if(sampling_logic(ctx, syscall_id)) {
 		return 0;
 	}
 
@@ -71,6 +71,16 @@ int BPF_PROG(sys_exit, struct pt_regs *regs, long ret) {
 		return 0;
 	}
 
+	// If we cannot find a ring buffer for this CPU we probably have an hotplug event. It's ok to
+	// check only in the exit path since we will always have at least one exit syscall enabled. If
+	// we change our architecture we may need to update this logic.
+	struct ringbuf_map *rb = maps__get_ringbuf_map();
+	if(!rb) {
+		bpf_tail_call(ctx, &extra_syscall_calls, T1_HOTPLUG_E);
+		bpf_printk("failed to tail call into the 'hotplug' prog");
+		return 0;
+	}
+
 	bpf_tail_call(ctx, &syscall_exit_tail_table, syscall_id);
 
 	return 0;

driver/modern_bpf/programs/attached/events/page_fault_kernel.bpf.c

@@ -16,12 +16,13 @@
 #ifdef CAPTURE_PAGE_FAULTS
 SEC("tp_btf/page_fault_kernel")
 int BPF_PROG(pf_kernel, unsigned long address, struct pt_regs *regs, unsigned long error_code) {
-	if(sampling_logic(ctx, PPME_PAGE_FAULT_E, MODERN_BPF_TRACEPOINT)) {
+	// In case of dropping mode we don't want this kind of events.
+	if(maps__get_dropping_mode()) {
 		return 0;
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, PAGE_FAULT_SIZE, PPME_PAGE_FAULT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, PAGE_FAULT_SIZE, PPME_PAGE_FAULT_E)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/attached/events/page_fault_user.bpf.c

@@ -16,12 +16,13 @@
 #ifdef CAPTURE_PAGE_FAULTS
 SEC("tp_btf/page_fault_user")
 int BPF_PROG(pf_user, unsigned long address, struct pt_regs *regs, unsigned long error_code) {
-	if(sampling_logic(ctx, PPME_PAGE_FAULT_E, MODERN_BPF_TRACEPOINT)) {
+	// In case of dropping mode we don't want this kind of events.
+	if(maps__get_dropping_mode()) {
 		return 0;
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, PAGE_FAULT_SIZE, PPME_PAGE_FAULT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, PAGE_FAULT_SIZE, PPME_PAGE_FAULT_E)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c

@@ -13,6 +13,37 @@
  *		 struct linux_binprm *bprm)
  */
 #ifdef CAPTURE_SCHED_PROC_EXEC
+
+enum extra_sched_proc_exec_codes {
+	T1_SCHED_PROC_EXEC,
+	T2_SCHED_PROC_EXEC,
+	// add more codes here.
+	T_SCHED_PROC_EXEC_MAX,
+};
+
+/*
+ * FORWARD DECLARATIONS:
+ * See the `BPF_PROG` macro in libbpf `libbpf/src/bpf_tracing.h`
+ * #define BPF_PROG(name, args...)		\
+ *    name(unsigned long long *ctx);	\
+ */
+int t1_sched_p_exec(unsigned long long *ctx);
+int t2_sched_p_exec(unsigned long long *ctx);
+
+struct {
+	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+	__uint(max_entries, T_SCHED_PROC_EXEC_MAX);
+	__uint(key_size, sizeof(__u32));
+	__array(values, int(void *));
+} extra_sched_proc_exec_calls SEC(".maps") = {
+        .values =
+                {
+                        [T1_SCHED_PROC_EXEC] = (void *)&t1_sched_p_exec,
+                        [T2_SCHED_PROC_EXEC] = (void *)&t2_sched_p_exec,
+                        // add more tail calls here.
+                },
+};
+
 /* chose a short name for bpftool debugging*/
 SEC("tp_btf/sched_process_exec")
 int BPF_PROG(sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm) {
@@ -114,7 +145,7 @@ int BPF_PROG(sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux_bi
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_SCHED_PROC_EXEC);
+	bpf_tail_call(ctx, &extra_sched_proc_exec_calls, T1_SCHED_PROC_EXEC);
 	return 0;
 }
 
@@ -234,11 +265,11 @@ int BPF_PROG(t1_sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T2_SCHED_PROC_EXEC);
+	bpf_tail_call(ctx, &extra_sched_proc_exec_calls, T2_SCHED_PROC_EXEC);
 	return 0;
 }
 
-SEC("tp_btf/sys_exit")
+SEC("tp_btf/sched_process_exec")
 int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
 	struct auxiliary_map *auxmap = auxmap__get();
 	if(!auxmap) {
@@ -261,7 +292,7 @@ int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 

driver/modern_bpf/programs/attached/events/sched_process_exit.bpf.c

@@ -201,7 +201,7 @@ int BPF_PROG(sched_proc_exit, struct task_struct *task) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/attached/events/sched_process_fork.bpf.c

@@ -14,6 +14,37 @@
  */
 
 #ifdef CAPTURE_SCHED_PROC_FORK
+
+enum extra_sched_proc_fork_codes {
+	T1_SCHED_PROC_FORK,
+	T2_SCHED_PROC_FORK,
+	// add more codes here.
+	T_SCHED_PROC_FORK_MAX,
+};
+
+/*
+ * FORWARD DECLARATIONS:
+ * See the `BPF_PROG` macro in libbpf `libbpf/src/bpf_tracing.h`
+ * #define BPF_PROG(name, args...)		\
+ *    name(unsigned long long *ctx);	\
+ */
+int t1_sched_p_fork(unsigned long long *ctx);
+int t2_sched_p_fork(unsigned long long *ctx);
+
+struct {
+	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+	__uint(max_entries, T_SCHED_PROC_FORK_MAX);
+	__uint(key_size, sizeof(__u32));
+	__array(values, int(void *));
+} extra_sched_proc_fork_calls SEC(".maps") = {
+        .values =
+                {
+                        [T1_SCHED_PROC_FORK] = (void *)&t1_sched_p_fork,
+                        [T2_SCHED_PROC_FORK] = (void *)&t2_sched_p_fork,
+                        // add more tail calls here.
+                },
+};
+
 /* chose a short name for bpftool debugging*/
 SEC("tp_btf/sched_process_fork")
 int BPF_PROG(sched_p_fork, struct task_struct *parent, struct task_struct *child) {
@@ -128,7 +159,7 @@ int BPF_PROG(sched_p_fork, struct task_struct *parent, struct task_struct *child
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_SCHED_PROC_FORK);
+	bpf_tail_call(ctx, &extra_sched_proc_fork_calls, T1_SCHED_PROC_FORK);
 	return 0;
 }
 
@@ -206,7 +237,7 @@ int BPF_PROG(t1_sched_p_fork, struct task_struct *parent, struct task_struct *ch
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T2_SCHED_PROC_FORK);
+	bpf_tail_call(ctx, &extra_sched_proc_fork_calls, T2_SCHED_PROC_FORK);
 	return 0;
 }
 
@@ -224,7 +255,7 @@ int BPF_PROG(t2_sched_p_fork, struct task_struct *parent, struct task_struct *ch
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 #endif /* CAPTURE_SCHED_PROC_EXEC */

driver/modern_bpf/programs/attached/events/sched_switch.bpf.c

@@ -15,14 +15,15 @@
  */
 SEC("tp_btf/sched_switch")
 int BPF_PROG(sched_switch, bool preempt, struct task_struct *prev, struct task_struct *next) {
-	if(sampling_logic(ctx, PPME_SCHEDSWITCH_6_E, MODERN_BPF_TRACEPOINT)) {
+	// In case of dropping mode we don't want this kind of events.
+	if(maps__get_dropping_mode()) {
 		return 0;
 	}
 
 	/// TODO: we could avoid switches from kernel threads to kernel threads (?).
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, SCHED_SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, SCHED_SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/attached/events/signal_deliver.bpf.c

@@ -14,12 +14,13 @@
  */
 SEC("tp_btf/signal_deliver")
 int BPF_PROG(signal_deliver, int sig, struct kernel_siginfo *info, struct k_sigaction *ka) {
-	if(sampling_logic(ctx, PPME_SIGNALDELIVER_E, MODERN_BPF_TRACEPOINT)) {
+	// In case of dropping mode we don't want this kind of events.
+	if(maps__get_dropping_mode()) {
 		return 0;
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, SIGNAL_DELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, SIGNAL_DELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/custom_logic/drop.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(t1_drop_e) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, DROP_E_SIZE, PPME_DROP_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, DROP_E_SIZE, PPME_DROP_E)) {
 		return 0;
 	}
 
@@ -36,7 +36,7 @@ int BPF_PROG(t1_drop_e) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(t1_drop_x) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, DROP_X_SIZE, PPME_DROP_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, DROP_X_SIZE, PPME_DROP_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/custom_logic/hotplug.bpf.c

@@ -8,7 +8,7 @@
 
 #include <helpers/interfaces/fixed_size_event.h>
 
-SEC("tp_btf/sys_enter")
+SEC("tp_btf/sys_exit")
 int BPF_PROG(t1_hotplug_e) {
 	/* We assume that the ring buffer for CPU 0 is always there so we send the
 	 * HOT-PLUG event through this buffer.

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/accept.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(accept_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, ACCEPT_E_SIZE, PPME_SOCKET_ACCEPT_5_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, ACCEPT_E_SIZE, PPME_SOCKET_ACCEPT_5_E)) {
 		return 0;
 	}
 
@@ -105,7 +105,7 @@ int BPF_PROG(accept_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/accept4.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(accept4_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, ACCEPT4_E_SIZE, PPME_SOCKET_ACCEPT4_6_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, ACCEPT4_E_SIZE, PPME_SOCKET_ACCEPT4_6_E)) {
 		return 0;
 	}
 
@@ -109,7 +109,7 @@ int BPF_PROG(accept4_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/access.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(access_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, ACCESS_E_SIZE, PPME_SYSCALL_ACCESS_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, ACCESS_E_SIZE, PPME_SYSCALL_ACCESS_E)) {
 		return 0;
 	}
 
@@ -59,7 +59,7 @@ int BPF_PROG(access_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bind.bpf.c

@@ -18,7 +18,7 @@ int BPF_PROG(bind_e, struct pt_regs *regs, long id) {
 	extract__network_args(&socket_fd, 1, regs);
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, BIND_E_SIZE, PPME_SOCKET_BIND_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, BIND_E_SIZE, PPME_SOCKET_BIND_E)) {
 		return 0;
 	}
 
@@ -70,7 +70,7 @@ int BPF_PROG(bind_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bpf.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(bpf_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, BPF_E_SIZE, PPME_SYSCALL_BPF_2_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, BPF_E_SIZE, PPME_SYSCALL_BPF_2_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(bpf_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(bpf_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, BPF_X_SIZE, PPME_SYSCALL_BPF_2_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, BPF_X_SIZE, PPME_SYSCALL_BPF_2_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/brk.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(brk_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, BRK_E_SIZE, PPME_SYSCALL_BRK_4_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, BRK_E_SIZE, PPME_SYSCALL_BRK_4_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(brk_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(brk_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, BRK_X_SIZE, PPME_SYSCALL_BRK_4_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, BRK_X_SIZE, PPME_SYSCALL_BRK_4_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/capset.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(capset_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CAPSET_E_SIZE, PPME_SYSCALL_CAPSET_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, CAPSET_E_SIZE, PPME_SYSCALL_CAPSET_E)) {
 		return 0;
 	}
 
@@ -37,7 +37,7 @@ int BPF_PROG(capset_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(capset_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CAPSET_X_SIZE, PPME_SYSCALL_CAPSET_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, CAPSET_X_SIZE, PPME_SYSCALL_CAPSET_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chdir.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(chdir_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CHDIR_E_SIZE, PPME_SYSCALL_CHDIR_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, CHDIR_E_SIZE, PPME_SYSCALL_CHDIR_E)) {
 		return 0;
 	}
 
@@ -57,7 +57,7 @@ int BPF_PROG(chdir_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chmod.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(chmod_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CHMOD_E_SIZE, PPME_SYSCALL_CHMOD_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, CHMOD_E_SIZE, PPME_SYSCALL_CHMOD_E)) {
 		return 0;
 	}
 
@@ -61,7 +61,7 @@ int BPF_PROG(chmod_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chown.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(chown_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CHOWN_E_SIZE, PPME_SYSCALL_CHOWN_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, CHOWN_E_SIZE, PPME_SYSCALL_CHOWN_E)) {
 		return 0;
 	}
 
@@ -65,7 +65,7 @@ int BPF_PROG(chown_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chroot.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(chroot_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CHROOT_E_SIZE, PPME_SYSCALL_CHROOT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, CHROOT_E_SIZE, PPME_SYSCALL_CHROOT_E)) {
 		return 0;
 	}
 
@@ -57,7 +57,7 @@ int BPF_PROG(chroot_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(clone_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CLONE_E_SIZE, PPME_SYSCALL_CLONE_20_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, CLONE_E_SIZE, PPME_SYSCALL_CLONE_20_E)) {
 		return 0;
 	}
 
@@ -150,7 +150,7 @@ int BPF_PROG(clone_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_CLONE_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T1_CLONE_X);
 	return 0;
 }
 
@@ -206,7 +206,7 @@ int BPF_PROG(t1_clone_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T2_CLONE_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T2_CLONE_X);
 	return 0;
 }
 
@@ -228,7 +228,7 @@ int BPF_PROG(t2_clone_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(clone3_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CLONE3_E_SIZE, PPME_SYSCALL_CLONE3_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, CLONE3_E_SIZE, PPME_SYSCALL_CLONE3_E)) {
 		return 0;
 	}
 
@@ -150,7 +150,7 @@ int BPF_PROG(clone3_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_CLONE3_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T1_CLONE3_X);
 	return 0;
 }
 
@@ -204,7 +204,7 @@ int BPF_PROG(t1_clone3_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T2_CLONE3_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T2_CLONE3_X);
 	return 0;
 }
 
@@ -226,7 +226,7 @@ int BPF_PROG(t2_clone3_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c

@@ -42,7 +42,7 @@ int BPF_PROG(close_e, struct pt_regs *regs, long id) {
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CLOSE_E_SIZE, PPME_SYSCALL_CLOSE_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, CLOSE_E_SIZE, PPME_SYSCALL_CLOSE_E)) {
 		return 0;
 	}
 
@@ -72,7 +72,7 @@ int BPF_PROG(close_x, struct pt_regs *regs, long ret) {
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, CLOSE_X_SIZE, PPME_SYSCALL_CLOSE_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, CLOSE_X_SIZE, PPME_SYSCALL_CLOSE_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c

@@ -37,7 +37,7 @@ int BPF_PROG(connect_e, struct pt_regs *regs, long id) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }
@@ -81,7 +81,7 @@ int BPF_PROG(connect_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c

@@ -14,7 +14,7 @@ SEC("tp_btf/sys_enter")
 int BPF_PROG(copy_file_range_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf,
-	                           ctx,
+
 	                           COPY_FILE_RANGE_E_SIZE,
 	                           PPME_SYSCALL_COPY_FILE_RANGE_E)) {
 		return 0;
@@ -50,10 +50,7 @@ int BPF_PROG(copy_file_range_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(copy_file_range_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf,
-	                           ctx,
-	                           COPY_FILE_RANGE_X_SIZE,
-	                           PPME_SYSCALL_COPY_FILE_RANGE_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, COPY_FILE_RANGE_X_SIZE, PPME_SYSCALL_COPY_FILE_RANGE_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/creat.bpf.c

@@ -33,7 +33,7 @@ int BPF_PROG(creat_e, struct pt_regs *regs, long id) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }
@@ -90,7 +90,7 @@ int BPF_PROG(creat_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/delete_module.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(delete_module_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, DELETE_MODULE_E_SIZE, PPME_SYSCALL_DELETE_MODULE_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, DELETE_MODULE_E_SIZE, PPME_SYSCALL_DELETE_MODULE_E)) {
 		return 0;
 	}
 
@@ -61,7 +61,7 @@ int BPF_PROG(delete_module_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(dup_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, DUP_E_SIZE, PPME_SYSCALL_DUP_1_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, DUP_E_SIZE, PPME_SYSCALL_DUP_1_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(dup_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(dup_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, DUP_X_SIZE, PPME_SYSCALL_DUP_1_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, DUP_X_SIZE, PPME_SYSCALL_DUP_1_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(dup2_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, DUP2_E_SIZE, PPME_SYSCALL_DUP2_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, DUP2_E_SIZE, PPME_SYSCALL_DUP2_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(dup2_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(dup2_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, DUP2_X_SIZE, PPME_SYSCALL_DUP2_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, DUP2_X_SIZE, PPME_SYSCALL_DUP2_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(dup3_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, DUP3_E_SIZE, PPME_SYSCALL_DUP3_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, DUP3_E_SIZE, PPME_SYSCALL_DUP3_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(dup3_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(dup3_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, DUP3_X_SIZE, PPME_SYSCALL_DUP3_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, DUP3_X_SIZE, PPME_SYSCALL_DUP3_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(epoll_create_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EPOLL_CREATE_E_SIZE, PPME_SYSCALL_EPOLL_CREATE_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE_E_SIZE, PPME_SYSCALL_EPOLL_CREATE_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(epoll_create_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(epoll_create_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EPOLL_CREATE_X_SIZE, PPME_SYSCALL_EPOLL_CREATE_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE_X_SIZE, PPME_SYSCALL_EPOLL_CREATE_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(epoll_create1_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EPOLL_CREATE1_E_SIZE, PPME_SYSCALL_EPOLL_CREATE1_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE1_E_SIZE, PPME_SYSCALL_EPOLL_CREATE1_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(epoll_create1_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(epoll_create1_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EPOLL_CREATE1_X_SIZE, PPME_SYSCALL_EPOLL_CREATE1_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE1_X_SIZE, PPME_SYSCALL_EPOLL_CREATE1_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_wait.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(epoll_wait_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EPOLL_WAIT_E_SIZE, PPME_SYSCALL_EPOLLWAIT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, EPOLL_WAIT_E_SIZE, PPME_SYSCALL_EPOLLWAIT_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(epoll_wait_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(epoll_wait_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EPOLL_WAIT_X_SIZE, PPME_SYSCALL_EPOLLWAIT_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, EPOLL_WAIT_X_SIZE, PPME_SYSCALL_EPOLLWAIT_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(eventfd_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EVENTFD_E_SIZE, PPME_SYSCALL_EVENTFD_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, EVENTFD_E_SIZE, PPME_SYSCALL_EVENTFD_E)) {
 		return 0;
 	}
 
@@ -45,7 +45,7 @@ int BPF_PROG(eventfd_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(eventfd_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EVENTFD_X_SIZE, PPME_SYSCALL_EVENTFD_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, EVENTFD_X_SIZE, PPME_SYSCALL_EVENTFD_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd2.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(eventfd2_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EVENTFD2_E_SIZE, PPME_SYSCALL_EVENTFD2_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, EVENTFD2_E_SIZE, PPME_SYSCALL_EVENTFD2_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(eventfd2_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(eventfd2_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, EVENTFD2_X_SIZE, PPME_SYSCALL_EVENTFD2_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, EVENTFD2_X_SIZE, PPME_SYSCALL_EVENTFD2_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c

@@ -28,7 +28,7 @@ int BPF_PROG(execve_e, struct pt_regs *regs, long id) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 
@@ -155,7 +155,7 @@ int BPF_PROG(execve_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_EXECVE_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T1_EXECVE_X);
 	return 0;
 }
 
@@ -284,7 +284,7 @@ int BPF_PROG(t1_execve_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T2_EXECVE_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T2_EXECVE_X);
 	return 0;
 }
 
@@ -311,7 +311,7 @@ int BPF_PROG(t2_execve_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c

@@ -39,7 +39,7 @@ int BPF_PROG(execveat_e, struct pt_regs *regs, long id) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 
@@ -168,7 +168,7 @@ int BPF_PROG(execveat_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_EXECVEAT_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T1_EXECVEAT_X);
 	return 0;
 }
 
@@ -296,7 +296,7 @@ int BPF_PROG(t1_execveat_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T2_EXECVEAT_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T2_EXECVEAT_X);
 	return 0;
 }
 
@@ -323,7 +323,7 @@ int BPF_PROG(t2_execveat_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchdir.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(fchdir_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCHDIR_E_SIZE, PPME_SYSCALL_FCHDIR_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCHDIR_E_SIZE, PPME_SYSCALL_FCHDIR_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(fchdir_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(fchdir_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCHDIR_X_SIZE, PPME_SYSCALL_FCHDIR_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCHDIR_X_SIZE, PPME_SYSCALL_FCHDIR_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmod.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(fchmod_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCHMOD_E_SIZE, PPME_SYSCALL_FCHMOD_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCHMOD_E_SIZE, PPME_SYSCALL_FCHMOD_E)) {
 		return 0;
 	}
 
@@ -37,7 +37,7 @@ int BPF_PROG(fchmod_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(fchmod_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCHMOD_X_SIZE, PPME_SYSCALL_FCHMOD_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCHMOD_X_SIZE, PPME_SYSCALL_FCHMOD_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmodat.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(fchmodat_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCHMODAT_E_SIZE, PPME_SYSCALL_FCHMODAT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCHMODAT_E_SIZE, PPME_SYSCALL_FCHMODAT_E)) {
 		return 0;
 	}
 
@@ -68,7 +68,7 @@ int BPF_PROG(fchmodat_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchown.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(fchown_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCHOWN_E_SIZE, PPME_SYSCALL_FCHOWN_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCHOWN_E_SIZE, PPME_SYSCALL_FCHOWN_E)) {
 		return 0;
 	}
 
@@ -37,7 +37,7 @@ int BPF_PROG(fchown_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(fchown_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCHOWN_X_SIZE, PPME_SYSCALL_FCHOWN_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCHOWN_X_SIZE, PPME_SYSCALL_FCHOWN_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchownat.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(fchownat_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCHOWNAT_E_SIZE, PPME_SYSCALL_FCHOWNAT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCHOWNAT_E_SIZE, PPME_SYSCALL_FCHOWNAT_E)) {
 		return 0;
 	}
 
@@ -76,7 +76,7 @@ int BPF_PROG(fchownat_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fcntl.bpf.c

@@ -25,7 +25,7 @@ int BPF_PROG(fcntl_e, struct pt_regs *regs, long id) {
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCNTL_E_SIZE, PPME_SYSCALL_FCNTL_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCNTL_E_SIZE, PPME_SYSCALL_FCNTL_E)) {
 		return 0;
 	}
 
@@ -59,7 +59,7 @@ int BPF_PROG(fcntl_x, struct pt_regs *regs, long ret) {
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FCNTL_X_SIZE, PPME_SYSCALL_FCNTL_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, FCNTL_X_SIZE, PPME_SYSCALL_FCNTL_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/finit_module.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(finit_module_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FINIT_MODULE_E_SIZE, PPME_SYSCALL_FINIT_MODULE_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FINIT_MODULE_E_SIZE, PPME_SYSCALL_FINIT_MODULE_E)) {
 		return 0;
 	}
 
@@ -65,7 +65,7 @@ int BPF_PROG(finit_module_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/flock.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(flock_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FLOCK_E_SIZE, PPME_SYSCALL_FLOCK_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FLOCK_E_SIZE, PPME_SYSCALL_FLOCK_E)) {
 		return 0;
 	}
 
@@ -43,7 +43,7 @@ int BPF_PROG(flock_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(flock_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FLOCK_X_SIZE, PPME_SYSCALL_FLOCK_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, FLOCK_X_SIZE, PPME_SYSCALL_FLOCK_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fork.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(fork_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FORK_E_SIZE, PPME_SYSCALL_FORK_20_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FORK_E_SIZE, PPME_SYSCALL_FORK_20_E)) {
 		return 0;
 	}
 
@@ -152,7 +152,7 @@ int BPF_PROG(fork_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_FORK_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T1_FORK_X);
 	return 0;
 }
 
@@ -198,7 +198,7 @@ int BPF_PROG(t1_fork_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T2_FORK_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T2_FORK_X);
 	return 0;
 }
 
@@ -220,7 +220,7 @@ int BPF_PROG(t2_fork_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fsconfig.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(fsconfig_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FSCONFIG_E_SIZE, PPME_SYSCALL_FSCONFIG_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FSCONFIG_E_SIZE, PPME_SYSCALL_FSCONFIG_E)) {
 		return 0;
 	}
 
@@ -136,7 +136,7 @@ int BPF_PROG(fsconfig_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fstat.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(fstat_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FSTAT_E_SIZE, PPME_SYSCALL_FSTAT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FSTAT_E_SIZE, PPME_SYSCALL_FSTAT_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(fstat_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(fstat_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FSTAT_X_SIZE, PPME_SYSCALL_FSTAT_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, FSTAT_X_SIZE, PPME_SYSCALL_FSTAT_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/futex.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(futex_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FUTEX_E_SIZE, PPME_SYSCALL_FUTEX_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, FUTEX_E_SIZE, PPME_SYSCALL_FUTEX_E)) {
 		return 0;
 	}
 
@@ -47,7 +47,7 @@ int BPF_PROG(futex_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(futex_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, FUTEX_X_SIZE, PPME_SYSCALL_FUTEX_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, FUTEX_X_SIZE, PPME_SYSCALL_FUTEX_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/generic.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(generic_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GENERIC_E_SIZE, PPME_GENERIC_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GENERIC_E_SIZE, PPME_GENERIC_E)) {
 		return 0;
 	}
 
@@ -52,7 +52,7 @@ int BPF_PROG(generic_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(generic_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GENERIC_X_SIZE, PPME_GENERIC_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GENERIC_X_SIZE, PPME_GENERIC_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getcwd.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getcwd_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETCWD_E_SIZE, PPME_SYSCALL_GETCWD_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETCWD_E_SIZE, PPME_SYSCALL_GETCWD_E)) {
 		return 0;
 	}
 
@@ -64,7 +64,7 @@ int BPF_PROG(getcwd_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getdents_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETDENTS_E_SIZE, PPME_SYSCALL_GETDENTS_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETDENTS_E_SIZE, PPME_SYSCALL_GETDENTS_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(getdents_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getdents_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETDENTS_X_SIZE, PPME_SYSCALL_GETDENTS_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETDENTS_X_SIZE, PPME_SYSCALL_GETDENTS_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents64.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getdents64_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETDENTS64_E_SIZE, PPME_SYSCALL_GETDENTS64_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETDENTS64_E_SIZE, PPME_SYSCALL_GETDENTS64_E)) {
 		return 0;
 	}
 
@@ -39,7 +39,7 @@ int BPF_PROG(getdents64_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getdents64_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETDENTS64_X_SIZE, PPME_SYSCALL_GETDENTS64_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETDENTS64_X_SIZE, PPME_SYSCALL_GETDENTS64_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getegid.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getegid_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETEGID_E_SIZE, PPME_SYSCALL_GETEGID_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETEGID_E_SIZE, PPME_SYSCALL_GETEGID_E)) {
 		return 0;
 	}
 
@@ -35,7 +35,7 @@ int BPF_PROG(getegid_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getegid_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETEGID_X_SIZE, PPME_SYSCALL_GETEGID_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETEGID_X_SIZE, PPME_SYSCALL_GETEGID_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/geteuid.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(geteuid_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETEUID_E_SIZE, PPME_SYSCALL_GETEUID_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETEUID_E_SIZE, PPME_SYSCALL_GETEUID_E)) {
 		return 0;
 	}
 
@@ -35,7 +35,7 @@ int BPF_PROG(geteuid_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(geteuid_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETEUID_X_SIZE, PPME_SYSCALL_GETEUID_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETEUID_X_SIZE, PPME_SYSCALL_GETEUID_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getgid.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getgid_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETGID_E_SIZE, PPME_SYSCALL_GETGID_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETGID_E_SIZE, PPME_SYSCALL_GETGID_E)) {
 		return 0;
 	}
 
@@ -35,7 +35,7 @@ int BPF_PROG(getgid_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getgid_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETGID_X_SIZE, PPME_SYSCALL_GETGID_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETGID_X_SIZE, PPME_SYSCALL_GETGID_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getpeername.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getpeername_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETPEERNAME_E_SIZE, PPME_SOCKET_GETPEERNAME_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETPEERNAME_E_SIZE, PPME_SOCKET_GETPEERNAME_E)) {
 		return 0;
 	}
 
@@ -37,7 +37,7 @@ int BPF_PROG(getpeername_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getpeername_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETPEERNAME_X_SIZE, PPME_SOCKET_GETPEERNAME_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETPEERNAME_X_SIZE, PPME_SOCKET_GETPEERNAME_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getresgid.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getresgid_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETRESGID_E_SIZE, PPME_SYSCALL_GETRESGID_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETRESGID_E_SIZE, PPME_SYSCALL_GETRESGID_E)) {
 		return 0;
 	}
 
@@ -35,7 +35,7 @@ int BPF_PROG(getresgid_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getresgid_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETRESGID_X_SIZE, PPME_SYSCALL_GETRESGID_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETRESGID_X_SIZE, PPME_SYSCALL_GETRESGID_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getresuid.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getresuid_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETRESUID_E_SIZE, PPME_SYSCALL_GETRESUID_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETRESUID_E_SIZE, PPME_SYSCALL_GETRESUID_E)) {
 		return 0;
 	}
 
@@ -35,7 +35,7 @@ int BPF_PROG(getresuid_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getresuid_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETRESUID_X_SIZE, PPME_SYSCALL_GETRESUID_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETRESUID_X_SIZE, PPME_SYSCALL_GETRESUID_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getrlimit.bpf.c

@@ -15,7 +15,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getrlimit_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETRLIMIT_E_SIZE, PPME_SYSCALL_GETRLIMIT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETRLIMIT_E_SIZE, PPME_SYSCALL_GETRLIMIT_E)) {
 		return 0;
 	}
 
@@ -41,7 +41,7 @@ int BPF_PROG(getrlimit_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getrlimit_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETRLIMIT_X_SIZE, PPME_SYSCALL_GETRLIMIT_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETRLIMIT_X_SIZE, PPME_SYSCALL_GETRLIMIT_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getsockname.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getsockname_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETSOCKNAME_E_SIZE, PPME_SOCKET_GETSOCKNAME_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETSOCKNAME_E_SIZE, PPME_SOCKET_GETSOCKNAME_E)) {
 		return 0;
 	}
 
@@ -37,7 +37,7 @@ int BPF_PROG(getsockname_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getsockname_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETSOCKNAME_X_SIZE, PPME_SOCKET_GETSOCKNAME_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETSOCKNAME_X_SIZE, PPME_SOCKET_GETSOCKNAME_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getsockopt.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getsockopt_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETSOCKOPT_E_SIZE, PPME_SOCKET_GETSOCKOPT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETSOCKOPT_E_SIZE, PPME_SOCKET_GETSOCKOPT_E)) {
 		return 0;
 	}
 
@@ -83,7 +83,7 @@ int BPF_PROG(getsockopt_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getuid.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(getuid_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETUID_E_SIZE, PPME_SYSCALL_GETUID_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETUID_E_SIZE, PPME_SYSCALL_GETUID_E)) {
 		return 0;
 	}
 
@@ -35,7 +35,7 @@ int BPF_PROG(getuid_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(getuid_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, GETUID_X_SIZE, PPME_SYSCALL_GETUID_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, GETUID_X_SIZE, PPME_SYSCALL_GETUID_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/init_module.bpf.c

@@ -14,7 +14,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(init_module_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, INIT_MODULE_E_SIZE, PPME_SYSCALL_INIT_MODULE_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, INIT_MODULE_E_SIZE, PPME_SYSCALL_INIT_MODULE_E)) {
 		return 0;
 	}
 
@@ -66,7 +66,7 @@ int BPF_PROG(init_module_x, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(inotify_init_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, INOTIFY_INIT_E_SIZE, PPME_SYSCALL_INOTIFY_INIT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, INOTIFY_INIT_E_SIZE, PPME_SYSCALL_INOTIFY_INIT_E)) {
 		return 0;
 	}
 
@@ -42,7 +42,7 @@ int BPF_PROG(inotify_init_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(inotify_init_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, INOTIFY_INIT_X_SIZE, PPME_SYSCALL_INOTIFY_INIT_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, INOTIFY_INIT_X_SIZE, PPME_SYSCALL_INOTIFY_INIT_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init1.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(inotify_init1_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, INOTIFY_INIT1_E_SIZE, PPME_SYSCALL_INOTIFY_INIT1_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, INOTIFY_INIT1_E_SIZE, PPME_SYSCALL_INOTIFY_INIT1_E)) {
 		return 0;
 	}
 
@@ -37,7 +37,7 @@ int BPF_PROG(inotify_init1_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(inotify_init1_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, INOTIFY_INIT1_X_SIZE, PPME_SYSCALL_INOTIFY_INIT1_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, INOTIFY_INIT1_X_SIZE, PPME_SYSCALL_INOTIFY_INIT1_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/io_uring_enter.bpf.c

@@ -13,10 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(io_uring_enter_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf,
-	                           ctx,
-	                           IO_URING_ENTER_E_SIZE,
-	                           PPME_SYSCALL_IO_URING_ENTER_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, IO_URING_ENTER_E_SIZE, PPME_SYSCALL_IO_URING_ENTER_E)) {
 		return 0;
 	}
 
@@ -40,10 +37,7 @@ int BPF_PROG(io_uring_enter_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(io_uring_enter_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf,
-	                           ctx,
-	                           IO_URING_ENTER_X_SIZE,
-	                           PPME_SYSCALL_IO_URING_ENTER_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, IO_URING_ENTER_X_SIZE, PPME_SYSCALL_IO_URING_ENTER_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/io_uring_register.bpf.c

@@ -14,7 +14,6 @@ SEC("tp_btf/sys_enter")
 int BPF_PROG(io_uring_register_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf,
-	                           ctx,
 	                           IO_URING_REGISTER_E_SIZE,
 	                           PPME_SYSCALL_IO_URING_REGISTER_E)) {
 		return 0;
@@ -41,7 +40,6 @@ SEC("tp_btf/sys_exit")
 int BPF_PROG(io_uring_register_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf,
-	                           ctx,
 	                           IO_URING_REGISTER_X_SIZE,
 	                           PPME_SYSCALL_IO_URING_REGISTER_X)) {
 		return 0;

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/io_uring_setup.bpf.c

@@ -13,10 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(io_uring_setup_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf,
-	                           ctx,
-	                           IO_URING_SETUP_E_SIZE,
-	                           PPME_SYSCALL_IO_URING_SETUP_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, IO_URING_SETUP_E_SIZE, PPME_SYSCALL_IO_URING_SETUP_E)) {
 		return 0;
 	}
 
@@ -40,10 +37,7 @@ int BPF_PROG(io_uring_setup_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(io_uring_setup_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf,
-	                           ctx,
-	                           IO_URING_SETUP_X_SIZE,
-	                           PPME_SYSCALL_IO_URING_SETUP_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, IO_URING_SETUP_X_SIZE, PPME_SYSCALL_IO_URING_SETUP_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ioctl.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(ioctl_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, IOCTL_E_SIZE, PPME_SYSCALL_IOCTL_3_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, IOCTL_E_SIZE, PPME_SYSCALL_IOCTL_3_E)) {
 		return 0;
 	}
 
@@ -47,7 +47,7 @@ int BPF_PROG(ioctl_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(ioctl_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, IOCTL_X_SIZE, PPME_SYSCALL_IOCTL_3_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, IOCTL_X_SIZE, PPME_SYSCALL_IOCTL_3_X)) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/kill.bpf.c

@@ -13,7 +13,7 @@
 SEC("tp_btf/sys_enter")
 int BPF_PROG(kill_e, struct pt_regs *regs, long id) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, KILL_E_SIZE, PPME_SYSCALL_KILL_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, KILL_E_SIZE, PPME_SYSCALL_KILL_E)) {
 		return 0;
 	}
 
@@ -43,7 +43,7 @@ int BPF_PROG(kill_e, struct pt_regs *regs, long id) {
 SEC("tp_btf/sys_exit")
 int BPF_PROG(kill_x, struct pt_regs *regs, long ret) {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, KILL_X_SIZE, PPME_SYSCALL_KILL_X)) {
+	if(!ringbuf__reserve_space(&ringbuf, KILL_X_SIZE, PPME_SYSCALL_KILL_X)) {
 		return 0;
 	}