libs [FEATURE] Address last inconsistencies in our syscalls

Motivation

Today an event pair could be associated with more than one syscall/ppm_sc ! This is a wrong behavior because any syscall should have its dedicated event pair in order to correctly manage all its params (pipe2/pipe and inotify_init/inotify_init1 are an example of possible issues that this approach could generate https://github.com/falcosecurity/libs/issues/515).

This is the list of syscalls that use an event pair already associated with another syscall:

-> means: "uses an event pair already associated with"

[ ] __NR_ugetrlimit -> __NR_getrlimit
[ ] __NR_fcntl64 -> __NR_fcntl
[ ] __NR_sendfile64 -> __NR_sendfile
[ ] __NR_setresuid32 -> __NR_setresuid
[ ] __NR_setresgid32 -> __NR_setresgid
[ ] __NR_setuid32 -> __NR_setuid
[ ] __NR_setgid32 -> __NR_setgid
[ ] __NR_getuid32 -> __NR_getuid
[ ] __NR_geteuid32 -> __NR_geteuid
[ ] __NR_getgid32 -> __NR_getgid
[ ] __NR_getegid32 -> __NR_getegid
[ ] __NR_getresuid32 -> __NR_getresuid
[ ] __NR_getresgid32 -> __NR_getresgid

Extracted from: #911

Due to this inconsistency, we didn't implement them yet into the modern bpf probe! More in detail these are the syscalls that still miss a filler into the modern bpf:

[ ] fcntl64
[ ] stat64
[ ] fstat64
[ ] sendfile64
[ ] setresuid32
[ ] setresgid32
[ ] setuid32
[ ] setgid32
[ ] getuid32
[ ] geteuid32
[ ] getgid32
[ ] getegid32
[ ] getresuid32
[ ] getresgid32

Extracted from: #723

As you can notice the 2 sets are almost identical so the idea here is to create a new dedicated event pair for each syscall and add it into the modern bpf probe

Please note: These syscalls should be never compiled unless you have the following kernel config enabled: CONFIG_64BIT.

Mar 25 '23 13:03 Andreagit97

I've used milestone /next-driver but we will probably focus on that in the next release

Mar 25 '23 13:03 Andreagit97

/milestone next-driver

Apr 27 '23 09:04 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Dec 03 '23 09:12 poiana

/remove-lifecycle stale

Dec 04 '23 10:12 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Mar 03 '24 15:03 poiana

/remove-lifecycle stale

Mar 05 '24 10:03 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Jun 03 '24 15:06 poiana

/remove-lifecycle stale

Jun 04 '24 07:06 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Sep 02 '24 10:09 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

Oct 02 '24 10:10 poiana

/remove-lifecycle rotten

Oct 02 '24 12:10 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Dec 31 '24 16:12 poiana

/remove-lifecycle stale

Jan 02 '25 09:01 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Apr 13 '25 16:04 poiana

/remove-lifecycle stale

Apr 14 '25 07:04 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Jul 13 '25 10:07 poiana

/remove-lifecycle stale

Jul 21 '25 07:07 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Oct 19 '25 10:10 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

Nov 18 '25 10:11 poiana

libs libs copied to clipboard

[FEATURE] Address last inconsistencies in our syscalls

libs
libs copied to clipboard