new(driver): update exit events PPME_SYSCALL_SETUID_X with enter params

[terror96]

This update is part of the proposal for disabling support for syscall enter events. It implements the following steps:

1. Add enter parameters to the exit event.
2. Adapt sinsp state to work just with exit events.
3. Create a scap-file conversion (in a dedicated scap-file converter) to convert ENTER events into merged EXIT ones.
4. Add some tests replaying scap-files.

for the setuid syscall.

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

This PR is part of #2068.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[poiana]

Welcome @terror96! It looks like this is your first PR to falcosecurity/libs 🎉

[terror96]

/cc @leogr @ekoops

[github-actions]

Perf diff from master - unit tests

    34.78%     -4.77%  [.] sinsp_thread_manager::create_thread_dependencies
     4.97%     +1.01%  [.] sinsp_evt::get_type
     5.33%     +0.90%  [.] sinsp_parser::reset
     1.65%     +0.38%  [.] can_query_os_for_thread_info
     0.43%     +0.33%  [.] sinsp_evt::get_direction
     0.50%     -0.30%  [.] scap_next
     1.10%     +0.29%  [.] scap_event_decode_params
     2.60%     -0.28%  [.] sinsp_evt::load_params
     1.22%     +0.21%  [.] user_group_updater::~user_group_updater
     0.25%     +0.21%  [.] sinsp_evt::is_filtered_out

Heap diff from master - unit tests

peak heap memory consumption: -1.52K
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: -146B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            +0.0290         +0.0290           147           152           147           152
BM_sinsp_split_median                                          +0.0297         +0.0296           147           152           147           152
BM_sinsp_split_stddev                                          +0.0520         +0.0493             1             1             1             1
BM_sinsp_split_cv                                              +0.0224         +0.0198             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  +0.0866         +0.0865            62            68            62            68
BM_sinsp_concatenate_paths_relative_path_median                +0.0890         +0.0889            63            68            63            68
BM_sinsp_concatenate_paths_relative_path_stddev                -0.0103         -0.0106             1             1             1             1
BM_sinsp_concatenate_paths_relative_path_cv                    -0.0891         -0.0894             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     -0.0155         -0.0155            24            24            24            24
BM_sinsp_concatenate_paths_empty_path_median                   -0.0137         -0.0138            24            24            24            24
BM_sinsp_concatenate_paths_empty_path_stddev                   -0.7190         -0.7136             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       -0.7146         -0.7091             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.0576         -0.0577            65            61            65            61
BM_sinsp_concatenate_paths_absolute_path_median                -0.0577         -0.0578            65            61            65            61
BM_sinsp_concatenate_paths_absolute_path_stddev                +0.2300         +0.2320             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_cv                    +0.3052         +0.3075             0             0             0             0

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.28%. Comparing base (41f053c) to head (84c49ee).
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2414      +/-   ##
==========================================
+ Coverage   77.27%   77.28%   +0.01%     
==========================================
  Files         227      227              
  Lines       30343    30357      +14     
  Branches     4642     4642              
==========================================
+ Hits        23448    23462      +14     
  Misses       6895     6895              

Flag	Coverage Δ
libsinsp	77.28% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ekoops]

Hi @terror96 , thank you for the contribution! It seems that there is one test to fix for all drivers: /test/e2e/tests/test_event_generator/test_non_sudo_setuid.py::test_non_sudo_setuid. At first glance, it looks like these tests correctly receive enter events but not exit events (as you can see, the evt.dir of those ones is <)

[ekoops]

I guess here we should check that the event has the "new format", this means checking that the number of parameter is greater than 1, before accessing the uid:

Suggested change

	if(retval == 0) {
	if(retval == 0 && evt.get_num_params() > 1) {

[terror96]

Hi @terror96 , thank you for the contribution! It seems that there is one test to fix for all drivers: /test/e2e/tests/test_event_generator/test_non_sudo_setuid.py::test_non_sudo_setuid. At first glance, it looks like these tests correctly receive enter events but not exit events (as you can see, the evt.dir of those ones is <)

Yes. Thanks for the pointer, we will look into it.

This is the part of testing which is not completely clear for me. According to other tests, e.g. the drivers are emitting the events correctly and I would assume if libscap and libsinsp unit tests all pass that the new events are also handled correctly in the user space. However, the python test program does not seem to receive the new entry events. Do you have any further suggestions where to start looking for the reason why sinsp.py does not see the new exit events? Is there something that needs to also be modified in the e2e test code to handle the new exit event format correctly?

EDIT: or is it just that the filter's "evt.args" field for '<' events is expecting still only a single parameter?

[terror96]

...and we will also fix those "format code" issues.

[FedeDP]

EDIT: or is it just that the filter's "evt.args" field for '<' events is expecting still only a single parameter?

Most probably that's it! You can see a similar fix in b15675b

[FedeDP]

Btw thanks for opening this PR, great job!
/milestone 0.22.0

[ekoops]

Actually, the schema version should become 3.7.0 😄

[ekoops]

...and we will also fix those "format code" issues.

To make your life easier for this and any feature contribution, you can configure git hooks in your local clone of the repo, using the pre-commit framework, as detailed here: https://github.com/falcosecurity/libs/blob/master/Contributing.md#enforce-the-style-locally

[FedeDP]

Great job! I will trigger our kernel test matrix workflow against this branch to check if we broke any verifier :)

https://github.com/falcosecurity/libs/actions/runs/15158621269
EDIT: will paste here the results once the CI finishes

[terror96]

Great job! I will trigger our kernel test matrix workflow against this branch to check if we broke any verifier :)

https://github.com/falcosecurity/libs/actions/runs/15158621269 EDIT: will paste here the results once the CI finishes

Thank you and thanks for all the help and pointers.

[FedeDP]

ARM64:

KERNEL	CMAKE-CONFIGURE	KMOD BUILD	KMOD SCAP-OPEN	BPF-PROBE BUILD	BPF-PROBE SCAP-OPEN	MODERN-BPF SCAP-OPEN
amazonlinux2-5.4	🟢	🟢	🟢	🟢	🟢	🟡
amazonlinux2022-5.15	🟢	🟢	🟢	🟢	🟢	🟢
fedora-6.2	🟢	🟢	🟢	🟢	🟢	🟢
oraclelinux-4.14	🟢	🟢	🟢	🟡	🟡	🟡
oraclelinux-5.15	🟢	🟢	🟢	🟢	🟢	🟢
ubuntu-6.5	🟢	🟢	🟢	🟢	🟢	🟢

AMD64:

KERNEL	CMAKE-CONFIGURE	KMOD BUILD	KMOD SCAP-OPEN	BPF-PROBE BUILD	BPF-PROBE SCAP-OPEN	MODERN-BPF SCAP-OPEN
amazonlinux2-4.19	🟢	🟢	🟢	🟢	🟢	🟡
amazonlinux2-5.10	🟢	🟢	🟢	🟢	🟢	🟢
amazonlinux2-5.15	🟢	🟢	🟢	🟢	🟢	🟢
amazonlinux2-5.4	🟢	🟢	🟢	🟢	🟢	🟡
amazonlinux2022-5.15	🟢	🟢	🟢	🟢	🟢	🟢
amazonlinux2023-6.1	🟢	🟢	🟢	🟢	🟢	🟢
archlinux-6.0	🟢	🟢	🟢	🟢	🟢	🟢
archlinux-6.7	🟢	🟢	🟢	🟢	🟢	🟢
centos-3.10	🟢	🟢	🟢	🟡	🟡	🟡
centos-4.18	🟢	🟢	🟢	🟢	🟢	🟢
centos-5.14	🟢	🟢	🟢	🟢	🟢	🟢
fedora-5.17	🟢	🟢	🟢	🟢	🟢	🟢
fedora-5.8	🟢	🟢	🟢	🟢	🟢	🟢
fedora-6.2	🟢	🟢	🟢	🟢	🟢	🟢
oraclelinux-3.10	🟢	🟢	🟢	🟡	🟡	🟡
oraclelinux-4.14	🟢	🟢	🟢	🟢	🟢	🟡
oraclelinux-5.15	🟢	🟢	🟢	🟢	🟢	🟢
oraclelinux-5.4	🟢	🟢	🟢	🟢	🟢	🟡
ubuntu-4.15	🟢	🟢	🟢	🟢	🟢	🟡
ubuntu-5.8	🟢	🟢	🟢	🟢	🟢	🟡
ubuntu-6.5	🟢	🟢	🟢	🟢	🟢	🟢

No new issues!

[FedeDP]

LGTM
/approve

[poiana]

LGTM label has been added.

Details

Git tree hash: f08e4f1aaf204b509392dc7c705a96d4cbbbcaaf

[ekoops]

/lgtm
Great job!

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops, FedeDP, terror96

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [FedeDP]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment