Andrea Terzolo

Results 570 comments of Andrea Terzolo

Obviously not in this PR, but we can start thinking about also adding the modern probe to these tests. I've quickly checked the syscalls required and they seem to be...

we need to remember to rebase before merging this kind of PR :rofl:

Thanks to @incertum's fixes I've also added 2 tests for the `execve` and `execveat` success cases to avoid future issues like the one reported here https://github.com/falcosecurity/libs/pull/633

@hbrueckner could you try the last commit? I've seen strange behaviors... on kernel 5.4 clone child exit events are not generated while on recent kernels they seem to be generated...

@hbrueckner yeah, there is something strange: the child event is here but the arguments are not :thinking:

```
------------------ EVENT: 335 TID:39942
```

> Hi @Andreagit97
>
> > ```
> > bpf_test-82749 [000] d.... 1539123.252912: bpf_trace_printk: start: 3fffd9fa572 end: 3fffd9fa5b6 len=68
> > bpf_test-82749 [000] d.... 1539123.252915: bpf_trace_printk: exe_len=27
> > bpf_test-82750...

hey @hbrueckner the problem is even worse, the `kmod` is not able to catch the clone child event while the modern bpf probe is, but the tracepoint is exactly the...

> Hi @Andreagit97
>
> > hey @hbrueckner the problem is even worse, the `kmod` is not able to catch the clone child event while the modern bpf probe is,...

the good news is that this PR should be the last one to have a fully working implementation of the modern bpf probe :partying_face:

Tested on all three architectures (x86, aarch64, s390x) and it should work!