.github/PULL_REQUEST_TEMPLATE.md

@@ -20,8 +20,6 @@
 
 > /kind failing-test
 
-> /kind test
-
 > /kind feature
 
 <!--

.github/actions/install-zig/action.yml

@@ -8,29 +8,29 @@ runs:
       shell: bash
       id: store
       env:
-        ZIG_VERSION: '0.14.1'
+        ZIG_VERSION: '0.14.0'
       run: |
         echo "zig_version=${ZIG_VERSION}" >> "$GITHUB_OUTPUT"
 
     - name: Download zig
       shell: bash
       run: |
-        curl -L -o zig.tar.xz https://ziglang.org/download/${{ steps.store.outputs.zig_version }}/zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}.tar.xz
+        curl -L -o zig.tar.xz https://ziglang.org/download/${{ steps.store.outputs.zig_version }}/zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}.tar.xz
         tar -xvf zig.tar.xz
 
-        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
+        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
         #!/bin/bash
         exec zig cc -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
         EOF
-        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc
+        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc
 
-        cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
+        cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
         #!/bin/bash
         exec zig c++ -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
         EOF
-        chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++
+        chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++
 
-        mv zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/ zig
+        mv zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/ zig
 
     - name: Setup zig
       shell: bash

.github/workflows/ci.yml

@@ -36,8 +36,6 @@ jobs:
     steps:
       - name: Install deps ⛓️
         run: |
-          # Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
-          printf "deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main\ndeb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main\ndeb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main" > /etc/apt/sources.list
           apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
 
       - name: Install a recent version of CMake ⛓️

.github/workflows/drivers_ci.yml

@@ -39,7 +39,7 @@ jobs:
   # This job run all engine tests and scap-open
   test-scap:
     name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
-    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
+    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
     needs: paths-filter
     strategy:
       matrix:
@@ -102,13 +102,6 @@ jobs:
           cd build
           sudo ./test/libscap/libscap_test
 
-      - name: Validate scap-open with modern bpf
-        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: Andreagit97/bpfvalidator@v0.3.0
-        with:
-          args: |
-            --config=$GITHUB_WORKSPACE/driver/modern_bpf/bpfvalidator_config.yaml --cmd="$GITHUB_WORKSPACE/build/libscap/examples/01-open/scap-open --modern_bpf --num_events 10"
-
   test-drivers:
     name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
     runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
@@ -187,12 +180,10 @@ jobs:
           command_timeout: 60m
           script: |
             sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
-            # Remove, if present, any libs clone created by a previous job run.
-            rm -rf libs
             git clone -b $GIT_BRANCH $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git libs
             cd libs
             mkdir -p build
-            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF -DUSE_BUNDLED_LIBELF=OFF ../
+            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
             make drivers_test driver bpf -j6
             sudo ./test/drivers/drivers_test -m
             rc_modern=$?

.github/workflows/perf.yml

@@ -27,7 +27,7 @@ jobs:
         uses: ./.github/actions/composite-perf
 
       - name: Download latest master report
-        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+        uses: dawidd6/action-download-artifact@07ab29fd4a977ae4d2b275087cf67563dfdf0295 # v9
         with:
           branch: master
           event: push

.github/workflows/release-body.yml

@@ -98,7 +98,7 @@ jobs:
           echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
 
       - name: Release
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           body_path: ./release-body.md
           tag_name: ${{ github.event.release.tag_name }}
@@ -203,7 +203,7 @@ jobs:
           echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
 
       - name: Release
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           body_path: ./release-body.md
           tag_name: ${{ github.event.release.tag_name }}

.github/workflows/test_coverage_ci.yml

@@ -37,7 +37,7 @@ jobs:
           gcovr --xml -o ./libsinsp.coverage.xml
 
       - name: Upload to codecov
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
         with:
           fail_ci_if_error: true
           files: ./libsinsp.coverage.xml

CMakeLists.txt

@@ -62,6 +62,7 @@ option(ENABLE_DRIVERS_TESTS "Enable driver tests (bpf, kernel module, modern bpf
 option(ENABLE_LIBSCAP_TESTS "Enable libscap unit tests" OFF)
 option(ENABLE_LIBSINSP_E2E_TESTS "Enable libsinsp e2e tests" OFF)
 option(BUILD_SHARED_LIBS "Build libscap and libsinsp as shared libraries" OFF)
+option(ENABLE_VM_TESTS "Enable driver sanity tests" OFF)
 option(USE_ASAN "Build with AddressSanitizer" OFF)
 option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
 option(USE_TSAN "Build with ThreadSanitizer" OFF)
@@ -144,6 +145,10 @@ if(CREATE_TEST_TARGETS)
 		add_subdirectory(test/libsinsp_e2e/resources)
 	endif()
 
+	if(ENABLE_VM_TESTS)
+		add_subdirectory(test/vm)
+	endif()
+
 endif()
 
 option(ENABLE_BENCHMARKS "Enable Benchmarks" OFF)

OWNERS

@@ -7,11 +7,10 @@ approvers:
   - molter73
   - lucaguerra
   - jasondellaluce
-  - ekoops
+  - incertum
 reviewers:
   - hbrueckner
 emeritus_approvers:
   - fntlnz
   - leodido
   - ldegio
-  - incertum

README.md

@@ -11,7 +11,7 @@ This repository contains **libsinsp**, **libscap**, the **kernel module** and th
 
 These components are at the foundation of [Falco](https://github.com/falcosecurity/falco) and other projects that work with the same kind of data.
 
-This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to Falco's [official documentation](https://falco.org/docs/).
+This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to the [official documentation](https://falco.org/docs/).
 
 An image is worth a thousand words, they say:
 
@@ -104,13 +104,13 @@ If you are building this project outside of a Git working directory, or if you w
 <details>
 	<summary>Expand Build Instructions</summary>
 
-For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in Falco's [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
+For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in the [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
 
 The project utilizes the `cmake` build system, and the key `make` targets are as follows: 
 
 * `driver` -> build the kmod
-* `bpf` -> build the legacy `ebpf` probe
+* `bpf` -> build the eBPF probe
-* `scap` -> build libscap (`modern_ebpf` driver will be bundled into `scap` if enabled)
+* `scap` -> build libscap (`modern_bpf` driver will be bundled into `scap` if enabled)
 * `sinsp` -> build libsinsp (depends upon `scap` target)
 * `scap-open` -> build a small example binary for `libscap` to test the drivers (dependent on `scap`)
 * `sinsp-example` -> build a small example binary for `libsinsp` to test the drivers and/or `libsinsp` functionality (dependent on `scap` and `sinsp`)
@@ -135,7 +135,7 @@ make sinsp
 
 ### Build userspace using system deps
 
-To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to Falco's [official documentation](https://falco.org/docs/install-operate/source/).
+To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to the [official documentation](https://falco.org/docs/install-operate/source/).
 
 ```bash
 cmake -DUSE_BUNDLED_DEPS=OFF ../;
@@ -146,27 +146,29 @@ make sinsp
 
 ### Build driver - kmod
 
-To build the kmod driver, you need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
+To build the kmod driver, you need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
 
 ```bash
 make driver
-# Verify the kmod binary object file was created, uses `.ko` extension.
+# Verify the kmod object code was created, uses `.ko` extension.
 ls -l driver/src/scap.ko;
 ```
 
 ### Build driver - eBPF probe
 
-To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
+To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
 
 ```bash
 cmake -DBUILD_BPF=ON ../;
 make bpf
-# Verify the eBPF bytecode file was created, uses `.o` extension.
+# Verify the eBPF object code was created, uses `.o` extension.
 ls -l driver/bpf/probe.o;
 ```
 
 >__WARNING__: **clang-7** is the oldest supported version to build our BPF probe.
 
+Initial guidance for CI and building within containers: To build either the kmod or eBPF probe in a container, you will need to make the extracted kernel headers available. The [test/vm](test/vm/) directory contains example [scripts](test/vm/scripts/compile_drivers.sh) demonstrating how to pass them to the `make` command using the argument `KERNELDIR=${EXTRACTED_KERNEL_HEADERS_DIR}`. You can also use the [falcosecurity/driverkit](https://github.com/falcosecurity/driverkit) or explore the scripts within the driverkit repository. The mentioned resources also provide candidate builder containers.
+
 ### Build driver - modern eBPF probe
 
 To build the modern eBPF probe, further prerequisites are necessary:
@@ -191,13 +193,13 @@ To build the modern eBPF probe, further prerequisites are necessary:
 
 > __NOTE:__ These are not the requirements to use the modern BPF probe, but rather for building it from source.
 
-Regarding the previously discussed legacy eBPF driver, it generates kernel-specific bytecode (`driver/bpf/probe.o`) tailored to your machine's kernel release (`uname -r`). The location of the bytecode file can then be passed as an argument for testing with the `scap-open` and `sinsp-example` binaries.
+Regarding the previously discussed bpf drivers, they create a kernel-specific object code (`driver/bpf/probe.o`) for your machine's kernel release (`uname -r`). This object code is then used as an argument for testing with `scap-open` and `sinsp-example` binaries.
 
-However, the modern eBPF driver build process doesn't require kernel headers, and it isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern eBPF driver.
+However, the modern BPF driver operates differently. It doesn't require kernel headers, and its build isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8.
 
-CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8. The way the driver interprets kernel data structures without direct knowledge of the running kernel is not magic — it leverages predefined type information and BTF-based relocations. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file containing essential kernel data structure definitions, allowing the eBPF program to reference fields dynamically. Additionally, for cases where macros or functions from system headers are required, we redefine them in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h). Combined with CO-RE (Compile Once, Run Everywhere), this enables the driver to remain portable across different kernel versions.
+To comprehend how the driver understands kernel data structures without knowledge of the kernel it runs on, there's no black magic involved. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file in our project containing all necessary kernel data structure definitions. Additionally, we sometimes rely on macros or functions typically found in system header files, which we redefine in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h).
  
-The modern eBPF driver build process produces an eBPF header skeleton file using `bpftool`. The skeleton file is a C header file that embeds the compiled eBPF program as bytecode.
+That being said, the modern BPF driver still produces an object file, which you can create using the target below. Nevertheless, we ultimately include it in `scap` regardless. Hence, when modern BPF is enabled, building `scap` will already cover this step for you.
 
 ```bash
 cmake \
@@ -205,15 +207,13 @@ cmake \
 -DBUILD_LIBSCAP_MODERN_BPF=ON ../;
 
 make ProbeSkeleton
-# Verify the modern eBPF bytecode / final composed header file including all `.o` modern_ebpf files was created, uses `.h` extension.
+# Verify the modern eBPF object code / final composed header file including all `.o` modern_bpf files was created, uses `.h` extension.
 ls -l skel_dir/bpf_probe.skel.h;
 # Now includes skel_dir/bpf_probe.skel.h in `scap` during the linking process.
 make scap
 ```
 
-Since modern eBPF is included in `scap`, running `make scap` automatically covers the `make ProbeSkeleton` build step.
+Initial guidance for CI and building within containers: The Falco Project, for instance, compiles the final Falco userspace binary within older centos7 [falco-builder](https://falco.org/docs/install-operate/source/#build-using-falco-builder-container) containers with bundled dependencies. This ensures compatibility across supported systems, mainly due to GLIBC versions and other intricacies. However, you won't be able to compile the modern BPF driver on such old systems or builder containers. One solution is to build `skel_dir/bpf_probe.skel.h` in a more recent builder container. For example, you can refer to this [container](test/vm/containers/ubuntu2310.Dockerfile) as a guide. Subsequently, you can provide the modern BPF header file as an artifact to `scap` during building in an older builder container. As an illustrative example, we use `/tmp/skel-dir` containing the `bpf_probe.skel.h` file.
-
-You can also split the build process and specify the directory containing the `bpf_probe.skel.h` file.
 
 ```bash
 cmake \
@@ -243,7 +243,7 @@ This repository includes convenient test example binaries for both `scap` and `s
 
 When developing new features, you would run either one depending on what you're working on, in order to test and validate your changes.
 
-> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern eBPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
+> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern BPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
 
 Here's an example of a `cmake` command that will enable everything you need for all tests and components. By default, the following flags are disabled, with the exception of `USE_BUNDLED_DEPS` and `CREATE_TEST_TARGETS` (they are enabled by default).
 
@@ -259,7 +259,8 @@ cmake \
 -DCREATE_TEST_TARGETS=ON \
 -DENABLE_LIBSCAP_TESTS=ON \
 -DENABLE_DRIVERS_TESTS=ON \
--DENABLE_LIBSINSP_E2E_TESTS=ON ../;
+-DENABLE_LIBSINSP_E2E_TESTS=ON \
+-DENABLE_VM_TESTS=ON ../;
 ```
 
 > __NOTE:__ The `ENABLE_LIBSINSP_E2E_TESTS` flag enables the new e2e tests for libsinsp. Please keep in mind these tests are currently in heavy development and need some extra steps (see in the section below) to run correctly.
@@ -301,10 +302,9 @@ sudo ./test/drivers/drivers_test -m;
 The tests mentioned below expand beyond the scope of "unit tests". In this context as well, we are dedicated to making sure they run smoothly on your `localhost` for pre-PR testing, to the best of our ability:
 
 - [test/e2e](test/e2e) - enforced by our CI
+- [test/vm](test/vm) - our CI includes comparable tests, but it employs a distinct framework. For current status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
 
-For current status reports on the CI powered Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
+As mentioned earlier, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
-
-In general, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
 
 ### [EXPERIMENTAL] Run libsinsp e2e tests
 

cmake/modules/container_plugin.cmake

@@ -22,13 +22,13 @@ set(CONTAINER_LIBRARY
 )
 
 if(NOT CONTAINER_VERSION)
-	set(CONTAINER_VERSION "0.3.4")
+	set(CONTAINER_VERSION "0.2.2")
 endif()
 if(NOT CONTAINER_HASH)
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-		set(CONTAINER_HASH "658f96c4b4a56d1bf945a788d60571076f808ae1bcc877c4ba3625b0fd752d8d")
+		set(CONTAINER_HASH "e770975d06bad6c593ea43dd56364afdb9314a47924f29198ba3ab184e6aca5d")
 	else() # arm64
-		set(CONTAINER_HASH "34a153aca0164843a169193aba092a3063b24bca9ef80fd4f1d1f1919aba3bde")
+		set(CONTAINER_HASH "52fa2687152eb89c7e54a7b96bd1b08e78fdef15b98c989322f8eab7debcbf35")
 	endif()
 endif()
 if(NOT TARGET container_plugin)

cmake/modules/tbb.cmake

@@ -58,9 +58,9 @@ else()
 
 	if(NOT TARGET tbb)
 		message(STATUS "Using bundled tbb in '${TBB_SRC}'")
-		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.1.0.tar.gz")
+		set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.0.0.tar.gz")
 		set(TBB_SRC_URL_HASH
-			"SHA256=ed067603ece0dc832d2881ba5c516625ac2522c665d95f767ef6304e34f961b5"
+			"SHA256=e8e89c9c345415b17b30a2db3095ba9d47647611662073f7fbf54ad48b7f3c2a"
 		)
 		set(TBB_FLAGS "")
 		if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
@@ -89,8 +89,6 @@ else()
 						   -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
 						   -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
 						   -DEMSCRIPTEN=${TBB_EMSCRIPTEN}
-						   -DTBB_FILE_TRIM=Off
-						   -DTBB_INSTALL=Off
 				BUILD_BYPRODUCTS ${TBB_LIB}
 				INSTALL_COMMAND ""
 			)
@@ -112,8 +110,6 @@ else()
 							   -DTBB_OUTPUT_DIR_BASE=lib
 							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
 							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-							   -DTBB_FILE_TRIM=Off
-							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
 					INSTALL_COMMAND ""
 				)
@@ -133,8 +129,6 @@ else()
 							   -DTBB_OUTPUT_DIR_BASE=lib
 							   -DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
 							   -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-							   -DTBB_FILE_TRIM=Off
-							   -DTBB_INSTALL=Off
 					BUILD_BYPRODUCTS ${TBB_LIB}
 					INSTALL_COMMAND ""
 				)

driver/API_VERSION

@@ -1 +1 @@
-8.0.4
+8.0.3

driver/SCHEMA_VERSION

@@ -1 +1 @@
-3.69.0
+3.6.1

driver/bpf/filler_helpers.h

@@ -1407,15 +1407,3 @@ static __always_inline pid_t bpf_push_pgid(struct filler_data *data, struct task
 }
 
 #endif
-
-/* Legacy-probe-specific replacement for `socket_family_to_scap` helper. As encoding the socket
- * family using the `socket_family_to_scap` helper breaks the verifier on old kernel versions, just
- * send `PPM_AF_UNSPEC` if the user-provided socket family is negative, and leave it as is
- * otherwise. This solution relies on the fact that `AF_*` and corresponding `PPM_AF_*` macros map
- * to the same values. */
-static __always_inline uint8_t bpf_socket_family_to_scap(int8_t family) {
-	if(family < 0) {
-		family = PPM_AF_UNSPEC;
-	}
-	return (uint8_t)family;
-}

driver/bpf/types.h

@@ -143,16 +143,6 @@ struct sys_stash_args {
 #ifdef CAPTURE_SCHED_PROC_EXEC
 
 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
-struct sched_process_exec_args {
-	unsigned short common_type;
-	unsigned char common_flags;
-	unsigned char common_preempt_count;
-	int common_pid;
-	__u32 filename;  // This is actually defined as "__data_loc char[] filename;".
-	pid_t pid;
-	pid_t old_pid;
-};
-#else
 /* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
  * Taken from `/include/trace/events/sched.h`
  */
@@ -161,6 +151,16 @@ struct sched_process_exec_args {
 	pid_t old_pid;
 	struct linux_binprm *bprm;
 };
+#else
+struct sched_process_exec_args {
+	unsigned short common_type;
+	unsigned char common_flags;
+	unsigned char common_preempt_count;
+	int common_pid;
+	int filename;
+	pid_t pid;
+	pid_t old_pid;
+};
 #endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */
 
 #endif /* CAPTURE_SCHED_PROC_EXEC */

driver/fillers_table.c

@@ -45,13 +45,13 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SOCKET_SEND_E] = {FILLER_REF(sys_send_e)},
         [PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)},
         [PPME_SOCKET_SENDTO_E] = {FILLER_REF(sys_sendto_e)},
-        [PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_sendto_x)},
+        [PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_send_x)},
         [PPME_SOCKET_RECV_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {2}}},
         [PPME_SOCKET_RECV_X] = {FILLER_REF(sys_recv_x)},
         [PPME_SOCKET_RECVFROM_E] = {FILLER_REF(sys_recvfrom_e)},
         [PPME_SOCKET_RECVFROM_X] = {FILLER_REF(sys_recvfrom_x)},
         [PPME_SOCKET_SHUTDOWN_E] = {FILLER_REF(sys_shutdown_e)},
-        [PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_shutdown_x)},
+        [PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_single_x)},
         [PPME_SOCKET_GETSOCKNAME_E] = {FILLER_REF(sys_empty)},
         [PPME_SOCKET_GETSOCKNAME_X] = {FILLER_REF(sys_empty)},
         [PPME_SOCKET_GETPEERNAME_E] = {FILLER_REF(sys_empty)},
@@ -75,15 +75,15 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_PIPE_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_PIPE_X] = {FILLER_REF(sys_pipe_x)},
         [PPME_SYSCALL_EVENTFD_E] = {FILLER_REF(sys_eventfd_e)},
-        [PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_eventfd_x)},
+        [PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_FUTEX_E] = {FILLER_REF(sys_futex_e)},
-        [PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_futex_x)},
+        [PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_STAT_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_STAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_LSTAT_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_LSTAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_FSTAT_E] = {FILLER_REF(sys_fstat_e)},
-        [PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_fstat_x)},
+        [PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_STAT64_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_STAT64_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_LSTAT64_E] = {FILLER_REF(sys_empty)},
@@ -91,7 +91,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_FSTAT64_E] = {FILLER_REF(sys_single)},
         [PPME_SYSCALL_FSTAT64_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_EPOLLWAIT_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{2}}},
-        [PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_epoll_wait_x)},
+        [PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_POLL_E] = {FILLER_REF(sys_poll_e)},
         [PPME_SYSCALL_POLL_X] = {FILLER_REF(sys_poll_x)},
         [PPME_SYSCALL_SELECT_E] = {FILLER_REF(sys_empty)},
@@ -99,7 +99,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_NEWSELECT_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_NEWSELECT_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_LSEEK_E] = {FILLER_REF(sys_lseek_e)},
-        [PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_lseek_x)},
+        [PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_LLSEEK_E] = {FILLER_REF(sys_llseek_e)},
         [PPME_SYSCALL_LLSEEK_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_GETCWD_E] = {FILLER_REF(sys_empty)},
@@ -117,13 +117,13 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_PWRITE_E] = {FILLER_REF(sys_pwrite64_e)},
         [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_pwrite64_x)},
         [PPME_SYSCALL_READV_E] = {FILLER_REF(sys_readv_e)},
-        [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_x)},
+        [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_preadv_x)},
         [PPME_SYSCALL_WRITEV_E] = {FILLER_REF(sys_writev_e)},
-        [PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_x)},
+        [PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
         [PPME_SYSCALL_PREADV_E] = {FILLER_REF(sys_preadv_e)},
-        [PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_preadv_x)},
+        [PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_readv_preadv_x)},
         [PPME_SYSCALL_PWRITEV_E] = {FILLER_REF(sys_pwritev_e)},
-        [PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_pwritev_x)},
+        [PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
         [PPME_SYSCALL_DUP_1_E] = {FILLER_REF(sys_dup_e)},
         [PPME_SYSCALL_DUP_1_X] = {FILLER_REF(sys_dup_x)},
         [PPME_SYSCALL_DUP2_E] = {FILLER_REF(sys_dup2_e)},
@@ -131,22 +131,22 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_DUP3_E] = {FILLER_REF(sys_dup3_e)},
         [PPME_SYSCALL_DUP3_X] = {FILLER_REF(sys_dup3_x)},
         [PPME_SYSCALL_SIGNALFD_E] = {FILLER_REF(sys_signalfd_e)},
-        [PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_signalfd_x)},
+        [PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_KILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_kill_x)},
+        [PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_TKILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_tkill_x)},
+        [PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_TGKILL_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_tgkill_x)},
+        [PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_NANOSLEEP_E] = {FILLER_REF(sys_nanosleep_e)},
-        [PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_nanosleep_x)},
+        [PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_TIMERFD_CREATE_E] = {FILLER_REF(sys_autofill),
                                            2,
                                            APT_REG,
                                            {{AF_ID_USEDEFAULT, 0}, {AF_ID_USEDEFAULT, 0}}},
-        [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_timerfd_create_x)},
+        [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_REF(sys_inotify_init_e)},
-        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_inotify_init_x)},
+        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_GETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
         [PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_x)},
         [PPME_SYSCALL_SETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
@@ -161,19 +161,19 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SCHEDSWITCH_6_E] = {FILLER_REF(sched_switch_e)},
 #endif
         [PPME_SYSCALL_BRK_4_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_x)},
+        [PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
         [PPME_SYSCALL_MMAP_E] = {FILLER_REF(sys_mmap_e)},
-        [PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_mmap_x)},
+        [PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
         [PPME_SYSCALL_MMAP2_E] = {FILLER_REF(sys_mmap_e)},
-        [PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_mmap2_x)},
+        [PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
         [PPME_SYSCALL_MUNMAP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_munmap_x)},
+        [PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
         [PPME_SYSCALL_SPLICE_E] = {FILLER_REF(sys_splice_e)},
-        [PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_splice_x)},
+        [PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_PTRACE_E] = {FILLER_REF(sys_ptrace_e)},
         [PPME_SYSCALL_PTRACE_X] = {FILLER_REF(sys_ptrace_x)},
         [PPME_SYSCALL_IOCTL_3_E] = {FILLER_REF(sys_ioctl_e)},
-        [PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_ioctl_x)},
+        [PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_RENAME_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_RENAME_X] = {FILLER_REF(sys_autofill),
                                    3,
@@ -193,14 +193,14 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_QUOTACTL_E] = {FILLER_REF(sys_quotactl_e)},
         [PPME_SYSCALL_QUOTACTL_X] = {FILLER_REF(sys_quotactl_x)},
         [PPME_SYSCALL_SETRESUID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_setresuid_x)},
+        [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_SETRESGID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_setresgid_x)},
+        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SCAPEVENT_E] = {FILLER_REF(sys_scapevent_e)},
         [PPME_SYSCALL_SETUID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_setuid_x)},
+        [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_SETGID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
-        [PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_setgid_x)},
+        [PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_GETUID_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_GETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_GETEUID_E] = {FILLER_REF(sys_empty)},
@@ -223,43 +223,43 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SIGNALDELIVER_E] = {FILLER_REF(sys_signaldeliver_e)},
 #endif
         [PPME_SYSCALL_GETDENTS_E] = {FILLER_REF(sys_getdents_e)},
-        [PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_getdents_x)},
+        [PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_GETDENTS64_E] = {FILLER_REF(sys_getdents64_e)},
-        [PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_getdents64_x)},
+        [PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_SETNS_E] = {FILLER_REF(sys_setns_e)},
-        [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_setns_x)},
+        [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_FLOCK_E] = {FILLER_REF(sys_flock_e)},
-        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_flock_x)},
+        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_CPU_HOTPLUG_E] = {FILLER_REF(cpu_hotplug_e)},
         [PPME_SOCKET_ACCEPT_5_E] = {FILLER_REF(sys_empty)},
         [PPME_SOCKET_ACCEPT_5_X] = {FILLER_REF(sys_accept_x)},
         [PPME_SYSCALL_SEMOP_E] = {FILLER_REF(sys_single)},
         [PPME_SYSCALL_SEMOP_X] = {FILLER_REF(sys_semop_x)},
         [PPME_SYSCALL_SEMCTL_E] = {FILLER_REF(sys_semctl_e)},
-        [PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_semctl_x)},
+        [PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_PPOLL_E] = {FILLER_REF(sys_ppoll_e)},
-        [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_ppoll_x)},
+        [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_poll_x)}, /* exit same for poll() and ppoll() */
         [PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)},
-        [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_mount_x),
+        [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_autofill),
                                   4,
                                   APT_REG,
                                   {{AF_ID_RETVAL}, {0}, {1}, {2}}},
         [PPME_SYSCALL_SEMGET_E] = {FILLER_REF(sys_semget_e)},
-        [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_semget_x)},
+        [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_single_x)},
         [PPME_SYSCALL_ACCESS_E] = {FILLER_REF(sys_access_e)},
-        [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_access_x)},
+        [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_CHROOT_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_CHROOT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_SETSID_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_SETSID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_SETPGID_E] = {FILLER_REF(sys_setpgid_e)},
-        [PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_setpgid_x)},
+        [PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_MKDIR_2_E] = {FILLER_REF(sys_mkdir_e)},
-        [PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_mkdir_x)},
+        [PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_RMDIR_2_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_RMDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_UNSHARE_E] = {FILLER_REF(sys_unshare_e)},
-        [PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_unshare_x)},
+        [PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_EXECVE_19_E] = {FILLER_REF(sys_execve_e)},
         [PPME_SYSCALL_EXECVE_19_X] = {FILLER_REF(proc_startupdate)},
 #ifdef CAPTURE_PAGE_FAULTS
@@ -268,7 +268,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_BPF_2_E] = {FILLER_REF(sys_bpf_e)},
         [PPME_SYSCALL_BPF_2_X] = {FILLER_REF(sys_bpf_x)},
         [PPME_SYSCALL_SECCOMP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
-        [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_seccomp_x)},
+        [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_UNLINK_2_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_UNLINK_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
         [PPME_SYSCALL_UNLINKAT_2_E] = {FILLER_REF(sys_empty)},
@@ -344,7 +344,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_UMOUNT_1_E] = {FILLER_REF(sys_empty)},
         [PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)},
         [PPME_SOCKET_ACCEPT4_6_E] = {FILLER_REF(sys_accept4_e)},
-        [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept4_x)},
+        [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept_x)},
         [PPME_SYSCALL_UMOUNT2_E] = {FILLER_REF(sys_umount2_e)},
         [PPME_SYSCALL_UMOUNT2_X] = {FILLER_REF(sys_umount2_x)},
         [PPME_SYSCALL_PIPE2_E] = {FILLER_REF(sys_empty)},

driver/modern_bpf/bpfvalidator_config.yaml

@@ -1,8 +0,0 @@
-parallel: 2
-kernel_versions:
-    - v5.10.237
-    - v5.15.184
-    - v6.1.140
-    - v6.6.92
-    - v6.12.30
-    - v6.15

driver/modern_bpf/definitions/events_dimensions.h

@@ -24,7 +24,7 @@
 #define SYSCALL_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
 #define SYSCALL_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
 #define CLOSE_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define READ_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define WRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define SOCKET_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
@@ -36,13 +36,13 @@
 #define RECV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define GETSOCKNAME_E_SIZE HEADER_LEN
 #define GETSOCKNAME_X_SIZE HEADER_LEN
 #define GETPEERNAME_E_SIZE HEADER_LEN
 #define GETPEERNAME_X_SIZE HEADER_LEN
 #define SOCKETPAIR_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 8
+#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
 #define SETSOCKOPT_E_SIZE HEADER_LEN
 #define GETSOCKOPT_E_SIZE HEADER_LEN
 #define SENDMMSG_E_SIZE HEADER_LEN
@@ -51,29 +51,29 @@
 #define PIPE_E_SIZE HEADER_LEN
 #define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
 #define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
-#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define FUTEX_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define STAT_E_SIZE HEADER_LEN
 #define LSTAT_E_SIZE HEADER_LEN
 #define FSTAT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define STAT64_E_SIZE HEADER_LEN
 #define LSTAT64_E_SIZE HEADER_LEN
 #define FSTAT64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define FSTAT64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define EPOLL_WAIT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define SELECT_E_SIZE HEADER_LEN
 #define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define LSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
+#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define LLSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
+#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define GETCWD_E_SIZE HEADER_LEN
 #define CHDIR_E_SIZE HEADER_LEN
 #define FCHDIR_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define PREAD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
 #define PWRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
 #define READV_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
@@ -81,21 +81,21 @@
 #define PREADV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
 #define PWRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
 #define SIGNALFD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 3
-#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 4
+#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define KILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
-#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
+#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define TGKILL_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
-#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
+#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define NANOSLEEP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
+#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
-#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 3
+#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
+#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
+#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
 #define SETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
 #define SETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
 #define PRLIMIT_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
@@ -106,36 +106,36 @@
 #define FCNTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
 #define SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
 #define BRK_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define BRK_X_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
+#define BRK_X_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
 #define MMAP_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
-#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
+#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
 #define MMAP2_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
-#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
+#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
 #define MUNMAP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
-#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
+#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
 #define SPLICE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 4
-#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
+#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
 #define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define RENAME_E_SIZE HEADER_LEN
 #define RENAMEAT_E_SIZE HEADER_LEN
 #define SYMLINK_E_SIZE HEADER_LEN
 #define SYMLINKAT_E_SIZE HEADER_LEN
 #define PROCEXIT_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) * 2 + PARAM_LEN * 5
 #define SENDFILE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
-#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
+#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
 #define QUOTACTL_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 4
 #define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
+#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define SCAPEVENT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
 #define SCAPEVENT_X_SIZE HEADER_LEN
 #define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define SETGID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define GETUID_E_SIZE HEADER_LEN
 #define GETUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define GETEUID_E_SIZE HEADER_LEN
@@ -154,22 +154,22 @@
 #define SIGNALDELIVER_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
 #define PROCINFO_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
 #define GETDENTS_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define GETDENTS64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
+#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
+#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define CPU_HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
 #define ACCEPT_E_SIZE HEADER_LEN
 #define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define SEMOP_X_SIZE HEADER_LEN + sizeof(int16_t) * 2 + sizeof(int32_t) + sizeof(int64_t) + sizeof(uint16_t) * 4 + sizeof(uint32_t) + PARAM_LEN * 9
+#define SEMOP_X_SIZE HEADER_LEN + sizeof(int16_t) * 2 + sizeof(int64_t) + sizeof(uint16_t) * 4 + sizeof(uint32_t) + PARAM_LEN * 8
 #define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
-#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 5
+#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define SEMGET_X_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 4
+#define SEMGET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define CHROOT_E_SIZE HEADER_LEN
 #define SETSID_E_SIZE HEADER_LEN
@@ -177,12 +177,12 @@
 #define MKDIR_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define RMDIR_E_SIZE HEADER_LEN
 #define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define PAGE_FAULT_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
 #define SETPGID_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
-#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
+#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
-#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
+#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define UNLINK_E_SIZE HEADER_LEN
 #define UNLINKAT_E_SIZE HEADER_LEN
 #define MKDIRAT_E_SIZE HEADER_LEN
@@ -196,9 +196,9 @@
 #define USERFAULTFD_E_SIZE HEADER_LEN
 #define USERFAULTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define MPROTECT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
+#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define COPY_FILE_RANGE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
-#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
+#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + PARAM_LEN * 3
 #define CLONE3_E_SIZE HEADER_LEN
 #define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
 #define IO_URING_SETUP_E_SIZE HEADER_LEN
@@ -229,9 +229,9 @@
 #define MLOCK2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
 #define FSCONFIG_E_SIZE HEADER_LEN
 #define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) + PARAM_LEN * 2
+#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
-#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define CHOWN_E_SIZE HEADER_LEN
 #define LCHOWN_E_SIZE HEADER_LEN
 #define FCHOWN_E_SIZE HEADER_LEN
@@ -245,9 +245,9 @@
 #define INOTIFY_INIT1_E_SIZE HEADER_LEN
 #define INOTIFY_INIT1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
 #define EVENTFD2_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
-#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) + PARAM_LEN * 3
+#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
 #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint32_t) + PARAM_LEN * 4
+#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
 #define PRCTL_E_SIZE HEADER_LEN
 #define MEMFD_CREATE_E_SIZE HEADER_LEN
 #define PIDFD_GETFD_E_SIZE HEADER_LEN

driver/modern_bpf/helpers/base/maps_getters.h

@@ -17,99 +17,44 @@
 
 /*=============================== SETTINGS ===========================*/
 
-static __always_inline struct capture_settings *maps__get_capture_settings() {
-	uint32_t key = 0;
-	return bpf_map_lookup_elem(&capture_settings, &key);
-}
-
 static __always_inline uint64_t maps__get_boot_time() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.boot_time;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->boot_time;
 }
 
 static __always_inline uint32_t maps__get_snaplen() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.snaplen;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->snaplen;
 }
 
 static __always_inline bool maps__get_dropping_mode() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.dropping_mode;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->dropping_mode;
 }
 
 static __always_inline uint32_t maps__get_sampling_ratio() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.sampling_ratio;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->sampling_ratio;
 }
 
 static __always_inline bool maps__get_drop_failed() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.drop_failed;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->drop_failed;
 }
 
 static __always_inline bool maps__get_do_dynamic_snaplen() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.do_dynamic_snaplen;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->do_dynamic_snaplen;
 }
 
 static __always_inline uint16_t maps__get_fullcapture_port_range_start() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.fullcapture_port_range_start;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->fullcapture_port_range_start;
 }
 
 static __always_inline uint16_t maps__get_fullcapture_port_range_end() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.fullcapture_port_range_end;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->fullcapture_port_range_end;
 }
 
 static __always_inline uint16_t maps__get_statsd_port() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.statsd_port;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->statsd_port;
 }
 
 static __always_inline int32_t maps__get_scap_tid() {
-	struct capture_settings *settings = maps__get_capture_settings();
+	return g_settings.scap_tid;
-	if(settings == NULL) {
-		return 0;
-	}
-
-	return settings->scap_tid;
 }
 
 /*=============================== SETTINGS ===========================*/
@@ -144,12 +89,8 @@ static __always_inline uint8_t maps__64bit_sampling_syscall_table(uint32_t sysca
 
 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/
 
-static __always_inline bool maps__interesting_syscall_64bit(uint32_t syscall_id) {
+static __always_inline bool maps__64bit_interesting_syscall(uint32_t syscall_id) {
-	bool *ret = bpf_map_lookup_elem(&interesting_syscalls_table_64bit, &syscall_id);
+	return g_64bit_interesting_syscalls_table[syscall_id & (SYSCALL_TABLE_SIZE - 1)];
-	if(ret == NULL) {
-		return false;
-	}
-	return *ret;
 }
 
 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/

driver/modern_bpf/helpers/base/shared_size.h

@@ -26,9 +26,6 @@
 /* Maximum number of `iovec` structures that we can analyze. */
 #define MAX_IOVCNT 32
 
-/* Maximum number of supported sendmmsg/recvmmsg loops with bpf_loop helper */
-#define MAX_SENDMMSG_RECVMMSG_SIZE 16
-
 /* Maximum number of `pollfd` structures that we can analyze. */
 #define MAX_POLLFD 16
 

driver/modern_bpf/helpers/extract/extract_from_kernel.h

@@ -10,7 +10,6 @@
 
 #include <helpers/base/maps_getters.h>
 #include <helpers/base/read_from_task.h>
-#include <helpers/base/shared_size.h>
 #include <driver/ppm_flag_helpers.h>
 
 #if __has_include(<sys/syscall.h>)
@@ -1032,47 +1031,3 @@ static __always_inline struct socket *get_sock_from_file(struct file *file) {
 	}
 	return (struct socket *)BPF_CORE_READ(file, private_data);
 }
-
-///////////////////////////
-// EXTRACT FROM MSGHDR
-///////////////////////////
-
-/**
- * @brief Read the msghdr pointed by `msghdr_pointer` and store it in `msghdr` location.
- * @param msghdr pointer to the user_msghdr struct used to store the read msghdr.
- * @param msghdr_pointer pointer to the msghdr to be read.
- * @return 0 on success, or a negative error in case of failure.
- */
-static __always_inline long extract__msghdr(struct user_msghdr *msghdr,
-                                            unsigned long msghdr_pointer) {
-	return bpf_probe_read_user((void *)msghdr,
-	                           bpf_core_type_size(struct user_msghdr),
-	                           (void *)msghdr_pointer);
-}
-
-/**
- * @brief Extract the size of a message extracted from an `iovec` struct array.
- * @param scratch_space pointer the scratch space on which iovecs are read.
- * @param scratch_space_size scratch space total size.
- * @param iov_pointer pointer to `iovec` struct array.
- * @param iov_cnt number of `iovec` structs.
- * @return the size of the message on success, or 0 in case of failure.
- */
-static __always_inline uint32_t extract__iovec_size(void *scratch_space,
-                                                    uint32_t scratch_space_size,
-                                                    unsigned long iov_pointer,
-                                                    unsigned long iov_cnt) {
-	if(bpf_probe_read_user(scratch_space, scratch_space_size, (void *)iov_pointer)) {
-		return 0;
-	}
-
-	uint32_t total_size_to_read = 0;
-	const struct iovec *iovec = (const struct iovec *)scratch_space;
-	for(int i = 0; i < MAX_IOVCNT; i++) {
-		if(i == iov_cnt) {
-			break;
-		}
-		total_size_to_read += iovec[i].iov_len;
-	}
-	return total_size_to_read;
-}

driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h

@@ -14,7 +14,7 @@
 #include <helpers/extract/extract_from_kernel.h>
 
 static __always_inline bool syscalls_dispatcher__64bit_interesting_syscall(uint32_t syscall_id) {
-	return maps__interesting_syscall_64bit(syscall_id);
+	return maps__64bit_interesting_syscall(syscall_id);
 }
 
 static __always_inline long convert_network_syscalls(struct pt_regs *regs) {

driver/modern_bpf/helpers/store/auxmap_store_params.h

@@ -1121,7 +1121,9 @@ static __always_inline void auxmap__store_msghdr_size_param(struct auxiliary_map
 	 * we return 0.
 	 */
 	struct user_msghdr msghdr = {0};
-	if(extract__msghdr(&msghdr, msghdr_pointer)) {
+	if(bpf_probe_read_user((void *)&msghdr,
+	                       bpf_core_type_size(struct user_msghdr),
+	                       (void *)msghdr_pointer)) {
 		auxmap__store_u32_param(auxmap, 0);
 		return;
 	}
@@ -1146,7 +1148,9 @@ static __always_inline struct user_msghdr auxmap__store_msghdr_data_param(
 	 * we return an empty param.
 	 */
 	struct user_msghdr msghdr = {0};
-	if(extract__msghdr(&msghdr, msghdr_pointer)) {
+	if(bpf_probe_read_user((void *)&msghdr,
+	                       bpf_core_type_size(struct user_msghdr),
+	                       (void *)msghdr_pointer)) {
 		/* in case of NULL msghdr we return an empty param */
 		push__param_len(auxmap->data, &auxmap->lengths_pos, 0);
 		return msghdr;
@@ -1585,7 +1589,9 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
 			// in any case we break the switch.
 			break;
 		}
-		if(extract__msghdr(&msg_mh.mh, args[1]) == 0) {
+		if(bpf_probe_read_user(&msg_mh.mh,
+		                       bpf_core_type_size(struct user_msghdr),
+		                       (void *)args[1]) == 0) {
 			sockaddr = (struct sockaddr *)msg_mh.mh.msg_name;
 		}
 	} break;

driver/modern_bpf/maps/maps.h

@@ -47,23 +47,35 @@ __weak const volatile uint64_t probe_api_ver = PPM_API_CURRENT_VERSION;
  */
 __weak const volatile uint64_t probe_schema_var = PPM_SCHEMA_CURRENT_VERSION;
 
+/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
+
+/*=============================== BPF GLOBAL VARIABLES ===============================*/
+
+/**
+ * @brief Given the syscall id on 64-bit-architectures returns if
+ * the syscall must be filtered out according to the simple consumer logic.
+ */
+__weak bool g_64bit_interesting_syscalls_table[SYSCALL_TABLE_SIZE];
+
 /**
  * @brief Given the syscall id on 64-bit-architectures returns:
  * - `UF_NEVER_DROP` if the syscall must not be dropped in the sampling logic.
  * - `UF_ALWAYS_DROP` if the syscall must always be dropped in the sampling logic.
  * - `UF_NONE` if we drop the syscall depends on the sampling ratio.
  */
-__weak const volatile uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
+__weak uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
 
 /**
  * @brief Given the syscall id on 32-bit x86 arch returns
  * its x64 value. Used to support ia32 syscall emulation.
  */
-__weak const volatile uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];
+__weak uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];
 
-/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
+/**
-
+ * @brief Global capture settings shared between userspace and
-/*=============================== BPF GLOBAL VARIABLES ===============================*/
+ * bpf programs.
+ */
+__weak struct capture_settings g_settings;
 
 /**
  * @brief Variable used only kernel side to understand when we need to send
@@ -121,28 +133,6 @@ struct {
 
 /*=============================== BPF_MAP_TYPE_ARRAY ===============================*/
 
-/**
- * @brief This table is used to keep track of which syscalls must be filtered out
- * according to the simple consumer logic.
- */
-struct {
-	__uint(type, BPF_MAP_TYPE_ARRAY);
-	__uint(max_entries, SYSCALL_TABLE_SIZE);
-	__type(key, uint32_t);
-	__type(value, bool);
-} interesting_syscalls_table_64bit __weak SEC(".maps");
-
-/**
- * @brief Global capture settings shared between userspace and
- * bpf programs.
- */
-struct {
-	__uint(type, BPF_MAP_TYPE_ARRAY);
-	__uint(max_entries, 1);
-	__type(key, uint32_t);
-	__type(value, struct capture_settings);
-} capture_settings __weak SEC(".maps");
-
 /* These maps have one entry for each CPU.
  *
  * PLEASE NOTE:

driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c

@@ -179,9 +179,9 @@ int BPF_PROG(t1_sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux
 	uint32_t tty = exctract__tty(task);
 	auxmap__store_u32_param(auxmap, (uint32_t)tty);
 
-	/* Parameter 18: vpgid (type: PT_PID) */
+	/* Parameter 18: pgid (type: PT_PID) */
-	pid_t vpgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
+	pid_t pgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
-	auxmap__store_s64_param(auxmap, (int64_t)vpgid);
+	auxmap__store_s64_param(auxmap, (int64_t)pgid);
 
 	/* Parameter 19: loginuid (type: PT_UID) */
 	uint32_t loginuid;

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/accept4.bpf.c

@@ -105,12 +105,6 @@ int BPF_PROG(accept4_x, struct pt_regs *regs, long ret) {
 	/* Parameter 5: queuemax (type: PT_UINT32) */
 	auxmap__store_u32_param(auxmap, queuemax);
 
-	/* Parameter 6: flags (type: PT_FLAGS32) */
-	/// TODO: we don't support flags yet and so we just return zero.
-	///    If implemented, special handling for SYS_ACCEPT socketcall is needed.
-	uint32_t flags = 0;
-	auxmap__store_u32_param(auxmap, flags);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/access.bpf.c

@@ -51,14 +51,10 @@ int BPF_PROG(access_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
-	/* Parameter 2: name (type: PT_FSPATH) */
+	/* Parameter 2: pathname (type: PT_FSPATH) */
 	unsigned long path_pointer = extract__syscall_argument(regs, 0);
 	auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER);
 
-	/* Parameter 3: mode (type: PT_UINT32) */
-	int mode = (int)extract__syscall_argument(regs, 1);
-	auxmap__store_u32_param(auxmap, (uint32_t)access_flags_to_scap(mode));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/brk.bpf.c

@@ -22,7 +22,7 @@ int BPF_PROG(brk_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: addr (type: PT_UINT64) */
-	uint64_t addr = extract__syscall_argument(regs, 0);
+	unsigned long addr = extract__syscall_argument(regs, 0);
 	ringbuf__store_u64(&ringbuf, addr);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
@@ -68,10 +68,6 @@ int BPF_PROG(brk_x, struct pt_regs *regs, long ret) {
 	/* Parameter 4: vm_swap (type: PT_UINT32) */
 	ringbuf__store_u32(&ringbuf, swap_size);
 
-	/* Parameter 5: addr (type: PT_UINT64) */
-	uint64_t addr = extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, addr);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c

@@ -51,8 +51,8 @@ int BPF_PROG(close_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD)*/
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -83,10 +83,6 @@ int BPF_PROG(close_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c

@@ -25,13 +25,13 @@ int BPF_PROG(connect_e, struct pt_regs *regs, long id) {
 	extract__network_args(args, 3, regs);
 
 	/* Parameter 1: fd (type: PT_FD)*/
-	int64_t socket_fd = (int64_t)(int32_t)args[0];
+	int32_t socket_fd = (int32_t)args[0];
-	auxmap__store_s64_param(auxmap, socket_fd);
+	auxmap__store_s64_param(auxmap, (int64_t)socket_fd);
 
 	/* Parameter 2: addr (type: PT_SOCKADDR)*/
-	unsigned long usrsockaddr = args[1];
+	unsigned long sockaddr_ptr = args[1];
-	uint16_t usrsockaddr_len = (uint16_t)args[2];
+	uint16_t addrlen = (uint16_t)args[2];
-	auxmap__store_sockaddr_param(auxmap, usrsockaddr, usrsockaddr_len);
+	auxmap__store_sockaddr_param(auxmap, sockaddr_ptr, addrlen);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -57,30 +57,25 @@ int BPF_PROG(connect_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	unsigned long args[3] = {0};
+	unsigned long socket_fd = 0;
-	extract__network_args(args, 3, regs);
+	extract__network_args(&socket_fd, 1, regs);
-	int64_t socket_fd = (int64_t)(int32_t)args[0];
 
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
-	struct sockaddr *usrsockaddr = (struct sockaddr *)args[1];
-
 	/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
+	/* We need a valid sockfd to extract source data.*/
 	if(ret == 0 || ret == -EINPROGRESS) {
-		/* Notice: the following will push an empty parameter if
+		auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, NULL);
-		 * something goes wrong (e.g.: fd not valid). */
-		auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, usrsockaddr);
 	} else {
 		auxmap__store_empty_param(auxmap);
 	}
 
 	/* Parameter 3: fd (type: PT_FD)*/
-	auxmap__store_s64_param(auxmap, socket_fd);
+	/* We need the double cast to extract the first 4 bytes and then
-
+	 * convert them to a signed integer on 64-bit
-	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	 */
-	uint16_t usrsockaddr_len = (uint16_t)args[2];
+	auxmap__store_s64_param(auxmap, (int64_t)(int32_t)socket_fd);
-	auxmap__store_sockaddr_param(auxmap, (unsigned long)usrsockaddr, usrsockaddr_len);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c

@@ -25,8 +25,8 @@ int BPF_PROG(copy_file_range_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fdin (type: PT_FD) */
-	int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fdin = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fdin);
+	ringbuf__store_s64(&ringbuf, (int64_t)fdin);
 
 	/* Parameter 2: offin (type: PT_UINT64) */
 	uint64_t offin = extract__syscall_argument(regs, 1);
@@ -62,25 +62,13 @@ int BPF_PROG(copy_file_range_x, struct pt_regs *regs, long ret) {
 	ringbuf__store_s64(&ringbuf, ret);
 
 	/* Parameter 2: fdout (type: PT_FD) */
-	int64_t fdout = (int64_t)(int32_t)extract__syscall_argument(regs, 2);
+	int32_t fdout = (int32_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_s64(&ringbuf, fdout);
+	ringbuf__store_s64(&ringbuf, (int64_t)fdout);
 
 	/* Parameter 3: offout (type: PT_UINT64) */
 	uint64_t offout = extract__syscall_argument(regs, 3);
 	ringbuf__store_u64(&ringbuf, offout);
 
-	/* Parameter 4: fdin (type: PT_FD) */
-	int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fdin);
-
-	/* Parameter 5: offin (type: PT_UINT64) */
-	uint64_t offin = extract__syscall_argument(regs, 1);
-	ringbuf__store_u64(&ringbuf, offin);
-
-	/* Parameter 6: len (type: PT_UINT64) */
-	uint64_t len = extract__syscall_argument(regs, 4);
-	ringbuf__store_u64(&ringbuf, len);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c

@@ -21,9 +21,9 @@ int BPF_PROG(dup_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: fd (type: PT_FD) */
+	/* Parameter 1: oldfd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -48,11 +48,11 @@ int BPF_PROG(dup_x, struct pt_regs *regs, long ret) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
+	ringbuf__store_s64(&ringbuf, ret);
 
 	/* Parameter 2: oldfd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c

@@ -21,9 +21,9 @@ int BPF_PROG(dup2_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: fd (type: PT_FD) */
+	/* Parameter 1: oldfd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -48,15 +48,15 @@ int BPF_PROG(dup2_x, struct pt_regs *regs, long ret) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
+	ringbuf__store_s64(&ringbuf, ret);
 
 	/* Parameter 2: oldfd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
 
 	/* Parameter 3: newfd (type: PT_FD) */
-	int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
+	int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, newfd);
+	ringbuf__store_s64(&ringbuf, (int64_t)newfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c

@@ -21,9 +21,9 @@ int BPF_PROG(dup3_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: fd (type: PT_FD) */
+	/* Parameter 1: oldfd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -48,15 +48,15 @@ int BPF_PROG(dup3_x, struct pt_regs *regs, long ret) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
+	ringbuf__store_s64(&ringbuf, ret);
 
 	/* Parameter 2: oldfd (type: PT_FD) */
-	int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, oldfd);
+	ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
 
 	/* Parameter 3: newfd (type: PT_FD) */
-	int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
+	int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, newfd);
+	ringbuf__store_s64(&ringbuf, (int64_t)newfd);
 
 	/* Parameter 4: flags (type: PT_FLAGS32) */
 	int32_t flags = extract__syscall_argument(regs, 2);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c

@@ -50,10 +50,6 @@ int BPF_PROG(epoll_create_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: size (type: PT_INT32) */
-	int32_t size = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s32(&ringbuf, size);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c

@@ -50,10 +50,6 @@ int BPF_PROG(epoll_create1_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: flags (type: PT_FLAGS32) */
-	int32_t flags = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u32(&ringbuf, epoll_create1_flags_to_scap(flags));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_wait.bpf.c

@@ -50,10 +50,6 @@ int BPF_PROG(epoll_wait_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: maxevents (type: PT_ERRNO) */
-	int maxevents = (int)extract__syscall_argument(regs, 2);
-	ringbuf__store_s64(&ringbuf, (int64_t)maxevents);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd.bpf.c

@@ -22,8 +22,8 @@ int BPF_PROG(eventfd_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: initval (type: PT_UINT64) */
-	uint64_t initval = (uint64_t)extract__syscall_argument(regs, 0);
+	uint32_t initval = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, initval);
+	ringbuf__store_u64(&ringbuf, (uint64_t)initval);
 
 	/* Parameter 2: flags (type: PT_UINT32) */
 	/* The syscall eventfd has no flags! only `eventfd2` has the `flags` param.
@@ -56,16 +56,6 @@ int BPF_PROG(eventfd_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_FD)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: initval (type: PT_UINT64) */
-	uint64_t initval = (uint64_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, initval);
-
-	/* Parameter 3: flags (type: PT_UINT32) */
-	/* The syscall eventfd has no flags! only `eventfd2` has the `flags` param.
-	 * For compatibility with the event definition here we send `0` as flags.
-	 */
-	ringbuf__store_u32(&ringbuf, 0);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd2.bpf.c

@@ -54,10 +54,6 @@ int BPF_PROG(eventfd2_x, struct pt_regs *regs, long ret) {
 	int32_t flags = (int32_t)extract__syscall_argument(regs, 1);
 	ringbuf__store_u16(&ringbuf, eventfd2_flags_to_scap(flags));
 
-	/* Parameter 3: initval (type: PT_UINT64) */
-	uint32_t initval = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, (uint64_t)initval);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c

@@ -198,9 +198,9 @@ int BPF_PROG(t1_execve_x, struct pt_regs *regs, long ret) {
 	uint32_t tty = exctract__tty(task);
 	auxmap__store_u32_param(auxmap, (uint32_t)tty);
 
-	/* Parameter 18: vpgid (type: PT_PID) */
+	/* Parameter 18: pgid (type: PT_PID) */
-	pid_t vpgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
+	pid_t pgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
-	auxmap__store_s64_param(auxmap, (int64_t)vpgid);
+	auxmap__store_s64_param(auxmap, (int64_t)pgid);
 
 	/* Parameter 19: loginuid (type: PT_UID) */
 	uint32_t loginuid;

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchdir.bpf.c

@@ -50,10 +50,6 @@ int BPF_PROG(fchdir_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/flock.bpf.c

@@ -22,8 +22,8 @@ int BPF_PROG(flock_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/* Parameter 2: operation (type: PT_FLAGS32) */
 	unsigned long operation = extract__syscall_argument(regs, 1);
@@ -54,14 +54,6 @@ int BPF_PROG(flock_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
-
-	/* Parameter 3: operation (type: PT_FLAGS32) */
-	unsigned long operation = extract__syscall_argument(regs, 1);
-	ringbuf__store_u32(&ringbuf, flock_flags_to_scap((int)operation));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fstat.bpf.c

@@ -50,10 +50,6 @@ int BPF_PROG(fstat_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/futex.bpf.c

@@ -58,18 +58,6 @@ int BPF_PROG(futex_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (int64_t)ret);
 
-	/* Parameter 2: addr (type: PT_UINT64) */
-	uint64_t addr = extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, addr);
-
-	/* Parameter 3: op (type: PT_ENUMFLAGS16) */
-	int32_t op = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_u16(&ringbuf, futex_op_to_scap((unsigned long)op));
-
-	/* Parameter 4: val (type: PT_UINT64) */
-	uint64_t val = extract__syscall_argument(regs, 2);
-	ringbuf__store_u64(&ringbuf, val);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents.bpf.c

@@ -22,8 +22,8 @@ int BPF_PROG(getdents_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD)*/
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -50,10 +50,6 @@ int BPF_PROG(getdents_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents64.bpf.c

@@ -22,8 +22,8 @@ int BPF_PROG(getdents64_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD)*/
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -50,10 +50,6 @@ int BPF_PROG(getdents64_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getrlimit.bpf.c

@@ -71,10 +71,6 @@ int BPF_PROG(getrlimit_x, struct pt_regs *regs, long ret) {
 		ringbuf__store_s64(&ringbuf, -1);
 	}
 
-	/* Parameter 4: resource (type: PT_ENUMFLAGS8) */
-	unsigned long resource = extract__syscall_argument(regs, 0);
-	ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init.bpf.c

@@ -53,11 +53,6 @@ int BPF_PROG(inotify_init_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_FD) */
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: flags (type: PT_UINT8) */
-	/* Send `0` to unify handling with inotify_init1. */
-	uint8_t flags = 0;
-	ringbuf__store_u8(&ringbuf, flags);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ioctl.bpf.c

@@ -58,18 +58,6 @@ int BPF_PROG(ioctl_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
-
-	/* Parameter 3: request (type: PT_UINT64) */
-	uint64_t request = extract__syscall_argument(regs, 1);
-	ringbuf__store_u64(&ringbuf, request);
-
-	/* Parameter 4: argument (type: PT_UINT64) */
-	uint64_t argument = extract__syscall_argument(regs, 2);
-	ringbuf__store_u64(&ringbuf, argument);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/kill.bpf.c

@@ -54,14 +54,6 @@ int BPF_PROG(kill_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: pid (type: PT_PID) */
-	pid_t pid = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)pid);
-
-	/* Parameter 3: sig (type: PT_SIGTYPE) */
-	uint8_t sig = (uint8_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_u8(&ringbuf, sig);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/llseek.bpf.c

@@ -58,20 +58,6 @@ int BPF_PROG(llseek_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (int64_t)ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
-
-	/* Parameter 3: offset (type: PT_UINT64) */
-	unsigned long oh = extract__syscall_argument(regs, 1);
-	unsigned long ol = extract__syscall_argument(regs, 2);
-	unsigned long offset = (oh << 32) + ol;
-	ringbuf__store_u64(&ringbuf, offset);
-
-	/* Parameter 4: whence (type: PT_ENUMFLAGS8) */
-	unsigned long whence = extract__syscall_argument(regs, 3);
-	ringbuf__store_u8(&ringbuf, lseek_whence_to_scap(whence));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/lseek.bpf.c

@@ -22,8 +22,8 @@ int BPF_PROG(lseek_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/* Parameter 2: offset (type: PT_UINT64) */
 	unsigned long offset = extract__syscall_argument(regs, 1);
@@ -56,18 +56,6 @@ int BPF_PROG(lseek_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (int64_t)ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
-
-	/* Parameter 3: offset (type: PT_UINT64) */
-	unsigned long offset = extract__syscall_argument(regs, 1);
-	ringbuf__store_u64(&ringbuf, offset);
-
-	/* Parameter 4: whence (type: PT_ENUMFLAGS8) */
-	unsigned long whence = extract__syscall_argument(regs, 2);
-	ringbuf__store_u8(&ringbuf, lseek_whence_to_scap(whence));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdir.bpf.c

@@ -55,10 +55,6 @@ int BPF_PROG(mkdir_x, struct pt_regs *regs, long ret) {
 	unsigned long path_pointer = extract__syscall_argument(regs, 0);
 	auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER);
 
-	/* Parameter 3: mode (type: PT_UINT32) */
-	uint32_t mode = (uint32_t)extract__syscall_argument(regs, 1);
-	auxmap__store_u32_param(auxmap, mode);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mmap.bpf.c

@@ -87,30 +87,6 @@ int BPF_PROG(mmap_x, struct pt_regs *regs, long ret) {
 	/* Parameter 4: vm_swap (type: PT_UINT32) */
 	ringbuf__store_u32(&ringbuf, swap_size);
 
-	/* Parameter 5: addr (type: PT_UINT64) */
-	unsigned long addr = extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, addr);
-
-	/* Parameter 6: length (type: PT_UINT64) */
-	unsigned long length = extract__syscall_argument(regs, 1);
-	ringbuf__store_u64(&ringbuf, length);
-
-	/* Parameter 7: prot (type: PT_FLAGS32) */
-	unsigned long prot = extract__syscall_argument(regs, 2);
-	ringbuf__store_u32(&ringbuf, prot_flags_to_scap(prot));
-
-	/* Parameter 8: flags (type: PT_FLAGS32) */
-	unsigned long flags = extract__syscall_argument(regs, 3);
-	ringbuf__store_u32(&ringbuf, mmap_flags_to_scap(flags));
-
-	/* Paremeter 9: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 4);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
-
-	/* Parameter 10: offset (type: PT_UINT64) */
-	unsigned long offset = extract__syscall_argument(regs, 5);
-	ringbuf__store_u64(&ringbuf, offset);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mmap2.bpf.c

@@ -87,30 +87,6 @@ int BPF_PROG(mmap2_x, struct pt_regs *regs, long ret) {
 	/* Parameter 4: vm_swap (type: PT_UINT32) */
 	ringbuf__store_u32(&ringbuf, swap_size);
 
-	/* Parameter 5: addr (type: PT_UINT64) */
-	unsigned long addr = extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, addr);
-
-	/* Parameter 6: length (type: PT_UINT64) */
-	unsigned long length = extract__syscall_argument(regs, 1);
-	ringbuf__store_u64(&ringbuf, length);
-
-	/* Parameter 7: prot (type: PT_FLAGS32) */
-	unsigned long prot = extract__syscall_argument(regs, 2);
-	ringbuf__store_u32(&ringbuf, prot_flags_to_scap(prot));
-
-	/* Parameter 8: flags (type: PT_FLAGS32) */
-	unsigned long flags = extract__syscall_argument(regs, 3);
-	ringbuf__store_u32(&ringbuf, mmap_flags_to_scap(flags));
-
-	/* Paremeter 9: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 4);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
-
-	/* Parameter 10: pgoffset (type: PT_UINT64) */
-	unsigned long offset = extract__syscall_argument(regs, 5);
-	ringbuf__store_u64(&ringbuf, offset);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mount.bpf.c

@@ -75,22 +75,6 @@ int BPF_PROG(mount_x, struct pt_regs *regs, long ret) {
 	unsigned long fstype_pointer = extract__syscall_argument(regs, 2);
 	auxmap__store_charbuf_param(auxmap, fstype_pointer, MAX_PARAM_SIZE, USER);
 
-	/* Parameter 5: flags (type: PT_FLAGS32) */
-	uint32_t flags = (uint32_t)extract__syscall_argument(regs, 3);
-
-	/* The `mountflags` argument may have the magic number 0xC0ED
-	 * (MS_MGC_VAL) in the top 16 bits. (All of the other flags
-	 * occupy the low order 16 bits of `mountflags`.)
-	 * Specifying MS_MGC_VAL was required in kernel
-	 * versions prior to 2.4, but since Linux 2.4 is no longer required
-	 * and is ignored if specified.
-	 */
-	/* Check the magic number 0xC0ED in the top 16 bits and ignore it if specified. */
-	if((flags & PPM_MS_MGC_MSK) == PPM_MS_MGC_VAL) {
-		flags &= ~PPM_MS_MGC_MSK;
-	}
-	auxmap__store_u32_param(auxmap, flags);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mprotect.bpf.c

@@ -58,18 +58,6 @@ int BPF_PROG(mprotect_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: addr (type: PT_UINT64) */
-	uint64_t addr = extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, addr);
-
-	/* Parameter 3: length (type: PT_UINT64) */
-	uint64_t length = extract__syscall_argument(regs, 1);
-	ringbuf__store_u64(&ringbuf, length);
-
-	/* Parameter 4: prot (type: PT_FLAGS32) */
-	uint32_t flags = extract__syscall_argument(regs, 2);
-	ringbuf__store_u32(&ringbuf, prot_flags_to_scap(flags));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/munmap.bpf.c

@@ -71,14 +71,6 @@ int BPF_PROG(munmap_x, struct pt_regs *regs, long ret) {
 	/* Parameter 4: vm_swap (type: PT_UINT32) */
 	ringbuf__store_u32(&ringbuf, swap_size);
 
-	/* Parameter 5: addr (type: PT_UINT64) */
-	unsigned long val = extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, val);
-
-	/* Parameter 6: length (type: PT_UINT64) */
-	val = extract__syscall_argument(regs, 1);
-	ringbuf__store_u64(&ringbuf, val);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/nanosleep.bpf.c

@@ -21,7 +21,7 @@ int BPF_PROG(nanosleep_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: interval (type: PT_RELTIME) */
+	/* Parameter 1: req (type: PT_RELTIME) */
 	uint64_t nanosec = 0;
 	unsigned long ts_pointer = extract__syscall_argument(regs, 0);
 	if(bpf_core_type_exists(struct __kernel_timespec)) {
@@ -60,20 +60,6 @@ int BPF_PROG(nanosleep_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: interval (type: PT_RELTIME) */
-	uint64_t nanosec = 0;
-	unsigned long ts_pointer = extract__syscall_argument(regs, 0);
-	if(bpf_core_type_exists(struct __kernel_timespec)) {
-		struct __kernel_timespec ts = {0};
-		bpf_probe_read_user(&ts, bpf_core_type_size(struct __kernel_timespec), (void *)ts_pointer);
-		nanosec = ((uint64_t)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
-	} else {
-		struct modern_bpf__kernel_timespec ts = {0};
-		bpf_probe_read_user(&ts, sizeof(ts), (void *)ts_pointer);
-		nanosec = ((uint64_t)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
-	}
-	ringbuf__store_u64(&ringbuf, nanosec);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/poll.bpf.c

@@ -70,11 +70,6 @@ int BPF_PROG(poll_x, struct pt_regs *regs, long ret) {
 	/* Parameter 2: fds (type: PT_FDLIST) */
 	auxmap__store_fdlist_param(auxmap, fds_pointer, nfds, RETURNED_EVENTS);
 
-	/* Parameter 3: timeout (type: PT_INT64) */
-	/* This is an `int` in the syscall signature but we push it as an `int64` */
-	uint32_t timeout_msecs = (int32_t)extract__syscall_argument(regs, 2);
-	auxmap__store_s64_param(auxmap, (int64_t)timeout_msecs);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ppoll.bpf.c

@@ -87,7 +87,7 @@ int BPF_PROG(ppoll_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_ERRNO) */
+	/* Parameter 1: ret (type: PT_FD) */
 	auxmap__store_s64_param(auxmap, ret);
 
 	/* Get the `fds_pointer` and the number of `fds` from the syscall arguments */
@@ -97,38 +97,6 @@ int BPF_PROG(ppoll_x, struct pt_regs *regs, long ret) {
 	/* Parameter 2: fds (type: PT_FDLIST) */
 	auxmap__store_fdlist_param(auxmap, fds_pointer, nfds, RETURNED_EVENTS);
 
-	/* Parameter 3: timeout (type: PT_RELTIME) */
-	uint64_t nanosec = 0;
-	unsigned long ts_pointer = extract__syscall_argument(regs, 2);
-	if(!bpf_in_ia32_syscall()) {
-		if(bpf_core_type_exists(struct __kernel_timespec)) {
-			struct __kernel_timespec ts = {0};
-			bpf_probe_read_user(&ts,
-			                    bpf_core_type_size(struct __kernel_timespec),
-			                    (void *)ts_pointer);
-			nanosec = ((uint64_t)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
-		} else {
-			struct modern_bpf__kernel_timespec ts = {0};
-			bpf_probe_read_user(&ts, sizeof(ts), (void *)ts_pointer);
-			nanosec = ((uint64_t)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
-		}
-	} else {
-		struct modern_bpf__kernel_timespec_ia32 ts = {0};
-		bpf_probe_read_user(&ts, sizeof(ts), (void *)ts_pointer);
-		nanosec = ((uint32_t)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
-	}
-	auxmap__store_u64_param(auxmap, nanosec);
-
-	/* Parameter 4: sigmask (type: PT_SIGSET) */
-	long unsigned int sigmask[1] = {0};
-	unsigned long sigmask_pointer = extract__syscall_argument(regs, 3);
-	if(bpf_probe_read_user(&sigmask, sizeof(sigmask), (void *)sigmask_pointer)) {
-		/* In case of invalid pointer, return 0 */
-		auxmap__store_u32_param(auxmap, (uint32_t)0);
-	} else {
-		auxmap__store_u32_param(auxmap, (uint32_t)sigmask[0]);
-	}
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/preadv.bpf.c

@@ -23,8 +23,8 @@ int BPF_PROG(preadv_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/* Parameter 2: pos (type: PT_UINT64) */
 	uint64_t pos = (uint64_t)extract__syscall_argument(regs, 3);
@@ -85,14 +85,6 @@ int BPF_PROG(preadv_x, struct pt_regs *regs, long ret) {
 		auxmap__store_empty_param(auxmap);
 	}
 
-	/* Parameter 4: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	auxmap__store_s64_param(auxmap, fd);
-
-	/* Parameter 5: pos (type: PT_UINT64) */
-	uint64_t pos = (uint64_t)extract__syscall_argument(regs, 3);
-	auxmap__store_u64_param(auxmap, pos);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ptrace.bpf.c

@@ -67,13 +67,6 @@ int BPF_PROG(ptrace_x, struct pt_regs *regs, long ret) {
 	uint64_t data_pointer = (uint64_t)extract__syscall_argument(regs, 3);
 	auxmap__store_ptrace_data_param(auxmap, ret, scap_ptrace_request, data_pointer);
 
-	/* Parameter 4: request (type: PT_FLAGS16) */
-	auxmap__store_u16_param(auxmap, scap_ptrace_request);
-
-	/* Parameter 5: pid (type: PT_PID) */
-	pid_t pid = (int32_t)extract__syscall_argument(regs, 1);
-	auxmap__store_s64_param(auxmap, (int64_t)pid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwritev.bpf.c

@@ -23,8 +23,8 @@ int BPF_PROG(pwritev_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	unsigned long iov_pointer = extract__syscall_argument(regs, 1);
 	unsigned long iov_cnt = extract__syscall_argument(regs, 2);
@@ -82,17 +82,6 @@ int BPF_PROG(pwritev_x, struct pt_regs *regs, long ret) {
 	/* Parameter 2: data (type: PT_BYTEBUF) */
 	auxmap__store_iovec_data_param(auxmap, iov_pointer, iov_cnt, snaplen);
 
-	/* Parameter 3: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	auxmap__store_s64_param(auxmap, fd);
-
-	/* Parameter 4: size (type: PT_UINT32) */
-	auxmap__store_iovec_size_param(auxmap, iov_pointer, iov_cnt);
-
-	/* Parameter 5: pos (type: PT_UINT64) */
-	uint64_t pos = (uint64_t)extract__syscall_argument(regs, 3);
-	auxmap__store_u64_param(auxmap, pos);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c

@@ -205,29 +205,6 @@ int BPF_PROG(quotactl_x, struct pt_regs *regs, long ret) {
 	}
 	auxmap__store_u8_param(auxmap, quota_fmt_out);
 
-	/* Parameter 15: cmd (type: PT_FLAGS16) */
-	auxmap__store_u16_param(auxmap, scap_cmd);
-
-	/* Parameter 16: type (type: PT_FLAGS8) */
-	auxmap__store_u8_param(auxmap, quotactl_type_to_scap(cmd));
-
-	/* Parameter 17: id (type: PT_UINT32) */
-	uint32_t id = (uint32_t)extract__syscall_argument(regs, 2);
-	if(scap_cmd != PPM_Q_GETQUOTA && scap_cmd != PPM_Q_SETQUOTA && scap_cmd != PPM_Q_XGETQUOTA &&
-	   scap_cmd != PPM_Q_XSETQLIM) {
-		/* In this case `id` don't represent a `userid` or a `groupid` */
-		auxmap__store_u32_param(auxmap, 0);
-	} else {
-		auxmap__store_u32_param(auxmap, id);
-	}
-
-	/* Parameter 18: quota_fmt (type: PT_FLAGS8) */
-	uint8_t quota_fmt = PPM_QFMT_NOT_USED;
-	if(scap_cmd == PPM_Q_QUOTAON) {
-		quota_fmt = quotactl_fmt_to_scap(id);
-	}
-	auxmap__store_u8_param(auxmap, quota_fmt);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/readv.bpf.c

@@ -23,8 +23,8 @@ int BPF_PROG(readv_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -81,10 +81,6 @@ int BPF_PROG(readv_x, struct pt_regs *regs, long ret) {
 		auxmap__store_empty_param(auxmap);
 	}
 
-	/* Parameter 4: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	auxmap__store_s64_param(auxmap, fd);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recv.bpf.c

@@ -29,8 +29,8 @@ int BPF_PROG(recv_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int32_t)args[0];
+	int32_t fd = (int32_t)args[0];
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/* Parameter 2: size (type: PT_UINT32) */
 	uint32_t size = (uint32_t)args[2];
@@ -61,15 +61,11 @@ int BPF_PROG(recv_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
-	/* Collect parameters at the beginning to manage socketcalls */
-	unsigned long args[5] = {0};
-	extract__network_args(args, 5, regs);
-
-	/* Parameter 2: data (type: PT_BYTEBUF) */
-	/* Send an empty parameter if the syscall failed (or the return value is zero): indeed, in this
-	 * case, the content of the buffer provided by the user remains untouched, and is not important.
-	 */
 	if(ret > 0) {
+		/* Collect parameters at the beginning to manage socketcalls */
+		unsigned long args[2] = {0};
+		extract__network_args(args, 2, regs);
+
 		dynamic_snaplen_args snaplen_args = {
 		        .only_port_range = false,
 		        .evt_type = PPME_SOCKET_RECV_X,
@@ -79,27 +75,12 @@ int BPF_PROG(recv_x, struct pt_regs *regs, long ret) {
 		if(snaplen > ret) {
 			snaplen = ret;
 		}
-		unsigned long received_data_pointer = args[1];
+
-		auxmap__store_bytebuf_param(auxmap, received_data_pointer, snaplen, USER);
+		/* Parameter 2: data (type: PT_BYTEBUF) */
-	} else {
+		unsigned long data_pointer = args[1];
-		auxmap__store_empty_param(auxmap);
+		auxmap__store_bytebuf_param(auxmap, data_pointer, snaplen, USER);
-	}
-
-	/* Parameter 3: fd (type: PT_FD) */
-	int64_t fd = (int32_t)args[0];
-	auxmap__store_s64_param(auxmap, fd);
-
-	/* Parameter 4: size (type: PT_UINT32) */
-	uint32_t size = (uint32_t)args[2];
-	auxmap__store_u32_param(auxmap, size);
-
-	/* Parameter 5: tuple (type: PT_SOCKTUPLE) */
-	if(ret >= 0) {
-		struct sockaddr *usrsockaddr = (struct sockaddr *)args[4];
-		/* Notice: the following will push an empty parameter if
-		 * something goes wrong (e.g.: fd not valid) */
-		auxmap__store_socktuple_param(auxmap, fd, INBOUND, NULL);
 	} else {
+		/* Parameter 2: data (type: PT_BYTEBUF) */
 		auxmap__store_empty_param(auxmap);
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvfrom.bpf.c

@@ -29,8 +29,8 @@ int BPF_PROG(recvfrom_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t socket_fd = (int32_t)args[0];
+	int32_t socket_fd = (int32_t)args[0];
-	ringbuf__store_s64(&ringbuf, socket_fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)socket_fd);
 
 	/* Parameter 2: size (type: PT_UINT32) */
 	uint32_t size = (uint32_t)args[2];
@@ -61,12 +61,6 @@ int BPF_PROG(recvfrom_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
-	/* Collect parameters at the beginning to manage socketcalls */
-	unsigned long args[5] = {0};
-	extract__network_args(args, 5, regs);
-
-	int64_t socket_fd = (int32_t)args[0];
-
 	if(ret >= 0) {
 		/* We read the minimum between `snaplen` and what we really
 		 * have in the buffer.
@@ -81,14 +75,17 @@ int BPF_PROG(recvfrom_x, struct pt_regs *regs, long ret) {
 			snaplen = ret;
 		}
 
+		/* Collect parameters at the beginning to manage socketcalls */
+		unsigned long args[5] = {0};
+		extract__network_args(args, 5, regs);
+
 		/* Parameter 2: data (type: PT_BYTEBUF) */
 		unsigned long received_data_pointer = args[1];
 		auxmap__store_bytebuf_param(auxmap, received_data_pointer, snaplen, USER);
 
 		/* Parameter 3: tuple (type: PT_SOCKTUPLE) */
+		uint32_t socket_fd = (uint32_t)args[0];
 		struct sockaddr *usrsockaddr = (struct sockaddr *)args[4];
-		/* Notice: the following will push an empty parameter if something goes wrong (e.g.: fd not
-		 * valid) */
 		auxmap__store_socktuple_param(auxmap, socket_fd, INBOUND, usrsockaddr);
 	} else {
 		/* Parameter 2: data (type: PT_BYTEBUF) */
@@ -98,13 +95,6 @@ int BPF_PROG(recvfrom_x, struct pt_regs *regs, long ret) {
 		auxmap__store_empty_param(auxmap);
 	}
 
-	/* Parameter 4: fd (type: PT_FD) */
-	auxmap__store_s64_param(auxmap, socket_fd);
-
-	/* Parameter 5: size (type: PT_UINT32) */
-	uint32_t size = (uint32_t)args[2];
-	auxmap__store_u32_param(auxmap, size);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmmsg.bpf.c

@@ -161,7 +161,7 @@ int BPF_PROG(recvmmsg_x, struct pt_regs *regs, long ret) {
 	        .args = args,
 	};
 
-	uint32_t nr_loops = ret < MAX_SENDMMSG_RECVMMSG_SIZE ? ret : MAX_SENDMMSG_RECVMMSG_SIZE;
+	uint32_t nr_loops = ret < 1024 ? ret : 1024;
 	bpf_loop(nr_loops, handle_exit, &data, 0);
 
 	return 0;

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmsg.bpf.c

@@ -16,8 +16,8 @@ int BPF_PROG(recvmsg_e, struct pt_regs *regs, long id) {
 	/* We need to keep this at the beginning of the program because otherwise we alter the state of
 	 * the ebpf registers causing a verifier issue.
 	 */
-	unsigned long fd = 0;
+	unsigned long socket_fd = 0;
-	extract__network_args(&fd, 1, regs);
+	extract__network_args(&socket_fd, 1, regs);
 
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf, RECVMSG_E_SIZE, PPME_SOCKET_RECVMSG_E)) {
@@ -29,7 +29,7 @@ int BPF_PROG(recvmsg_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)socket_fd);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -56,13 +56,6 @@ int BPF_PROG(recvmsg_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
-	/* Collect parameters at the beginning to manage socketcalls. */
-	unsigned long args[2] = {0};
-	extract__network_args(args, 2, regs);
-
-	/* Get file descriptor. */
-	int64_t fd = (int32_t)args[0];
-
 	if(ret >= 0) {
 		/* Parameter 2: size (type: PT_UINT32) */
 		auxmap__store_u32_param(auxmap, (uint32_t)ret);
@@ -80,13 +73,18 @@ int BPF_PROG(recvmsg_x, struct pt_regs *regs, long ret) {
 			snaplen = ret;
 		}
 
+		/* Collect parameters at the beginning to manage socketcalls */
+		unsigned long args[2] = {0};
+		extract__network_args(args, 2, regs);
+
 		/* Parameter 3: data (type: PT_BYTEBUF) */
 		unsigned long msghdr_pointer = args[1];
 		struct user_msghdr msghhdr =
 		        auxmap__store_msghdr_data_param(auxmap, msghdr_pointer, snaplen);
 
 		/* Parameter 4: tuple (type: PT_SOCKTUPLE) */
-		auxmap__store_socktuple_param(auxmap, (uint32_t)fd, INBOUND, msghhdr.msg_name);
+		uint32_t socket_fd = (uint32_t)args[0];
+		auxmap__store_socktuple_param(auxmap, socket_fd, INBOUND, msghhdr.msg_name);
 
 		/* Parameter 5: msg_control (type: PT_BYTEBUF) */
 		/* We are limited to UINT16_MAX bytes of control data due to the size parameter in
@@ -114,9 +112,6 @@ int BPF_PROG(recvmsg_x, struct pt_regs *regs, long ret) {
 		auxmap__store_empty_param(auxmap);
 	}
 
-	/* Parameter 6: fd (type: PT_FD) */
-	auxmap__store_s64_param(auxmap, fd);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/seccomp.bpf.c

@@ -21,11 +21,10 @@ int BPF_PROG(seccomp_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: op (type: PT_UINT64) */
+	/* Parameter 1: operation (type: PT_UINT64)*/
 	uint64_t operation = (uint64_t)extract__syscall_argument(regs, 0);
 	ringbuf__store_u64(&ringbuf, operation);
 
-	/* Parameter 2: flags (type: PT_UINT64) */
 	uint32_t flags = (uint32_t)extract__syscall_argument(regs, 1);
 	ringbuf__store_u64(&ringbuf, (uint64_t)flags);
 
@@ -54,14 +53,6 @@ int BPF_PROG(seccomp_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: op (type: PT_UINT64) */
-	uint64_t operation = (uint64_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u64(&ringbuf, operation);
-
-	/* Parameter 2: flags (type: PT_UINT64) */
-	uint32_t flags = (uint32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_u64(&ringbuf, (uint64_t)flags);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semctl.bpf.c

@@ -61,25 +61,6 @@ int BPF_PROG(semctl_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (int64_t)ret);
 
-	/* Parameter 2: semid (type: PT_INT32) */
-	int32_t semid = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s32(&ringbuf, semid);
-
-	/* Parameter 3: semnum (type: PT_INT32) */
-	int32_t semnum = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s32(&ringbuf, semnum);
-
-	/* Parameter 4: cmd (type: PT_FLAGS16) */
-	uint16_t cmd = (uint16_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_u16(&ringbuf, semctl_cmd_to_scap(cmd));
-
-	/* Parameter 5: val (type: PT_INT32) */
-	int32_t val = 0;
-	if(cmd == SETVAL) {
-		val = (int32_t)extract__syscall_argument(regs, 3);
-	}
-	ringbuf__store_s32(&ringbuf, val);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semget.bpf.c

@@ -54,18 +54,6 @@ int BPF_PROG(semget_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (int64_t)ret);
 
-	/* Parameter 2: key (type: PT_INT32) */
-	int32_t key = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s32(&ringbuf, key);
-
-	/* Parameter 3: nsems (type: PT_INT32) */
-	int32_t nsems = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s32(&ringbuf, nsems);
-
-	/* Parameter 4: semflg (type: PT_FLAGS32) */
-	uint32_t semflg = (uint32_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_u32(&ringbuf, semget_flags_to_scap(semflg));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semop.bpf.c

@@ -92,10 +92,6 @@ int BPF_PROG(semop_x, struct pt_regs *regs, long ret) {
 	/* Parameter 8: sem_flg_1 (type: PT_FLAGS16) */
 	ringbuf__store_u16(&ringbuf, semop_flags_to_scap(sops[1].sem_flg));
 
-	/* Parameter 9: semid (type: PT_INT32) */
-	int32_t semid = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s32(&ringbuf, semid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/send.bpf.c

@@ -29,8 +29,8 @@ int BPF_PROG(send_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int32_t)args[0];
+	int32_t fd = (int32_t)args[0];
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/* Parameter 2: size (type: PT_UINT32) */
 	uint32_t size = (uint32_t)args[2];
@@ -62,23 +62,16 @@ int BPF_PROG(send_x, struct pt_regs *regs, long ret) {
 	auxmap__store_s64_param(auxmap, ret);
 
 	/* Collect parameters at the beginning to manage socketcalls */
-	unsigned long args[5] = {0};
+	unsigned long args[3] = {0};
-	extract__network_args(args, 5, regs);
+	extract__network_args(args, 3, regs);
 
 	dynamic_snaplen_args snaplen_args = {
 	        .only_port_range = false,
 	        .evt_type = PPME_SOCKET_SEND_X,
 	};
+	int64_t bytes_to_read = ret > 0 ? ret : args[2];
 	uint16_t snaplen = maps__get_snaplen();
 	apply_dynamic_snaplen(regs, &snaplen, &snaplen_args);
-
-	/* Extract size syscall parameter */
-	uint32_t size = (uint32_t)args[2];
-
-	/* If the syscall doesn't fail we use the return value as `size`
-	 * otherwise we need to rely on the syscall parameter provided by the user */
-	int64_t bytes_to_read = ret > 0 ? ret : (int64_t)size;
-
 	if((int64_t)snaplen > bytes_to_read) {
 		snaplen = bytes_to_read;
 	}
@@ -87,23 +80,6 @@ int BPF_PROG(send_x, struct pt_regs *regs, long ret) {
 	unsigned long sent_data_pointer = args[1];
 	auxmap__store_bytebuf_param(auxmap, sent_data_pointer, snaplen, USER);
 
-	/* Parameter 3: fd (type: PT_FD) */
-	int64_t fd = (int32_t)args[0];
-	auxmap__store_s64_param(auxmap, fd);
-
-	/* Parameter 4: size (type: PT_UINT32) */
-	auxmap__store_u32_param(auxmap, size);
-
-	/* Parameter 5: tuple (type: PT_SOCKTUPLE) */
-	if(ret >= 0) {
-		struct sockaddr *usrsockaddr = (struct sockaddr *)args[4];
-		/* Notice: the following will push an empty parameter if
-		 * something goes wrong (e.g.: fd not valid) */
-		auxmap__store_socktuple_param(auxmap, fd, OUTBOUND, NULL);
-	} else {
-		auxmap__store_empty_param(auxmap);
-	}
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendfile.bpf.c

@@ -22,12 +22,12 @@ int BPF_PROG(sendfile_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: out_fd (type: PT_FD) */
-	int64_t out_fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t out_fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, out_fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)out_fd);
 
 	/* Parameter 2: in_fd (type: PT_FD) */
-	int64_t in_fd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
+	int32_t in_fd = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, in_fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)in_fd);
 
 	/* Parameter 3: offset (type: PT_UINT64) */
 	unsigned long offset = 0;
@@ -70,18 +70,6 @@ int BPF_PROG(sendfile_x, struct pt_regs *regs, long ret) {
 	bpf_probe_read_user((void *)&offset, sizeof(offset), (void *)offset_pointer);
 	ringbuf__store_u64(&ringbuf, offset);
 
-	/* Parameter 3: out_fd (type: PT_FD) */
-	int64_t out_fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, out_fd);
-
-	/* Parameter 4: in_fd (type: PT_FD) */
-	int64_t in_fd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, in_fd);
-
-	/* Parameter 5: size (type: PT_UINT64) */
-	uint64_t size = extract__syscall_argument(regs, 3);
-	ringbuf__store_u64(&ringbuf, size);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmmsg.bpf.c

@@ -147,7 +147,7 @@ int BPF_PROG(sendmmsg_x, struct pt_regs *regs, long ret) {
 	        .args = args,
 	};
 
-	uint32_t nr_loops = ret < MAX_SENDMMSG_RECVMMSG_SIZE ? ret : MAX_SENDMMSG_RECVMMSG_SIZE;
+	uint32_t nr_loops = ret < 1024 ? ret : 1024;
 	bpf_loop(nr_loops, handle_exit, &data, 0);
 
 	return 0;

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmsg.bpf.c

@@ -75,29 +75,10 @@ int BPF_PROG(sendmsg_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
-	/* Collect parameters at the beginning to manage socketcalls. */
+	/* Collect parameters at the beginning to manage socketcalls */
 	unsigned long args[2] = {0};
 	extract__network_args(args, 2, regs);
 
-	/* Extract socket fd and msghdr pointer syscall parameters. */
-	int64_t fd = (int32_t)args[0];
-	unsigned long msghdr_pointer = args[1];
-
-	/* Extract the content of msghdr and use it to derive the parameters. */
-	struct user_msghdr msghdr = {0};
-	if(unlikely(extract__msghdr(&msghdr, msghdr_pointer) < 0)) {
-		/* Parameter 2: data (type: PT_BYTEBUF) */
-		auxmap__store_empty_param(auxmap);
-
-		/* Parameter 3: fd (type: PT_FD) */
-		auxmap__store_s64_param(auxmap, fd);
-
-		/* Parameter 4: size (type: PT_UINT32) */
-		auxmap__store_empty_param(auxmap);
-
-		/* Parameter 5: tuple (type: PT_SOCKTUPLE) */
-		auxmap__store_empty_param(auxmap);
-	} else {
 	/* In case of failure `bytes_to_read` could be also lower than `snaplen`
 	 * but we will discover it directly into `auxmap__store_iovec_data_param`
 	 * otherwise we need to extract it now and it has a cost. Here we check just
@@ -113,33 +94,9 @@ int BPF_PROG(sendmsg_x, struct pt_regs *regs, long ret) {
 		snaplen = ret;
 	}
 
-		unsigned long iov_pointer = (unsigned long)msghdr.msg_iov;
-		uint32_t iov_cnt = msghdr.msg_iovlen;
-
 	/* Parameter 2: data (type: PT_BYTEBUF) */
-		auxmap__store_iovec_data_param(auxmap, (unsigned long)iov_pointer, iov_cnt, snaplen);
+	unsigned long msghdr_pointer = args[1];
-
+	auxmap__store_msghdr_data_param(auxmap, msghdr_pointer, snaplen);
-		/* Parameter 3: fd (type: PT_FD) */
-		auxmap__store_s64_param(auxmap, fd);
-
-		/* Parameter 4: size (type: PT_UINT32) */
-		/* Use the second part of our auxmap as a scratch space for the `extract__iovec_size` helper
-		 * to read the iovec structs in. */
-		void *scratch_space = (void *)&auxmap->data[MAX_PARAM_SIZE];
-		uint32_t scratch_space_size = SAFE_ACCESS(iov_cnt * bpf_core_type_size(struct iovec));
-		uint32_t size =
-		        extract__iovec_size(scratch_space, scratch_space_size, iov_pointer, iov_cnt);
-		auxmap__store_u32_param(auxmap, size);
-
-		/* Parameter 5: tuple (type: PT_SOCKTUPLE) */
-		if(ret >= 0) {
-			struct sockaddr *usrsockaddr = (struct sockaddr *)msghdr.msg_name;
-			/* Notice: the following will push an empty parameter if something goes wrong. */
-			auxmap__store_socktuple_param(auxmap, fd, OUTBOUND, usrsockaddr);
-		} else {
-			auxmap__store_empty_param(auxmap);
-		}
-	}
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendto.bpf.c

@@ -25,8 +25,8 @@ int BPF_PROG(sendto_e, struct pt_regs *regs, long id) {
 	extract__network_args(args, 5, regs);
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t socket_fd = (int32_t)args[0];
+	int32_t socket_fd = (int32_t)args[0];
-	auxmap__store_s64_param(auxmap, socket_fd);
+	auxmap__store_s64_param(auxmap, (int64_t)socket_fd);
 
 	/* Parameter 2: size (type: PT_UINT32) */
 	uint32_t size = (uint32_t)args[2];
@@ -36,13 +36,15 @@ int BPF_PROG(sendto_e, struct pt_regs *regs, long id) {
 	/* TODO: Here we don't know if this fd is a socket or not,
 	 * since we are in the enter event and the syscall could fail.
 	 * This shouldn't be a problem since if it is not a socket fd
-	 *   the `bpf_probe_read()` call will fail. Probably we have to move it
+	 * the `bpf_probe_read()` call we fail. Probably we have to move it
 	 * in the exit event.
 	 */
+	if(socket_fd >= 0) {
 		struct sockaddr *usrsockaddr = (struct sockaddr *)args[4];
-	/* Notice: the following will push an empty parameter if
-	 * something goes wrong (e.g.: fd not valid) */
 		auxmap__store_socktuple_param(auxmap, socket_fd, OUTBOUND, usrsockaddr);
+	} else {
+		auxmap__store_empty_param(auxmap);
+	}
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -72,23 +74,19 @@ int BPF_PROG(sendto_x, struct pt_regs *regs, long ret) {
 	auxmap__store_s64_param(auxmap, ret);
 
 	/* Collect parameters at the beginning to manage socketcalls */
-	unsigned long args[5] = {0};
+	unsigned long args[3] = {0};
-	extract__network_args(args, 5, regs);
+	extract__network_args(args, 3, regs);
 
+	/* If the syscall doesn't fail we use the return value as `size`
+	 * otherwise we need to rely on the syscall parameter provided by the user.
+	 */
 	dynamic_snaplen_args snaplen_args = {
 	        .only_port_range = false,
 	        .evt_type = PPME_SOCKET_SENDTO_X,
 	};
+	int64_t bytes_to_read = ret > 0 ? ret : args[2];
 	uint16_t snaplen = maps__get_snaplen();
 	apply_dynamic_snaplen(regs, &snaplen, &snaplen_args);
-
-	/* Extract size syscall parameter */
-	uint32_t size = (uint32_t)args[2];
-
-	/* If the syscall doesn't fail we use the return value as `size`
-	 * otherwise we need to rely on the syscall parameter provided by the user.  */
-	int64_t bytes_to_read = ret > 0 ? ret : (int64_t)size;
-
 	if((int64_t)snaplen > bytes_to_read) {
 		snaplen = bytes_to_read;
 	}
@@ -97,23 +95,6 @@ int BPF_PROG(sendto_x, struct pt_regs *regs, long ret) {
 	unsigned long sent_data_pointer = args[1];
 	auxmap__store_bytebuf_param(auxmap, sent_data_pointer, snaplen, USER);
 
-	/* Parameter 3: fd (type: PT_FD) */
-	int64_t socket_fd = (int32_t)args[0];
-	auxmap__store_s64_param(auxmap, socket_fd);
-
-	/* Parameter 4: size (type: PT_UINT32) */
-	auxmap__store_u32_param(auxmap, size);
-
-	/* Parameter 5: tuple (type: PT_SOCKTUPLE) */
-	if(ret >= 0) {
-		struct sockaddr *usrsockaddr = (struct sockaddr *)args[4];
-		/* Notice: the following will push an empty parameter if
-		 * something goes wrong (e.g.: fd not valid) */
-		auxmap__store_socktuple_param(auxmap, socket_fd, OUTBOUND, usrsockaddr);
-	} else {
-		auxmap__store_empty_param(auxmap);
-	}
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setgid.bpf.c

@@ -50,10 +50,6 @@ int BPF_PROG(setgid_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: gid (type: PT_GID) */
-	uint32_t gid = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u32(&ringbuf, gid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setns.bpf.c

@@ -54,14 +54,6 @@ int BPF_PROG(setns_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_FD)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
-
-	/* Parameter 3: nstype (type: PT_FLAGS32) */
-	unsigned long nstype = extract__syscall_argument(regs, 1);
-	ringbuf__store_u32(&ringbuf, clone_flags_to_scap((int)nstype));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setpgid.bpf.c

@@ -51,17 +51,9 @@ int BPF_PROG(setpgid_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_PID)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: pid (type: PT_FD) */
-	pid_t pid = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)pid);
-
-	/* Parameter 3: pgid (type: PT_PID) */
-	pid_t pgid = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, (int64_t)pgid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setresgid.bpf.c

@@ -58,18 +58,6 @@ int BPF_PROG(setresgid_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: rgid (type: PT_GID) */
-	gid_t rgid = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u32(&ringbuf, rgid);
-
-	/* Parameter 3: egid (type: PT_GID) */
-	gid_t egid = (uint32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_u32(&ringbuf, egid);
-
-	/* Parameter 4: sgid (type: PT_GID) */
-	gid_t sgid = (uint32_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_u32(&ringbuf, sgid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setresuid.bpf.c

@@ -58,18 +58,6 @@ int BPF_PROG(setresuid_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: ruid (type: PT_GID) */
-	uid_t ruid = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u32(&ringbuf, ruid);
-
-	/* Parameter 3: euid (type: PT_GID) */
-	uid_t euid = (uint32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_u32(&ringbuf, euid);
-
-	/* Parameter 4: suid (type: PT_GID) */
-	uid_t suid = (uint32_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_u32(&ringbuf, suid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setuid.bpf.c

@@ -50,10 +50,6 @@ int BPF_PROG(setuid_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: uid (type: PT_UID) */
-	uid_t uid = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u32(&ringbuf, uid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/shutdown.bpf.c

@@ -28,8 +28,8 @@ int BPF_PROG(shutdown_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int32_t)args[0];
+	int32_t fd = (int32_t)args[0];
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/* Parameter 2: how (type: PT_ENUMFLAGS8) */
 	int how = (int32_t)args[1];
@@ -48,12 +48,6 @@ int BPF_PROG(shutdown_e, struct pt_regs *regs, long id) {
 
 SEC("tp_btf/sys_exit")
 int BPF_PROG(shutdown_x, struct pt_regs *regs, long ret) {
-	/* We need to keep this at the beginning of the program because otherwise we alter the state of
-	 * the ebpf registers causing a verifier issue.
-	 */
-	unsigned long args[2] = {0};
-	extract__network_args(args, 2, regs);
-
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf, SHUTDOWN_X_SIZE, PPME_SOCKET_SHUTDOWN_X)) {
 		return 0;
@@ -66,14 +60,6 @@ int BPF_PROG(shutdown_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int64_t fd = (int32_t)args[0];
-	ringbuf__store_s64(&ringbuf, fd);
-
-	/* Parameter 3: how (type: PT_ENUMFLAGS8) */
-	int how = (int32_t)args[1];
-	ringbuf__store_u8(&ringbuf, (uint8_t)shutdown_how_to_scap(how));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/signalfd.bpf.c

@@ -22,8 +22,8 @@ int BPF_PROG(signalfd_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/* Parameter 2: mask (type: PT_UINT32) */
 	/* Right now we are not interested in the `sigmask`, we can populate it if we need */
@@ -60,20 +60,6 @@ int BPF_PROG(signalfd_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_FD)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
-
-	/* Parameter 3: mask (type: PT_UINT32) */
-	/* Right now we are not interested in the `sigmask`, we can populate it if we need */
-	ringbuf__store_u32(&ringbuf, 0);
-
-	/* Parameter 4: flags (type: PT_UINT8) */
-	/* The syscall `signalfd` has no flags! only `signalfd4` has the `flags` param.
-	 * For compatibility with the event definition here we send `0` as flags.
-	 */
-	ringbuf__store_u8(&ringbuf, 0);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/signalfd4.bpf.c

@@ -22,8 +22,8 @@ int BPF_PROG(signalfd4_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	/* Parameter 2: mask (type: PT_UINT32) */
 	/* Right now we are not interested in the `sigmask`, we can populate it if we need */
@@ -52,20 +52,12 @@ int BPF_PROG(signalfd4_x, struct pt_regs *regs, long ret) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: res (type: PT_FD)*/
-	ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
+	ringbuf__store_s64(&ringbuf, ret);
 
 	/* Parameter 2: flags (type: PT_FLAGS16) */
 	int32_t flags = (int32_t)extract__syscall_argument(regs, 3);
 	ringbuf__store_u16(&ringbuf, signalfd4_flags_to_scap(flags));
 
-	/* Parameter 3: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
-
-	/* Parameter 4: mask (type: PT_UINT32) */
-	/* Right now we are not interested in the `sigmask`, we can populate it if we need */
-	ringbuf__store_u32(&ringbuf, 0);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c

@@ -76,7 +76,7 @@ int BPF_PROG(socket_x, struct pt_regs *regs, long ret) {
 	/* Just called once by our scap process */
 	if(ret >= 0 && maps__get_socket_file_ops() == NULL) {
 		struct task_struct *task = get_current_task();
-		/* Please note that in `settings.scap_tid` scap will put its virtual tid
+		/* Please note that in `g_settings.scap_tid` scap will put its virtual tid
 		 * if it is running inside a container. If we want to extract the same information
 		 * in the kernel we need to extract the virtual tid of the task.
 		 */

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socketpair.bpf.c

@@ -28,17 +28,17 @@ int BPF_PROG(socketpair_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: domain (type: PT_ENUMFLAGS32) */
-	/* Why to send 32 bits if we need only 8 bits? */
+	/* why to send 32 bits if we need only 8 bits? */
 	uint8_t domain = (uint8_t)args[0];
 	ringbuf__store_u32(&ringbuf, (uint32_t)socket_family_to_scap(domain));
 
 	/* Parameter 2: type (type: PT_UINT32) */
-	/* This should be an int, not an uint32. */
+	/* this should be an int, not a uint32 */
 	uint32_t type = (uint32_t)args[1];
 	ringbuf__store_u32(&ringbuf, type);
 
 	/* Parameter 3: proto (type: PT_UINT32) */
-	/* This should be an int, not an uint32. */
+	/* this should be an int, not a uint32 */
 	uint32_t proto = (uint32_t)args[2];
 	ringbuf__store_u32(&ringbuf, proto);
 
@@ -55,12 +55,6 @@ int BPF_PROG(socketpair_e, struct pt_regs *regs, long id) {
 
 SEC("tp_btf/sys_exit")
 int BPF_PROG(socketpair_x, struct pt_regs *regs, long ret) {
-	/* We need to keep this at the beginning of the program because otherwise we alter the state of
-	 * the ebpf registers causing a verifier issue.
-	 */
-	unsigned long args[4] = {0};
-	extract__network_args(args, 4, regs);
-
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf, SOCKETPAIR_X_SIZE, PPME_SOCKET_SOCKETPAIR_X)) {
 		return 0;
@@ -74,13 +68,18 @@ int BPF_PROG(socketpair_x, struct pt_regs *regs, long ret) {
 	ringbuf__store_s64(&ringbuf, ret);
 
 	int32_t fds[2] = {-1, -1};
-	uint64_t source = 0;
+	unsigned long source = 0;
-	uint64_t peer = 0;
+	unsigned long peer = 0;
+	unsigned long fds_pointer = 0;
 
 	/* In case of success we have 0. */
 	if(ret == 0) {
+		/* Collect parameters at the beginning to manage socketcalls */
+		unsigned long args[4] = {0};
+		extract__network_args(args, 4, regs);
+
 		/* Get new sockets. */
-		void *fds_pointer = (void *)args[3];
+		fds_pointer = args[3];
 		bpf_probe_read_user((void *)fds, 2 * sizeof(int32_t), (void *)fds_pointer);
 
 		/* Get source and peer. */
@@ -105,21 +104,6 @@ int BPF_PROG(socketpair_x, struct pt_regs *regs, long ret) {
 	/* Parameter 5: peer (type: PT_UINT64) */
 	ringbuf__store_u64(&ringbuf, peer);
 
-	/* Parameter 6: domain (type: PT_ENUMFLAGS32) */
-	/* Why to send 32 bits if we need only 8 bits? */
-	uint8_t domain = (uint8_t)args[0];
-	ringbuf__store_u32(&ringbuf, (uint32_t)socket_family_to_scap(domain));
-
-	/* Parameter 7: type (type: PT_UINT32) */
-	/* This should be an int, not an uint32. */
-	uint32_t type = (uint32_t)args[1];
-	ringbuf__store_u32(&ringbuf, type);
-
-	/* Parameter 8: proto (type: PT_UINT32) */
-	/* This should be an int, not an uint32. */
-	uint32_t proto = (uint32_t)args[2];
-	ringbuf__store_u32(&ringbuf, proto);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/splice.bpf.c

@@ -22,12 +22,12 @@ int BPF_PROG(splice_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd_in (type: PT_FD) */
-	int64_t fd_in = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd_in = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd_in);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd_in);
 
 	/* Parameter 2: fd_out (type: PT_FD) */
-	int64_t fd_out = (int64_t)(int32_t)extract__syscall_argument(regs, 2);
+	int32_t fd_out = (int32_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_s64(&ringbuf, fd_out);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd_out);
 
 	/* Parameter 3: size (type: PT_UINT64) */
 	uint64_t size = extract__syscall_argument(regs, 4);
@@ -62,22 +62,6 @@ int BPF_PROG(splice_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (int64_t)ret);
 
-	/* Parameter 2: fd_in (type: PT_FD) */
-	int64_t fd_in = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd_in);
-
-	/* Parameter 3: fd_out (type: PT_FD) */
-	int64_t fd_out = (int64_t)(int32_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_s64(&ringbuf, fd_out);
-
-	/* Parameter 4: size (type: PT_UINT64) */
-	uint64_t size = extract__syscall_argument(regs, 4);
-	ringbuf__store_u64(&ringbuf, size);
-
-	/* Parameter 5: flags (type: PT_FLAGS32) */
-	uint32_t flags = extract__syscall_argument(regs, 5);
-	ringbuf__store_u32(&ringbuf, splice_flags_to_scap(flags));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/tgkill.bpf.c

@@ -57,18 +57,6 @@ int BPF_PROG(tgkill_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: pid (type: PT_PID) */
-	pid_t pid = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)pid);
-
-	/* Parameter 3: tid (type: PT_PID) */
-	pid_t tid = (int32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_s64(&ringbuf, (int64_t)tid);
-
-	/* Parameter 4: sig (type: PT_SIGTYPE) */
-	uint8_t sig = (uint8_t)extract__syscall_argument(regs, 2);
-	ringbuf__store_u8(&ringbuf, sig);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/timerfd_create.bpf.c

@@ -54,14 +54,6 @@ int BPF_PROG(timerfd_create_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_FD)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: clockid (type: PT_UINT8) */
-	/* Like in the old probe we send `0` */
-	ringbuf__store_u8(&ringbuf, 0);
-
-	/* Parameter 3: flags (type: PT_UINT8) */
-	/* Like in the old probe we send `0` */
-	ringbuf__store_u8(&ringbuf, 0);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/tkill.bpf.c

@@ -53,14 +53,6 @@ int BPF_PROG(tkill_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: tid (type: PT_PID) */
-	pid_t tid = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)tid);
-
-	/* Parameter 3: sig (type: PT_SIGTYPE) */
-	uint8_t sig = (uint8_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_u8(&ringbuf, sig);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c

@@ -55,10 +55,6 @@ int BPF_PROG(umount2_x, struct pt_regs *regs, long ret) {
 	unsigned long target_pointer = extract__syscall_argument(regs, 0);
 	auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PATH, USER);
 
-	/* Parameter 3: flags (type: PT_FLAGS32) */
-	int flags = (int)extract__syscall_argument(regs, 1);
-	auxmap__store_u32_param(auxmap, umount2_flags_to_scap(flags));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/unshare.bpf.c

@@ -50,10 +50,6 @@ int BPF_PROG(unshare_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: flags (type: PT_FLAGS32) */
-	unsigned long flags = extract__syscall_argument(regs, 0);
-	ringbuf__store_u32(&ringbuf, clone_flags_to_scap((int)flags));
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/writev.bpf.c

@@ -23,8 +23,8 @@ int BPF_PROG(writev_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, fd);
+	ringbuf__store_s64(&ringbuf, (int64_t)fd);
 
 	unsigned long iov_pointer = extract__syscall_argument(regs, 1);
 	unsigned long iov_cnt = extract__syscall_argument(regs, 2);
@@ -78,13 +78,6 @@ int BPF_PROG(writev_x, struct pt_regs *regs, long ret) {
 	/* Parameter 2: data (type: PT_BYTEBUF) */
 	auxmap__store_iovec_data_param(auxmap, iov_pointer, iov_cnt, snaplen);
 
-	/* Parameter 3: fd (type: PT_FD) */
-	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
-	auxmap__store_s64_param(auxmap, fd);
-
-	/* Parameter 4: size (type: PT_UINT32) */
-	auxmap__store_iovec_size_param(auxmap, iov_pointer, iov_cnt);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);