chore(deps): Bump softprops/action-gh-release in the actions group

Bumps the actions group with 1 update: [softprops/action-gh-release](https://github.com/softprops/action-gh-release). Updates `softprops/action-gh-release` from 2.0.8 to 2.0.9 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](c062e08bd5...e7a8f85e1c) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
chore(deps): Bump softprops/action-gh-release from 1 to 2
2024-11-20 10:36:18 +01:00 · 2024-11-20 10:36:18 +01:00 · 2024-11-20 10:36:18 +01:00 · 2024-11-20 10:36:18 +01:00 · 2024-11-20 10:36:18 +01:00 · 2024-11-20 10:36:18 +01:00
777 changed files with 37532 additions and 58282 deletions
--- a/.clang-format-ignore
+++ b/.clang-format-ignore
@ -3,8 +3,6 @@ driver/modern_bpf/definitions/aarch64/vmlinux.h
 driver/modern_bpf/definitions/ppc64le/vmlinux.h
 driver/modern_bpf/definitions/s390x/vmlinux.h
 driver/modern_bpf/definitions/x86_64/vmlinux.h
-# Autogenerated events dimensions file for modern probe is not formatted
-driver/modern_bpf/definitions/events_dimensions.h
 # All syscall_compat autogenerated headers are not formatted
 driver/syscall_compat_aarch64.h
 driver/syscall_compat_loongarch64.h
--- a/.clang-tidy
+++ b/.clang-tidy
@ -1,16 +0,0 @@
-Checks:
-  - clang-diagnostic-*
-  - clang-analyzer-*
-  - clang-analyzer-core.*
-  - clang-analyzer-cplusplus.*
-  - clang-analyzer-nullability.*
-  - clang-analyzer-unix.*
-  - performance-*
-  - bugprone-use-after-move
-  - bugprone-move-forwarding-reference
-  - cppcoreguidelines-rvalue-reference-param-not-moved
-  - misc-unused-parameters
-WarningsAsErrors: 'bugprone-use-after-move'
-# UseColor true causes sarif conversion and reviewdog fail
-UseColor: false
-ExtraArgsBefore: ['-Wno-unknown-warning-option']
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@ -1,14 +1,3 @@
-# These commits altered the blame only to change types
-89ec22f38ce06145a10d52fd9be2cb1b872bfd11
-4dd9c8a2517dcda5aab0fc7a26197e74bf557fd6
-9326b1dd23efd095908a723a1d94acbe91032cab
-c8b971ecbff766003c736f01c0455e73dbd0efb3
-a5730f7a18e2e81b270105c2f81cf6c6a0201feb
-56b6e591cf8bf6849c27adfccc1557835daa1529
-93240ff1106f54add1e620e861bdfe890cf99108
-5c9b3cd3eb485ff8e4a3c364383f246d79146194
-0736581e22da38f260e01b64a9c73a4d66c7c02a
-2bea7ba762ed916eaf283066b20ad989b77276a6
 # This commit formatted the libs code for the first time.
 215db2d9de0cb15061873a2e3bea33f731a54cab
 # This commit has completely rewritten the history of file `userspace/libscap/engine/savefile/scap_savefile.c`. 
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -20,8 +20,6 @@

 > /kind failing-test

-> /kind test
-
 > /kind feature

 <!--
--- a/.github/actions/composite-perf/action.yml
+++ b/.github/actions/composite-perf/action.yml
@ -24,7 +24,7 @@ runs:
    - name: Install deps ⛓️
      shell: bash
      run: |
-        sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
+        sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
        sudo .github/install-deps.sh

    - name: Build
--- a/.github/actions/install-zig/action.yml
+++ b/.github/actions/install-zig/action.yml
@ -8,36 +8,52 @@ runs:
      shell: bash
      id: store
      env:
-        ZIG_VERSION: '0.14.1'
+        ZIG_VERSION: '0.14.0-dev.1952+9f84f7f92'
      run: |
        echo "zig_version=${ZIG_VERSION}" >> "$GITHUB_OUTPUT"

+    - name: Create zig install folder
+      shell: bash
+      run: mkdir /usr/local/zig
+
+    # TODO: this is only needed because we are using a development version of zig,
+    # since we need https://github.com/ziglang/zig/pull/21253 to be included.
+    # Development versions of zig are not kept alive forever, but get overridden.
+    # We cache it to keep it alive.
+    - name: Download zig (cached)
+      id: cache-zig
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      with:
+        path: /usr/local/zig
+        key: zig-${{ runner.os }}-${{ runner.arch }}-${{ steps.store.outputs.zig_version }}
+
    - name: Download zig
+      if: steps.cache-zig.outputs.cache-hit != 'true'
      shell: bash
      run: |
-        curl -L -o zig.tar.xz https://ziglang.org/download/${{ steps.store.outputs.zig_version }}/zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}.tar.xz
+        curl -L -o zig.tar.xz https://ziglang.org/builds/zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}.tar.xz
        tar -xvf zig.tar.xz

-        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
+        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
        #!/bin/bash
        exec zig cc -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
        EOF
-        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc
+        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc

-        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
+        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
        #!/bin/bash
        exec zig c++ -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
        EOF
-        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++
+        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++

-        mv zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/ zig
+        cp -R zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/* /usr/local/zig/

    - name: Setup zig
      shell: bash
      id: zig
      run: |
-        echo "$(pwd)/zig" >> $GITHUB_PATH
+        echo "/usr/local/zig" >> $GITHUB_PATH
        echo "CC=zig-cc" >> $GITHUB_ENV
        echo "CXX=zig-c++" >> $GITHUB_ENV
        echo "AR=zig ar" >> $GITHUB_ENV
-        echo "RANLIB=zig ranlib" >> $GITHUB_ENV
+        echo "RANLIB=zig ranlib" >> $GITHUB_ENV
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@ -1,12 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
-    groups:
-      actions:
-        update-types:
-          - "minor"
-          - "patch"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -16,17 +16,19 @@ concurrency:
 jobs:
  build-libs-linux:
    name: build-libs-linux-${{ matrix.arch }} 😁 (${{ matrix.name }})
-    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
    strategy:
      fail-fast: false
      matrix:
        arch: [amd64, arm64]
-        name: [system_deps, bundled_deps, sanitizers, zig]
+        name: [system_deps, bundled_deps, system_deps_minimal, sanitizers, zig]
        include:
          - name: system_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
          - name: bundled_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True
+          - name: system_deps_minimal
+            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
          - name: sanitizers
            cmake_opts: -DUSE_ASAN=On -DUSE_UBSAN=On -DUSE_BUNDLED_DEPS=False
          - name: zig
@ -36,9 +38,7 @@ jobs:
    steps:
      - name: Install deps ⛓️
        run: |
-          # Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
-          printf "deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main\ndeb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main\ndeb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main" > /etc/apt/sources.list
-          apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
+          apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}

      - name: Install a recent version of CMake ⛓️
        run: |
@ -74,13 +74,6 @@ jobs:
          KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
          make run-unit-tests

-      - name: Test sinsp-example and .scap files
-        run: |
-          cd build && make sinsp-example
-          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google.txt
-          libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google_comments.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google_comments.txt
-          diff -u /tmp/curl_google.txt /tmp/curl_google_comments.txt
-
      # On zig, build also sinsp-example and check the glibc linked versions
      # to make sure we are actually using the correct glibc version.
      - name: Test zig build glibc version
@ -102,11 +95,7 @@ jobs:
    steps:
      - name: Install deps ⛓️
        run: |
-          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
-          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
-          cd bpftool
-          git submodule update --init
-          cd src && make install
+          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang

      - name: Checkout Libs ⤵️
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -125,23 +114,27 @@ jobs:

  build-shared-libs-linux-amd64:
    name: build-shared-libs-linux-amd64 🧐
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout Libs ⤵️
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

+      - name: Git safe directory
+        run: |
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+
      - name: Install deps ⛓️
        run: |
          sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
+          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
          sudo .github/install-deps.sh

      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
          make -j4
          make run-unit-tests

@ -154,7 +147,7 @@ jobs:
        run: |
          cd userspace/libsinsp/examples
          export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
-          g++ -o sinsp-example *.cpp $(pkg-config --cflags --libs libsinsp)
+          g++ -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)

      - name: Test sinsp-example runtime linker
        run: |
@ -181,7 +174,7 @@ jobs:
      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
-          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DENABLE_THREAD_POOL=ON ..
+          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DMINIMAL_BUILD=ON -DENABLE_THREAD_POOL=ON ..
          cmake --build . --config Release --parallel 4 && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe

  build-shared-libs-macos-amd64:
@ -200,7 +193,7 @@ jobs:
      - name: Build 🏗️
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
+          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DMINIMAL_BUILD=ON -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
          cmake --build . --config Release --parallel $(getconf _NPROCESSORS_ONLN)

      - name: Install
@ -258,15 +251,100 @@ jobs:
          diff -u expected_ldd_out.txt ldd_out.txt

  run-e2e-tests-amd64:
-    uses: ./.github/workflows/reusable_e2e_tests.yaml
-    with:
-      libsversion: ${{ github.sha }}
-    secrets: inherit
+    name: run-e2e-tests-amd64
+    strategy:
+      fail-fast: false
+      matrix:
+        name: [system_deps, bundled_deps, asan]
+        include:
+          - name: system_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=False
+          - name: bundled_deps
+            cmake_opts: -DUSE_BUNDLED_DEPS=True
+          - name: asan
+            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install deps ⛓️
+        run: |
+          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
+            ca-certificates \
+            cmake \
+            build-essential \
+            clang-14 llvm-14 \
+            git \
+            clang \
+            llvm \
+            pkg-config \
+            autoconf \
+            automake \
+            libtool \
+            libelf-dev \
+            wget \
+            libc-ares-dev \
+            libbpf-dev \
+            libcap-dev \
+            libcurl4-openssl-dev \
+            libssl-dev \
+            libtbb-dev \
+            libjq-dev \
+            libjsoncpp-dev \
+            libgrpc++-dev \
+            protobuf-compiler-grpc \
+            libgtest-dev \
+            libprotobuf-dev \
+            "linux-headers-$(uname -r)"
+          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
+          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
+          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90

+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Fix kernel mmap rnd bits
+        # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
+        # high-entropy ASLR in much newer kernels that GitHub runners are
+        # using leading to random crashes: https://reviews.llvm.org/D148280
+        run: sudo sysctl vm.mmap_rnd_bits=28
+
+      - name: Install deps ⛓️
+        run: |
+          sudo .github/install-deps.sh
+
+      - name: Git safe directory
+        run: |
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+
+      - name: Build and test 🏗️🧪
+        env:
+          # This avoids random failures on CI.
+          # (https://github.com/google/sanitizers/issues/1322#issuecomment-699946942)
+          ASAN_OPTIONS: intercept_tls_get_addr=0
+        run: |
+          mkdir -p build && cd build
+          cmake -DBUILD_BPF=ON \
+                -DBUILD_LIBSCAP_MODERN_BPF=ON \
+                -DBUILD_LIBSCAP_GVISOR=OFF \
+                ${{ matrix.cmake_opts }} \
+                -DUSE_BUNDLED_LIBBPF=ON \
+                ..
+          make -j$(nproc) sinsp-example driver bpf
+          sudo -E make e2e-install-deps
+          sudo -E ../test/e2e/scripts/run_tests.sh
+
+      - name: Archive test reports
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        if: failure()
+        with:
+          name: ${{ matrix.name }}_report
+          path: |
+            /tmp/report/

  build-libs-emscripten:
    name: build-libs-emscripten 🧐
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    steps:
      - name: Install deps ⛓️
        run: |
@ -278,6 +356,10 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Git safe directory
+        run: |
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+
      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
--- a/.github/workflows/driverkit.yml
+++ b/.github/workflows/driverkit.yml
@ -55,7 +55,7 @@ jobs:
            kernelrelease: 6.4.1-1.el9.elrepo.aarch64
            target: centos
            kernelurls: https://download.falco.org/fixtures/libs/kernel-ml-devel-6.4.1-1.el9.elrepo.aarch64.rpm
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-latest
    container:
      image: falcosecurity/driverkit:latest
    steps:
--- a/.github/workflows/drivers_ci.yml
+++ b/.github/workflows/drivers_ci.yml
@ -39,7 +39,7 @@ jobs:
  # This job run all engine tests and scap-open
  test-scap:
    name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
    needs: paths-filter
    strategy:
      matrix:
@ -73,7 +73,7 @@ jobs:
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          mkdir -p build
-          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On -DUSE_ASAN=On -DUSE_UBSAN=On ../
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
          make scap-open driver bpf libscap_test -j6

      - name: Run scap-open with modern bpf 🏎️
@ -102,16 +102,9 @@ jobs:
          cd build
          sudo ./test/libscap/libscap_test

-      - name: Validate scap-open with modern bpf
-        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: Andreagit97/bpfvalidator@v0.3.0
-        with:
-          args: |
-            --config=$GITHUB_WORKSPACE/driver/modern_bpf/bpfvalidator_config.yaml --cmd="$GITHUB_WORKSPACE/build/libscap/examples/01-open/scap-open --modern_bpf --num_events 10"
-
  test-drivers:
    name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
    needs: paths-filter
    strategy:
      matrix:
@ -177,7 +170,7 @@ jobs:

      - name: Build and test drivers on ppc64le node via ssh
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: appleboy/ssh-action@2ead5e36573f08b82fbfce1504f1a4b05a647c6f # v1.2.2
+        uses: appleboy/ssh-action@25ce8cbbcb08177468c7ff7ec5cbfa236f9341e1 # v1.1.0
        with:
          host: ${{ secrets.PPC64LE_HOST }}
          username: ${{ secrets.PPC64LE_USERNAME }}
@ -187,12 +180,10 @@ jobs:
          command_timeout: 60m
          script: |
            sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
-            # Remove, if present, any libs clone created by a previous job run.
-            rm -rf libs
            git clone -b $GIT_BRANCH $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git libs
            cd libs
            mkdir -p build
-            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF -DUSE_BUNDLED_LIBELF=OFF ../
+            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
            make drivers_test driver bpf -j6
            sudo ./test/drivers/drivers_test -m
            rc_modern=$?
@ -213,7 +204,7 @@ jobs:
        with:
          fetch-depth: 0

-      - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
+      - uses: uraimo/run-on-arch-action@5397f9e30a9b62422f302092631c99ae1effcd9e # v2.8.1
        name: Run s390x build 🏗️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        with:
@ -222,16 +213,15 @@ jobs:
          githubToken: ${{ github.token }}

          install: |
-            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev libcap-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-generic
+            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic
            git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
            cd bpftool
            git submodule update --init
            cd src && make install
            cd ../../
            git clone https://github.com/libbpf/libbpf.git --branch v1.3.0 --single-branch
-            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install install_uapi_headers 
+            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install
            ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/
-            ln -s /usr/include/bpf /usr/include/s390x-linux-gnu/
          # Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
          run: |
            git config --global --add safe.directory $GITHUB_WORKSPACE
@ -245,7 +235,7 @@ jobs:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: 'ubuntu-latest'
    if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-    container: fedora:41
+    container: fedora:latest
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build dependencies
@ -262,7 +252,7 @@ jobs:
          make ProbeSkeleton -j6

      - name: Upload skeleton
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: bpf_probe_x86_64.skel.h
          path: skeleton-build/skel_dir/bpf_probe.skel.h
@ -287,7 +277,7 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download skeleton
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: bpf_probe_x86_64.skel.h
          path: /tmp
@ -329,13 +319,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download X64 matrix
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: matrix_X64
          path: matrix_X64

      - name: Download ARM64 matrix
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: matrix_ARM64
          path: matrix_ARM64
@ -355,7 +345,7 @@ jobs:
          echo ""

      - name: Upload PR info as artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: pr-kernel-testing
          path: pr/
--- a/.github/workflows/e2e_ci.yml
+++ b/.github/workflows/e2e_ci.yml
@ -15,7 +15,7 @@ concurrency:
 jobs:
  build-test-e2e:
    name: build-test-e2e-${{ matrix.arch }} 😇 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
    strategy:
      matrix:
        arch: [amd64, arm64]
@ -35,6 +35,7 @@ jobs:
            clang \
            llvm \
            git \
+            clang \
            ccache \
            llvm \
            pkg-config \
@ -43,14 +44,18 @@ jobs:
            libtool \
            libelf-dev \
            wget \
+            libc-ares-dev \
            libbpf-dev \
            libcap-dev \
+            libcurl4-openssl-dev \
+            libssl-dev \
            libtbb-dev \
            libjq-dev \
            libjsoncpp-dev \
+            libgrpc++-dev \
+            protobuf-compiler-grpc \
            libgtest-dev \
            libprotobuf-dev \
-            protobuf-compiler \
            linux-headers-$(uname -r)
          sudo .github/install-deps.sh
          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
@ -64,7 +69,7 @@ jobs:
          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib

      - name: Run sccache-cache
-        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
+        uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6

      - name: Build e2e tests 🏗️
        env:
@ -90,7 +95,7 @@ jobs:
          cd ..

      - name: Cache build
-        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        if: always()
        id: cache
        with:
@ -100,7 +105,7 @@ jobs:
  test-e2e:
    name: test-e2e-${{ matrix.arch }}-${{ matrix.driver.name }} 😇 (bundled_deps)
    needs: [build-test-e2e]
-    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
    strategy:
      matrix:
        arch: [amd64, arm64]
@ -114,7 +119,7 @@ jobs:

      - name: Restore build
        id: cache
-        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: build
          key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
@ -166,4 +171,4 @@ jobs:
          UBSAN_OPTIONS: print_stacktrace=1
        run: |
          cd build/test/libsinsp_e2e/
-          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok
+          sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@ -32,7 +32,7 @@ jobs:

      - name: Upload the git diff artifact 📦
        if: failure()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: format_diff.patch
          path: ./format_diff.patch
--- a/.github/workflows/latest-kernel.yml
+++ b/.github/workflows/latest-kernel.yml
@ -44,7 +44,7 @@ jobs:
          echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT

      - name: Upload driverkit config
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: driverkit_config.yaml
          path: linux/dk.yaml
@ -56,19 +56,16 @@ jobs:
    runs-on: 'ubuntu-latest'
    steps:
      - name: Download driverkit config
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: driverkit_config.yaml

      - name: Download latest driverkit artifact
-        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
        with:
-          fileName: driverkit_*_linux_amd64.tar.gz
-          latest: true
-          repository: falcosecurity/driverkit
-          tarBall: false
-          zipBall: false
-          extract: true
+          name: driverkit-amd64
+          workflow: release.yml
+          repo: falcosecurity/driverkit

      - name: Test drivers build
        id: build
@ -81,22 +78,19 @@ jobs:
    needs: 'compute-latest-version'
    outputs:
      build: ${{ steps.build.outcome }}
-    runs-on: 'ubuntu-22.04-arm'
+    runs-on: 'github-arm64-2c-8gb'
    steps:
      - name: Download driverkit config
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: driverkit_config.yaml

      - name: Download latest driverkit artifact
-        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
        with:
-          fileName:  driverkit_*_linux_arm64.tar.gz
-          latest: true
-          repository: falcosecurity/driverkit
-          tarBall: false
-          zipBall: false
-          extract: true
+          name: driverkit-arm64
+          workflow: release.yml
+          repo: falcosecurity/driverkit

      - name: Test drivers build
        id: build
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@ -28,7 +28,7 @@ jobs:
        uses: ./.github/actions/composite-perf

      - name: Archive master perf report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: perf_report
          retention-days: 30 # 30 days because this is the artifact on master; we need to retain it to be able to properly diff it
@ -72,7 +72,7 @@ jobs:
          rm -rf stacks.txt

      - name: Upload svg files
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: perf_svg
          path: '*.svg'
@ -88,7 +88,7 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download matrix X64
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: matrix_X64

@ -96,7 +96,7 @@ jobs:
        run: mv matrix.md docs/matrix_X64.md

      - name: Download matrix ARM64
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: matrix_ARM64

@ -109,7 +109,7 @@ jobs:
          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_ARM64.md

      - name: Download perf svg files
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: perf_svg

@ -128,7 +128,7 @@ jobs:
          echo '<object data="../heaptrack_scap.svg" type="image/svg+xml" id="heaptrack_scap_file"></object>' > docs/heaptrack_scap_file.md
          sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_scap_file.md

-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: 3.x

--- a/.github/workflows/perf.yml
+++ b/.github/workflows/perf.yml
@ -27,7 +27,7 @@ jobs:
        uses: ./.github/actions/composite-perf

      - name: Download latest master report
-        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
        with:
          branch: master
          event: push
@ -56,7 +56,7 @@ jobs:
          python3 google-benchmark/tools/compare.py --no-color benchmarks gbench_data.json ${{ steps.perf.outputs.gbench_json }} &> gbench_diff.txt

      - name: Archive perf diff
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: perf_diff
          path: '*_diff.txt'
@ -96,7 +96,7 @@ jobs:
          echo ""

      - name: Upload PR info as artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: pr-perf
          path: pr/
--- a/.github/workflows/release-body.yml
+++ b/.github/workflows/release-body.yml
@ -98,7 +98,7 @@ jobs:
          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md

      - name: Release
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
        with:
          body_path: ./release-body.md
          tag_name: ${{ github.event.release.tag_name }}
@ -135,29 +135,8 @@ jobs:
          echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md
          echo "" >> release-body.md

-      - name: Push badge to latest kernel release
-        run: |
-          wget https://gist.githubusercontent.com/FedeDP/1cbc5d42edf8e3a02fb75e76625f1072/raw/kernel.json
-          # 6.15-rc2 -> 6.15
-          # 6.10.6 -> 6.10
-          # 6.10 -> 6.10
-          KVER=$(cat kernel.json | jq '.message' | tr -d '"' | grep -oE -- '[0-9]+.[0-9]+')
-          SUCCESS=$(cat kernel.json | jq '.color' | tr -d '"')
-          # If latest run was not successful,
-          # revert back to previous kernel release.
-          # Of course, the fallback logic is bugged in case minor is 0,
-          # as we cannot know which was the previous version.
-          # It should not matter until kernel 7.0 :P
-          if [[ "$SUCCESS" = "red" ]]; then
-            n=${KVER//[!0-9]/ }
-            a=(${n//\./ })
-            KVER=$(echo "${a[0]}.$((a[1] - 1))")
-          fi
-          echo '!'"[Latest Compatible Kernel](https://img.shields.io/badge/KERNEL-${KVER}-brightgreen)" >> release-body.md
-          echo "" >> release-body.md
-
      - name: Download matrix X64
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: matrix_X64

@ -165,7 +144,7 @@ jobs:
        run: mv matrix.md matrix_X64.md

      - name: Download matrix ARM64
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: matrix_ARM64

@ -203,7 +182,7 @@ jobs:
          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md

      - name: Release
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
        with:
          body_path: ./release-body.md
          tag_name: ${{ github.event.release.tag_name }}
--- a/.github/workflows/reusable_e2e_tests.yaml
+++ b/.github/workflows/reusable_e2e_tests.yaml
@ -1,137 +0,0 @@
-name: Run libs e2e tests python framework
-
-on:
-  workflow_call:
-    inputs:
-      container_plugin_artifact_name:
-        description: 'use a previously built custom container plugin; artifact name to be downloaded, or empty'
-        type: string
-        required: false
-        default: ''
-      test-docker:
-        description: "Whether to run tests with docker socket"
-        type: boolean
-        required: false
-        default: true
-      test-podman:
-        description: "Whether to run tests with podman socket"
-        type: boolean
-        required: false
-        default: true
-      libsversion:
-        description: 'libs version to be tested, eg: master'
-        type: string
-        required: false
-        default: 'master'
-      libsrepo:
-        description: 'libs repo to be tested, eg: falcosecurity/libs'
-        type: string
-        required: false
-        default: 'falcosecurity/libs'
-
-jobs:
-  test-e2e:
-    if: inputs.test-docker || inputs.test-podman
-    strategy:
-      fail-fast: false
-      matrix:
-        name: [ system_deps, bundled_deps, asan ]
-        include:
-          - name: system_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=False
-          - name: bundled_deps
-            cmake_opts: -DUSE_BUNDLED_DEPS=True
-          - name: asan
-            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Install deps ⛓️
-        run: |
-          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
-            ca-certificates \
-            cmake \
-            build-essential \
-            git \
-            clang \
-            llvm \
-            pkg-config \
-            autoconf \
-            automake \
-            libtool \
-            libelf-dev \
-            wget \
-            libbpf-dev \
-            libcap-dev \
-            libtbb-dev \
-            libjq-dev \
-            libjsoncpp-dev \
-            libgtest-dev \
-            libprotobuf-dev \
-            protobuf-compiler \
-            "linux-headers-$(uname -r)"
-
-      - name: Checkout Libs ⤵️
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          repository: ${{ inputs.libsrepo }}
-          ref: ${{ inputs.libsversion }}
-
-      - name: Install deps ⛓️
-        run: |
-          sudo .github/install-deps.sh
-
-      - name: Build tests 🏗️
-        run: |
-          mkdir -p build && cd build
-          cmake -DBUILD_BPF=ON \
-                -DBUILD_LIBSCAP_MODERN_BPF=ON \
-                -DBUILD_LIBSCAP_GVISOR=OFF \
-                -DENABLE_E2E_TESTS=ON \
-                ${{ matrix.cmake_opts }} \
-                -DUSE_BUNDLED_LIBBPF=ON \
-                ..
-          make -j$(nproc) sinsp-example driver bpf container_plugin
-          sudo -E make e2e-install-deps
-
-      - name: Download overriding custom container plugin
-        if: inputs.container_plugin_artifact_name != ''
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: ${{ inputs.container_plugin_artifact_name }}
-          path: build/test/e2e/container_plugin-prefix/src/container_plugin/
-
-      - name: Run tests - docker 🧪
-        if: inputs.test-docker
-        working-directory: build
-        run: |
-          sudo -E ../test/e2e/scripts/run_tests.sh
-
-      - name: Archive test reports - docker
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        if: inputs.test-docker && failure()
-        with:
-          name: ${{ matrix.name }}_docker_report
-          path: |
-            /tmp/report/
-
-      - name: Run tests - podman 🧪
-        if: inputs.test-podman && always()
-        working-directory: build
-        env:
-          # Set DOCKER_HOST pointing to podman socket
-          DOCKER_HOST: unix://run/podman/podman.sock
-        run: |
-          # Cleanup docker tests generated report folder
-          sudo rm -rf /tmp/report
-          # Podman tests require podman socket
-          sudo systemctl start podman
-          sudo -E ../test/e2e/scripts/run_tests.sh
-
-      - name: Archive test reports - podman
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        if: inputs.test-podman && failure()
-        with:
-          name: ${{ matrix.name }}_podman_report
-          path: |
-            /tmp/report/
--- a/.github/workflows/reusable_kernel_tests.yaml
+++ b/.github/workflows/reusable_kernel_tests.yaml
@ -47,12 +47,12 @@ jobs:
          libsrepo: ${{ inputs.libsrepo }}
          build_matrix: 'true'

-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: ansible_output_${{matrix.architecture}}
          path: ${{ steps.kernel_tests.outputs.ansible_output }}

-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: matrix_${{matrix.architecture}}
          path: ${{ steps.kernel_tests.outputs.matrix_output }}
--- a/.github/workflows/test_coverage_ci.yml
+++ b/.github/workflows/test_coverage_ci.yml
@ -14,7 +14,18 @@ jobs:
  unit-test-libsinsp-coverage:
    name: unit-test-libsinsp-coverage 🧐
    runs-on: 'ubuntu-22.04'
+    container:
+      image: debian:bookworm
    steps:
+      - name: Install deps ⛓️
+        run: |
+          apt update && apt install -y --no-install-recommends ca-certificates \
+            cmake build-essential git clang llvm pkg-config autoconf automake \
+            libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev \
+            libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc \
+            libgtest-dev libprotobuf-dev linux-headers-amd64 \
+            gpg gpg-agent gcovr
+
      - name: Checkout Libs ⤵️
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@ -22,8 +33,11 @@ jobs:

      - name: Install deps ⛓️
        run: |
-          sudo apt-get update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r) gpg gpg-agent gcovr
-          sudo .github/install-deps.sh
+          .github/install-deps.sh
+
+      - name: Git safe directory
+        run: |
+          git config --global --add safe.directory $GITHUB_WORKSPACE

      - name: Build and test 🏗️🧪
        run: |
@ -37,7 +51,7 @@ jobs:
          gcovr --xml -o ./libsinsp.coverage.xml

      - name: Upload to codecov
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
        with:
          fail_ci_if_error: true
          files: ./libsinsp.coverage.xml
--- a/.github/workflows/update-syscalls.yml
+++ b/.github/workflows/update-syscalls.yml
@ -24,7 +24,7 @@ jobs:
          repo-root: ${{ github.workspace }}/libs

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          path: libs
          signoff: true
--- a/.gitignore
+++ b/.gitignore
@ -28,4 +28,3 @@ cscope.out
 tags
 third_party
 *.vagrant*
-.DS_Store
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -7,13 +7,13 @@ repos:
  rev: v0.6.13
  hooks:
  - id: cmake-format
-    stages: [pre-commit]
+    stages: [commit]
 - repo: https://github.com/pre-commit/mirrors-clang-format
  rev: v18.1.8
  hooks:
  - id: clang-format
    types_or: [c++, c]
-    stages: [pre-commit]
+    stages: [commit]
 - repo: local
  hooks:
  - id: dco-hook-local
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -53,15 +53,18 @@ endif()
 project(falcosecurity-libs)

 option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
+option(MINIMAL_BUILD
+	   "Produce a minimal build with only the essential features (no container metadata)" OFF
+)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 option(USE_BUNDLED_DRIVER
 	   "Use the driver/ subdirectory in the build process (only available in Linux)" ON
 )
-option(ENABLE_E2E_TESTS "Enable e2e tests" OFF)
 option(ENABLE_DRIVERS_TESTS "Enable driver tests (bpf, kernel module, modern bpf)" OFF)
 option(ENABLE_LIBSCAP_TESTS "Enable libscap unit tests" OFF)
 option(ENABLE_LIBSINSP_E2E_TESTS "Enable libsinsp e2e tests" OFF)
 option(BUILD_SHARED_LIBS "Build libscap and libsinsp as shared libraries" OFF)
+option(ENABLE_VM_TESTS "Enable driver sanity tests" OFF)
 option(USE_ASAN "Build with AddressSanitizer" OFF)
 option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
 option(USE_TSAN "Build with ThreadSanitizer" OFF)
@ -126,9 +129,7 @@ if(CREATE_TEST_TARGETS)
 	# ctest's add_test because it will build the code and output to stdout.
 	add_custom_target(run-unit-tests COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp)

-	if(ENABLE_E2E_TESTS)
-		add_subdirectory(test/e2e)
-	endif()
+	add_subdirectory(test/e2e)

 	if(ENABLE_DRIVERS_TESTS)
 		add_subdirectory(test/drivers)
@ -144,6 +145,10 @@ if(CREATE_TEST_TARGETS)
 		add_subdirectory(test/libsinsp_e2e/resources)
 	endif()

+	if(ENABLE_VM_TESTS)
+		add_subdirectory(test/vm)
+	endif()
+
 endif()

 option(ENABLE_BENCHMARKS "Enable Benchmarks" OFF)
--- a/CMakePresets.json
+++ b/CMakePresets.json
@ -1,47 +1,41 @@
 {
-	"version": 3,
-	"configurePresets": [
-		{
-			"name": "base",
-			"hidden": true,
-			"generator": "Unix Makefiles",
-			"cacheVariables": {
-				"CMAKE_BUILD_TYPE": "Release",
-				"CMAKE_EXPORT_COMPILE_COMMANDS": "ON",
-				"BUILD_DRIVER": "ON",
-				"BUILD_BPF": "ON",
-				"BUILD_WARNINGS_AS_ERRORS": "ON"
-			}
-		},
-		{
-			"name": "scap-drivers",
-			"inherits": "base",
-			"displayName": "Build scap drivers and their tests",
-			"description": "Build all scap drivers (modern eBPF, legacy eBPF, kmod) and their tests",
-			"binaryDir": "${sourceDir}/build-scap-drivers",
-			"cacheVariables": {
-				"USE_BUNDLED_DEPS": "ON",
-				"ENABLE_DRIVERS_TESTS": "ON",
-				"MODERN_BPF_DEBUG_MODE": "ON",
-				"BUILD_LIBSCAP_MODERN_BPF": "ON",
-				"BUILD_LIBSCAP_GVISOR": "OFF",
-				"CREATE_TEST_TARGETS": "ON",
-				"ENABLE_LIBSCAP_TESTS": "ON",
-				"SCAP_FILES_SUITE_ENABLE": "OFF"
-			}
-		},
-		{
-			"name": "sinsp-minimal",
-			"inherits": "base",
-			"displayName": "Build minimal sinsp",
-			"description": "Build sinsp without gvisor and protobuf deps",
-			"binaryDir": "${sourceDir}/build-sinsp-minimal",
-			"cacheVariables": {
-				"USE_BUNDLED_DEPS": "ON",
-				"BUILD_LIBSCAP_GVISOR": "OFF",
-				"CREATE_TEST_TARGETS": "ON",
-				"SCAP_FILES_SUITE_ENABLE": "OFF"
-			}
-		}
-	]
+    "version": 3,
+    "configurePresets": [
+        {
+            "name": "scap-drivers",
+            "displayName": "Build scap drivers and their tests",
+            "description": "Build all scap drivers (modern eBPF, legacy eBPF, kmod) and their tests",
+            "generator": "Unix Makefiles",
+            "binaryDir": "${sourceDir}/build-scap-drivers",
+            "cacheVariables": {
+                "CMAKE_BUILD_TYPE": "Release",
+                "BUILD_BPF": "ON",
+                "BUILD_DRIVER": "ON",
+                "USE_BUNDLED_DEPS": "ON",
+                "ENABLE_DRIVERS_TESTS": "ON",
+                "MODERN_BPF_DEBUG_MODE": "ON",
+                "BUILD_LIBSCAP_MODERN_BPF": "ON",
+                "BUILD_LIBSCAP_GVISOR": "OFF",
+                "CREATE_TEST_TARGETS": "ON",
+                "ENABLE_LIBSCAP_TESTS": "ON",
+                "SCAP_FILES_SUITE_ENABLE": "OFF"
+            }
+        },
+        {
+            "name": "sinsp-minimal",
+            "displayName": "Build sinsp in minimal build",
+            "description": "Build sinsp in minimal build with its tests",
+            "generator": "Unix Makefiles",
+            "binaryDir": "${sourceDir}/build-sinsp-minimal",
+            "cacheVariables": {
+                "CMAKE_BUILD_TYPE": "Release",
+                "BUILD_DRIVER": "ON",
+                "BUILD_BPF": "ON",
+                "USE_BUNDLED_DEPS": "ON",
+                "CREATE_TEST_TARGETS": "ON",
+                "MINIMAL_BUILD": "ON",
+                "SCAP_FILES_SUITE_ENABLE": "OFF"
+            }
+        }
+    ]
 }
--- a/3
+++ b/3
@ -7,11 +7,10 @@ approvers:
  - molter73
  - lucaguerra
  - jasondellaluce
-  - ekoops
+  - incertum
 reviewers:
  - hbrueckner
 emeritus_approvers:
  - fntlnz
  - leodido
  - ldegio
-  - incertum
--- a/README.md
+++ b/README.md
@ -11,7 +11,7 @@ This repository contains **libsinsp**, **libscap**, the **kernel module** and th

 These components are at the foundation of [Falco](https://github.com/falcosecurity/falco) and other projects that work with the same kind of data.

-This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to Falco's [official documentation](https://falco.org/docs/).
+This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to the [official documentation](https://falco.org/docs/).

 An image is worth a thousand words, they say:

@ -104,13 +104,13 @@ If you are building this project outside of a Git working directory, or if you w
 <details>
 	<summary>Expand Build Instructions</summary>

-For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in Falco's [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
+For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in the [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.

 The project utilizes the `cmake` build system, and the key `make` targets are as follows: 

 * `driver` -> build the kmod
-* `bpf` -> build the legacy `ebpf` probe
-* `scap` -> build libscap (`modern_ebpf` driver will be bundled into `scap` if enabled)
+* `bpf` -> build the eBPF probe
+* `scap` -> build libscap (`modern_bpf` driver will be bundled into `scap` if enabled)
 * `sinsp` -> build libsinsp (depends upon `scap` target)
 * `scap-open` -> build a small example binary for `libscap` to test the drivers (dependent on `scap`)
 * `sinsp-example` -> build a small example binary for `libsinsp` to test the drivers and/or `libsinsp` functionality (dependent on `scap` and `sinsp`)
@ -135,7 +135,7 @@ make sinsp

 ### Build userspace using system deps

-To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to Falco's [official documentation](https://falco.org/docs/install-operate/source/).
+To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to the [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 cmake -DUSE_BUNDLED_DEPS=OFF ../;
@ -146,27 +146,29 @@ make sinsp

 ### Build driver - kmod

-To build the kmod driver, you need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
+To build the kmod driver, you need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 make driver
-# Verify the kmod binary object file was created, uses `.ko` extension.
+# Verify the kmod object code was created, uses `.ko` extension.
 ls -l driver/src/scap.ko;
 ```

 ### Build driver - eBPF probe

-To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
+To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).

 ```bash
 cmake -DBUILD_BPF=ON ../;
 make bpf
-# Verify the eBPF bytecode file was created, uses `.o` extension.
+# Verify the eBPF object code was created, uses `.o` extension.
 ls -l driver/bpf/probe.o;
 ```

 >__WARNING__: **clang-7** is the oldest supported version to build our BPF probe.

+Initial guidance for CI and building within containers: To build either the kmod or eBPF probe in a container, you will need to make the extracted kernel headers available. The [test/vm](test/vm/) directory contains example [scripts](test/vm/scripts/compile_drivers.sh) demonstrating how to pass them to the `make` command using the argument `KERNELDIR=${EXTRACTED_KERNEL_HEADERS_DIR}`. You can also use the [falcosecurity/driverkit](https://github.com/falcosecurity/driverkit) or explore the scripts within the driverkit repository. The mentioned resources also provide candidate builder containers.
+
 ### Build driver - modern eBPF probe

 To build the modern eBPF probe, further prerequisites are necessary:
@ -191,13 +193,13 @@ To build the modern eBPF probe, further prerequisites are necessary:

 > __NOTE:__ These are not the requirements to use the modern BPF probe, but rather for building it from source.

-Regarding the previously discussed legacy eBPF driver, it generates kernel-specific bytecode (`driver/bpf/probe.o`) tailored to your machine's kernel release (`uname -r`). The location of the bytecode file can then be passed as an argument for testing with the `scap-open` and `sinsp-example` binaries.
+Regarding the previously discussed bpf drivers, they create a kernel-specific object code (`driver/bpf/probe.o`) for your machine's kernel release (`uname -r`). This object code is then used as an argument for testing with `scap-open` and `sinsp-example` binaries.

-However, the modern eBPF driver build process doesn't require kernel headers, and it isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern eBPF driver.
+However, the modern BPF driver operates differently. It doesn't require kernel headers, and its build isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8.

-CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8. The way the driver interprets kernel data structures without direct knowledge of the running kernel is not magic — it leverages predefined type information and BTF-based relocations. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file containing essential kernel data structure definitions, allowing the eBPF program to reference fields dynamically. Additionally, for cases where macros or functions from system headers are required, we redefine them in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h). Combined with CO-RE (Compile Once, Run Everywhere), this enables the driver to remain portable across different kernel versions.
+To comprehend how the driver understands kernel data structures without knowledge of the kernel it runs on, there's no black magic involved. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file in our project containing all necessary kernel data structure definitions. Additionally, we sometimes rely on macros or functions typically found in system header files, which we redefine in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h).
 
-The modern eBPF driver build process produces an eBPF header skeleton file using `bpftool`. The skeleton file is a C header file that embeds the compiled eBPF program as bytecode.
+That being said, the modern BPF driver still produces an object file, which you can create using the target below. Nevertheless, we ultimately include it in `scap` regardless. Hence, when modern BPF is enabled, building `scap` will already cover this step for you.

 ```bash
 cmake \
@ -205,15 +207,13 @@ cmake \
 -DBUILD_LIBSCAP_MODERN_BPF=ON ../;

 make ProbeSkeleton
-# Verify the modern eBPF bytecode / final composed header file including all `.o` modern_ebpf files was created, uses `.h` extension.
+# Verify the modern eBPF object code / final composed header file including all `.o` modern_bpf files was created, uses `.h` extension.
 ls -l skel_dir/bpf_probe.skel.h;
 # Now includes skel_dir/bpf_probe.skel.h in `scap` during the linking process.
 make scap
 ```

-Since modern eBPF is included in `scap`, running `make scap` automatically covers the `make ProbeSkeleton` build step.
-
-You can also split the build process and specify the directory containing the `bpf_probe.skel.h` file.
+Initial guidance for CI and building within containers: The Falco Project, for instance, compiles the final Falco userspace binary within older centos7 [falco-builder](https://falco.org/docs/install-operate/source/#build-using-falco-builder-container) containers with bundled dependencies. This ensures compatibility across supported systems, mainly due to GLIBC versions and other intricacies. However, you won't be able to compile the modern BPF driver on such old systems or builder containers. One solution is to build `skel_dir/bpf_probe.skel.h` in a more recent builder container. For example, you can refer to this [container](test/vm/containers/ubuntu2310.Dockerfile) as a guide. Subsequently, you can provide the modern BPF header file as an artifact to `scap` during building in an older builder container. As an illustrative example, we use `/tmp/skel-dir` containing the `bpf_probe.skel.h` file.

 ```bash
 cmake \
@ -243,7 +243,7 @@ This repository includes convenient test example binaries for both `scap` and `s

 When developing new features, you would run either one depending on what you're working on, in order to test and validate your changes.

-> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern eBPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
+> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern BPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.

 Here's an example of a `cmake` command that will enable everything you need for all tests and components. By default, the following flags are disabled, with the exception of `USE_BUNDLED_DEPS` and `CREATE_TEST_TARGETS` (they are enabled by default).

@ -259,7 +259,8 @@ cmake \
 -DCREATE_TEST_TARGETS=ON \
 -DENABLE_LIBSCAP_TESTS=ON \
 -DENABLE_DRIVERS_TESTS=ON \
-DENABLE_LIBSINSP_E2E_TESTS=ON ../;
+-DENABLE_LIBSINSP_E2E_TESTS=ON \
+-DENABLE_VM_TESTS=ON ../;
 ```

 > __NOTE:__ The `ENABLE_LIBSINSP_E2E_TESTS` flag enables the new e2e tests for libsinsp. Please keep in mind these tests are currently in heavy development and need some extra steps (see in the section below) to run correctly.
@ -301,10 +302,9 @@ sudo ./test/drivers/drivers_test -m;
 The tests mentioned below expand beyond the scope of "unit tests". In this context as well, we are dedicated to making sure they run smoothly on your `localhost` for pre-PR testing, to the best of our ability:

 - [test/e2e](test/e2e) - enforced by our CI
+- [test/vm](test/vm) - our CI includes comparable tests, but it employs a distinct framework. For current status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).

-For current status reports on the CI powered Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
-
-In general, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
+As mentioned earlier, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.

 ### [EXPERIMENTAL] Run libsinsp e2e tests

--- a/benchmark/libsinsp/utils.cpp
+++ b/benchmark/libsinsp/utils.cpp
@ -20,36 +20,47 @@ limitations under the License.
 #include <benchmark/benchmark.h>

 static void BM_sinsp_split(benchmark::State& state) {
+	std::string str = "hello,world,";
 	for(auto _ : state) {
-		std::string str = "hello,world,";
-		benchmark::DoNotOptimize(sinsp_split(str, ','));
+		sinsp_split(str, ',');
 	}
 }
 BENCHMARK(BM_sinsp_split);

 static void BM_sinsp_concatenate_paths_relative_path(benchmark::State& state) {
+	std::string path1 = "/tmp/";
+	std::string path2 = "foo/bar";
 	for(auto _ : state) {
-		std::string path1 = "/tmp/";
-		std::string path2 = "foo/bar";
-		benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
+		sinsp_utils::concatenate_paths(path1, path2);
 	}
 }
 BENCHMARK(BM_sinsp_concatenate_paths_relative_path);

 static void BM_sinsp_concatenate_paths_empty_path(benchmark::State& state) {
+	std::string path1 = "/tmp/";
+	std::string path2 = "";
 	for(auto _ : state) {
-		std::string path1 = "/tmp/";
-		std::string path2 = "";
-		benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
+		sinsp_utils::concatenate_paths(path1, path2);
 	}
 }
 BENCHMARK(BM_sinsp_concatenate_paths_empty_path);

 static void BM_sinsp_concatenate_paths_absolute_path(benchmark::State& state) {
+	std::string path1 = "/tmp/";
+	std::string path2 = "/foo/bar";
 	for(auto _ : state) {
-		std::string path1 = "/tmp/";
-		std::string path2 = "/foo/bar";
-		benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
+		sinsp_utils::concatenate_paths(path1, path2);
 	}
 }
 BENCHMARK(BM_sinsp_concatenate_paths_absolute_path);
+
+static void BM_sinsp_split_container_image(benchmark::State& state) {
+	std::string container_image =
+	        "localhost:12345/library/"
+	        "busybox:1.27.2@sha256:da39a3ee5e6b4b0d3255bfef95601890afd80709";
+	std::string hostname, port, name, tag, digest;
+	for(auto _ : state) {
+		sinsp_utils::split_container_image(container_image, hostname, port, name, tag, digest);
+	}
+}
+BENCHMARK(BM_sinsp_split_container_image);
--- a/cmake/modules/BuildPkgConfigDependencies.cmake
+++ b/cmake/modules/BuildPkgConfigDependencies.cmake
@ -1,138 +0,0 @@
-# Get all dependencies for ${lib} and add them to ${LIBDIRS_VAR} and ${LIBS_VAR}. Ignore any
-# dependencies in the list ${ignored} to: - avoid infinite recursion - avoid libscap dependencies in
-# libsinsp.pc (which requires libscap.pc and pulls them in that way)
-function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
-
-	message(DEBUG "[add_pkgconfig_library] processing lib \"${lib}\"")
-	# if it's not a target, it doesn't have dependencies we know or care about
-	if(NOT TARGET ${lib})
-		return()
-	endif()
-
-	# get the libraries that ${lib} links to
-	get_target_property(PKGCONFIG_LIBRARIES ${lib} LINK_LIBRARIES)
-	if("${PKGCONFIG_LIBRARIES}" STREQUAL "PKGCONFIG_LIBRARIES-NOTFOUND")
-		return()
-	endif()
-
-	message(DEBUG "[add_pkgconfig_library] LINK_LIBRARIES property: \"${PKGCONFIG_LIBRARIES}\"")
-
-	get_property(
-		target_type
-		TARGET ${lib}
-		PROPERTY TYPE
-	)
-	message(DEBUG "[add_pkgconfig_library] ignored list: \"${ignored}\"")
-	foreach(dep ${PKGCONFIG_LIBRARIES})
-		# XXX: We use a (very) loose match as we are potentially comparing absolute library file
-		# names (dep) to pkg-config library names to be ignored.  The only alternative I can think
-		# of would be to maintain a map associating pkg-config names to their library file name.
-		get_filename_component(dep_base ${dep} NAME_WE)
-		string(REGEX REPLACE "^lib" "" dep_name ${dep_base})
-		# For CMake imported targets, keep only the suffix, e.g. gRPC::grpc -> grpc.
-		string(REGEX REPLACE "[^:]*::" "" dep_name ${dep_base})
-		message(DEBUG "[add_pkgconfig_library] processing dep ${dep}")
-		string(FIND "${ignored}" "${dep_name}" find_result)
-		if(NOT ${find_result} EQUAL -1)
-			message(DEBUG "[add_pkgconfig_library] \"${dep}\" ignored")
-			continue()
-		endif()
-
-		if(${target_type} STREQUAL "SHARED_LIBRARY")
-			# for shared libraries, do not add static libraries as dependencies
-			if(TARGET ${dep})
-				# skip static libraries which are CMake targets
-				get_property(
-					dep_target_type
-					TARGET ${dep}
-					PROPERTY TYPE
-				)
-				if(NOT ${dep_target_type} STREQUAL "SHARED_LIBRARY")
-					continue()
-				endif()
-			else()
-				# skip static libraries which are just file paths
-				get_filename_component(ext ${dep} LAST_EXT)
-				if("${ext}" STREQUAL "${CMAKE_STATIC_LIBRARY_SUFFIX}")
-					continue()
-				endif()
-			endif()
-		elseif(${target_type} STREQUAL "STATIC_LIBRARY")
-			# for static libraries which are not CMake targets, redirect them to
-			# ${libdir}/${LIBS_PACKAGE_NAME} note that ${libdir} is not a CMake variable, but a
-			# pkgconfig variable, so we quote it and end up with a literal ${libdir} in the
-			# pkgconfig file
-			if(NOT TARGET ${dep})
-				get_filename_component(filename ${dep} NAME)
-				set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
-			else()
-				get_property(
-					dep_target_type
-					TARGET ${dep}
-					PROPERTY TYPE
-				)
-				if(${dep_target_type} STREQUAL "OBJECT_LIBRARY")
-					# skip object libraries
-					continue()
-				endif()
-
-				# if the library is imported, use the IMPORTED_LOCATION instead
-				get_property(
-					dep_imported_location
-					TARGET ${dep}
-					PROPERTY IMPORTED_LOCATION
-				)
-				if(NOT ${dep_imported_location} STREQUAL "")
-					get_filename_component(filename ${dep_imported_location} NAME)
-					set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
-				endif()
-			endif()
-		endif()
-
-		add_pkgconfig_dependency(${LIBDIRS_VAR} ${LIBS_VAR} ${dep} "${ignored}")
-	endforeach()
-
-	# Remove duplicate search paths. We cannot remove duplicates from ${LIBS_VAR} because the order
-	# of libraries is important.
-	list(REMOVE_DUPLICATES ${LIBDIRS_VAR})
-
-	set(${LIBS_VAR}
-		${${LIBS_VAR}}
-		PARENT_SCOPE
-	)
-	set(${LIBDIRS_VAR}
-		${${LIBDIRS_VAR}}
-		PARENT_SCOPE
-	)
-endfunction()
-
-function(add_pkgconfig_dependency LIBDIRS_VAR LIBS_VAR lib ignored)
-	if(${lib} IN_LIST ignored)
-		# already processed, avoid infinite recursion
-	elseif(${lib} MATCHES "^-")
-		# We have a flag. Pass it through unchanged.
-		list(APPEND ${LIBS_VAR} ${lib})
-	elseif(${lib} MATCHES "/")
-		# We have a path. Convert it to -L<dir> + -l<lib>.
-		get_filename_component(lib_dir ${lib} DIRECTORY)
-		list(APPEND ${LIBDIRS_VAR} -L${lib_dir})
-		get_filename_component(lib_base ${lib} NAME_WE)
-		string(REGEX REPLACE "^lib" "" lib_base ${lib_base})
-		list(APPEND ${LIBS_VAR} -l${lib_base})
-	else()
-		# Assume we have a plain library name. Prefix it with "-l". Then recurse into its
-		# dependencies but ignore the library itself, so we don't end up in an infinite loop with
-		# cyclic dependencies
-		list(APPEND ${LIBS_VAR} -l${lib})
-		list(APPEND ignored ${lib})
-		add_pkgconfig_library(${LIBDIRS_VAR} ${LIBS_VAR} ${lib} "${ignored}")
-	endif()
-	set(${LIBS_VAR}
-		${${LIBS_VAR}}
-		PARENT_SCOPE
-	)
-	set(${LIBDIRS_VAR}
-		${${LIBDIRS_VAR}}
-		PARENT_SCOPE
-	)
-endfunction()
--- a/cmake/modules/CompilerFlags.cmake
+++ b/cmake/modules/CompilerFlags.cmake
@ -33,6 +33,11 @@ if(NOT MSVC)
 	set(FALCOSECURITY_LIBS_COMMON_FLAGS "-Wall -ggdb")
 	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "-Og -D_DEBUG")
 	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "-O3 -fno-strict-aliasing -DNDEBUG")
+
+	if(MINIMAL_BUILD)
+		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -DMINIMAL_BUILD")
+	endif()
+
 	if(MUSL_OPTIMIZED_BUILD)
 		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -static -Os")
 	endif()
@ -40,7 +45,7 @@ if(NOT MSVC)
 	if(BUILD_WARNINGS_AS_ERRORS)
 		set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
 		set(CMAKE_SUPPRESSED_WARNINGS
-			"-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation -Wno-deprecated-declarations"
+			"-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation"
 		)
 		if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
 			# Clang needs these for suppressing these warnings: - C++20 array designators used with
@ -116,8 +121,10 @@ if(NOT MSVC)
 	add_definitions(-D__STDC_FORMAT_MACROS)

 else() # MSVC
+	set(MINIMAL_BUILD ON)
+
 	set(FALCOSECURITY_LIBS_COMMON_FLAGS
-		"-D_CRT_SECURE_NO_WARNINGS -DWIN32 /EHsc /W3 /Zi /std:c++17"
+		"-D_CRT_SECURE_NO_WARNINGS -DWIN32 -DMINIMAL_BUILD /EHsc /W3 /Zi /std:c++17"
 	)
 	if(CMAKE_VERSION VERSION_LESS 3.15.0)
 		set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
@ -137,8 +144,8 @@ else() # MSVC
 	set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")

 	# "_DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR" enables a workaround for windows GH runner issue, see
-	# https://github.com/actions/runner-images/issues/10004 Also, define NOMINMAX globally.
+	# https://github.com/actions/runner-images/issues/10004
 	add_compile_definitions(
-		_HAS_STD_BYTE=0 WIN32_LEAN_AND_MEAN _DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR NOMINMAX
+		_HAS_STD_BYTE=0 WIN32_LEAN_AND_MEAN _DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR
 	)
 endif()
--- a/cmake/modules/cares.cmake
+++ b/cmake/modules/cares.cmake
@ -0,0 +1,81 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
+
+if(CARES_INCLUDE)
+	# we already have c-ares
+elseif(NOT USE_BUNDLED_CARES)
+	find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
+	find_library(CARES_LIB NAMES cares)
+	if(CARES_INCLUDE AND CARES_LIB)
+		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system c-ares")
+	endif()
+else()
+	if(BUILD_SHARED_LIBS)
+		set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(CARES_CPPFLAGS)
+		set(CARES_STATIC_OPTION)
+	else()
+		set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(CARES_CPPFLAGS -DCARES_STATICLIB)
+		set(CARES_STATIC_OPTION --disable-shared)
+	endif()
+	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
+	set(CARES_INCLUDE "${CARES_SRC}/target/include/")
+	set(CARES_LIB "${CARES_SRC}/target/lib/libcares${CARES_LIB_SUFFIX}")
+	set(CARES_INSTALL_DIR "${CARES_SRC}/target")
+
+	if(NOT TARGET c-ares)
+		if(NOT ENABLE_PIC)
+			set(CARES_PIC_OPTION)
+		else()
+			set(CARES_PIC_OPTION "--with-pic=yes")
+		endif()
+
+		message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
+		ExternalProject_Add(
+			c-ares
+			PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
+			URL "https://github.com/c-ares/c-ares/releases/download/v1.30.0/c-ares-1.30.0.tar.gz"
+			URL_HASH "SHA256=4fea312112021bcef081203b1ea020109842feb58cd8a36a3d3f7e0d8bc1138c"
+			CONFIGURE_COMMAND CPPFLAGS=${CARES_CPPFLAGS} ./configure ${CARES_STATIC_OPTION}
+							  ${CARES_PIC_OPTION} --prefix=${CARES_INSTALL_DIR}
+			BUILD_COMMAND make
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
+			INSTALL_COMMAND make install
+		)
+		install(
+			FILES "${CARES_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${CARES_INCLUDE}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+
+endif()
+
+if(NOT TARGET c-ares)
+	add_custom_target(c-ares)
+endif()
+
+include_directories("${CARES_INCLUDE}")
--- a/cmake/modules/container_plugin.cmake
+++ b/cmake/modules/container_plugin.cmake
@ -1,44 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2025 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
-include(ExternalProject)
-
-string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
-
-set(CONTAINER_LIBRARY
-	"${CMAKE_CURRENT_BINARY_DIR}/container_plugin-prefix/src/container_plugin/libcontainer.so"
-)
-
-if(NOT CONTAINER_VERSION)
-	set(CONTAINER_VERSION "0.3.4")
-endif()
-if(NOT CONTAINER_HASH)
-	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-		set(CONTAINER_HASH "658f96c4b4a56d1bf945a788d60571076f808ae1bcc877c4ba3625b0fd752d8d")
-	else() # arm64
-		set(CONTAINER_HASH "34a153aca0164843a169193aba092a3063b24bca9ef80fd4f1d1f1919aba3bde")
-	endif()
-endif()
-if(NOT TARGET container_plugin)
-	message(STATUS "Fetching container plugin ${CONTAINER_VERSION} in '${CONTAINER_LIBRARY}'")
-	ExternalProject_Add(
-		container_plugin
-		URL "https://download.falco.org/plugins/stable/container-${CONTAINER_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-		URL_HASH "SHA256=${CONTAINER_HASH}"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ""
-		INSTALL_COMMAND ""
-	)
-endif()
--- a/cmake/modules/curl.cmake
+++ b/cmake/modules/curl.cmake
@ -0,0 +1,100 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
+
+include(openssl)
+include(zlib)
+
+if(CURL_INCLUDE_DIRS)
+	# we already have curl
+elseif(NOT USE_BUNDLED_CURL)
+	find_package(CURL REQUIRED)
+	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
+else()
+	if(BUILD_SHARED_LIBS)
+		set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(CURL_STATIC_OPTION)
+	else()
+		set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(CURL_STATIC_OPTION --disable-shared)
+	endif()
+	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
+	set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
+	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
+
+	if(NOT USE_BUNDLED_OPENSSL)
+		set(CURL_SSL_OPTION "--with-ssl")
+	else()
+		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+		message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
+	endif()
+
+	if(NOT USE_BUNDLED_ZLIB)
+		set(CURL_ZLIB_OPTION "--with-zlib")
+	else()
+		set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
+		message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
+	endif()
+	message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+
+	if(NOT ENABLE_PIC)
+		set(CURL_PIC_OPTION)
+	else()
+		set(CURL_PIC_OPTION "--with-pic")
+	endif()
+
+	if(NOT TARGET curl)
+		ExternalProject_Add(
+			curl
+			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
+			DEPENDS openssl zlib
+			URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2"
+			URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76"
+			CONFIGURE_COMMAND
+				./configure ${CURL_SSL_OPTION} ${CURL_ZLIB_OPTION} ${CURL_STATIC_OPTION}
+				${CURL_PIC_OPTION} --enable-optimize --disable-curldebug --disable-rt --enable-http
+				--disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp
+				--disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb
+				--disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp
+				--without-winssl --without-polarssl --without-cyassl --without-nss --without-axtls
+				--without-librtmp --without-winidn --without-libidn2 --without-libpsl
+				--without-nghttp2 --without-libssh2 --with-ca-path=/etc/ssl/certs/
+				--disable-threaded-resolver --without-brotli --without-zstd
+			BUILD_COMMAND make
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${CURL_LIBRARIES}
+			INSTALL_COMMAND ""
+		)
+		install(
+			FILES "${CURL_LIBRARIES}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${CURL_INCLUDE_DIRS}curl"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+			FILES_MATCHING
+			PATTERN "*.h"
+		)
+	endif()
+endif()
+
+if(NOT TARGET curl)
+	add_custom_target(curl)
+endif()
+
+include_directories("${CURL_INCLUDE_DIRS}")
--- a/cmake/modules/engine_config.cmake
+++ b/cmake/modules/engine_config.cmake
@ -23,7 +23,10 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 endif()

 # gVisor is currently only supported on Linux x86_64
-if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux")
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64"
+   AND CMAKE_SYSTEM_NAME MATCHES "Linux"
+   AND NOT MINIMAL_BUILD
+)
 	option(BUILD_LIBSCAP_GVISOR "Build gVisor support" ON)
 	if(BUILD_LIBSCAP_GVISOR)
 		set(HAS_ENGINE_GVISOR On)
--- a/cmake/modules/grpc.cmake
+++ b/cmake/modules/grpc.cmake
@ -0,0 +1,250 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
+
+if(GRPC_INCLUDE)
+	# we already have grpc
+elseif(NOT USE_BUNDLED_GRPC)
+	# gRPC
+	find_package(gRPC CONFIG)
+	if(gRPC_FOUND)
+		message(STATUS "Using gRPC ${gRPC_VERSION}")
+		set(GPR_LIB gRPC::gpr)
+		set(GRPC_LIB gRPC::grpc)
+		set(GRPCPP_LIB gRPC::grpc++)
+
+		# gRPC C++ plugin
+		get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
+		if(NOT GRPC_CPP_PLUGIN)
+			message(FATAL_ERROR "System grpc_cpp_plugin not found")
+		endif()
+
+		# gRPC include dir + properly handle grpc{++,pp}
+		get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
+		find_path(
+			GRPCXX_INCLUDE
+			NAMES grpc++/grpc++.h
+			PATHS ${GRPC_INCLUDE}
+		)
+		if(NOT GRPCXX_INCLUDE)
+			find_path(
+				GRPCPP_INCLUDE
+				NAMES grpcpp/grpcpp.h
+				PATHS ${GRPC_INCLUDE}
+			)
+			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+		endif()
+	else()
+		# Fallback to manually find libraries; Some distro, namely Ubuntu focal, do not install gRPC
+		# config cmake module
+		find_library(GPR_LIB NAMES gpr)
+		if(GPR_LIB)
+			message(STATUS "Found gpr lib: ${GPR_LIB}")
+		else()
+			message(FATAL_ERROR "Couldn't find system gpr")
+		endif()
+		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
+		if(GRPCXX_INCLUDE)
+			set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+		else()
+			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
+			set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+		endif()
+		find_library(GRPC_LIB NAMES grpc)
+		find_library(GRPCPP_LIB NAMES grpc++)
+		if(GRPC_INCLUDE
+		   AND GRPC_LIB
+		   AND GRPCPP_LIB
+		)
+			message(
+				STATUS
+					"Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}"
+			)
+		else()
+			message(FATAL_ERROR "Couldn't find system grpc")
+		endif()
+		find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
+		if(NOT GRPC_CPP_PLUGIN)
+			message(FATAL_ERROR "System grpc_cpp_plugin not found")
+		endif()
+	endif()
+else()
+	include(cares)
+	include(protobuf)
+	include(zlib)
+	include(openssl)
+	if(BUILD_SHARED_LIBS)
+		set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
+	else()
+		set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
+	endif()
+	include(re2)
+	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
+	set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
+	set(GRPC_INCLUDE "${GRPC_INSTALL_DIR}/include" "${GRPC_SRC}/third_party/abseil-cpp")
+	set(GPR_LIB "${GRPC_SRC}/libgpr.a")
+	set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
+	set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
+	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
+	set(GRPC_MAIN_LIBS "")
+	list(
+		APPEND
+		GRPC_MAIN_LIBS
+		"${GPR_LIB}"
+		"${GRPC_LIB}"
+		"${GRPCPP_LIB}"
+		"${GRPC_SRC}/libgrpc++_alts.a"
+		"${GRPC_SRC}/libgrpc++_error_details.a"
+		"${GRPC_SRC}/libgrpc++_reflection.a"
+		"${GRPC_SRC}/libgrpc++_unsecure.a"
+		"${GRPC_SRC}/libgrpc_plugin_support.a"
+		"${GRPC_SRC}/libgrpc_unsecure.a"
+		"${GRPC_SRC}/libgrpcpp_channelz.a"
+	)
+
+	get_filename_component(PROTOC_DIR ${PROTOC} PATH)
+
+	if(NOT TARGET grpc)
+		message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
+
+		# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP
+		# cmakefiles) into target_link_libraries later note: the list below is manually generated
+		# starting from the output of pkg-config --libs grpc++
+		set(GRPC_LIBRARIES "")
+		list(
+			APPEND
+			GRPC_LIBRARIES
+			"${GRPC_SRC}/libaddress_sorting.a"
+			"${GRPC_SRC}/libupb.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
+		)
+
+		ExternalProject_Add(
+			grpc
+			PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
+			DEPENDS openssl protobuf c-ares zlib re2
+			GIT_REPOSITORY https://github.com/grpc/grpc.git
+			GIT_TAG v1.44.0
+			GIT_SUBMODULES "third_party/abseil-cpp"
+			CMAKE_CACHE_ARGS
+				-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
+				-DCMAKE_BUILD_TYPE:STRING=${CMAKE_BUILD_TYPE}
+				-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=${ENABLE_PIC}
+				-DgRPC_INSTALL:BOOL=OFF
+				# disable unused stuff
+				-DgRPC_BUILD_TESTS:BOOL=OFF
+				-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
+				-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
+				# deps provided by us
+				# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
+				-DgRPC_CARES_PROVIDER:STRING=package
+				-Dc-ares_DIR:PATH=${CARES_SRC}
+				-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
+				-Dc-ares_LIBRARY:PATH=${CARES_LIB}
+				# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
+				-DgRPC_PROTOBUF_PROVIDER:STRING=package
+				-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
+				-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
+				-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
+				-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
+				-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
+				# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
+				-DgRPC_SSL_PROVIDER:STRING=package
+				-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
+				-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
+				# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
+				-DgRPC_ZLIB_PROVIDER:STRING=package
+				-DZLIB_ROOT:STRING=${ZLIB_SRC}
+				# RE2
+				-DgRPC_RE2_PROVIDER:STRING=package
+				-Dre2_DIR:PATH=${RE2_DIR}
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
+			# Keep installation files into the local ${GRPC_INSTALL_DIR} since here is the case when
+			# we are embedding gRPC
+			UPDATE_COMMAND ""
+			INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
+		)
+		install(
+			FILES ${GRPC_MAIN_LIBS}
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES ${GRPC_LIBRARIES}
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${GRPC_SRC}/target/include/"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+endif()
+
+if(NOT TARGET grpc)
+	add_custom_target(grpc)
+endif()
+
+include_directories("${GRPC_INCLUDE}")
--- a/cmake/modules/libbpf.cmake
+++ b/cmake/modules/libbpf.cmake
@ -15,19 +15,12 @@

 option(USE_BUNDLED_LIBBPF "Enable building of the bundled libbpf" ${USE_BUNDLED_DEPS})

-if(TARGET lbpf)
+if(LIBBPF_INCLUDE)
 	# we already have libbpf
 elseif(NOT USE_BUNDLED_LIBBPF)
-	include(zlib)
-	include(libelf)
 	find_path(LIBBPF_INCLUDE bpf/libbpf.h)
 	find_library(LIBBPF_LIB NAMES bpf)
 	if(LIBBPF_INCLUDE AND LIBBPF_LIB)
-		add_library(lbpf STATIC IMPORTED GLOBAL)
-		set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
-		target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
-		target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
-
 		message(STATUS "Found libbpf: include: ${LIBBPF_INCLUDE}, lib: ${LIBBPF_LIB}")
 	else()
 		message(FATAL_ERROR "Couldn't find system libbpf")
@ -39,42 +32,38 @@ else()
 	set(LIBBPF_BUILD_DIR "${LIBBPF_SRC}/libbpf-build")
 	set(LIBBPF_INCLUDE "${LIBBPF_BUILD_DIR}/root/usr/include")
 	set(LIBBPF_LIB "${LIBBPF_BUILD_DIR}/root/usr/lib64/libbpf.a")
-
-	get_target_property(LIBELF_INCLUDE_DIR elf INCLUDE_DIRECTORIES)
-
-	foreach(dir ${LIBELF_INCLUDE_DIR})
-		string(APPEND LIBELF_COMPILER_STRING "-I${dir} ")
-	endforeach()
-
 	ExternalProject_Add(
 		libbpf
 		PREFIX "${PROJECT_BINARY_DIR}/libbpf-prefix"
-		DEPENDS zlib elf
+		DEPENDS zlib libelf
 		URL "https://github.com/libbpf/libbpf/archive/refs/tags/v1.3.0.tar.gz"
 		URL_HASH "SHA256=11db86acd627e468bc48b7258c1130aba41a12c4d364f78e184fd2f5a913d861"
 		CONFIGURE_COMMAND mkdir -p build root
 		BUILD_COMMAND
 			make BUILD_STATIC_ONLY=y OBJDIR=${LIBBPF_BUILD_DIR}/build
 			DESTDIR=${LIBBPF_BUILD_DIR}/root NO_PKG_CONFIG=1
-			"EXTRA_CFLAGS=-fPIC ${LIBELF_COMPILER_STRING} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic"
+			"EXTRA_CFLAGS=-fPIC -I${LIBELF_INCLUDE} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic"
 			"EXTRA_LDFLAGS=-L${LIBELF_SRC}/libelf/libelf -L${ZLIB_SRC}" -C ${LIBBPF_SRC}/libbpf/src
 			install install_uapi_headers
 		INSTALL_COMMAND ""
 		UPDATE_COMMAND ""
 		BUILD_BYPRODUCTS ${LIBBPF_LIB}
 	)
-
-	add_library(lbpf STATIC IMPORTED GLOBAL)
-	set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
-	file(MAKE_DIRECTORY ${LIBBPF_INCLUDE}) # necessary to make target_include_directories() work
-	target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
-	add_dependencies(lbpf libbpf)
-	target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
-
 	message(STATUS "Using bundled libbpf: include'${LIBBPF_INCLUDE}', lib: ${LIBBPF_LIB}")
 	install(
 		FILES "${LIBBPF_LIB}"
 		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
 		COMPONENT "libs-deps"
 	)
+	install(
+		DIRECTORY "${LIBBPF_INCLUDE}"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
 endif()
+
+if(NOT TARGET libbpf)
+	add_custom_target(libbpf)
+endif()
+
+include_directories(${LIBBPF_INCLUDE})
--- a/cmake/modules/libelf.cmake
+++ b/cmake/modules/libelf.cmake
@ -13,13 +13,11 @@
 # the License.
 #

-include_guard()
-
 option(USE_BUNDLED_LIBELF "Enable building of the bundled libelf" ${USE_BUNDLED_DEPS})
 option(USE_SHARED_LIBELF "When not using bundled libelf, link it dynamically" ON)

-if(TARGET elf)
-	# we already have libelf
+if(LIBELF_INCLUDE)
+	# we already have LIBELF
 elseif(NOT USE_BUNDLED_LIBELF)
 	find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
 	if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
@ -27,49 +25,62 @@ elseif(NOT USE_BUNDLED_LIBELF)
 	else()
 		set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
 	endif()
-	# Zig workaround: since it won't look up in /usr/lib/..., add an HINT
-	if(CMAKE_C_COMPILER MATCHES "zig")
-		find_library(
-			LIBELF_LIB
-			NAMES libelf${LIBELF_LIB_SUFFIX}
-			HINTS /usr/lib/${CMAKE_SYSTEM_PROCESSOR}-linux-gnu/
-		)
-	else()
-		find_library(LIBELF_LIB NAMES libelf${LIBELF_LIB_SUFFIX})
-	endif()
+	find_library(LIBELF_LIB NAMES libelf${LIBELF_LIB_SUFFIX})
 	if(LIBELF_LIB)
-		# Zig workaround: avoid include whole /usr/include because it would include also system
-		# glibc headers breaking the build since we are targeting the build against our boostrapped
-		# zig.
-		if(CMAKE_C_COMPILER MATCHES "zig")
-			message(STATUS "Enabling zig workaround for libelf")
-			configure_file(${LIBELF_INCLUDE}/libelf.h libelf/libelf.h COPYONLY)
-			configure_file(${LIBELF_INCLUDE}/elf.h libelf/elf.h COPYONLY)
-			configure_file(${LIBELF_INCLUDE}/gelf.h libelf/gelf.h COPYONLY)
-			set(LIBELF_INCLUDE ${CMAKE_CURRENT_BINARY_DIR}/libelf)
-		endif()
 		message(STATUS "Found LIBELF: include: ${LIBELF_INCLUDE}, lib: ${LIBELF_LIB}")
 	else()
 		message(FATAL_ERROR "Couldn't find system libelf")
 	endif()
-
-	if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
-		add_library(elf SHARED IMPORTED GLOBAL)
-	else()
-		add_library(elf STATIC IMPORTED GLOBAL)
-	endif()
-
-	set_target_properties(elf PROPERTIES IMPORTED_LOCATION ${LIBELF_LIB})
-	target_include_directories(elf INTERFACE ${LIBELF_INCLUDE})
+	# We add a custom target, in this way we can always depend on `libelf` without distinguishing
+	# between "bundled" and "not-bundled" case
+	add_custom_target(libelf)
 else()
-	include(FetchContent)
-	FetchContent_Declare(
-		libelf_elftoolchain
-		URL https://github.com/falcosecurity/elftoolchain/releases/download/libelf-r4073-0/libelf-r4073-0.tar.gz
-		URL_HASH SHA256=adfeb3033c23ca579902f2bce7d9ffeec662f97d3846bb74e57fb65d70f6f056
+	if(BUILD_SHARED_LIBS)
+		set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	set(LIBELF_CFLAGS "-I${ZLIB_INCLUDE}")
+	if(ENABLE_PIC)
+		set(LIBELF_CFLAGS "${LIBELF_CFLAGS} -fPIC")
+	endif()
+	set(LIBELF_SRC "${PROJECT_BINARY_DIR}/libelf-prefix/src")
+	set(LIBELF_INCLUDE "${LIBELF_SRC}/libelf/libelf")
+	set(LIBELF_LIB "${LIBELF_SRC}/libelf/libelf/libelf${LIBELF_LIB_SUFFIX}")
+	ExternalProject_Add(
+		libelf
+		PREFIX "${PROJECT_BINARY_DIR}/libelf-prefix"
+		DEPENDS zlib
+		URL "https://sourceware.org/elfutils/ftp/0.189/elfutils-0.189.tar.bz2"
+		URL_HASH "SHA256=39bd8f1a338e2b7cd4abc3ff11a0eddc6e690f69578a57478d8179b4148708c8"
+		CONFIGURE_COMMAND
+			./configure LDFLAGS=-L${ZLIB_SRC} "CFLAGS=${LIBELF_CFLAGS}"
+			--enable-deterministic-archives --disable-debuginfod --disable-libdebuginfod
+			--without-zstd
+		BUILD_IN_SOURCE 1
+		BUILD_COMMAND make -C lib libeu.a
+		COMMAND make -C libelf libelf${LIBELF_LIB_SUFFIX}
+		INSTALL_COMMAND ""
+		UPDATE_COMMAND ""
+		BUILD_BYPRODUCTS ${LIBELF_LIB}
+	)
+	message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}', lib: ${LIBELF_LIB}")
+	install(
+		FILES "${LIBELF_LIB}"
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
+	install(
+		DIRECTORY "${LIBELF_INCLUDE}"
+		DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
 	)
-	FetchContent_MakeAvailable(libelf_elftoolchain)
-	get_target_property(LIBELF_INCLUDE elf INCLUDE_DIRECTORIES)
-
-	message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}'")
 endif()
+
+# We add a custom target, in this way we can always depend on `libelf` without distinguishing
+# between "bundled" and "not-bundled" case
+if(NOT TARGET libelf)
+	add_custom_target(libelf)
+endif()
+
+include_directories(${LIBELF_INCLUDE})
--- a/cmake/modules/libscap.cmake
+++ b/cmake/modules/libscap.cmake
@ -32,8 +32,6 @@ if(NOT HAVE_LIBSCAP)
 	check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
 	check_symbol_exists(strlcat "string.h" HAVE_STRLCAT)

-	include(BuildPkgConfigDependencies)
-
 	if(HAVE_STRLCPY)
 		message(STATUS "Existing strlcpy found, will *not* use local definition")
 	else()
@ -91,6 +89,40 @@ if(NOT HAVE_LIBSCAP)
 		endif()
 	endforeach()

+	# Installation targets and their dependencies
+	set(libscap_link_libraries)
+	set(libscap_link_libdirs)
+	foreach(libscap_install_lib ${LIBSCAP_INSTALL_LIBS})
+		list(APPEND libscap_link_libraries ${libscap_install_lib})
+		get_target_property(install_lib_link_libraries ${libscap_install_lib} LINK_LIBRARIES)
+		foreach(install_lib_link_library ${install_lib_link_libraries})
+			if(NOT ${install_lib_link_library} IN_LIST libscap_subdir_targets)
+				if(${install_lib_link_library} MATCHES "/")
+					# We have a path. Convert it to -L<dir> + -l<lib>.
+					get_filename_component(scap_lib_dir ${install_lib_link_library} DIRECTORY)
+					list(APPEND libscap_link_libdirs -L${scap_lib_dir})
+					get_filename_component(scap_lib_base ${install_lib_link_library} NAME_WE)
+					string(REGEX REPLACE "^lib" "" scap_lib_base ${scap_lib_base})
+					list(APPEND libscap_link_libraries ${scap_lib_base})
+				else()
+					list(APPEND libscap_link_libraries ${install_lib_link_library})
+				endif()
+			endif()
+		endforeach()
+	endforeach()
+	list(REMOVE_DUPLICATES libscap_link_libraries)
+
+	set(libscap_link_flags)
+	foreach(libscap_link_library ${libscap_link_libraries})
+		list(APPEND libscap_link_flags "-l${libscap_link_library}")
+	endforeach()
+
+	string(REPLACE ";" " " LIBSCAP_LINK_LIBRARIES_FLAGS "${libscap_link_flags}")
+	string(REPLACE ";" " " LIBSCAP_LINK_LIBDIRS_FLAGS "${libscap_link_libdirs}")
+	configure_file(
+		${LIBS_DIR}/userspace/libscap/libscap.pc.in ${PROJECT_BINARY_DIR}/libscap/libscap.pc @ONLY
+	)
+
 	install(
 		TARGETS ${LIBSCAP_INSTALL_LIBS}
 		ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
@ -122,13 +154,6 @@ if(NOT HAVE_LIBSCAP)
 		FILES_MATCHING
 		PATTERN "*.h"
 	)
-
-	if(USE_BUNDLED_UTHASH)
-		install(FILES ${UTHASH_INCLUDE}/uthash.h
-				DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
-		)
-	endif()
-
 	install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_config.h
 			DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
 	)
--- a/cmake/modules/libsinsp.cmake
+++ b/cmake/modules/libsinsp.cmake
@ -32,6 +32,14 @@ if(NOT HAVE_LIBSINSP)
 	if(NOT EMSCRIPTEN)
 		include(tbb)
 	endif()
+	if(NOT WIN32
+	   AND NOT APPLE
+	   AND NOT MINIMAL_BUILD
+	   AND NOT EMSCRIPTEN
+	)
+		include(cares)
+		include(curl)
+	endif()
 	include(jsoncpp)
 	include(valijson)
 	include(re2)
@ -40,14 +48,44 @@ if(NOT HAVE_LIBSINSP)
 		include(bs_threadpool)
 	endif()

-	set(LIBSINSP_INCLUDE_DIRS)
+	set(LIBSINSP_INCLUDE_DIRS ${LIBS_DIR} ${LIBS_DIR}/userspace ${LIBSCAP_INCLUDE_DIRS}
+							  ${DRIVER_CONFIG_DIR}
+	)

-	if(NOT USE_BUNDLED_TBB AND NOT EMSCRIPTEN)
-		list(APPEND LIBSINSP_INCLUDE_DIRS ${TBB_INCLUDE_DIR})
+	if(NOT EMSCRIPTEN)
+		get_filename_component(TBB_ABSOLUTE_INCLUDE_DIR ${TBB_INCLUDE_DIR} ABSOLUTE)
+		list(APPEND LIBSINSP_INCLUDE_DIRS ${TBB_ABSOLUTE_INCLUDE_DIR})
 	endif()

-	if(NOT USE_BUNDLED_JSONCPP)
-		list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE})
+	get_filename_component(JSONCPP_ABSOLUTE_INCLUDE_DIR ${JSONCPP_INCLUDE} ABSOLUTE)
+	list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_ABSOLUTE_INCLUDE_DIR})
+
+	get_filename_component(VALIJSON_ABSOLUTE_INCLUDE_DIR ${VALIJSON_INCLUDE} ABSOLUTE)
+	list(APPEND LIBSINSP_INCLUDE_DIRS ${VALIJSON_ABSOLUTE_INCLUDE_DIR})
+
+	get_filename_component(RE2_ABSOLUTE_INCLUDE_DIR ${RE2_INCLUDE} ABSOLUTE)
+	list(APPEND LIBSINSP_INCLUDE_DIRS ${RE2_ABSOLUTE_INCLUDE_DIR})
+
+	if(ENABLE_THREAD_POOL AND NOT EMSCRIPTEN)
+		get_filename_component(BS_THREADPOOL_ABSOLUTE_INCLUDE_DIR ${BS_THREADPOOL_INCLUDE} ABSOLUTE)
+		list(APPEND LIBSINSP_INCLUDE_DIRS ${BS_THREADPOOL_ABSOLUTE_INCLUDE_DIR})
+	endif()
+
+	if(NOT MINIMAL_BUILD
+	   AND NOT EMSCRIPTEN
+	   AND NOT APPLE
+	)
+		get_filename_component(CARES_ABSOLUTE_INCLUDE_DIR ${CARES_INCLUDE} ABSOLUTE)
+		list(APPEND LIBSINSP_INCLUDE_DIRS ${CARES_ABSOLUTE_INCLUDE_DIR})
+	endif()
+
+	if(NOT WIN32
+	   AND NOT APPLE
+	   AND NOT MINIMAL_BUILD
+	   AND NOT EMSCRIPTEN
+	)
+		get_filename_component(CURL_ABSOLUTE_INCLUDE_DIR ${CURL_INCLUDE_DIRS} ABSOLUTE)
+		list(APPEND LIBSINSP_INCLUDE_DIRS ${CURL_ABSOLUTE_INCLUDE_DIR})
 	endif()

 	function(set_sinsp_target_properties target)
--- a/cmake/modules/openssl.cmake
+++ b/cmake/modules/openssl.cmake
@ -0,0 +1,81 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
+
+if(OPENSSL_INCLUDE_DIR)
+	# we already have openssl
+elseif(NOT USE_BUNDLED_OPENSSL)
+	find_package(OpenSSL REQUIRED)
+	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
+else()
+	if(BUILD_SHARED_LIBS)
+		set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(OPENSSL_SHARED_OPTION shared)
+	else()
+		set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(OPENSSL_SHARED_OPTION no-shared)
+	endif()
+	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
+	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
+	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
+	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
+	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
+	set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
+
+	if(NOT TARGET openssl)
+		if(NOT ENABLE_PIC)
+			set(OPENSSL_PIC_OPTION)
+		else()
+			set(OPENSSL_PIC_OPTION "-fPIC")
+		endif()
+
+		message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
+
+		ExternalProject_Add(
+			openssl
+			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
+			URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
+			URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
+			CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} ${OPENSSL_PIC_OPTION}
+							  --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
+			BUILD_COMMAND make
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
+			INSTALL_COMMAND make install_sw
+		)
+		install(
+			FILES "${OPENSSL_LIBRARY_SSL}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES "${OPENSSL_LIBRARY_CRYPTO}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${OPENSSL_INCLUDE_DIR}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+endif()
+
+if(NOT TARGET openssl)
+	add_custom_target(openssl)
+endif()
+
+include_directories("${OPENSSL_INCLUDE_DIR}")
--- a/cmake/modules/protobuf.cmake
+++ b/cmake/modules/protobuf.cmake
@ -58,9 +58,8 @@ else()
 		else()
 			set(PROTOBUF_PIC_OPTION "--with-pic=yes")
 		endif()
-		# Match both release and relwithdebinfo builds
-		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
-			set(PROTOBUF_CXXFLAGS "-O3 -std=c++11 -DNDEBUG")
+		if(CMAKE_BUILD_TYPE STREQUAL "Release")
+			set(PROTOBUF_CXXFLAGS "-O2 -std=c++11 -DNDEBUG")
 		else()
 			set(PROTOBUF_CXXFLAGS "-g -std=c++11")
 		endif()
@ -73,8 +72,8 @@ else()
 			URL_HASH "SHA256=e51cc8fc496f893e2a48beb417730ab6cbcb251142ad8b2cd1951faa5c76fe3d"
 			# TODO what if using system zlib?
 			CONFIGURE_COMMAND
-				./configure CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib-include=${ZLIB_INCLUDE}
-				--with-zlib-lib=${ZLIB_SRC} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
+				CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure
+				CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
 				${PROTOBUF_PIC_OPTION} --prefix=${PROTOBUF_INSTALL_DIR}
 			BUILD_COMMAND make
 			BUILD_IN_SOURCE 1
--- a/cmake/modules/re2.cmake
+++ b/cmake/modules/re2.cmake
@ -55,7 +55,6 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		else()
 			# CMake 3.29.1 removed the support for the `PACKAGE_PREFIX_DIR` variable. The patch
@ -75,7 +74,6 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		endif()
 	else()
@ -97,7 +95,6 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		else()
 			ExternalProject_Add(
@ -114,7 +111,6 @@ else()
 						   -DRE2_BUILD_TESTING=OFF
 						   -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 			)
 		endif()
 	endif()
--- a/cmake/modules/tbb.cmake
+++ b/cmake/modules/tbb.cmake
@ -58,9 +58,9 @@ else()

 	if(NOT TARGET tbb)
 		message(STATUS "Using bundled tbb in '${TBB_SRC}'")
-		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.1.0.tar.gz")
+		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2021.9.0.tar.gz")
 		set(TBB_SRC_URL_HASH
-			"SHA256=ed067603ece0dc832d2881ba5c516625ac2522c665d95f767ef6304e34f961b5"
+			"SHA256=1ce48f34dada7837f510735ff1172f6e2c261b09460e3bf773b49791d247d24e"
 		)
 		set(TBB_FLAGS "")
 		if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
@ -68,10 +68,6 @@ else()
 			# https://github.com/oneapi-src/oneTBB/issues/843#issuecomment-1152646035
 			set(TBB_FLAGS "-Wno-error=stringop-overflow")
 		endif()
-		if(EMSCRIPTEN)
-			set(TBB_FLAGS "${TBB_FLAGS} -Wno-unused-command-line-argument")
-			set(TBB_EMSCRIPTEN "ON")
-		endif()

 		if(NOT WIN32)
 			ExternalProject_Add(
@ -84,13 +80,10 @@ else()
 				CMAKE_ARGS -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
 						   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 						   -DTBB_OUTPUT_DIR_BASE=lib
-						   -DCMAKE_CXX_FLAGS=${TBB_FLAGS}
+						   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
 						   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
 						   -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
 						   -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
-						   -DEMSCRIPTEN=${TBB_EMSCRIPTEN}
-						   -DTBB_FILE_TRIM=Off
-						   -DTBB_INSTALL=Off
 				BUILD_BYPRODUCTS ${TBB_LIB}
 				INSTALL_COMMAND ""
 			)
@ -112,8 +105,6 @@ else()
 							   -DTBB_OUTPUT_DIR_BASE=lib
 							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
 							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-							   -DTBB_FILE_TRIM=Off
-							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
 					INSTALL_COMMAND ""
 				)
@ -133,8 +124,6 @@ else()
 							   -DTBB_OUTPUT_DIR_BASE=lib
 							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
 							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-							   -DTBB_FILE_TRIM=Off
-							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
 					INSTALL_COMMAND ""
 				)
--- a/cmake/modules/zlib.cmake
+++ b/cmake/modules/zlib.cmake
@ -45,14 +45,9 @@ else()
 		"${ZLIB_INCLUDE}/zutil.h"
 	)
 	if(NOT TARGET zlib)
-		# Match both release and relwithdebinfo builds
-		if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
-			set(ZLIB_CFLAGS "-O3")
-		else()
-			set(ZLIB_CFLAGS "-g")
-		endif()
+		set(ZLIB_CFLAGS)
 		if(ENABLE_PIC)
-			set(ZLIB_CFLAGS "${ZLIB_CFLAGS} -fPIC")
+			set(ZLIB_CFLAGS -fPIC)
 		endif()

 		message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")
--- a/docs/report.md
+++ b/docs/report.md
@ -116,7 +116,6 @@
 | gettimeofday            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | getuid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | getxattr                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
-| getxattrat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | init_module             | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | inotify_add_watch       | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | inotify_init            | 🟢        | ppc64le,s390x,x86_64                             |
@ -152,7 +151,6 @@
 | listen                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | listmount               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | listxattr               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
-| listxattrat             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | llistxattr              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | lookup_dcookie          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | lremovexattr            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
@ -213,7 +211,6 @@
 | open                    | 🟢        | ppc64le,s390x,x86_64                             |
 | open_by_handle_at       | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | open_tree               | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
-| open_tree_attr          | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | openat                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | openat2                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | pause                   | 🟡        | ppc64le,s390x,x86_64                             |
@ -262,7 +259,6 @@
 | recvmsg                 | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | remap_file_pages        | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | removexattr             | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
-| removexattrat           | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | rename                  | 🟢        | ppc64le,s390x,x86_64                             |
 | renameat                | 🟢        | aarch64,ppc64le,s390x,x86_64                     |
 | renameat2               | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
@ -334,7 +330,6 @@
 | settimeofday            | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | setuid                  | 🟢        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | setxattr                | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
-| setxattrat              | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | sgetmask                | 🟡        | ppc64le                                          |
 | shmat                   | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
 | shmctl                  | 🟡        | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
--- a/driver/API_VERSION
+++ b/driver/API_VERSION
@ -1 +1 @@
-8.0.4
+8.0.3
--- a/driver/CMakeLists.txt
+++ b/driver/CMakeLists.txt
@ -158,11 +158,6 @@ set(DRIVER_SOURCES
 	ppm_consumer.h
 	capture_macro.h
 	socketcall_to_syscall.h
-	syscall_compat_loongarch64.h
-	syscall_compat_ppc64le.h
-	syscall_compat_riscv64.h
-	syscall_compat_s390x.h
-	syscall_compat_x86_64.h
 	syscall_ia32_64_map.c
 )

--- a/driver/Makefile.in
+++ b/driver/Makefile.in
@ -29,7 +29,7 @@ install: all

 else

-KERNELDIR 	?= $(realpath $(objtree))
+KERNELDIR 	?= $(CURDIR)
 #
 # Get the path of the module sources
 #
--- a/driver/SCHEMA_VERSION
+++ b/driver/SCHEMA_VERSION
@ -1 +1 @@
-3.69.0
+2.22.1
--- a/driver/bpf/Makefile
+++ b/driver/bpf/Makefile
@ -28,7 +28,7 @@ clean:

 else

-KERNELDIR 	?= $(realpath $(objtree))
+KERNELDIR 	?= $(CURDIR)
 #
 # Get the path of the module sources
 #
--- a/driver/bpf/configure/0__SANITY/test.c
+++ b/driver/bpf/configure/0__SANITY/test.c
@ -1,23 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only OR MIT
-/*
-
-Copyright (C) 2024 The Falco Authors.
-
-This file is dual licensed under either the MIT or GPL 2. See MIT.txt
-or GPL2.txt for full copies of the license.
-
-*/
-
-/*
- * Check that the build system is sane.
- */
-
-#include "../../quirks.h"
-#include "../../ppm_events_public.h"
-#include "../../types.h"
-
-BPF_PROBE("sanity/", sanity, sanity_args) {
-	return 0;
-}
-
-char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
+++ b/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
@ -1,32 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only OR MIT
-/*
-
-Copyright (C) 2025 The Falco Authors.
-
-This file is dual licensed under either the MIT or GPL 2. See MIT.txt
-or GPL2.txt for full copies of the license.
-
-*/
-
-/*
- * Check that kernfs_node's field `parent` exists.
- * See 6.15 kernel commit it is named __parent:
- * https://github.com/torvalds/linux/commit/633488947ef66b194377411322dc9e12aab79b65
- */
-
-#include "../../quirks.h"
-#include "../../ppm_events_public.h"
-#include "../../types.h"
-
-// struct kernfs_node declaration
-#include <linux/kernfs.h>
-
-BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
-	struct kernfs_node *parent;
-	struct kernfs_node node;
-
-	parent = node.parent;
-	return 0;
-}
-
-char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/configure/Makefile.inc.in
+++ b/driver/bpf/configure/Makefile.inc.in
@ -7,17 +7,7 @@ ifeq ($(HAS_@CONFIGURE_MODULE@),0)
 $(info [configure-bpf] Setting HAS_@CONFIGURE_MODULE@ flag)
 KBUILD_CPPFLAGS += -DHAS_@CONFIGURE_MODULE@
 else
-HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
-HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
+HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
 $(info [configure-bpf] Build output for HAS_@CONFIGURE_MODULE@:)
 $(info [configure-bpf] $(HAS_@CONFIGURE_MODULE@_OUT))
 endif
-
-ifeq ('@CONFIGURE_MODULE@','0__SANITY')
-    ifeq ($(HAS_@CONFIGURE_MODULE@),0)
-        $(info [configure-bpf] Build system is sane)
-    else
-        $(info [configure-bpf] Build system is broken, please see above errors)
-        $(error The build system is broken, please see above errors)
-    endif
-endif
--- a/driver/bpf/configure/TASK_PIDS_FIELD/test.c
+++ b/driver/bpf/configure/TASK_PIDS_FIELD/test.c
@ -1,29 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only OR MIT
-/*
-
-Copyright (C) 2024 The Falco Authors.
-
-This file is dual licensed under either the MIT or GPL 2. See MIT.txt
-or GPL2.txt for full copies of the license.
-
-*/
-
-/*
- * Check that the `pids` field is defined in the `task_struct` struct.
- * Since kernel version 4.19.0 the `pids` field is moved in the `signal_struct` struct, but this
- * change has been backported to older kernels.
- */
-
-#include "../../quirks.h"
-#include "../../ppm_events_public.h"
-#include "../../types.h"
-
-BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
-	struct task_struct *task = (struct task_struct *)0;
-	if(task->pids) {
-		return 1;
-	}
-	return 0;
-}
-
-char __license[] __bpf_section("license") = "Dual MIT/GPL";
--- a/driver/bpf/filler_helpers.h
+++ b/driver/bpf/filler_helpers.h
@ -425,7 +425,10 @@ static __always_inline bool bpf_getsockname(struct socket *sock,

 		u = (struct unix_sock *)sk;
 		addr = _READ(u->addr);
-		if(u && addr) {
+		if(!addr) {
+			sunaddr->sun_family = AF_UNIX;
+			sunaddr->sun_path[0] = 0;
+		} else {
 			unsigned int len = _READ(addr->len);

 			if(len > sizeof(struct sockaddr_storage))
@ -437,13 +440,6 @@ static __always_inline bool bpf_getsockname(struct socket *sock,
 #else
 			bpf_probe_read_kernel(sunaddr, len, addr->name);
 #endif
-		} else {
-			sunaddr->sun_family = AF_UNIX;
-			sunaddr->sun_path[0] = 0;
-			// The first byte to 0 can be confused with an `abstract socket address` for this reason
-			// we put also the second byte to 0 to comunicate to the caller that the address is not
-			// valid.
-			sunaddr->sun_path[1] = 0;
 		}

 		break;
@ -610,9 +606,11 @@ static __always_inline int unix_socket_path(char *dest, const char *user_ptr, si
 	 * specified length of the address structure.
 	 */
 	if(res == 1) {
-		res = bpf_probe_read_kernel_str(dest,
+		dest[0] = '@';
+		res = bpf_probe_read_kernel_str(dest + 1,
 		                                size - 1,  // account for '@'
 		                                user_ptr + 1);
+		res++;  // account for '@'
 	}
 	return res;
 }
@ -884,8 +882,7 @@ static __always_inline long bpf_fd_to_socktuple(struct filler_data *data,
 		 */
 		struct unix_sock *us = (struct unix_sock *)sk;
 		struct sock *speer = _READ(us->peer);
-		struct sockaddr_un *usrsockaddr_un;
-		char *us_name = NULL;
+		char *us_name;

 		data->buf[data->state->tail_ctx.curoff & SCRATCH_SIZE_HALF] = socket_family_to_scap(family);

@ -894,23 +891,51 @@ static __always_inline long bpf_fd_to_socktuple(struct filler_data *data,
 			memcpy(&data->buf[(data->state->tail_ctx.curoff + 1 + 8) & SCRATCH_SIZE_HALF],
 			       &speer,
 			       8);
-			us_name = ((struct sockaddr_un *)sock_address)->sun_path;
 		} else {
 			memcpy(&data->buf[(data->state->tail_ctx.curoff + 1) & SCRATCH_SIZE_HALF], &speer, 8);
 			memcpy(&data->buf[(data->state->tail_ctx.curoff + 1 + 8) & SCRATCH_SIZE_HALF], &us, 8);
-			bpf_getsockname(sock, peer_address, 1);
-			us_name = ((struct sockaddr_un *)peer_address)->sun_path;
-			if(us_name[0] == '\0' && us_name[1] == '\0' && usrsockaddr != NULL) {
-				usrsockaddr_un = (struct sockaddr_un *)usrsockaddr;
-				us_name = usrsockaddr_un->sun_path;
+		}
+
+		/*
+		 * Pack the data into the target buffer
+		 */
+		size = 1 + 8 + 8;
+
+		if(!use_userdata) {
+			if(is_inbound) {
+				us_name = ((struct sockaddr_un *)sock_address)->sun_path;
+			} else {
+				bpf_getsockname(sock, peer_address, 1);
+				us_name = ((struct sockaddr_un *)peer_address)->sun_path;
 			}
+		} else {
+			/*
+			 * Map the user-provided address to a sockaddr_in
+			 */
+			struct sockaddr_un *usrsockaddr_un = (struct sockaddr_un *)usrsockaddr;
+
+			/*
+			 * Put a 0 at the end of struct sockaddr_un because
+			 * the user might not have considered it in the length
+			 */
+			if(ulen == sizeof(struct sockaddr_storage))
+				((char *)usrsockaddr_un)[(ulen - 1) & SCRATCH_SIZE_MAX] = 0;
+			else
+				((char *)usrsockaddr_un)[ulen & SCRATCH_SIZE_MAX] = 0;
+
+			if(is_inbound)
+				us_name = ((struct sockaddr_un *)sock_address)->sun_path;
+			else
+				us_name = usrsockaddr_un->sun_path;
 		}

 		int res = unix_socket_path(
 		        &data->buf[(data->state->tail_ctx.curoff + 1 + 8 + 8) & SCRATCH_SIZE_HALF],
 		        us_name,
 		        UNIX_PATH_MAX);
-		size = 1 + 8 + 8 + res;
+
+		size += res;
+
 		break;
 	}
 	}
@ -1379,43 +1404,4 @@ static __always_inline int bpf_val_to_ring_type(struct filler_data *data,
 	return __bpf_val_to_ring(data, val, 0, type, -1, false, param_type_to_mem(type));
 }

-static __always_inline pid_t bpf_push_pgid(struct filler_data *data, struct task_struct *task) {
-	pid_t pgid = 0;
-	// this is like calling in the kernel:
-	//
-	// struct pid *grp = task_pgrp(current);
-	// int pgrp = pid_nr(grp);
-#ifdef HAS_TASK_PIDS_FIELD
-	struct task_struct *leader = (struct task_struct *)_READ(task->group_leader);
-	if(leader) {
-		struct pid_link link = _READ(leader->pids[PIDTYPE_PGID]);
-		struct pid *pid_struct = link.pid;
-		if(pid_struct) {
-			pgid = _READ(pid_struct->numbers[0].nr);
-		}
-	}
-#else
-	struct signal_struct *signal = (struct signal_struct *)_READ(task->signal);
-	if(signal) {
-		struct pid *pid_struct = _READ(signal->pids[PIDTYPE_PGID]);
-		if(pid_struct) {
-			pgid = _READ(pid_struct->numbers[0].nr);
-		}
-	}
 #endif
-	return bpf_push_s64_to_ring(data, (int64_t)pgid);
-}
-
-#endif
-
-/* Legacy-probe-specific replacement for `socket_family_to_scap` helper. As encoding the socket
- * family using the `socket_family_to_scap` helper breaks the verifier on old kernel versions, just
- * send `PPM_AF_UNSPEC` if the user-provided socket family is negative, and leave it as is
- * otherwise. This solution relies on the fact that `AF_*` and corresponding `PPM_AF_*` macros map
- * to the same values. */
-static __always_inline uint8_t bpf_socket_family_to_scap(int8_t family) {
-	if(family < 0) {
-		family = PPM_AF_UNSPEC;
-	}
-	return (uint8_t)family;
-}
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
--- a/driver/bpf/probe.c
+++ b/driver/bpf/probe.c
@ -14,6 +14,7 @@ or GPL2.txt for full copies of the license.
 #if __has_include(<asm/rwonce.h>)
 #include <asm/rwonce.h>
 #endif
+#include <linux/sched.h>

 #include "driver_config.h"
 #include "ppm_events_public.h"
--- a/driver/bpf/types.h
+++ b/driver/bpf/types.h
@ -12,8 +12,6 @@ or GPL2.txt for full copies of the license.

 #ifdef __KERNEL__

-#include <linux/sched.h>  // TASK_COMM_LEN definition
-
 #define __bpf_section(NAME) __attribute__((section(NAME), used))

 #ifndef __always_inline
@ -143,16 +141,6 @@ struct sys_stash_args {
 #ifdef CAPTURE_SCHED_PROC_EXEC

 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
-struct sched_process_exec_args {
-	unsigned short common_type;
-	unsigned char common_flags;
-	unsigned char common_preempt_count;
-	int common_pid;
-	__u32 filename;  // This is actually defined as "__data_loc char[] filename;".
-	pid_t pid;
-	pid_t old_pid;
-};
-#else
 /* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
 * Taken from `/include/trace/events/sched.h`
 */
@ -161,6 +149,16 @@ struct sched_process_exec_args {
 	pid_t old_pid;
 	struct linux_binprm *bprm;
 };
+#else
+struct sched_process_exec_args {
+	unsigned short common_type;
+	unsigned char common_flags;
+	unsigned char common_preempt_count;
+	int common_pid;
+	int filename;
+	pid_t pid;
+	pid_t old_pid;
+};
 #endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */

 #endif /* CAPTURE_SCHED_PROC_EXEC */
--- a/driver/configure/0__SANITY/test.c
+++ b/driver/configure/0__SANITY/test.c
@ -1,26 +0,0 @@
-/*
-
-Copyright (C) 2023 The Falco Authors.
-
-This file is dual licensed under either the MIT or GPL 2. See MIT.txt
-or GPL2.txt for full copies of the license.
-
-*/
-
-/*
- * Check that the build environment is sane
- */
-
-#include <linux/module.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("the Falco authors");
-
-static int empty_init(void) {
-	return 0;
-}
-
-static void empty_exit(void) {}
-
-module_init(empty_init);
-module_exit(empty_exit);
--- a/driver/configure/FS_MNT_IDMAP/test.c
+++ b/driver/configure/FS_MNT_IDMAP/test.c
@ -1,33 +0,0 @@
-/*
-
-Copyright (C) 2025 The Falco Authors.
-
-This file is dual licensed under either the MIT or GPL 2. See MIT.txt
-or GPL2.txt for full copies of the license.
-
-*/
-
-/*
- * Check that fs function wants mnt_idmap
- * See linux 6.3 changes:
- * - https://github.com/torvalds/linux/commit/abf08576afe3
- * - https://github.com/torvalds/linux/commit/01beba7957a2
- */
-
-#include <linux/module.h>
-#include <linux/fs.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("the Falco authors");
-
-static int fs_mnt_idmap_init(void) {
-	struct mnt_idmap *idmap = NULL;
-	const struct inode *inode = NULL;
-	inode_owner_or_capable(idmap, inode);
-	return 0;
-}
-
-static void fs_mnt_idmap_exit(void) {}
-
-module_init(fs_mnt_idmap_init);
-module_exit(fs_mnt_idmap_exit);
--- a/driver/configure/Makefile.inc.in
+++ b/driver/configure/Makefile.inc.in
@ -9,17 +9,7 @@ ifeq ($(HAS_@CONFIGURE_MODULE@),0)
 $(info [configure-kmod] Setting HAS_@CONFIGURE_MODULE@ flag)
 ccflags-y += -DHAS_@CONFIGURE_MODULE@
 else
-HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
-HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
+HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
 $(info [configure-kmod] Build output for HAS_@CONFIGURE_MODULE@:)
 $(info [configure-kmod] $(HAS_@CONFIGURE_MODULE@_OUT))
 endif
-
-ifeq ('@CONFIGURE_MODULE@','0__SANITY')
-    ifeq ($(HAS_@CONFIGURE_MODULE@),0)
-        $(info [configure-kmod] Build system is sane)
-    else
-        $(info [configure-kmod] Build system is broken, please see above errors)
-        $(error The build system is broken, please see above errors)
-    endif
-endif
--- a/driver/event_table.c
+++ b/driver/event_table.c
--- a/driver/fillers_table.c
+++ b/driver/fillers_table.c
@ -20,6 +20,8 @@ or GPL2.txt for full copies of the license.
 #define FILLER_REF(x) 0, PPM_FILLER_##x
 #endif /* __KERNEL__ */

+#define f_sys_socket_x f_sys_single_x
+
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wmissing-field-initializers"
 const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
@ -41,17 +43,17 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SOCKET_CONNECT_E] = {FILLER_REF(sys_connect_e)},
        [PPME_SOCKET_CONNECT_X] = {FILLER_REF(sys_connect_x)},
        [PPME_SOCKET_LISTEN_E] = {FILLER_REF(sys_listen_e)},
-        [PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_listen_x)},
+        [PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_single_x)},
        [PPME_SOCKET_SEND_E] = {FILLER_REF(sys_send_e)},
        [PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)},
        [PPME_SOCKET_SENDTO_E] = {FILLER_REF(sys_sendto_e)},
-        [PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_sendto_x)},
+        [PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_send_x)},
        [PPME_SOCKET_RECV_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {2}}},
        [PPME_SOCKET_RECV_X] = {FILLER_REF(sys_recv_x)},
        [PPME_SOCKET_RECVFROM_E] = {FILLER_REF(sys_recvfrom_e)},
        [PPME_SOCKET_RECVFROM_X] = {FILLER_REF(sys_recvfrom_x)},
        [PPME_SOCKET_SHUTDOWN_E] = {FILLER_REF(sys_shutdown_e)},
-        [PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_shutdown_x)},
+        [PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_single_x)},
        [PPME_SOCKET_GETSOCKNAME_E] = {FILLER_REF(sys_empty)},
        [PPME_SOCKET_GETSOCKNAME_X] = {FILLER_REF(sys_empty)},
        [PPME_SOCKET_GETPEERNAME_E] = {FILLER_REF(sys_empty)},
@ -65,25 +67,25 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SOCKET_SENDMSG_E] = {FILLER_REF(sys_sendmsg_e)},
        [PPME_SOCKET_SENDMSG_X] = {FILLER_REF(sys_sendmsg_x)},
        [PPME_SOCKET_SENDMMSG_E] = {FILLER_REF(sys_empty)},
-        [PPME_SOCKET_SENDMMSG_X] = {FILLER_REF(sys_sendmmsg_x)},
+        [PPME_SOCKET_SENDMMSG_X] = {FILLER_REF(sys_empty)},
        [PPME_SOCKET_RECVMSG_E] = {FILLER_REF(sys_recvmsg_e)},
        [PPME_SOCKET_RECVMSG_X] = {FILLER_REF(sys_recvmsg_x)},
        [PPME_SOCKET_RECVMMSG_E] = {FILLER_REF(sys_empty)},
-        [PPME_SOCKET_RECVMMSG_X] = {FILLER_REF(sys_recvmmsg_x)},
+        [PPME_SOCKET_RECVMMSG_X] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_CREAT_E] = {FILLER_REF(sys_creat_e)},
        [PPME_SYSCALL_CREAT_X] = {FILLER_REF(sys_creat_x)},
        [PPME_SYSCALL_PIPE_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_PIPE_X] = {FILLER_REF(sys_pipe_x)},
        [PPME_SYSCALL_EVENTFD_E] = {FILLER_REF(sys_eventfd_e)},
-        [PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_eventfd_x)},
+        [PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_FUTEX_E] = {FILLER_REF(sys_futex_e)},
-        [PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_futex_x)},
+        [PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_STAT_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_STAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_LSTAT_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_LSTAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_FSTAT_E] = {FILLER_REF(sys_fstat_e)},
-        [PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_fstat_x)},
+        [PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_STAT64_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_STAT64_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_LSTAT64_E] = {FILLER_REF(sys_empty)},
@ -91,7 +93,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_FSTAT64_E] = {FILLER_REF(sys_single)},
        [PPME_SYSCALL_FSTAT64_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_EPOLLWAIT_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{2}}},
-        [PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_epoll_wait_x)},
+        [PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_POLL_E] = {FILLER_REF(sys_poll_e)},
        [PPME_SYSCALL_POLL_X] = {FILLER_REF(sys_poll_x)},
        [PPME_SYSCALL_SELECT_E] = {FILLER_REF(sys_empty)},
@ -99,7 +101,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_NEWSELECT_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_NEWSELECT_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_LSEEK_E] = {FILLER_REF(sys_lseek_e)},
-        [PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_lseek_x)},
+        [PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_LLSEEK_E] = {FILLER_REF(sys_llseek_e)},
        [PPME_SYSCALL_LLSEEK_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_GETCWD_E] = {FILLER_REF(sys_empty)},
@ -113,17 +115,17 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_UNLINKAT_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
        [PPME_SYSCALL_UNLINKAT_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_PREAD_E] = {FILLER_REF(sys_pread64_e)},
-        [PPME_SYSCALL_PREAD_X] = {FILLER_REF(sys_pread64_x)},
+        [PPME_SYSCALL_PREAD_X] = {FILLER_REF(sys_read_x)},
        [PPME_SYSCALL_PWRITE_E] = {FILLER_REF(sys_pwrite64_e)},
-        [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_pwrite64_x)},
+        [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_write_x)},
        [PPME_SYSCALL_READV_E] = {FILLER_REF(sys_readv_e)},
-        [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_x)},
+        [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_preadv_x)},
        [PPME_SYSCALL_WRITEV_E] = {FILLER_REF(sys_writev_e)},
-        [PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_x)},
+        [PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
        [PPME_SYSCALL_PREADV_E] = {FILLER_REF(sys_preadv_e)},
-        [PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_preadv_x)},
+        [PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_readv_preadv_x)},
        [PPME_SYSCALL_PWRITEV_E] = {FILLER_REF(sys_pwritev_e)},
-        [PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_pwritev_x)},
+        [PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
        [PPME_SYSCALL_DUP_1_E] = {FILLER_REF(sys_dup_e)},
        [PPME_SYSCALL_DUP_1_X] = {FILLER_REF(sys_dup_x)},
        [PPME_SYSCALL_DUP2_E] = {FILLER_REF(sys_dup2_e)},
@ -131,22 +133,22 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_DUP3_E] = {FILLER_REF(sys_dup3_e)},
        [PPME_SYSCALL_DUP3_X] = {FILLER_REF(sys_dup3_x)},
        [PPME_SYSCALL_SIGNALFD_E] = {FILLER_REF(sys_signalfd_e)},
-        [PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_signalfd_x)},
+        [PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_KILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_kill_x)},
+        [PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_TKILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_tkill_x)},
+        [PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_TGKILL_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_tgkill_x)},
+        [PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_NANOSLEEP_E] = {FILLER_REF(sys_nanosleep_e)},
-        [PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_nanosleep_x)},
+        [PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_TIMERFD_CREATE_E] = {FILLER_REF(sys_autofill),
                                           2,
                                           APT_REG,
                                           {{AF_ID_USEDEFAULT, 0}, {AF_ID_USEDEFAULT, 0}}},
-        [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_timerfd_create_x)},
+        [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_REF(sys_inotify_init_e)},
-        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_inotify_init_x)},
+        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_GETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
        [PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_x)},
        [PPME_SYSCALL_SETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
@ -161,19 +163,19 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SCHEDSWITCH_6_E] = {FILLER_REF(sched_switch_e)},
 #endif
        [PPME_SYSCALL_BRK_4_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_x)},
+        [PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
        [PPME_SYSCALL_MMAP_E] = {FILLER_REF(sys_mmap_e)},
-        [PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_mmap_x)},
+        [PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
        [PPME_SYSCALL_MMAP2_E] = {FILLER_REF(sys_mmap_e)},
-        [PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_mmap2_x)},
+        [PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
        [PPME_SYSCALL_MUNMAP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_munmap_x)},
+        [PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
        [PPME_SYSCALL_SPLICE_E] = {FILLER_REF(sys_splice_e)},
-        [PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_splice_x)},
+        [PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_PTRACE_E] = {FILLER_REF(sys_ptrace_e)},
        [PPME_SYSCALL_PTRACE_X] = {FILLER_REF(sys_ptrace_x)},
        [PPME_SYSCALL_IOCTL_3_E] = {FILLER_REF(sys_ioctl_e)},
-        [PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_ioctl_x)},
+        [PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_RENAME_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_RENAME_X] = {FILLER_REF(sys_autofill),
                                   3,
@ -193,14 +195,14 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_QUOTACTL_E] = {FILLER_REF(sys_quotactl_e)},
        [PPME_SYSCALL_QUOTACTL_X] = {FILLER_REF(sys_quotactl_x)},
        [PPME_SYSCALL_SETRESUID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_setresuid_x)},
+        [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_SETRESGID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_setresgid_x)},
+        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SCAPEVENT_E] = {FILLER_REF(sys_scapevent_e)},
        [PPME_SYSCALL_SETUID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_setuid_x)},
+        [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_SETGID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_setgid_x)},
+        [PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_GETUID_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_GETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_GETEUID_E] = {FILLER_REF(sys_empty)},
@ -223,43 +225,43 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SIGNALDELIVER_E] = {FILLER_REF(sys_signaldeliver_e)},
 #endif
        [PPME_SYSCALL_GETDENTS_E] = {FILLER_REF(sys_getdents_e)},
-        [PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_getdents_x)},
+        [PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_GETDENTS64_E] = {FILLER_REF(sys_getdents64_e)},
-        [PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_getdents64_x)},
+        [PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_SETNS_E] = {FILLER_REF(sys_setns_e)},
-        [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_setns_x)},
+        [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_FLOCK_E] = {FILLER_REF(sys_flock_e)},
-        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_flock_x)},
+        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_CPU_HOTPLUG_E] = {FILLER_REF(cpu_hotplug_e)},
        [PPME_SOCKET_ACCEPT_5_E] = {FILLER_REF(sys_empty)},
        [PPME_SOCKET_ACCEPT_5_X] = {FILLER_REF(sys_accept_x)},
        [PPME_SYSCALL_SEMOP_E] = {FILLER_REF(sys_single)},
        [PPME_SYSCALL_SEMOP_X] = {FILLER_REF(sys_semop_x)},
        [PPME_SYSCALL_SEMCTL_E] = {FILLER_REF(sys_semctl_e)},
-        [PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_semctl_x)},
+        [PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_PPOLL_E] = {FILLER_REF(sys_ppoll_e)},
-        [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_ppoll_x)},
+        [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_poll_x)}, /* exit same for poll() and ppoll() */
        [PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)},
-        [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_mount_x),
+        [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_autofill),
                                  4,
                                  APT_REG,
                                  {{AF_ID_RETVAL}, {0}, {1}, {2}}},
        [PPME_SYSCALL_SEMGET_E] = {FILLER_REF(sys_semget_e)},
-        [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_semget_x)},
+        [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_single_x)},
        [PPME_SYSCALL_ACCESS_E] = {FILLER_REF(sys_access_e)},
-        [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_access_x)},
+        [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_CHROOT_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_CHROOT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_SETSID_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_SETSID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_SETPGID_E] = {FILLER_REF(sys_setpgid_e)},
-        [PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_setpgid_x)},
+        [PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_MKDIR_2_E] = {FILLER_REF(sys_mkdir_e)},
-        [PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_mkdir_x)},
+        [PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_RMDIR_2_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_RMDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_UNSHARE_E] = {FILLER_REF(sys_unshare_e)},
-        [PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_unshare_x)},
+        [PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_EXECVE_19_E] = {FILLER_REF(sys_execve_e)},
        [PPME_SYSCALL_EXECVE_19_X] = {FILLER_REF(proc_startupdate)},
 #ifdef CAPTURE_PAGE_FAULTS
@ -268,7 +270,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_BPF_2_E] = {FILLER_REF(sys_bpf_e)},
        [PPME_SYSCALL_BPF_2_X] = {FILLER_REF(sys_bpf_x)},
        [PPME_SYSCALL_SECCOMP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_seccomp_x)},
+        [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
        [PPME_SYSCALL_UNLINK_2_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_UNLINK_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
        [PPME_SYSCALL_UNLINKAT_2_E] = {FILLER_REF(sys_empty)},
@ -344,7 +346,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
        [PPME_SYSCALL_UMOUNT_1_E] = {FILLER_REF(sys_empty)},
        [PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)},
        [PPME_SOCKET_ACCEPT4_6_E] = {FILLER_REF(sys_accept4_e)},
-        [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept4_x)},
+        [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept_x)},
        [PPME_SYSCALL_UMOUNT2_E] = {FILLER_REF(sys_umount2_e)},
        [PPME_SYSCALL_UMOUNT2_X] = {FILLER_REF(sys_umount2_x)},
        [PPME_SYSCALL_PIPE2_E] = {FILLER_REF(sys_empty)},
--- a/driver/main.c
+++ b/driver/main.c
@ -106,10 +106,6 @@ struct event_data_t {
 		struct {
 			struct pt_regs *regs;
 			long id;
-			struct {
-				long index;
-				long count;
-			} mmsg;
 		} syscall_data;

 		struct {
@ -277,6 +273,10 @@ static bool verbose = 0;

 static unsigned int max_consumers = 5;

+#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
+static enum cpuhp_state hp_state = 0;
+#endif
+
 #define vpr_info(fmt, ...)               \
 	do {                                 \
 		if(verbose)                      \
@ -442,7 +442,6 @@ static int ppm_open(struct inode *inode, struct file *filp) {
 		consumer->consumer_id = consumer_id;
 		consumer->buffer_bytes_dim = g_buffer_bytes_dim;
 		consumer->tracepoints_attached = 0; /* Start with no tracepoints */
-		consumer->hotplug_cpu = -1;

 		/*
 		 * Initialize the ring buffers array
@ -473,6 +472,14 @@ static int ppm_open(struct inode *inode, struct file *filp) {
 			ring->info = NULL;
 		}

+		/*
+		 * If a cpu is offline when the consumer is first created, we
+		 * will never get events for that cpu even if it later comes
+		 * online via hotplug. We could allocate these rings on-demand
+		 * later in this function if needed for hotplug, but that
+		 * requires the consumer to know to call open again, and that is
+		 * not supported.
+		 */
 		for_each_online_cpu(cpu) {
 			ring = per_cpu_ptr(consumer->ring_buffers, cpu);

@ -1781,10 +1788,6 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 		if(unlikely(preload_params(&args, event_datap->extract_socketcall_params) == -1)) {
 			return res;
 		}
-
-		if(event_type == PPME_SOCKET_SENDMMSG_X || event_type == PPME_SOCKET_RECVMMSG_X) {
-			args.mmsg.index = event_datap->event_info.syscall_data.mmsg.index;
-		}
 	}

 	if(event_type != PPME_DROP_E && event_type != PPME_DROP_X) {
@ -1809,27 +1812,6 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 	ASSERT(ring);

 	ring_info = ring->info;
-	if(!ring_info) {
-		// If we haven't got the ring info, it means
-		// the event was generated by a CPU that was not
-		// online when the ring buffers were initialized.
-		// Store info about hotplugged CPU here to later
-		// send hotplug events on cpu0.
-		consumer->hotplug_cpu = cpu;
-		put_cpu();
-		return res;
-	}
-
-	// Manage hotplug on cpu 0
-	if(consumer->hotplug_cpu != -1 && cpu == 0) {
-		event_type = PPME_CPU_HOTPLUG_E;
-		drop_flags = UF_NEVER_DROP;
-		tp_type = INTERNAL_EVENTS;
-		event_datap->category = PPMC_CONTEXT_SWITCH;
-		event_datap->event_info.context_data.sched_prev = (void *)(long)consumer->hotplug_cpu;
-		event_datap->event_info.context_data.sched_next = (void *)(long)0;
-	}
-
 	if(event_datap->category == PPMC_CONTEXT_SWITCH &&
 	   event_datap->event_info.context_data.sched_prev != NULL) {
 		if(event_type != PPME_SCAPEVENT_E && event_type != PPME_CPU_HOTPLUG_E) {
@ -2024,12 +2006,6 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 				ASSERT(0);
 			}
 		}
-
-		if(event_datap->category == PPMC_SYSCALL &&
-		   (event_type == PPME_SOCKET_SENDMMSG_X || event_type == PPME_SOCKET_RECVMMSG_X)) {
-			// Communicate the number of total messages to the caller
-			event_datap->event_info.syscall_data.mmsg.count = args.mmsg.count;
-		}
 	}

 	if(likely(!drop)) {
@ -2341,27 +2317,6 @@ TRACEPOINT_PROBE(syscall_exit_probe, struct pt_regs *regs, long ret) {
 		return;
 #endif

-	if(event_pair->exit_event_type == PPME_SOCKET_SENDMMSG_X ||
-	   event_pair->exit_event_type == PPME_SOCKET_RECVMMSG_X) {
-		int i;
-
-		// We don't know how many messages the syscall actually handled until
-		// we call the filler the first time, so we set it to the max for the
-		// first call.
-		//
-		// If the syscall failed, the count value will be negative, so we
-		// immediately exit after sending a failure event.
-		event_data.event_info.syscall_data.mmsg.count = 1024;
-
-		for(i = 0; i < event_data.event_info.syscall_data.mmsg.count; i++) {
-			event_data.event_info.syscall_data.mmsg.index = i;
-			record_event_all_consumers(event_pair->exit_event_type,
-			                           event_pair->flags,
-			                           &event_data,
-			                           KMOD_PROG_SYS_EXIT);
-		}
-	}
-
 	if(event_pair->flags & UF_USED)
 		record_event_all_consumers(event_pair->exit_event_type,
 		                           event_pair->flags,
@ -2781,12 +2736,96 @@ static char *ppm_devnode(struct device *dev, mode_t *mode)
 }
 #endif /* LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20) */

+static int do_cpu_callback(unsigned long cpu, long sd_action) {
+	struct ppm_ring_buffer_context *ring;
+	struct ppm_consumer_t *consumer;
+	struct event_data_t event_data;
+
+	if(sd_action != 0) {
+		rcu_read_lock();
+
+		list_for_each_entry_rcu(consumer, &g_consumer_list, node) {
+			ring = per_cpu_ptr(consumer->ring_buffers, cpu);
+			if(sd_action == 1) {
+				/*
+				 * If the cpu was offline when the consumer was created,
+				 * this won't do anything because we never created a ring
+				 * buffer. We can't safely create one here because we're
+				 * in atomic context, and the consumer needs to call open
+				 * on this device anyways, so do it in ppm_open.
+				 */
+				ring->cpu_online = true;
+			} else if(sd_action == 2) {
+				ring->cpu_online = false;
+			}
+		}
+
+		rcu_read_unlock();
+
+		event_data.category = PPMC_CONTEXT_SWITCH;
+		event_data.event_info.context_data.sched_prev = (void *)cpu;
+		event_data.event_info.context_data.sched_next = (void *)sd_action;
+		record_event_all_consumers(PPME_CPU_HOTPLUG_E, UF_NEVER_DROP, &event_data, INTERNAL_EVENTS);
+	}
+	return 0;
+}
+
+#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
+static int scap_cpu_online(unsigned int cpu) {
+	vpr_info("scap_cpu_online on cpu %d\n", cpu);
+	return do_cpu_callback(cpu, 1);
+}
+
+static int scap_cpu_offline(unsigned int cpu) {
+	vpr_info("scap_cpu_offline on cpu %d\n", cpu);
+	return do_cpu_callback(cpu, 2);
+}
+#else /* LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)) */
+/*
+ * This gets called every time a CPU is added or removed
+ */
+static int cpu_callback(struct notifier_block *self, unsigned long action, void *hcpu) {
+	unsigned long cpu = (unsigned long)hcpu;
+	long sd_action = 0;
+
+	switch(action) {
+	case CPU_UP_PREPARE:
+#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
+	case CPU_UP_PREPARE_FROZEN:
+#endif
+		sd_action = 1;
+		break;
+	case CPU_DOWN_PREPARE:
+#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
+	case CPU_DOWN_PREPARE_FROZEN:
+#endif
+		sd_action = 2;
+		break;
+	default:
+		break;
+	}
+
+	if(do_cpu_callback(cpu, sd_action) < 0)
+		return NOTIFY_BAD;
+	else
+		return NOTIFY_OK;
+}
+
+static struct notifier_block cpu_notifier = {
+        .notifier_call = &cpu_callback,
+        .next = NULL,
+};
+#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0) */
+
 static int scap_init(void) {
 	dev_t dev;
 	unsigned int cpu;
 	unsigned int num_cpus;
 	int ret;
 	int acrret = 0;
+#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
+	int hp_ret;
+#endif
 	int j;
 	int n_created_devices = 0;
 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
@ -2890,6 +2929,25 @@ static int scap_init(void) {
 		goto init_module_err;
 	}

+	/*
+	 * Set up our callback in case we get a hotplug even while we are
+	 * initializing the cpu structures
+	 */
+#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
+	hp_ret = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
+	                                   DRIVER_NAME "/driver:online",
+	                                   scap_cpu_online,
+	                                   scap_cpu_offline);
+	if(hp_ret <= 0) {
+		pr_err("error registering cpu hotplug callback\n");
+		ret = hp_ret;
+		goto init_module_err;
+	}
+	hp_state = hp_ret;
+#else
+	register_cpu_notifier(&cpu_notifier);
+#endif
+
 	// Initialize globals
 	g_tracepoints_attached = 0;
 	for(j = 0; j < KMOD_PROG_ATTACHED_MAX; j++) {
@ -2948,6 +3006,13 @@ static void scap_exit(void) {
 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
 	tracepoint_synchronize_unregister();
 #endif
+
+#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
+	if(hp_state > 0)
+		cpuhp_remove_state_nocalls(hp_state);
+#else
+	unregister_cpu_notifier(&cpu_notifier);
+#endif
 }

 module_init(scap_init);
--- a/driver/modern_bpf/CMakeLists.txt
+++ b/driver/modern_bpf/CMakeLists.txt
@ -222,14 +222,6 @@ list(APPEND MODERN_PROBE_INCLUDE "-I${CMAKE_CURRENT_SOURCE_DIR}")
 # inside `driver` and the `libbpf` includes.
 set(PPM_INCLUDE ${LIBS_DIR})

-include(libbpf)
-
-# Get libbpf include
-get_target_property(LIBBPF_INTERFACE_INCLUDE_DIRS lbpf INTERFACE_INCLUDE_DIRECTORIES)
-foreach(dir ${LIBBPF_INTERFACE_INCLUDE_DIRS})
-	list(APPEND LIBBPF_INTERFACE_INCLUDE "-I${dir}")
-endforeach()
-
 # Set CLANG FLAGS
 set(CLANG_FLAGS "")
 list(
@ -242,7 +234,7 @@ list(
 	-D__${DEBUG}__
 	-D__TARGET_ARCH_${ARCH} # Match libbpf usage in `/libbpf/src/bpf_tracing.h`
 	-D__USE_VMLINUX__ # Used to compile without kernel headers.
-	${LIBBPF_INTERFACE_INCLUDE}
+	-I${LIBBPF_INCLUDE}
 	${MODERN_PROBE_INCLUDE}
 	-I${PPM_INCLUDE}
 	-isystem
@ -256,32 +248,6 @@ file(GLOB_RECURSE BPF_H_FILES ${CMAKE_CURRENT_SOURCE_DIR}/*.h)
 # Search all bpf.c files
 file(GLOB_RECURSE BPF_C_FILES ${CMAKE_CURRENT_SOURCE_DIR}/*.bpf.c)

-# ##################################################################################################
-# Generate the events dimensions file generator executable.
-# ##################################################################################################
-
-add_executable(
-	events_dimensions_generator ${CMAKE_CURRENT_SOURCE_DIR}/definitions/generator/generator.cpp
-)
-target_link_libraries(events_dimensions_generator PRIVATE scap_event_schema)
-add_dependencies(events_dimensions_generator scap_event_schema)
-
-# ##################################################################################################
-# Generate the events dimensions file.
-# ##################################################################################################
-
-set(BPF_EVENTS_DIMENSIONS_FILE ${CMAKE_CURRENT_SOURCE_DIR}/definitions/events_dimensions.h)
-add_custom_command(
-	OUTPUT ${BPF_EVENTS_DIMENSIONS_FILE}
-	COMMAND events_dimensions_generator ${BPF_EVENTS_DIMENSIONS_FILE}
-	VERBATIM
-	DEPENDS events_dimensions_generator ${CMAKE_CURRENT_SOURCE_DIR}/../event_table.c
-	COMMENT
-		"${MODERN_BPF_LOG_PREFIX} Building events dimensions file: ${BPF_EVENTS_DIMENSIONS_FILE}"
-)
-
-add_custom_target(EventsDimensions ALL DEPENDS ${BPF_EVENTS_DIMENSIONS_FILE})
-
 # ##################################################################################################
 # Generate an `bpf.o` file for every `bpf.c`
 # ##################################################################################################
@ -303,8 +269,8 @@ foreach(BPF_C_FILE ${BPF_C_FILES})
 		COMMAND ${MODERN_CLANG_EXE} ${CLANG_FLAGS} ${CLANG_SYSTEM_INCLUDES} -c ${BPF_C_FILE} -o
 				${BPF_O_FILE}
 		VERBATIM
-		DEPENDS lbpf
-		DEPENDS ${BPF_C_FILE} ${BPF_H_FILES} EventsDimensions
+		DEPENDS libbpf
+		DEPENDS ${BPF_C_FILE} ${BPF_H_FILES}
 		COMMENT "${MODERN_BPF_LOG_PREFIX} Building BPF object: ${BPF_O_FILE}"
 	)

--- a/driver/modern_bpf/bpfvalidator_config.yaml
+++ b/driver/modern_bpf/bpfvalidator_config.yaml
@ -1,8 +0,0 @@
-parallel: 2
-kernel_versions:
-    - v5.10.237
-    - v5.15.184
-    - v6.1.140
-    - v6.6.92
-    - v6.12.30
-    - v6.15
--- a/driver/modern_bpf/definitions/aarch64/vmlinux.h
+++ b/driver/modern_bpf/definitions/aarch64/vmlinux.h
@ -7538,38 +7538,7 @@ enum bpf_func_id {
 	BPF_FUNC_ktime_get_coarse_ns = 160,
 	BPF_FUNC_ima_inode_hash = 161,
 	BPF_FUNC_sock_from_file = 162,
-	BPF_FUNC_check_mtu = 163,
-	BPF_FUNC_for_each_map_elem = 164,
-	BPF_FUNC_snprintf = 165,
-	BPF_FUNC_sys_bpf = 166,
-	BPF_FUNC_btf_find_by_name_kind = 167,
-	BPF_FUNC_sys_close = 168,
-	BPF_FUNC_timer_init = 169,
-	BPF_FUNC_timer_set_callback = 170,
-	BPF_FUNC_timer_start = 171,
-	BPF_FUNC_timer_cancel = 172,
-	BPF_FUNC_get_func_ip = 173,
-	BPF_FUNC_get_attach_cookie = 174,
-	BPF_FUNC_task_pt_regs = 175,
-	BPF_FUNC_get_branch_snapshot = 176,
-	BPF_FUNC_trace_vprintk = 177,
-	BPF_FUNC_skc_to_unix_sock = 178,
-	BPF_FUNC_kallsyms_lookup_name = 179,
-	BPF_FUNC_find_vma = 180,
-	BPF_FUNC_loop = 181,
-	BPF_FUNC_strncmp = 182,
-	BPF_FUNC_get_func_arg = 183,
-	BPF_FUNC_get_func_ret = 184,
-	BPF_FUNC_get_func_arg_cnt = 185,
-	BPF_FUNC_get_retval = 186,
-	BPF_FUNC_set_retval = 187,
-	BPF_FUNC_xdp_get_buff_len = 188,
-	BPF_FUNC_xdp_load_bytes = 189,
-	BPF_FUNC_xdp_store_bytes = 190,
-	BPF_FUNC_copy_from_user_task = 191,
-	BPF_FUNC_skb_set_tstamp = 192,
-	BPF_FUNC_ima_file_hash = 193,
-	__BPF_FUNC_MAX_ID = 194,
+	__BPF_FUNC_MAX_ID = 163,
 };

 struct bpf_func_info {
--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only OR MIT
 /*
- * Copyright (C) 2025 The Falco Authors.
+ * Copyright (C) 2023 The Falco Authors.
 *
 * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
 * or GPL2.txt for full copies of the license.
@ -21,239 +21,245 @@
 /// want to touch scap tables.

 /* Syscall events */
-#define SYSCALL_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
-#define SYSCALL_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
-#define CLOSE_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define READ_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define WRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SOCKET_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SOCKET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LISTEN_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) + PARAM_LEN * 2
-#define LISTEN_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) * 2 + PARAM_LEN * 3
-#define SEND_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define RECV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-#define GETSOCKNAME_E_SIZE HEADER_LEN
-#define GETSOCKNAME_X_SIZE HEADER_LEN
+#define GENERIC_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
+#define GENERIC_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
+#define GETCWD_E_SIZE HEADER_LEN
+#define GETDENTS_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETDENTS64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EPOLL_WAIT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define GETPEERNAME_E_SIZE HEADER_LEN
 #define GETPEERNAME_X_SIZE HEADER_LEN
-#define SOCKETPAIR_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 8
-#define SETSOCKOPT_E_SIZE HEADER_LEN
-#define GETSOCKOPT_E_SIZE HEADER_LEN
-#define SENDMMSG_E_SIZE HEADER_LEN
-#define RECVMSG_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define RECVMMSG_E_SIZE HEADER_LEN
-#define PIPE_E_SIZE HEADER_LEN
-#define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
-#define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
-#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define FUTEX_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
-#define STAT_E_SIZE HEADER_LEN
-#define LSTAT_E_SIZE HEADER_LEN
-#define FSTAT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define STAT64_E_SIZE HEADER_LEN
-#define LSTAT64_E_SIZE HEADER_LEN
-#define FSTAT64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FSTAT64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define EPOLL_WAIT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define SELECT_E_SIZE HEADER_LEN
-#define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
-#define LLSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
-#define GETCWD_E_SIZE HEADER_LEN
-#define CHDIR_E_SIZE HEADER_LEN
-#define FCHDIR_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define PREAD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define PWRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define READV_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define WRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define PREADV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
-#define PWRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define SIGNALFD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 4
-#define KILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-#define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-#define TGKILL_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
-#define NANOSLEEP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
-#define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
-#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 3
-#define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
-#define SETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define SETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
-#define PRLIMIT_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define PRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 6 + sizeof(uint8_t) + PARAM_LEN * 7
-#define DROP_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define DROP_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define FCNTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define FCNTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-#define SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
-#define BRK_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define BRK_X_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
-#define MMAP_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
-#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
-#define MMAP2_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
-#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
-#define MUNMAP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
-#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
-#define SPLICE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 4
-#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
-#define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
-#define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
-#define RENAME_E_SIZE HEADER_LEN
-#define RENAMEAT_E_SIZE HEADER_LEN
-#define SYMLINK_E_SIZE HEADER_LEN
-#define SYMLINKAT_E_SIZE HEADER_LEN
-#define PROCEXIT_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) * 2 + PARAM_LEN * 5
-#define SENDFILE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
-#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
-#define QUOTACTL_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 4
-#define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define SCAPEVENT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
-#define SCAPEVENT_X_SIZE HEADER_LEN
-#define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SETGID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define GETUID_E_SIZE HEADER_LEN
-#define GETUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define GETEUID_E_SIZE HEADER_LEN
-#define GETEUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define GETGID_E_SIZE HEADER_LEN
-#define GETGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define GETEGID_E_SIZE HEADER_LEN
-#define GETEGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define GETRESUID_E_SIZE HEADER_LEN
-#define GETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define GETRESGID_E_SIZE HEADER_LEN
-#define GETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
-#define CLONE_E_SIZE HEADER_LEN
-#define FORK_E_SIZE HEADER_LEN
-#define VFORK_E_SIZE HEADER_LEN
-#define SIGNALDELIVER_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-#define PROCINFO_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
-#define GETDENTS_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define GETDENTS64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define CPU_HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
-#define ACCEPT_E_SIZE HEADER_LEN
-#define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define SEMOP_X_SIZE HEADER_LEN + sizeof(int16_t) * 2 + sizeof(int32_t) + sizeof(int64_t) + sizeof(uint16_t) * 4 + sizeof(uint32_t) + PARAM_LEN * 9
-#define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
-#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 5
-#define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define SEMGET_X_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 4
-#define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define CHROOT_E_SIZE HEADER_LEN
-#define SETSID_E_SIZE HEADER_LEN
-#define SETSID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETSOCKNAME_E_SIZE HEADER_LEN
+#define GETSOCKNAME_X_SIZE HEADER_LEN
 #define MKDIR_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define RMDIR_E_SIZE HEADER_LEN
-#define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define PAGE_FAULT_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define SETPGID_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
-#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
-#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define UNLINK_E_SIZE HEADER_LEN
-#define UNLINKAT_E_SIZE HEADER_LEN
-#define MKDIRAT_E_SIZE HEADER_LEN
-#define LINK_E_SIZE HEADER_LEN
-#define LINKAT_E_SIZE HEADER_LEN
-#define FCHMODAT_E_SIZE HEADER_LEN
+#define MMAP_E_SIZE \
+	HEADER_LEN + sizeof(uint64_t) * 3 + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 6
+#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define MUNMAP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
+#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
+#define CLOSE_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define COPY_FILE_RANGE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + PARAM_LEN * 3
+#define DUP_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define DUP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define DUP2_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define DUP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
+#define DUP3_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define DUP3_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
+#define CHDIR_E_SIZE HEADER_LEN
 #define CHMOD_E_SIZE HEADER_LEN
+#define CHOWN_E_SIZE HEADER_LEN
+#define LCHOWN_E_SIZE HEADER_LEN
+#define CHROOT_E_SIZE HEADER_LEN
+#define FCHDIR_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define FCHMOD_E_SIZE HEADER_LEN
 #define FCHMOD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define RENAMEAT2_E_SIZE HEADER_LEN
+#define FCHMODAT_E_SIZE HEADER_LEN
+#define FCHOWN_E_SIZE HEADER_LEN
+#define FCHOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 2 + PARAM_LEN * 4
+#define FCHOWNAT_E_SIZE HEADER_LEN
+#define MKDIRAT_E_SIZE HEADER_LEN
+#define RMDIR_E_SIZE HEADER_LEN
+#define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
+#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
+#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define USERFAULTFD_E_SIZE HEADER_LEN
 #define USERFAULTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define MPROTECT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
-#define COPY_FILE_RANGE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
+#define SIGNALFD_E_SIZE \
+	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 3
+#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define KILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define TGKILL_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
+#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
+#define CAPSET_E_SIZE HEADER_LEN
+#define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4
+#define SOCKET_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SOCKET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SOCKETPAIR_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
+#define ACCEPT_E_SIZE HEADER_LEN
+#define ACCEPT4_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
+#define LISTEN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define CLONE_E_SIZE HEADER_LEN
 #define CLONE3_E_SIZE HEADER_LEN
-#define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
-#define IO_URING_SETUP_E_SIZE HEADER_LEN
-#define IO_URING_SETUP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 7 + PARAM_LEN * 8
-#define IO_URING_ENTER_E_SIZE HEADER_LEN
-#define IO_URING_ENTER_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 4 + PARAM_LEN * 6
-#define IO_URING_REGISTER_E_SIZE HEADER_LEN
-#define IO_URING_REGISTER_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
+#define FORK_E_SIZE HEADER_LEN
+#define VFORK_E_SIZE HEADER_LEN
+#define RENAME_E_SIZE HEADER_LEN
+#define RENAMEAT_E_SIZE HEADER_LEN
+#define RENAMEAT2_E_SIZE HEADER_LEN
+#define PIPE_E_SIZE HEADER_LEN
+#define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
+#define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
+#define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define QUOTACTL_E_SIZE \
+	HEADER_LEN + sizeof(uint16_t) + sizeof(uint8_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 4
+#define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define UMOUNT_E_SIZE HEADER_LEN
+#define LINK_E_SIZE HEADER_LEN
+#define LINKAT_E_SIZE HEADER_LEN
+#define SYMLINK_E_SIZE HEADER_LEN
+#define SYMLINKAT_E_SIZE HEADER_LEN
+#define UNLINK_E_SIZE HEADER_LEN
+#define UNLINKAT_E_SIZE HEADER_LEN
+#define SETGID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETPGID_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
+#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETSID_E_SIZE HEADER_LEN
+#define SETSID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
+#define SETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
+#define PRLIMIT64_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define PRLIMIT64_X_SIZE HEADER_LEN + sizeof(int64_t) * 6 + sizeof(uint8_t) + PARAM_LEN * 7
+#define GETSOCKOPT_E_SIZE HEADER_LEN
+#define SETSOCKOPT_E_SIZE HEADER_LEN
+#define RECVMSG_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define READV_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define PREADV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define PREAD64_E_SIZE \
+	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define FCNTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define FCNTL_X_SIZE \
+	HEADER_LEN + sizeof(int64_t) + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 3
+#define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FSCONFIG_E_SIZE HEADER_LEN
+#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define MPROTECT_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define GETUID_E_SIZE HEADER_LEN
+#define GETUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define GETGID_E_SIZE HEADER_LEN
+#define GETGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define GETEUID_E_SIZE HEADER_LEN
+#define GETEUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define GETEGID_E_SIZE HEADER_LEN
+#define GETEGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define MLOCK_E_SIZE HEADER_LEN
 #define MLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define MLOCK2_E_SIZE HEADER_LEN
+#define MLOCK2_X_SIZE \
+	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
 #define MUNLOCK_E_SIZE HEADER_LEN
 #define MUNLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
 #define MLOCKALL_E_SIZE HEADER_LEN
 #define MLOCKALL_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define MUNLOCKALL_E_SIZE HEADER_LEN
 #define MUNLOCKALL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define CAPSET_E_SIZE HEADER_LEN
-#define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4
-#define DUP2_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define DUP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
-#define DUP3_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define DUP3_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
-#define DUP_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define DUP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define MLOCK2_E_SIZE HEADER_LEN
-#define MLOCK2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
-#define FSCONFIG_E_SIZE HEADER_LEN
-#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) + PARAM_LEN * 2
-#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define CHOWN_E_SIZE HEADER_LEN
-#define LCHOWN_E_SIZE HEADER_LEN
-#define FCHOWN_E_SIZE HEADER_LEN
-#define FCHOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 2 + PARAM_LEN * 4
-#define FCHOWNAT_E_SIZE HEADER_LEN
-#define UMOUNT_E_SIZE HEADER_LEN
-#define ACCEPT4_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define READ_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define IO_URING_ENTER_E_SIZE HEADER_LEN
+#define IO_URING_ENTER_X_SIZE \
+	HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 4 + PARAM_LEN * 6
+#define IO_URING_REGISTER_E_SIZE HEADER_LEN
+#define IO_URING_REGISTER_X_SIZE                                                                \
+	HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint64_t) + sizeof(uint32_t) + \
+	        PARAM_LEN * 5
+#define IO_URING_SETUP_E_SIZE HEADER_LEN
+#define IO_URING_SETUP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 7 + PARAM_LEN * 8
+#define MMAP2_E_SIZE \
+	HEADER_LEN + sizeof(uint64_t) * 3 + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 6
+#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define SEMGET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
+#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SELECT_E_SIZE HEADER_LEN
+#define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SPLICE_E_SIZE \
+	HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 4
+#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define RECVMMSG_E_SIZE HEADER_LEN
+#define RECVMMSG_X_SIZE HEADER_LEN
+#define SENDMMSG_E_SIZE HEADER_LEN
+#define SENDMMSG_X_SIZE HEADER_LEN
+#define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define SEMOP_X_SIZE                                                                               \
+	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint16_t) * 4 + sizeof(int16_t) * 2 + \
+	        PARAM_LEN * 8
+#define GETRESUID_E_SIZE HEADER_LEN
+#define GETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define SENDFILE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define FUTEX_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint16_t) + PARAM_LEN * 3
+#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define STAT_E_SIZE HEADER_LEN
+#define LSTAT_E_SIZE HEADER_LEN
+#define FSTAT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define LSEEK_E_SIZE \
+	HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + 3 * PARAM_LEN
+#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define LLSEEK_E_SIZE \
+	HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + 3 * PARAM_LEN
+#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define WRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define WRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define PWRITEV_E_SIZE \
+	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define PWRITE64_E_SIZE \
+	HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define GETRESGID_E_SIZE HEADER_LEN
+#define GETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define BRK_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
+#define BRK_X_SIZE HEADER_LEN + sizeof(uint64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
+#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
+#define SEND_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define RECV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define NANOSLEEP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
+#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define PIPE2_E_SIZE HEADER_LEN
-#define PIPE2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
+#define PIPE2_X_SIZE \
+	HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 5
 #define INOTIFY_INIT1_E_SIZE HEADER_LEN
-#define INOTIFY_INIT1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
+#define INOTIFY_INIT1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
 #define EVENTFD2_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) + PARAM_LEN * 3
-#define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint32_t) + PARAM_LEN * 4
+#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
+#define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN
+#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
 #define PRCTL_E_SIZE HEADER_LEN
 #define MEMFD_CREATE_E_SIZE HEADER_LEN
 #define PIDFD_GETFD_E_SIZE HEADER_LEN
-#define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
+#define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + 4 * PARAM_LEN
 #define PIDFD_OPEN_E_SIZE HEADER_LEN
-#define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + 3 * PARAM_LEN
 #define INIT_MODULE_E_SIZE HEADER_LEN
 #define FINIT_MODULE_E_SIZE HEADER_LEN
 #define MKNOD_E_SIZE HEADER_LEN
@ -263,8 +269,19 @@
 #define PROCESS_VM_WRITEV_E_SIZE HEADER_LEN
 #define DELETE_MODULE_E_SIZE HEADER_LEN
 #define SETREUID_E_SIZE HEADER_LEN
-#define SETREUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 3
+#define SETREUID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
 #define SETREGID_E_SIZE HEADER_LEN
-#define SETREGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 3
+#define SETREGID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
+
+/* Generic tracepoints events. */
+#define SCHED_SWITCH_SIZE \
+	HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6
+#define PAGE_FAULT_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define SIGNAL_DELIVER_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+
+/* Special internal events */
+#define DROP_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define DROP_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2

 #endif /* __EVENT_DIMENSIONS_H__ */
--- a/driver/modern_bpf/definitions/generator/generator.cpp
+++ b/driver/modern_bpf/definitions/generator/generator.cpp
@ -1,234 +0,0 @@
-#include <functional>
-#include <iostream>
-#include <map>
-#include <sstream>
-#include <fstream>
-#include <algorithm>
-
-#include "driver/ppm_events_public.h"
-
-extern const struct ppm_event_info g_event_info[];
-
-auto PREFACE = R"(// SPDX-License-Identifier: GPL-2.0-only OR MIT
-/*
- * Copyright (C) 2025 The Falco Authors.
- *
- * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
- * or GPL2.txt for full copies of the license.
- */
-
-#ifndef __EVENT_DIMENSIONS_H__
-#define __EVENT_DIMENSIONS_H__
-
-#include "vmlinux.h"
-
-/* Here we have all the dimensions for fixed-size events.
- */
-
-#define PARAM_LEN 2
-#define HEADER_LEN sizeof(struct ppm_evt_hdr)
-
-/// TODO: We have to move these in the event_table.c. Right now we don't
-/// want to touch scap tables.
-
-/* Syscall events */
-)";
-
-auto POSTFACE = R"(
-#endif /* __EVENT_DIMENSIONS_H__ */
-)";
-
-// Use the following macro to get the stringified version of the C expression retrieving the type
-// size (e.g.: SIZE_OF_EXPR(uint8_t) is resolved in "sizeof(uint8_t)").
-#define SIZE_OF_EXPR(type) SIZE_OF_EXPR_##type
-
-// Generate the "sizeof" stringified expression for the listed types. New handled types must be
-// appended to the list.
-#define SIZE_OF_EXPR_DECL_LIST_GEN(FN) \
-	FN(int8_t)                         \
-	FN(int16_t)                        \
-	FN(int32_t)                        \
-	FN(int64_t)                        \
-	FN(uint8_t)                        \
-	FN(uint16_t)                       \
-	FN(uint32_t)                       \
-	FN(uint64_t)
-#define SIZE_OF_EXPR_DECL(type) char SIZE_OF_EXPR(type)[] = "sizeof(" #type ")";
-SIZE_OF_EXPR_DECL_LIST_GEN(SIZE_OF_EXPR_DECL)
-#undef SIZE_OF_EXPR_DECL
-#undef SIZE_OF_EXPR_DECL_LIST_GEN
-
-// Special expressions denoting variable size or unused parameter types.
-char SIZE_OF_EXPR_VARIABLE_SIZE[] = "<variable_size>", SIZE_OF_EXPR_UNUSED[] = "<unused>";
-
-// Table containing the mapping between parameter types and the corresponding stringified "sizeof"
-// expression.
-std::map<long long, char *> type_to_size_expr{
-        {PT_NONE, SIZE_OF_EXPR_UNUSED},
-        {PT_INT8, SIZE_OF_EXPR(int8_t)},
-        {PT_INT16, SIZE_OF_EXPR(int16_t)},
-        {PT_INT32, SIZE_OF_EXPR(int32_t)},
-        {PT_INT64, SIZE_OF_EXPR(int64_t)},
-        {PT_UINT8, SIZE_OF_EXPR(uint8_t)},
-        {PT_UINT16, SIZE_OF_EXPR(uint16_t)},
-        {PT_UINT32, SIZE_OF_EXPR(uint32_t)},
-        {PT_UINT64, SIZE_OF_EXPR(uint64_t)},
-        {PT_CHARBUF, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_BYTEBUF, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_ERRNO, SIZE_OF_EXPR(int64_t)},
-        {PT_SOCKADDR, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_SOCKTUPLE, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_FD, SIZE_OF_EXPR(int64_t)},
-        {PT_PID, SIZE_OF_EXPR(int64_t)},
-        {PT_FDLIST, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_FSPATH, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_SYSCALLID, SIZE_OF_EXPR(uint16_t)},
-        {PT_SIGTYPE, SIZE_OF_EXPR(uint8_t)},
-        {PT_RELTIME, SIZE_OF_EXPR(uint64_t)},
-        {PT_ABSTIME, SIZE_OF_EXPR(uint64_t)},
-        {PT_PORT, SIZE_OF_EXPR_UNUSED},
-        {PT_L4PROTO, SIZE_OF_EXPR_UNUSED},
-        {PT_SOCKFAMILY, SIZE_OF_EXPR_UNUSED},
-        {PT_BOOL, SIZE_OF_EXPR_UNUSED},
-        {PT_IPV4ADDR, SIZE_OF_EXPR_UNUSED},
-        {PT_DYN, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_FLAGS8, SIZE_OF_EXPR(uint8_t)},
-        {PT_FLAGS16, SIZE_OF_EXPR(uint16_t)},
-        {PT_FLAGS32, SIZE_OF_EXPR(uint32_t)},
-        {PT_UID, SIZE_OF_EXPR(uint32_t)},
-        {PT_GID, SIZE_OF_EXPR(uint32_t)},
-        {PT_DOUBLE, SIZE_OF_EXPR_UNUSED},
-        {PT_SIGSET, SIZE_OF_EXPR(uint32_t)},
-        {PT_CHARBUFARRAY, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_CHARBUF_PAIR_ARRAY, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_IPV4NET, SIZE_OF_EXPR_UNUSED},
-        {PT_IPV6ADDR, SIZE_OF_EXPR_UNUSED},
-        {PT_IPV6NET, SIZE_OF_EXPR_UNUSED},
-        {PT_IPADDR, SIZE_OF_EXPR_UNUSED},
-        {PT_IPNET, SIZE_OF_EXPR_UNUSED},
-        {PT_MODE, SIZE_OF_EXPR(uint32_t)},
-        {PT_FSRELPATH, SIZE_OF_EXPR_VARIABLE_SIZE},
-        {PT_ENUMFLAGS8, SIZE_OF_EXPR(uint8_t)},
-        {PT_ENUMFLAGS16, SIZE_OF_EXPR(uint16_t)},
-        {PT_ENUMFLAGS32, SIZE_OF_EXPR(uint32_t)},
-};
-
-// is_fixed_size_event determines if the provided event has a fixed size or not.
-bool is_fixed_size_event(struct ppm_event_info const *const evt) {
-	for(uint32_t i = 0; i < evt->nparams; i++) {
-		auto &param = evt->params[i];
-		auto const param_type = param.type;
-
-		auto it = type_to_size_expr.find(param_type);
-		if(it == type_to_size_expr.end()) {
-			throw std::runtime_error("Unknown event parameter type: " + std::to_string(param_type));
-		}
-
-		auto const size_expr = it->second;
-		// Just compare pointers is enough.
-		if(size_expr == SIZE_OF_EXPR_UNUSED) {
-			throw std::runtime_error("Unexpected unused event parameter type: " +
-			                         std::to_string(param_type));
-		}
-		if(size_expr == SIZE_OF_EXPR_VARIABLE_SIZE) {
-			return false;
-		}
-	}
-	return true;
-}
-
-// get_vent_size_expr_counts returns, given the provided event and the resulting size expression of
-// its parameters, a map containing, for each size expression, the number of occurrences.
-std::map<std::string, size_t> get_event_size_expr_counts(struct ppm_event_info const *const evt) {
-	std::map<std::string, size_t> size_expr_counts;
-	for(uint32_t i = 0; i < evt->nparams; i++) {
-		auto const &param = evt->params[i];
-		auto const param_type = param.type;
-		auto const it = type_to_size_expr.find(param_type);
-		if(it == type_to_size_expr.end()) {
-			throw std::runtime_error("Unknown event parameter type: " + std::to_string(param_type));
-		}
-		auto const size_expr = it->second;
-		size_expr_counts[size_expr]++;
-	}
-	return size_expr_counts;
-}
-
-// output_event_size outputs the event size macro for the provided event into the provided output
-// stream.
-void output_event_size(std::ostream &os,
-                       struct ppm_event_info const *const evt,
-                       bool const is_enter_evt) {
-	// Exclude old versions.
-	if(evt->flags & EF_OLD_VERSION) {
-		return;
-	}
-
-	std::string name{evt->name};
-	// Ignore events without name.
-	if(name == "NA") {
-		return;
-	}
-
-	// Exclude events not having a fixed size.
-	if(!is_fixed_size_event(evt)) {
-		return;
-	}
-
-	// Generate the complete event size macro name.
-	std::transform(name.cbegin(), name.cend(), name.begin(), toupper);
-	if((evt->category & EC_TRACEPOINT) == 0) {
-		name += is_enter_evt ? "_E" : "_X";
-	}
-	name += "_SIZE";
-
-	// The event contains at least the header.
-	os << "#define " << name << " HEADER_LEN";
-
-	auto const params_num = evt->nparams;
-
-	// Count the number of occurrences for each size expression.
-	auto size_expr_counts = get_event_size_expr_counts(evt);
-
-	// Output "size expression" * "number of occurrences of size expression", for each size
-	// expression.
-	for(auto const &[size_expr, count] : size_expr_counts) {
-		os << " + " << size_expr;
-		if(count != 1) {
-			os << " * " << count;
-		}
-	}
-
-	// Add "number of parameters" * PARAM_LEN, to account the size of each parameter length.
-	if(params_num != 0) {
-		os << " + PARAM_LEN";
-		if(params_num != 1) {
-			os << " * " << params_num;
-		}
-	}
-	os << '\n';
-}
-
-int main(int argc, char *argv[]) {
-	if(argc != 2) {
-		std::cerr << "Usage: " << argv[0] << " <filepath>\n";
-		std::exit(EXIT_FAILURE);
-	}
-
-	std::string filepath{argv[1]};
-
-	// Build file content.
-	std::ostringstream oss;
-	oss << PREFACE;
-	for(int i = 0; i < PPM_EVENT_MAX; i++) {
-		output_event_size(oss, &g_event_info[i], i % 2 == 0);
-	}
-	oss << POSTFACE;
-
-	// Write content to file.
-	std::ofstream f{filepath, std::fstream::out | std::fstream::trunc};
-	f << oss.str();
-	f.close();
-
-	return 0;
-}
--- a/driver/modern_bpf/definitions/struct_flavors.h
+++ b/driver/modern_bpf/definitions/struct_flavors.h
@ -59,10 +59,6 @@ struct inode___v6_11 {
 	uint32_t i_ctime_nsec;
 };

-struct kernfs_node___v6_15 {
-	struct kernfs_node *__parent;
-};
-
 #ifndef BPF_NO_PRESERVE_ACCESS_INDEX
 #pragma clang attribute pop
 #endif
--- a/driver/modern_bpf/definitions/x86_64/vmlinux.h
+++ b/driver/modern_bpf/definitions/x86_64/vmlinux.h
@ -39754,38 +39754,7 @@ enum bpf_func_id {
 	BPF_FUNC_ktime_get_coarse_ns = 160,
 	BPF_FUNC_ima_inode_hash = 161,
 	BPF_FUNC_sock_from_file = 162,
-	BPF_FUNC_check_mtu = 163,
-	BPF_FUNC_for_each_map_elem = 164,
-	BPF_FUNC_snprintf = 165,
-	BPF_FUNC_sys_bpf = 166,
-	BPF_FUNC_btf_find_by_name_kind = 167,
-	BPF_FUNC_sys_close = 168,
-	BPF_FUNC_timer_init = 169,
-	BPF_FUNC_timer_set_callback = 170,
-	BPF_FUNC_timer_start = 171,
-	BPF_FUNC_timer_cancel = 172,
-	BPF_FUNC_get_func_ip = 173,
-	BPF_FUNC_get_attach_cookie = 174,
-	BPF_FUNC_task_pt_regs = 175,
-	BPF_FUNC_get_branch_snapshot = 176,
-	BPF_FUNC_trace_vprintk = 177,
-	BPF_FUNC_skc_to_unix_sock = 178,
-	BPF_FUNC_kallsyms_lookup_name = 179,
-	BPF_FUNC_find_vma = 180,
-	BPF_FUNC_loop = 181,
-	BPF_FUNC_strncmp = 182,
-	BPF_FUNC_get_func_arg = 183,
-	BPF_FUNC_get_func_ret = 184,
-	BPF_FUNC_get_func_arg_cnt = 185,
-	BPF_FUNC_get_retval = 186,
-	BPF_FUNC_set_retval = 187,
-	BPF_FUNC_xdp_get_buff_len = 188,
-	BPF_FUNC_xdp_load_bytes = 189,
-	BPF_FUNC_xdp_store_bytes = 190,
-	BPF_FUNC_copy_from_user_task = 191,
-	BPF_FUNC_skb_set_tstamp = 192,
-	BPF_FUNC_ima_file_hash = 193,
-	__BPF_FUNC_MAX_ID = 194,
+	__BPF_FUNC_MAX_ID = 163,
 };

 enum {
--- a/driver/modern_bpf/helpers/base/maps_getters.h
+++ b/driver/modern_bpf/helpers/base/maps_getters.h
@ -17,99 +17,44 @@

 /*=============================== SETTINGS ===========================*/

-static __always_inline struct capture_settings *maps__get_capture_settings() {
-	uint32_t key = 0;
-	return bpf_map_lookup_elem(&capture_settings, &key);
-}
-
 static __always_inline uint64_t maps__get_boot_time() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->boot_time;
+	return g_settings.boot_time;
 }

 static __always_inline uint32_t maps__get_snaplen() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->snaplen;
+	return g_settings.snaplen;
 }

 static __always_inline bool maps__get_dropping_mode() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->dropping_mode;
+	return g_settings.dropping_mode;
 }

 static __always_inline uint32_t maps__get_sampling_ratio() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->sampling_ratio;
+	return g_settings.sampling_ratio;
 }

 static __always_inline bool maps__get_drop_failed() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->drop_failed;
+	return g_settings.drop_failed;
 }

 static __always_inline bool maps__get_do_dynamic_snaplen() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->do_dynamic_snaplen;
+	return g_settings.do_dynamic_snaplen;
 }

 static __always_inline uint16_t maps__get_fullcapture_port_range_start() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->fullcapture_port_range_start;
+	return g_settings.fullcapture_port_range_start;
 }

 static __always_inline uint16_t maps__get_fullcapture_port_range_end() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->fullcapture_port_range_end;
+	return g_settings.fullcapture_port_range_end;
 }

 static __always_inline uint16_t maps__get_statsd_port() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->statsd_port;
+	return g_settings.statsd_port;
 }

 static __always_inline int32_t maps__get_scap_tid() {
-	struct capture_settings *settings = maps__get_capture_settings();
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->scap_tid;
+	return g_settings.scap_tid;
 }

 /*=============================== SETTINGS ===========================*/
@ -144,12 +89,8 @@ static __always_inline uint8_t maps__64bit_sampling_syscall_table(uint32_t sysca

 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/

-static __always_inline bool maps__interesting_syscall_64bit(uint32_t syscall_id) {
-	bool *ret = bpf_map_lookup_elem(&interesting_syscalls_table_64bit, &syscall_id);
-	if(ret == NULL) {
-		return false;
-	}
-	return *ret;
+static __always_inline bool maps__64bit_interesting_syscall(uint32_t syscall_id) {
+	return g_64bit_interesting_syscalls_table[syscall_id & (SYSCALL_TABLE_SIZE - 1)];
 }

 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/
--- a/driver/modern_bpf/helpers/base/shared_size.h
+++ b/driver/modern_bpf/helpers/base/shared_size.h
@ -26,9 +26,6 @@
 /* Maximum number of `iovec` structures that we can analyze. */
 #define MAX_IOVCNT 32

-/* Maximum number of supported sendmmsg/recvmmsg loops with bpf_loop helper */
-#define MAX_SENDMMSG_RECVMMSG_SIZE 16
-
 /* Maximum number of `pollfd` structures that we can analyze. */
 #define MAX_POLLFD 16

--- a/driver/modern_bpf/helpers/extract/extract_from_kernel.h
+++ b/driver/modern_bpf/helpers/extract/extract_from_kernel.h
@ -10,7 +10,6 @@

 #include <helpers/base/maps_getters.h>
 #include <helpers/base/read_from_task.h>
-#include <helpers/base/shared_size.h>
 #include <driver/ppm_flag_helpers.h>

 #if __has_include(<sys/syscall.h>)
@ -1032,47 +1031,3 @@ static __always_inline struct socket *get_sock_from_file(struct file *file) {
 	}
 	return (struct socket *)BPF_CORE_READ(file, private_data);
 }
-
-///////////////////////////
-// EXTRACT FROM MSGHDR
-///////////////////////////
-
-/**
- * @brief Read the msghdr pointed by `msghdr_pointer` and store it in `msghdr` location.
- * @param msghdr pointer to the user_msghdr struct used to store the read msghdr.
- * @param msghdr_pointer pointer to the msghdr to be read.
- * @return 0 on success, or a negative error in case of failure.
- */
-static __always_inline long extract__msghdr(struct user_msghdr *msghdr,
-                                            unsigned long msghdr_pointer) {
-	return bpf_probe_read_user((void *)msghdr,
-	                           bpf_core_type_size(struct user_msghdr),
-	                           (void *)msghdr_pointer);
-}
-
-/**
- * @brief Extract the size of a message extracted from an `iovec` struct array.
- * @param scratch_space pointer the scratch space on which iovecs are read.
- * @param scratch_space_size scratch space total size.
- * @param iov_pointer pointer to `iovec` struct array.
- * @param iov_cnt number of `iovec` structs.
- * @return the size of the message on success, or 0 in case of failure.
- */
-static __always_inline uint32_t extract__iovec_size(void *scratch_space,
-                                                    uint32_t scratch_space_size,
-                                                    unsigned long iov_pointer,
-                                                    unsigned long iov_cnt) {
-	if(bpf_probe_read_user(scratch_space, scratch_space_size, (void *)iov_pointer)) {
-		return 0;
-	}
-
-	uint32_t total_size_to_read = 0;
-	const struct iovec *iovec = (const struct iovec *)scratch_space;
-	for(int i = 0; i < MAX_IOVCNT; i++) {
-		if(i == iov_cnt) {
-			break;
-		}
-		total_size_to_read += iovec[i].iov_len;
-	}
-	return total_size_to_read;
-}
--- a/driver/modern_bpf/helpers/interfaces/attached_programs.h
+++ b/driver/modern_bpf/helpers/interfaces/attached_programs.h
@ -0,0 +1,60 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2023 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#pragma once
+
+#include <helpers/base/maps_getters.h>
+
+/* The sampling logic is used by all BPF programs attached to the kernel.
+ * We treat the syscalls tracepoints in a dedicated way because they could generate
+ * more than one event (1 for each syscall) for this reason we need a dedicated table.
+ */
+static __always_inline bool sampling_logic(void* ctx, uint32_t id) {
+	/* If dropping mode is not enabled we don't perform any sampling
+	 * false: means don't drop the syscall
+	 * true: means drop the syscall
+	 */
+	if(!maps__get_dropping_mode()) {
+		return false;
+	}
+
+	uint8_t sampling_flag = maps__64bit_sampling_syscall_table(id);
+
+	if(sampling_flag == UF_NEVER_DROP) {
+		return false;
+	}
+
+	if(sampling_flag == UF_ALWAYS_DROP) {
+		return true;
+	}
+
+	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) {
+		/* If we are starting the dropping phase we need to notify the userspace, otherwise, we
+		 * simply drop our event.
+		 * PLEASE NOTE: this logic is not per-CPU so it is best effort!
+		 */
+		if(!maps__get_is_dropping()) {
+			/* Here we are not sure we can send the drop_e event to userspace
+			 * if the buffer is full, but this is not essential even if we lose
+			 * an iteration we will synchronize again the next time the logic is enabled.
+			 */
+			maps__set_is_dropping(true);
+			bpf_tail_call(ctx, &extra_syscall_calls, T1_DROP_E);
+			bpf_printk("unable to tail call into 'drop_e' prog");
+		}
+		return true;
+	}
+
+	if(maps__get_is_dropping()) {
+		maps__set_is_dropping(false);
+		bpf_tail_call(ctx, &extra_syscall_calls, T1_DROP_X);
+		bpf_printk("unable to tail call into 'drop_x' prog");
+	}
+
+	return false;
+}
--- a/driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h
+++ b/driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h
@ -14,7 +14,7 @@
 #include <helpers/extract/extract_from_kernel.h>

 static __always_inline bool syscalls_dispatcher__64bit_interesting_syscall(uint32_t syscall_id) {
-	return maps__interesting_syscall_64bit(syscall_id);
+	return maps__64bit_interesting_syscall(syscall_id);
 }

 static __always_inline long convert_network_syscalls(struct pt_regs *regs) {
--- a/driver/modern_bpf/helpers/store/auxmap_store_params.h
+++ b/driver/modern_bpf/helpers/store/auxmap_store_params.h
@ -113,7 +113,7 @@ static __always_inline void auxmap__finalize_event_header(struct auxiliary_map *

 /**
 * @brief Copy the entire event from the auxiliary map to bpf ringbuf.
- * If the event is correctly copied in the ringbuf we increment the number
+ * If the event is correctly copied in the ringbuf we increments the number
 * of events sent to userspace, otherwise we increment the dropped events.
 *
 * @param auxmap pointer to the auxmap in which we have already written the entire event.
@ -776,8 +776,7 @@ static __always_inline void auxmap__store_socktuple_param(struct auxiliary_map *

 	case AF_UNIX: {
 		struct unix_sock *socket_local = (struct unix_sock *)sk;
-		struct unix_sock *socket_peer = (struct unix_sock *)BPF_CORE_READ(socket_local, peer);
-		struct sockaddr_un usrsockaddr_un = {};
+		struct unix_sock *socket_remote = (struct unix_sock *)BPF_CORE_READ(socket_local, peer);
 		char *path = NULL;

 		/* Pack the tuple info:
@ -788,23 +787,18 @@ static __always_inline void auxmap__store_socktuple_param(struct auxiliary_map *
 		 */
 		push__u8(auxmap->data, &auxmap->payload_pos, socket_family_to_scap(socket_family));
 		if(direction == OUTBOUND) {
-			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_peer);
+			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_remote);
 			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_local);
-			if(socket_peer == NULL && usrsockaddr != NULL) {
-				bpf_probe_read_user(&usrsockaddr_un,
-				                    bpf_core_type_size(struct sockaddr_un),
-				                    (void *)usrsockaddr);
-				path = usrsockaddr_un.sun_path;
-			} else {
-				path = BPF_CORE_READ(socket_peer, addr, name[0].sun_path);
-			}
+			path = BPF_CORE_READ(socket_remote, addr, name[0].sun_path);
 		} else {
 			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_local);
-			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_peer);
+			push__u64(auxmap->data, &auxmap->payload_pos, (uint64_t)socket_remote);
 			path = BPF_CORE_READ(socket_local, addr, name[0].sun_path);
 		}

-		if(path[0] == '\0') {
+		unsigned long start_reading_point;
+		char first_path_byte = *(char *)path;
+		if(first_path_byte == '\0') {
 			/* Please note exceptions in the `sun_path`:
 			 * Taken from: https://man7.org/linux/man-pages/man7/unix.7.html
 			 *
@ -814,12 +808,14 @@ static __always_inline void auxmap__store_socktuple_param(struct auxiliary_map *
 			 *
 			 * So in this case, we need to skip the initial `\0`.
 			 */
-			path++;
+			start_reading_point = (unsigned long)path + 1;
+		} else {
+			start_reading_point = (unsigned long)path;
 		}

 		uint16_t written_bytes = push__charbuf(auxmap->data,
 		                                       &auxmap->payload_pos,
-		                                       (unsigned long)path,
+		                                       start_reading_point,
 		                                       MAX_UNIX_SOCKET_PATH,
 		                                       KERNEL);
 		final_param_len = FAMILY_SIZE + KERNEL_POINTER + KERNEL_POINTER + written_bytes;
@ -1121,7 +1117,9 @@ static __always_inline void auxmap__store_msghdr_size_param(struct auxiliary_map
 	 * we return 0.
 	 */
 	struct user_msghdr msghdr = {0};
-	if(extract__msghdr(&msghdr, msghdr_pointer)) {
+	if(bpf_probe_read_user((void *)&msghdr,
+	                       bpf_core_type_size(struct user_msghdr),
+	                       (void *)msghdr_pointer)) {
 		auxmap__store_u32_param(auxmap, 0);
 		return;
 	}
@ -1146,7 +1144,9 @@ static __always_inline struct user_msghdr auxmap__store_msghdr_data_param(
 	 * we return an empty param.
 	 */
 	struct user_msghdr msghdr = {0};
-	if(extract__msghdr(&msghdr, msghdr_pointer)) {
+	if(bpf_probe_read_user((void *)&msghdr,
+	                       bpf_core_type_size(struct user_msghdr),
+	                       (void *)msghdr_pointer)) {
 		/* in case of NULL msghdr we return an empty param */
 		push__param_len(auxmap->data, &auxmap->lengths_pos, 0);
 		return msghdr;
@ -1292,12 +1292,7 @@ static __always_inline uint16_t store_cgroup_subsys(struct auxiliary_map *auxmap
 		}
 		path_components++;
 		BPF_CORE_READ_INTO(&cgroup_path_pointers[k], kn, name);
-		if(bpf_core_field_exists(kn->parent)) {
-			BPF_CORE_READ_INTO(&kn, kn, parent);
-		} else {
-			struct kernfs_node___v6_15 *kn_v6_15 = (void *)kn;
-			BPF_CORE_READ_INTO(&kn, kn_v6_15, __parent);
-		}
+		BPF_CORE_READ_INTO(&kn, kn, parent);
 	}

 	/* Reconstruct the path in reverse, using previously collected pointers.
@ -1307,7 +1302,7 @@ static __always_inline uint16_t store_cgroup_subsys(struct auxiliary_map *auxmap
 	 * at the end of the string, reading with `bpf_probe_read_str()`).
 	 *
 	 * The rationale here is to replace the string terminator '\0'
-	 * with the '/' for every path component, excluding the last.
+	 * with the '/' for every path compotent, excluding the last.
 	 *
 	 * Starting from what we have already inserted ("cpuset="),
 	 * we want to obtain as a final result:
@ -1327,39 +1322,6 @@ static __always_inline uint16_t store_cgroup_subsys(struct auxiliary_map *auxmap
 	 *
 	 *  cpuset=/path_part1/path_part2\0
 	 */
-
-	/*
-	 *  If kernfs node is still not NULL, it means last path component retrieved
-	 *  (ie: the first one to be printed) was still not '\0' (ie: '/').
-	 *  To avoid sending a cgroup that does not start with '/', manually add it.
-	 *
-	 *  Example:
-	 *  /user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice/vte-spawn-2f17b2eb-994e-415d-bce0-44c1447d7cd2.scope
-	 *  gets split as:
-	 *  * vte-spawn-2f17b2eb-994e-415d-bce0-44c1447d7cd2.scope\0
-	 *  * app-org.gnome.Terminal.slice\0
-	 *  * app.slice\0
-	 *  * user@1000.service\0
-	 *  * user-1000.slice\0
-	 *  * user.slice\0
-	 * Without the below fix, we would send to userspace "user.slice/user-1000.slice/..." without
-	 * leading '/'.
-	 *
-	 * Counter example with "5" components + the root:
-	 * /user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice
-	 * gets split as:
-	 * * app-org.gnome.Terminal.slice\0
-	 * * app.slice\0
-	 * * user@1000.service\0
-	 * * user-1000.slice\0
-	 * * user.slice\0
-	 * * \0
-	 * In this case, we won't push the new character, instead we will push the correct string.
-	 */
-	if(kn) {
-		push__new_character(auxmap->data, &auxmap->payload_pos, '/');
-		total_size++;
-	}
 	for(int k = MAX_CGROUP_PATH_POINTERS - 1; k >= 0; --k) {
 		if(cgroup_path_pointers[k]) {
 			total_size += push__charbuf(auxmap->data,
@ -1504,17 +1466,10 @@ static __always_inline void auxmap__store_fdlist_param(struct auxiliary_map *aux
 	                sizeof(uint16_t) + (num_pairs * (sizeof(int64_t) + sizeof(int16_t))));
 }

-typedef struct {
-	bool only_port_range;
-	ppm_event_code evt_type;
-	long mmsg_index;         // Only used by sendmmsg/recvmmsg to pass the current message index
-	unsigned long *mm_args;  // Only used by sendmmsg/recvmmsg to reduce stack size to avoid
-	                         // verifier issues
-} dynamic_snaplen_args;
-
 static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
                                                  uint16_t *snaplen,
-                                                  const dynamic_snaplen_args *input_args) {
+                                                  bool only_port_range,
+                                                  ppm_event_code evt_type) {
 	if(!maps__get_do_dynamic_snaplen()) {
 		return;
 	}
@ -1531,9 +1486,7 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	 *  - writev
 	 *  - pwritev
 	 *  - recvmsg
-	 *  - recvmmsg
 	 *  - sendmsg
-	 *  - sendmmsg
 	 *  - send
 	 *  - recv
 	 *  - recvfrom
@ -1553,20 +1506,12 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	 *  - writev
 	 *  - pwritev
 	 *  - recvmsg
-	 *  - recvmmsg
 	 *  - sendmsg
-	 *  - sendmmsg
 	 */
 	unsigned long args[5] = {0};
 	struct sockaddr *sockaddr = NULL;
-	union {
-		struct compat_msghdr compat_mh;
-		struct user_msghdr mh;
-		struct compat_mmsghdr compat_mmh;
-		struct mmsghdr mmh;
-	} msg_mh = {};

-	switch(input_args->evt_type) {
+	switch(evt_type) {
 	case PPME_SOCKET_SENDTO_X:
 	case PPME_SOCKET_RECVFROM_X:
 		extract__network_args(args, 5, regs);
@ -1577,41 +1522,19 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	case PPME_SOCKET_SENDMSG_X: {
 		extract__network_args(args, 3, regs);
 		if(bpf_in_ia32_syscall()) {
-			if(likely(bpf_probe_read_user(&msg_mh.compat_mh,
+			struct compat_msghdr compat_mh = {};
+			if(likely(bpf_probe_read_user(&compat_mh,
 			                              bpf_core_type_size(struct compat_msghdr),
 			                              (void *)args[1]) == 0)) {
-				sockaddr = (struct sockaddr *)(unsigned long)(msg_mh.compat_mh.msg_name);
+				sockaddr = (struct sockaddr *)(unsigned long)(compat_mh.msg_name);
 			}
 			// in any case we break the switch.
 			break;
 		}
-		if(extract__msghdr(&msg_mh.mh, args[1]) == 0) {
-			sockaddr = (struct sockaddr *)msg_mh.mh.msg_name;
-		}
-	} break;

-	case PPME_SOCKET_RECVMMSG_X:
-	case PPME_SOCKET_SENDMMSG_X: {
-		// To avoid verifier stack size issues, sendmmsg and recvmmsg directly pass args
-		// in dynamic_snaplen_args.
-		// This also gives a small perf boost while using `bpf_loop` because we don't need
-		// to re-fetch first 3 syscall args at every iteration.
-		__builtin_memcpy(args, input_args->mm_args, 3 * sizeof(unsigned long));
-		if(bpf_in_ia32_syscall()) {
-			struct compat_mmsghdr *mmh_ptr = (struct compat_mmsghdr *)args[1];
-			if(likely(bpf_probe_read_user(&msg_mh.compat_mmh,
-			                              bpf_core_type_size(struct compat_mmsghdr),
-			                              (void *)(mmh_ptr + input_args->mmsg_index)) == 0)) {
-				sockaddr = (struct sockaddr *)(unsigned long)(msg_mh.compat_mmh.msg_hdr.msg_name);
-			}
-			// in any case we break the switch.
-			break;
-		}
-		struct mmsghdr *mmh_ptr = (struct mmsghdr *)args[1];
-		if(bpf_probe_read_user(&msg_mh.mmh,
-		                       bpf_core_type_size(struct mmsghdr),
-		                       (void *)(mmh_ptr + input_args->mmsg_index)) == 0) {
-			sockaddr = (struct sockaddr *)msg_mh.mmh.msg_hdr.msg_name;
+		struct user_msghdr mh = {};
+		if(bpf_probe_read_user(&mh, bpf_core_type_size(struct user_msghdr), (void *)args[1]) == 0) {
+			sockaddr = (struct sockaddr *)mh.msg_name;
 		}
 	} break;

@ -1649,20 +1572,16 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 		port_remote = ntohs(port_remote);

 		if(port_remote == 0 && sockaddr != NULL) {
-			union {
-				struct sockaddr_in sockaddr_in;
-				struct sockaddr_in6 sockaddr_in6;
-			} saddr_in = {};
 			if(socket_family == AF_INET) {
-				bpf_probe_read_user(&saddr_in.sockaddr_in,
-				                    bpf_core_type_size(struct sockaddr_in),
-				                    sockaddr);
-				port_remote = ntohs(saddr_in.sockaddr_in.sin_port);
+				struct sockaddr_in sockaddr_in = {};
+				bpf_probe_read_user(&sockaddr_in, bpf_core_type_size(struct sockaddr_in), sockaddr);
+				port_remote = ntohs(sockaddr_in.sin_port);
 			} else {
-				bpf_probe_read_user(&saddr_in.sockaddr_in6,
+				struct sockaddr_in6 sockaddr_in6 = {};
+				bpf_probe_read_user(&sockaddr_in6,
 				                    bpf_core_type_size(struct sockaddr_in6),
 				                    sockaddr);
-				port_remote = ntohs(saddr_in.sockaddr_in6.sin6_port);
+				port_remote = ntohs(sockaddr_in6.sin6_port);
 			}
 		}
 	}
@ -1687,7 +1606,7 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 	}

 	/* If we check only port range without reading syscall data we can stop here */
-	if(input_args->only_port_range) {
+	if(only_port_range) {
 		return;
 	}

@ -1895,12 +1814,3 @@ static __always_inline void auxmap__store_d_path_approx(struct auxiliary_map *au
 	                            MAX_COMPONENT_LEN,
 	                            KERNEL);
 }
-
-static __always_inline void auxmap__store_pgid(struct auxiliary_map *auxmap,
-                                               struct task_struct *task) {
-	pid_t pgid = 0;
-	struct pid *pid_struct = NULL;
-	READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]);
-	BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr);
-	auxmap__store_s64_param(auxmap, (int64_t)pgid);
-}
--- a/driver/modern_bpf/maps/maps.h
+++ b/driver/modern_bpf/maps/maps.h
@ -47,23 +47,35 @@ __weak const volatile uint64_t probe_api_ver = PPM_API_CURRENT_VERSION;
 */
 __weak const volatile uint64_t probe_schema_var = PPM_SCHEMA_CURRENT_VERSION;

+/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
+
+/*=============================== BPF GLOBAL VARIABLES ===============================*/
+
+/**
+ * @brief Given the syscall id on 64-bit-architectures returns if
+ * the syscall must be filtered out according to the simple consumer logic.
+ */
+__weak bool g_64bit_interesting_syscalls_table[SYSCALL_TABLE_SIZE];
+
 /**
 * @brief Given the syscall id on 64-bit-architectures returns:
 * - `UF_NEVER_DROP` if the syscall must not be dropped in the sampling logic.
 * - `UF_ALWAYS_DROP` if the syscall must always be dropped in the sampling logic.
 * - `UF_NONE` if we drop the syscall depends on the sampling ratio.
 */
-__weak const volatile uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
+__weak uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];

 /**
 * @brief Given the syscall id on 32-bit x86 arch returns
 * its x64 value. Used to support ia32 syscall emulation.
 */
-__weak const volatile uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];
+__weak uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];

-/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
-
-/*=============================== BPF GLOBAL VARIABLES ===============================*/
+/**
+ * @brief Global capture settings shared between userspace and
+ * bpf programs.
+ */
+__weak struct capture_settings g_settings;

 /**
 * @brief Variable used only kernel side to understand when we need to send
@ -105,44 +117,25 @@ struct {
 } syscall_exit_tail_table __weak SEC(".maps");

 /**
- * @brief This tail table is used when a sys exit bpf program needs another program
- * to complete its execution flow.
- * Given a predefined tail-code (`sys_exit_extra_code`), it calls
+ * @brief This tail table is used when a bpf program needs another program
+ * to complete its execution flow. This table could be used both by
+ * programs directly attached in the kernel (like page_faults,
+ * context_switch, ...) and by syscall_events (like
+ * ppme_syscall_execveat_x, ...).
+ * Given a predefined tail-code (`extra_syscall_codes`), it calls
 * the right bpf program.
 */
 struct {
 	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
-	__uint(max_entries, SYS_EXIT_EXTRA_CODE_MAX);
+	__uint(max_entries, TAIL_EXTRA_EVENT_PROG_MAX);
 	__type(key, uint32_t);
 	__type(value, uint32_t);
-} syscall_exit_extra_tail_table __weak SEC(".maps");
+} extra_syscall_calls __weak SEC(".maps");

 /*=============================== BPF_MAP_TYPE_PROG_ARRAY ===============================*/

 /*=============================== BPF_MAP_TYPE_ARRAY ===============================*/

-/**
- * @brief This table is used to keep track of which syscalls must be filtered out
- * according to the simple consumer logic.
- */
-struct {
-	__uint(type, BPF_MAP_TYPE_ARRAY);
-	__uint(max_entries, SYSCALL_TABLE_SIZE);
-	__type(key, uint32_t);
-	__type(value, bool);
-} interesting_syscalls_table_64bit __weak SEC(".maps");
-
-/**
- * @brief Global capture settings shared between userspace and
- * bpf programs.
- */
-struct {
-	__uint(type, BPF_MAP_TYPE_ARRAY);
-	__uint(max_entries, 1);
-	__type(key, uint32_t);
-	__type(value, struct capture_settings);
-} capture_settings __weak SEC(".maps");
-
 /* These maps have one entry for each CPU.
 *
 * PLEASE NOTE:
--- a/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c
+++ b/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c
@ -7,42 +7,13 @@
 */

 #include <helpers/interfaces/syscalls_dispatcher.h>
-
-// We don't want to send DROP_E/DROP_X events from the enter tracepoint because it would requires us
-// to create a dedicated tail table for the enter. It is enough to send DROP_E/DROP_X events from
-// the exit tracepoint.
-static __always_inline bool sampling_logic_enter(void* ctx, uint32_t id) {
-	/* If dropping mode is not enabled we don't perform any sampling
-	 * false: means don't drop the syscall
-	 * true: means drop the syscall
-	 */
-	if(!maps__get_dropping_mode()) {
-		return false;
-	}
-
-	uint8_t sampling_flag = maps__64bit_sampling_syscall_table(id);
-
-	if(sampling_flag == UF_NEVER_DROP) {
-		return false;
-	}
-
-	if(sampling_flag == UF_ALWAYS_DROP) {
-		return true;
-	}
-
-	// If we are in the sampling period we drop the event
-	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) {
-		return true;
-	}
-
-	return false;
-}
+#include <helpers/interfaces/attached_programs.h>

 /* From linux tree: /include/trace/events/syscall.h
 * TP_PROTO(struct pt_regs *regs, long id),
 */
 SEC("tp_btf/sys_enter")
-int BPF_PROG(sys_enter, struct pt_regs* regs, long syscall_id) {
+int BPF_PROG(sys_enter, struct pt_regs *regs, long syscall_id) {
 	int socketcall_syscall_id = -1;

 	if(bpf_in_ia32_syscall()) {
@ -78,7 +49,7 @@ int BPF_PROG(sys_enter, struct pt_regs* regs, long syscall_id) {
 		return 0;
 	}

-	if(sampling_logic_enter(ctx, syscall_id)) {
+	if(sampling_logic(ctx, syscall_id)) {
 		return 0;
 	}

--- a/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c
+++ b/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c
@ -7,165 +7,8 @@
 */

 #include <helpers/interfaces/syscalls_dispatcher.h>
+#include <helpers/interfaces/attached_programs.h>
 #include <bpf/bpf_helpers.h>
-#include <helpers/interfaces/fixed_size_event.h>
-
-SEC("tp_btf/sys_exit")
-int BPF_PROG(t_hotplug) {
-	/* We assume that the ring buffer for CPU 0 is always there so we send the
-	 * HOT-PLUG event through this buffer.
-	 */
-	uint32_t cpu_0 = 0;
-	struct ringbuf_map *rb = bpf_map_lookup_elem(&ringbuf_maps, &cpu_0);
-	if(!rb) {
-		bpf_printk("unable to obtain the ring buffer for CPU 0");
-		return 0;
-	}
-
-	struct counter_map *counter = bpf_map_lookup_elem(&counter_maps, &cpu_0);
-	if(!counter) {
-		bpf_printk("unable to obtain the counter map for CPU 0");
-		return 0;
-	}
-
-	/* This counts the event seen by the drivers even if they are dropped because the buffer is
-	 * full. */
-	counter->n_evts++;
-
-	/* If we are not able to reserve space we stop here
-	 * the event collection.
-	 */
-	struct ringbuf_struct ringbuf;
-	ringbuf.reserved_event_size = CPU_HOTPLUG_E_SIZE;
-	ringbuf.event_type = PPME_CPU_HOTPLUG_E;
-	ringbuf.data = bpf_ringbuf_reserve(rb, CPU_HOTPLUG_E_SIZE, 0);
-	if(!ringbuf.data) {
-		counter->n_drops_buffer++;
-		return 0;
-	}
-
-	ringbuf__store_event_header(&ringbuf);
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	/* Parameter 1: cpu (type: PT_UINT32) */
-	uint32_t current_cpu_id = (uint32_t)bpf_get_smp_processor_id();
-	ringbuf__store_u32(&ringbuf, current_cpu_id);
-
-	/* Parameter 2: action (type: PT_UINT32) */
-	/* Right now we don't have actions we always send 0 */
-	ringbuf__store_u32(&ringbuf, 0);
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__submit_event(&ringbuf);
-	return 0;
-}
-
-SEC("tp_btf/sys_exit")
-int BPF_PROG(t_drop_e) {
-	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, DROP_E_SIZE, PPME_DROP_E)) {
-		return 0;
-	}
-
-	ringbuf__store_event_header(&ringbuf);
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__store_u32(&ringbuf, maps__get_sampling_ratio());
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__submit_event(&ringbuf);
-	return 0;
-}
-
-SEC("tp_btf/sys_exit")
-int BPF_PROG(t_drop_x) {
-	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, DROP_X_SIZE, PPME_DROP_X)) {
-		return 0;
-	}
-
-	ringbuf__store_event_header(&ringbuf);
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__store_u32(&ringbuf, maps__get_sampling_ratio());
-
-	/*=============================== COLLECT PARAMETERS ===========================*/
-
-	ringbuf__submit_event(&ringbuf);
-	return 0;
-}
-
-enum custom_sys_exit_logic_codes {
-	T_HOTPLUG,
-	T_DROP_E,
-	T_DROP_X,
-	// add more codes here.
-	T_CUSTOM_MAX,
-};
-
-struct {
-	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
-	__uint(max_entries, T_CUSTOM_MAX);
-	__uint(key_size, sizeof(__u32));
-	__array(values, int(void *));
-} custom_sys_exit_calls SEC(".maps") = {
-        .values =
-                {
-                        [T_HOTPLUG] = (void *)&t_hotplug,
-                        [T_DROP_E] = (void *)&t_drop_e,
-                        [T_DROP_X] = (void *)&t_drop_x,
-                },
-};
-
-static __always_inline bool sampling_logic_exit(void *ctx, uint32_t id) {
-	/* If dropping mode is not enabled we don't perform any sampling
-	 * false: means don't drop the syscall
-	 * true: means drop the syscall
-	 */
-	if(!maps__get_dropping_mode()) {
-		return false;
-	}
-
-	uint8_t sampling_flag = maps__64bit_sampling_syscall_table(id);
-
-	if(sampling_flag == UF_NEVER_DROP) {
-		return false;
-	}
-
-	if(sampling_flag == UF_ALWAYS_DROP) {
-		return true;
-	}
-
-	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) {
-		/* If we are starting the dropping phase we need to notify the userspace, otherwise, we
-		 * simply drop our event.
-		 * PLEASE NOTE: this logic is not per-CPU so it is best effort!
-		 */
-		if(!maps__get_is_dropping()) {
-			/* Here we are not sure we can send the drop_e event to userspace
-			 * if the buffer is full, but this is not essential even if we lose
-			 * an iteration we will synchronize again the next time the logic is enabled.
-			 */
-			maps__set_is_dropping(true);
-			bpf_tail_call(ctx, &custom_sys_exit_calls, T_DROP_E);
-			bpf_printk("unable to tail call into 'drop_e' prog");
-		}
-		return true;
-	}
-
-	if(maps__get_is_dropping()) {
-		maps__set_is_dropping(false);
-		bpf_tail_call(ctx, &custom_sys_exit_calls, T_DROP_X);
-		bpf_printk("unable to tail call into 'drop_x' prog");
-	}
-
-	return false;
-}

 #define X86_64_NR_EXECVE 59
 #define X86_64_NR_EXECVEAT 322
@ -220,7 +63,7 @@ int BPF_PROG(sys_exit, struct pt_regs *regs, long ret) {
 		return 0;
 	}

-	if(sampling_logic_exit(ctx, syscall_id)) {
+	if(sampling_logic(ctx, syscall_id)) {
 		return 0;
 	}

@ -233,7 +76,7 @@ int BPF_PROG(sys_exit, struct pt_regs *regs, long ret) {
 	// we change our architecture we may need to update this logic.
 	struct ringbuf_map *rb = maps__get_ringbuf_map();
 	if(!rb) {
-		bpf_tail_call(ctx, &custom_sys_exit_calls, T_HOTPLUG);
+		bpf_tail_call(ctx, &extra_syscall_calls, T1_HOTPLUG_E);
 		bpf_printk("failed to tail call into the 'hotplug' prog");
 		return 0;
 	}
--- a/driver/modern_bpf/programs/attached/events/page_fault_kernel.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/page_fault_kernel.bpf.c
@ -7,6 +7,7 @@
 */

 #include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/attached_programs.h>

 /* From linux tree: `/arch/x86/include/asm/trace/exceptions.h`
 *	 TP_PROTO(unsigned long address, struct pt_regs *regs,
--- a/driver/modern_bpf/programs/attached/events/page_fault_user.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/page_fault_user.bpf.c
@ -7,6 +7,7 @@
 */

 #include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/attached_programs.h>

 /* From linux tree: `/arch/x86/include/asm/trace/exceptions.h`
 *	 TP_PROTO(unsigned long address, struct pt_regs *regs,
--- a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
@ -179,9 +179,9 @@ int BPF_PROG(t1_sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux
 	uint32_t tty = exctract__tty(task);
 	auxmap__store_u32_param(auxmap, (uint32_t)tty);

-	/* Parameter 18: vpgid (type: PT_PID) */
-	pid_t vpgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
-	auxmap__store_s64_param(auxmap, (int64_t)vpgid);
+	/* Parameter 18: pgid (type: PT_PID) */
+	pid_t pgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
+	auxmap__store_s64_param(auxmap, (int64_t)pgid);

 	/* Parameter 19: loginuid (type: PT_UID) */
 	uint32_t loginuid;
@ -288,14 +288,6 @@ int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
 		auxmap__store_empty_param(auxmap);
 	}

-	/* Parameter 29: pgid (type: PT_PID) */
-	auxmap__store_pgid(auxmap, task);
-
-	/* Parameter 30: egid (type: PT_GID) */
-	uint32_t egid;
-	extract__egid(task, &egid);
-	auxmap__store_u32_param(auxmap, egid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	auxmap__finalize_event_header(auxmap);
--- a/driver/modern_bpf/programs/attached/events/sched_process_exit.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/sched_process_exit.bpf.c
@ -8,6 +8,7 @@

 #include <helpers/interfaces/variable_size_event.h>
 #include <driver/systype_compat.h>
+#include <helpers/interfaces/attached_programs.h>

 /* The instruction limit is 1000000, so we shouldn't have issues */
 #define MAX_THREADS_GROUPS 30
--- a/driver/modern_bpf/programs/attached/events/sched_switch.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/sched_switch.bpf.c
@ -7,6 +7,7 @@
 */

 #include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/attached_programs.h>

 /* From linux tree: /include/linux/events/sched.h
 * TP_PROTO(bool preempt, struct task_struct *prev,
@ -22,7 +23,7 @@ int BPF_PROG(sched_switch, bool preempt, struct task_struct *prev, struct task_s
 	/// TODO: we could avoid switches from kernel threads to kernel threads (?).

 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, SCHED_SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
 		return 0;
 	}

--- a/driver/modern_bpf/programs/attached/events/signal_deliver.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/signal_deliver.bpf.c
@ -7,6 +7,7 @@
 */

 #include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/attached_programs.h>

 /* From linux tree: `/include/trace/events/signal.h`
 *	 TP_PROTO(int sig, struct kernel_siginfo *info, struct k_sigaction *ka)
@ -19,7 +20,7 @@ int BPF_PROG(signal_deliver, int sig, struct kernel_siginfo *info, struct k_siga
 	}

 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, SIGNALDELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, SIGNAL_DELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
 		return 0;
 	}

--- a/driver/modern_bpf/programs/tail_called/events/custom_logic/drop.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/custom_logic/drop.bpf.c
@ -0,0 +1,55 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2023 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(t1_drop_e) {
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, DROP_E_SIZE, PPME_DROP_E)) {
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__store_u32(&ringbuf, maps__get_sampling_ratio());
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+	return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(t1_drop_x) {
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, DROP_X_SIZE, PPME_DROP_X)) {
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__store_u32(&ringbuf, maps__get_sampling_ratio());
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
--- a/driver/modern_bpf/programs/tail_called/events/custom_logic/hotplug.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/custom_logic/hotplug.bpf.c
@ -0,0 +1,61 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2023 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(t1_hotplug_e) {
+	/* We assume that the ring buffer for CPU 0 is always there so we send the
+	 * HOT-PLUG event through this buffer.
+	 */
+	uint32_t cpu_0 = 0;
+	struct ringbuf_map *rb = bpf_map_lookup_elem(&ringbuf_maps, &cpu_0);
+	if(!rb) {
+		bpf_printk("unable to obtain the ring buffer for CPU 0");
+		return 0;
+	}
+
+	struct counter_map *counter = bpf_map_lookup_elem(&counter_maps, &cpu_0);
+	if(!counter) {
+		bpf_printk("unable to obtain the counter map for CPU 0");
+		return 0;
+	}
+
+	/* This counts the event seen by the drivers even if they are dropped because the buffer is
+	 * full. */
+	counter->n_evts++;
+
+	/* If we are not able to reserve space we stop here
+	 * the event collection.
+	 */
+	struct ringbuf_struct ringbuf;
+	ringbuf.reserved_event_size = HOTPLUG_E_SIZE;
+	ringbuf.event_type = PPME_CPU_HOTPLUG_E;
+	ringbuf.data = bpf_ringbuf_reserve(rb, HOTPLUG_E_SIZE, 0);
+	if(!ringbuf.data) {
+		counter->n_drops_buffer++;
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	/* Parameter 1: cpu (type: PT_UINT32) */
+	uint32_t current_cpu_id = (uint32_t)bpf_get_smp_processor_id();
+	ringbuf__store_u32(&ringbuf, current_cpu_id);
+
+	/* Parameter 2: action (type: PT_UINT32) */
+	/* Right now we don't have actions we always send 0 */
+	ringbuf__store_u32(&ringbuf, 0);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+	return 0;
+}
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/accept4.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/accept4.bpf.c
@ -105,12 +105,6 @@ int BPF_PROG(accept4_x, struct pt_regs *regs, long ret) {
 	/* Parameter 5: queuemax (type: PT_UINT32) */
 	auxmap__store_u32_param(auxmap, queuemax);

-	/* Parameter 6: flags (type: PT_FLAGS32) */
-	/// TODO: we don't support flags yet and so we just return zero.
-	///    If implemented, special handling for SYS_ACCEPT socketcall is needed.
-	uint32_t flags = 0;
-	auxmap__store_u32_param(auxmap, flags);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	auxmap__finalize_event_header(auxmap);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/access.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/access.bpf.c
@ -51,14 +51,10 @@ int BPF_PROG(access_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);

-	/* Parameter 2: name (type: PT_FSPATH) */
+	/* Parameter 2: pathname (type: PT_FSPATH) */
 	unsigned long path_pointer = extract__syscall_argument(regs, 0);
 	auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER);

-	/* Parameter 3: mode (type: PT_UINT32) */
-	int mode = (int)extract__syscall_argument(regs, 1);
-	auxmap__store_u32_param(auxmap, (uint32_t)access_flags_to_scap(mode));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	auxmap__finalize_event_header(auxmap);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bind.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bind.bpf.c
@ -13,9 +13,7 @@

 SEC("tp_btf/sys_enter")
 int BPF_PROG(bind_e, struct pt_regs *regs, long id) {
-	/* We need to keep this at the beginning of the program because otherwise we alter the state of
-	 * the ebpf registers causing a verifier issue.
-	 */
+	/* Collect parameters at the beginning to easily manage socketcalls */
 	unsigned long socket_fd = 0;
 	extract__network_args(&socket_fd, 1, regs);

@ -68,9 +66,6 @@ int BPF_PROG(bind_x, struct pt_regs *regs, long ret) {
 	uint16_t addrlen = (uint16_t)args[2];
 	auxmap__store_sockaddr_param(auxmap, sockaddr_ptr, addrlen);

-	/* Parameter 3: fd (type: PT_FD) */
-	auxmap__store_s64_param(auxmap, (int64_t)(int32_t)args[0]);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	auxmap__finalize_event_header(auxmap);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/brk.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/brk.bpf.c
@ -22,7 +22,7 @@ int BPF_PROG(brk_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	/* Parameter 1: addr (type: PT_UINT64) */
-	uint64_t addr = extract__syscall_argument(regs, 0);
+	unsigned long addr = extract__syscall_argument(regs, 0);
 	ringbuf__store_u64(&ringbuf, addr);

 	/*=============================== COLLECT PARAMETERS  ===========================*/
@ -68,10 +68,6 @@ int BPF_PROG(brk_x, struct pt_regs *regs, long ret) {
 	/* Parameter 4: vm_swap (type: PT_UINT32) */
 	ringbuf__store_u32(&ringbuf, swap_size);

-	/* Parameter 5: addr (type: PT_UINT64) */
-	uint64_t addr = extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, addr);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c
@ -150,7 +150,7 @@ int BPF_PROG(clone_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_CLONE_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T1_CLONE_X);
 	return 0;
 }

@ -206,7 +206,7 @@ int BPF_PROG(t1_clone_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_CLONE_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T2_CLONE_X);
 	return 0;
 }

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c
@ -150,7 +150,7 @@ int BPF_PROG(clone3_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_CLONE3_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T1_CLONE3_X);
 	return 0;
 }

@ -204,7 +204,7 @@ int BPF_PROG(t1_clone3_x, struct pt_regs *regs, long ret) {
 	/* We have to split here the bpf program, otherwise, it is too large
 	 * for the verifier (limit 1000000 instructions).
 	 */
-	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_CLONE3_X);
+	bpf_tail_call(ctx, &extra_syscall_calls, T2_CLONE3_X);
 	return 0;
 }

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c
@ -50,9 +50,9 @@ int BPF_PROG(close_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	/* Parameter 1: fd (type: PT_FD)*/
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -80,13 +80,9 @@ int BPF_PROG(close_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO) */
+	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);

-	/* Parameter 2: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c
@ -24,14 +24,14 @@ int BPF_PROG(connect_e, struct pt_regs *regs, long id) {
 	unsigned long args[3] = {0};
 	extract__network_args(args, 3, regs);

-	/* Parameter 1: fd (type: PT_FD) */
-	int64_t socket_fd = (int64_t)(int32_t)args[0];
-	auxmap__store_s64_param(auxmap, socket_fd);
+	/* Parameter 1: fd (type: PT_FD)*/
+	int32_t socket_fd = (int32_t)args[0];
+	auxmap__store_s64_param(auxmap, (int64_t)socket_fd);

-	/* Parameter 2: addr (type: PT_SOCKADDR) */
-	unsigned long usrsockaddr = args[1];
-	uint16_t usrsockaddr_len = (uint16_t)args[2];
-	auxmap__store_sockaddr_param(auxmap, usrsockaddr, usrsockaddr_len);
+	/* Parameter 2: addr (type: PT_SOCKADDR)*/
+	unsigned long sockaddr_ptr = args[1];
+	uint16_t addrlen = (uint16_t)args[2];
+	auxmap__store_sockaddr_param(auxmap, sockaddr_ptr, addrlen);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -57,30 +57,25 @@ int BPF_PROG(connect_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	unsigned long args[3] = {0};
-	extract__network_args(args, 3, regs);
-	int64_t socket_fd = (int64_t)(int32_t)args[0];
+	unsigned long socket_fd = 0;
+	extract__network_args(&socket_fd, 1, regs);

 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);

-	struct sockaddr *usrsockaddr = (struct sockaddr *)args[1];
-
 	/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
+	/* We need a valid sockfd to extract source data.*/
 	if(ret == 0 || ret == -EINPROGRESS) {
-		/* Notice: the following will push an empty parameter if
-		 * something goes wrong (e.g.: fd not valid). */
-		auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, usrsockaddr);
+		auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, NULL);
 	} else {
 		auxmap__store_empty_param(auxmap);
 	}

-	/* Parameter 3: fd (type: PT_FD) */
-	auxmap__store_s64_param(auxmap, socket_fd);
-
-	/* Parameter 4: addr (type: PT_SOCKADDR) */
-	uint16_t usrsockaddr_len = (uint16_t)args[2];
-	auxmap__store_sockaddr_param(auxmap, (unsigned long)usrsockaddr, usrsockaddr_len);
+	/* Parameter 3: fd (type: PT_FD)*/
+	/* We need the double cast to extract the first 4 bytes and then
+	 * convert them to a signed integer on 64-bit
+	 */
+	auxmap__store_s64_param(auxmap, (int64_t)(int32_t)socket_fd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c
@ -25,8 +25,8 @@ int BPF_PROG(copy_file_range_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	/* Parameter 1: fdin (type: PT_FD) */
-	int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fdin);
+	int32_t fdin = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)fdin);

 	/* Parameter 2: offin (type: PT_UINT64) */
 	uint64_t offin = extract__syscall_argument(regs, 1);
@ -58,29 +58,17 @@ int BPF_PROG(copy_file_range_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO) */
+	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);

 	/* Parameter 2: fdout (type: PT_FD) */
-	int64_t fdout = (int64_t)(int32_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_s64(&ringbuf, fdout);
+	int32_t fdout = (int32_t)extract__syscall_argument(regs, 2);
+	ringbuf__store_s64(&ringbuf, (int64_t)fdout);

 	/* Parameter 3: offout (type: PT_UINT64) */
 	uint64_t offout = extract__syscall_argument(regs, 3);
 	ringbuf__store_u64(&ringbuf, offout);

-	/* Parameter 4: fdin (type: PT_FD) */
-	int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fdin);
-
-	/* Parameter 5: offin (type: PT_UINT64) */
-	uint64_t offin = extract__syscall_argument(regs, 1);
-	ringbuf__store_u64(&ringbuf, offin);
-
-	/* Parameter 6: len (type: PT_UINT64) */
-	uint64_t len = extract__syscall_argument(regs, 4);
-	ringbuf__store_u64(&ringbuf, len);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c
@ -21,9 +21,9 @@ int BPF_PROG(dup_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: fd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	/* Parameter 1: oldfd (type: PT_FD) */
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -47,12 +47,12 @@ int BPF_PROG(dup_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_FD) */
-	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
+	/* Parameter 1: res (type: PT_FD)*/
+	ringbuf__store_s64(&ringbuf, ret);

 	/* Parameter 2: oldfd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c
@ -21,9 +21,9 @@ int BPF_PROG(dup2_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: fd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	/* Parameter 1: oldfd (type: PT_FD) */
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -47,16 +47,16 @@ int BPF_PROG(dup2_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_FD) */
-	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
+	/* Parameter 1: res (type: PT_FD)*/
+	ringbuf__store_s64(&ringbuf, ret);

 	/* Parameter 2: oldfd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);

 	/* Parameter 3: newfd (type: PT_FD) */
-	int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, newfd);
+	int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_s64(&ringbuf, (int64_t)newfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c
@ -21,9 +21,9 @@ int BPF_PROG(dup3_e, struct pt_regs *regs, long id) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: fd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	/* Parameter 1: oldfd (type: PT_FD) */
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);

 	/*=============================== COLLECT PARAMETERS  ===========================*/

@ -47,16 +47,16 @@ int BPF_PROG(dup3_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_FD) */
-	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
+	/* Parameter 1: res (type: PT_FD)*/
+	ringbuf__store_s64(&ringbuf, ret);

 	/* Parameter 2: oldfd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);

 	/* Parameter 3: newfd (type: PT_FD) */
-	int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, newfd);
+	int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_s64(&ringbuf, (int64_t)newfd);

 	/* Parameter 4: flags (type: PT_FLAGS32) */
 	int32_t flags = extract__syscall_argument(regs, 2);
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c
@ -47,13 +47,9 @@ int BPF_PROG(epoll_create_x, struct pt_regs *regs, long ret) {

 	/*=============================== COLLECT PARAMETERS  ===========================*/

-	/* Parameter 1: res (type: PT_ERRNO) */
+	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);

-	/* Parameter 2: size (type: PT_INT32) */
-	int32_t size = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s32(&ringbuf, size);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/

 	ringbuf__submit_event(&ringbuf);
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
dependabot[bot]	a414ad33a2	chore(deps): Bump softprops/action-gh-release in the actions group Bumps the actions group with 1 update: [softprops/action-gh-release](https://github.com/softprops/action-gh-release). Updates `softprops/action-gh-release` from 2.0.8 to 2.0.9 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](`c062e08bd5...e7a8f85e1c`) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	35a256a07c	chore(deps): Bump softprops/action-gh-release from 1 to 2 Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 1 to 2. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](`de2c0eb89a...c062e08bd5`) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	5a808131e3	chore(deps): Bump the actions group with 3 updates Bumps the actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [actions/cache](https://github.com/actions/cache) and [actions/setup-python](https://github.com/actions/setup-python). Updates `actions/checkout` from 4.2.1 to 4.2.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](`eef61447b9...11bd71901b`) Updates `actions/cache` from 4.1.1 to 4.1.2 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](`3624ceb22c...6849a64899`) Updates `actions/setup-python` from 5.2.0 to 5.3.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](`f677139bbe...0b93645e9f`) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	7a93637acb	update(ci): use cncf provided self hosted runners for arm64. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	6a72867e34	chore(ci): increase timeout to 5minutes for driverkit build in latest-kernel workflow. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	86c37904d0	fix(ci): fixed create-comment-kernel-testing typo. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	a564e271cb	chore(ci): bump zig version and improve install-zig action. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	66e759133d	chore(ci): bump the zig version to latest. Moreover, use zig version as cache key too. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	c869780d67	chore(ci): keep zig development version alive by using actions/cache. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	efe94d50ba	chore(deps): Bump uraimo/run-on-arch-action in the actions group Bumps the actions group with 1 update: [uraimo/run-on-arch-action](https://github.com/uraimo/run-on-arch-action). Updates `uraimo/run-on-arch-action` from 2.7.2 to 2.8.1 - [Release notes](https://github.com/uraimo/run-on-arch-action/releases) - [Commits](`b0ffb25eb0...5397f9e30a`) --- updated-dependencies: - dependency-name: uraimo/run-on-arch-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	9289d422ec	fix(ci): create-comment workflows array length check. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	36d10e1859	fix(ci): use `process.exit();` to leave node script in github/action-script. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	046df0ff26	fix(ci): fixed create-comment-perf workflow when perf CI does not run. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	7525fb186f	fix(ci): fixed create-comment-kernel-testing workflow when kernel-testing CI does not run. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	dcae4286d4	fix(ci): fixed latest-kernel CI usage of steps/jobs outputs. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	c2674c7206	new(ci): run latest-kernel CI against arm64 too. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	de05daf591	chore(deps): Bump the actions group with 2 updates Bumps the actions group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `actions/upload-artifact` from 4.4.2 to 4.4.3 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](`84480863f2...b4b15b8c7c`) Updates `codecov/codecov-action` from 4.5.0 to 4.6.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](`e28ff129e5...b9fd7d16f6`) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	732cdb9b85	chore(ci): bump actions/download-artifact to latest release (v4.1.8). Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	61cfcfada0	fix(ci): fixed build-scap-open-w-extern-bpf-skeleton: we do not rely on centos7 anymore. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	ef58f9b2bb	fix(ci): fix kernel testing action by using proper tag name. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	42520b6515	chore(deps): Bump actions/checkout from 3.6.0 to 4.2.1 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.2.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.6.0...eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	b468f29f63	chore(deps): Bump actions/upload-artifact from 3.1.3 to 4.4.2 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.3 to 4.4.2. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3.1.3...84480863f228bb9747b473957fcc9e309aa96097) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	2b33c45919	chore(deps): Bump actions/deploy-pages from 2.0.4 to 4.0.5 Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages) from 2.0.4 to 4.0.5. - [Release notes](https://github.com/actions/deploy-pages/releases) - [Commits](`9dbe382482...d6db90164a`) --- updated-dependencies: - dependency-name: actions/deploy-pages dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	0317bd6069	chore(deps): Bump peter-evans/create-pull-request from 5.0.2 to 7.0.5 Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.2 to 7.0.5. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](`153407881e...5e914681df`) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	3bea477d6f	chore(deps): Bump actions/upload-pages-artifact from 2.0.0 to 3.0.1 Bumps [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) from 2.0.0 to 3.0.1. - [Release notes](https://github.com/actions/upload-pages-artifact/releases) - [Commits](`a753861a5d...56afc609e7`) --- updated-dependencies: - dependency-name: actions/upload-pages-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	e47ac53b54	chore(deps): Bump actions/setup-python from 4.7.1 to 5.2.0 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.1 to 5.2.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](`65d7f2d534...f677139bbe`) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	f48db7fe7d	chore(deps): Bump dorny/paths-filter from 2.11.1 to 3.0.2 Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 2.11.1 to 3.0.2. - [Release notes](https://github.com/dorny/paths-filter/releases) - [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md) - [Commits](`4512585405...de90cc6fb3`) --- updated-dependencies: - dependency-name: dorny/paths-filter dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	4979b254f3	chore(deps): Bump codecov/codecov-action Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 79066c46f8dcdf8d7355f820dbac958c5b4cb9d3 to e28ff129e5465c2c0dcc6f003fc735cb6ae0c673. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](`79066c46f8...e28ff129e5`) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
dependabot[bot]	ba8c215f8f	chore(deps): Bump the actions group with 5 updates Bumps the actions group with 5 updates: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [mshick/add-pr-comment](https://github.com/mshick/add-pr-comment) \| `2.8.1` \| `2.8.2` \| \| [appleboy/ssh-action](https://github.com/appleboy/ssh-action) \| `1.0.3` \| `1.1.0` \| \| [uraimo/run-on-arch-action](https://github.com/uraimo/run-on-arch-action) \| `2.5.1` \| `2.7.2` \| \| [mozilla-actions/sccache-action](https://github.com/mozilla-actions/sccache-action) \| `0.0.4` \| `0.0.6` \| \| [actions/cache](https://github.com/actions/cache) \| `4.0.2` \| `4.1.1` \| Updates `mshick/add-pr-comment` from 2.8.1 to 2.8.2 - [Release notes](https://github.com/mshick/add-pr-comment/releases) - [Commits](`7c0890544f...b8f338c590`) Updates `appleboy/ssh-action` from 1.0.3 to 1.1.0 - [Release notes](https://github.com/appleboy/ssh-action/releases) - [Changelog](https://github.com/appleboy/ssh-action/blob/master/.goreleaser.yaml) - [Commits](`029f5b4aee...25ce8cbbcb`) Updates `uraimo/run-on-arch-action` from 2.5.1 to 2.7.2 - [Release notes](https://github.com/uraimo/run-on-arch-action/releases) - [Commits](`4ed76f16f0...b0ffb25eb0`) Updates `mozilla-actions/sccache-action` from 0.0.4 to 0.0.6 - [Release notes](https://github.com/mozilla-actions/sccache-action/releases) - [Commits](`2e7f9ec792...9e326ebed9`) Updates `actions/cache` from 4.0.2 to 4.1.1 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](`0c45773b62...3624ceb22c`) --- updated-dependencies: - dependency-name: mshick/add-pr-comment dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: appleboy/ssh-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: uraimo/run-on-arch-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: mozilla-actions/sccache-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-20 10:36:18 +01:00
cpanato	a5c268d4a2	clean up and update ci Signed-off-by: cpanato <ctadeu@gmail.com>	2024-11-20 10:36:18 +01:00
Mauro Ezequiel Moltrasio	f9cdd99082	chore(ci): show diff on failed format The provided patch is great to fix large formatting errors, however, it would be nice for CI to also show the diff for smaller changes that could be directly typed without having to download the patch. Signed-off-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	a327a68e47	chore(ci): check linked glibc version on zig. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	fcfbbbca7c	new(ci): add a zig build job plus a composite action to setup zig. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	ae7119a8c7	chore(test/libsinsp_e2e,ci): port libsinsp_e2e tests to use python3. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Federico Di Pierro	ac30b9d90c	chore(ci): bumped perf unit tests threshold to 5% (relative) slowdown. Same threshold used for google benchmarks. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	c68813fc61	cleanup(tests): improve test stability Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	db54b9f6d1	cleanup: remove `ctx` Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	6195ecd6d1	cleanup: don't initialize enums if not needed Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	9211890094	cleanup: rename some methods Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	c4455019fe	update: set sched_switch as UF_ALWAYS_DROP Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	2739d3cd76	cleanup: simplify droppping logic for tracepoint Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	05406cd374	cleanup: move `hotplug` logic into sys_exit Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	bbebce8d3c	cleanup: move `sched_p_fork` tail calls Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	53b38a3e25	cleanup: move `sched_p_exec` tail calls With this new approach the tail calls are only visible inside the sched_proc_exec file. Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Andrea Terzolo	4094a25963	fix(modern): check `cred` field is not NULL before the access Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-11-20 10:36:18 +01:00
Luca Guerra	e1999d0798	chore(libsinsp): style, lint Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com> Co-authored-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-25 14:54:11 +02:00
Federico Di Pierro	227233b8bf	fix(userspace/libsinsp): avoid dereferencing a possible nullptr in parsers Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-25 14:54:11 +02:00
Andrea Terzolo	d4efc80ece	fix: fix some warnings as errors Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-09-16 09:44:45 +02:00
Andrea Terzolo	62bb482edd	fix(libscap): use the correct memory barrier for ARM64 Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-09-16 09:44:45 +02:00
Andrea Terzolo	4c907c1d6d	ci: pin dependencies Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>	2024-09-16 09:44:45 +02:00
Federico Di Pierro	7d9cb26415	fix(test/drivers): fixed s390x `Werror` related failures for drivers tests. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-16 09:44:45 +02:00
Gianmatteo Palmieri	01d4dcaa62	chore(sinsp): rename `thread_pool` to `sinsp_thread_pool` to avoid symbol conflicts Signed-off-by: Gianmatteo Palmieri <mail@gian.im>	2024-09-16 09:44:45 +02:00
Z. Liu	82eee89861	chore(libs): fix -Werror=unused-variable otherwise test will give wrong result if compiler has -Werror flags, complained with: error: unused variable 'g_ppm_class' [-Werror=unused-variable] Signed-off-by: Z. Liu <zhixu.liu@gmail.com>	2024-09-16 09:44:45 +02:00
Jason Dellaluce	e89a18dba4	fix(libsinsp): solve field-field comparison pointer instability issues Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2024-09-16 09:44:45 +02:00
Jason Dellaluce	0633fd9784	fix(libsinsp): wrong error message in rhs field comparison checks Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2024-09-16 09:44:45 +02:00
Federico Di Pierro	1c5c79e1a7	fix(ci): avoid running drivers CI jobs that need secrets in PR coming from forks. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-16 09:44:45 +02:00
 @ -1 +1 @@
 .0.4
 .0.3
 @ -1 +1 @@
 .69.0
 .22.1