From a9408abb6b5120b70245cf15e5f8e6c9994e6e00 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 1 Mar 2023 17:40:27 +0100 Subject: [PATCH 1/5] fix: solve some inconsistencies with `PPM_SC_UMOUNT` and `PPM_SC_LSTAT64` before this commit these two syscalls were considered "generic" but they had an associate event in the event table. Now these two syscalls use specific events and are no more generic. Please note that we need to craft new events for `PPM_SC_UMOUNT` and `PPM_SC_UMOUNT2` since `PPM_SC_UMOUNT` cannot use `PPME_SYSCALL_UMOUNT_E`, this is just a tmp patch. Signed-off-by: Andrea Terzolo --- driver/event_table.c | 4 ++-- driver/syscall_table.c | 24 +++++++++---------- .../libscap/examples/01-open/scap_open.c | 1 + .../libsinsp/events/sinsp_events_ppm_sc.cpp | 3 ++- .../public_sinsp_API/interesting_syscalls.cpp | 4 ++++ 5 files changed, 21 insertions(+), 15 deletions(-) diff --git a/driver/event_table.c b/driver/event_table.c index d6ca6ae94b..5b94b4b33a 100644 --- a/driver/event_table.c +++ b/driver/event_table.c 
@@ -270,7 +270,7 @@ const struct ppm_event_info g_event_info[] = {
  [PPME_SYSCALL_PPOLL_X] = {"ppoll", EC_WAIT | EC_SYSCALL, EF_WAITS, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } },
  [PPME_SYSCALL_MOUNT_E] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, mount_flags} } },
  [PPME_SYSCALL_MOUNT_X] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dev", PT_CHARBUF, PF_NA}, {"dir", PT_FSPATH, PF_NA}, {"type", PT_CHARBUF, PF_NA} } },
- [PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } },
+ [PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } }, // we need to create separate events for umount and umount2, umount doesn't have the flag parameter!!
  [PPME_SYSCALL_UMOUNT_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
  [PPME_K8S_E] = {"k8s", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } },
  [PPME_K8S_X] = {"NA3", EC_UNKNOWN, EF_UNUSED, 0},
@@ -416,4 +416,4 @@ const struct ppm_event_info g_event_info[] = {
 // Make sure to be on gcc or that the c standard is >= c11
 #if defined __GNUC__ || __STDC_VERSION__ >= 201112L
 _Static_assert(sizeof(g_event_info) / sizeof(*g_event_info) == PPM_EVENT_MAX, "Missing event entries in event table.");
-#endif
\ No newline at end of file
+#endif
diff --git a/driver/syscall_table.c b/driver/syscall_table.c
index 52b7040e14..c0509d745b 100644
--- a/driver/syscall_table.c
+++ b/driver/syscall_table.c
@@ -420,6 +420,12 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_epoll_create1
  [__NR_epoll_create1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE1_E, PPME_SYSCALL_EPOLL_CREATE1_X, PPM_SC_EPOLL_CREATE1},
+#endif
+#ifdef __NR_lstat64
+ [__NR_lstat64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LSTAT64_E, PPME_SYSCALL_LSTAT64_X, PPM_SC_LSTAT64},
+#endif
+#ifdef __NR_umount
+ [__NR_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT},
 #endif
  [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
  [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
@@ -636,9 +642,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_ipc
  [__NR_ipc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IPC},
 #endif
-#ifdef __NR_lstat64
- [__NR_lstat64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LSTAT64},
-#endif
 #ifdef __NR__newselect
  [__NR__newselect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC__NEWSELECT},
 #endif
@@ -654,9 +657,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_olduname
  [__NR_olduname - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OLDUNAME},
 #endif
-#ifdef __NR_umount
- [__NR_umount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UMOUNT},
-#endif
 #ifdef __NR_signal
  [__NR_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGNAL},
 #endif
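Review bot: The new `[__NR_umount - SYSCALL_TABLE_ID0]` entry in the hunk at -420 routes the one-argument `umount` syscall to `PPME_SYSCALL_UMOUNT_E`, whose enter schema in `event_table.c` declares a `flags` parameter that this syscall does not have. Until a dedicated event pair exists, the `flags` value recorded for `umount` is presumably unrelated to the call, so detections that match on umount flags should not rely on it for this syscall. The only warning sits in `event_table.c`; I would repeat it next to the table entry, e.g. `/* TODO: temporary mapping, umount has no flags argument and needs its own event pair */`. The same applies to the `__NR_ia32_umount` entry added in the `g_syscall_ia32_table` hunk at -1227.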
@@ -1227,6 +1227,12 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_ia32_epoll_create1
  [__NR_ia32_epoll_create1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE1_E, PPME_SYSCALL_EPOLL_CREATE1_X, PPM_SC_EPOLL_CREATE1},
+#endif
+#ifdef __NR_ia32_lstat64
+ [__NR_ia32_lstat64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LSTAT64_E, PPME_SYSCALL_LSTAT64_X, PPM_SC_LSTAT64},
+#endif
+#ifdef __NR_ia32_umount
+ [__NR_ia32_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT},
 #endif
  [__NR_ia32_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
  [__NR_ia32_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
@@ -1443,9 +1449,6 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_ia32_ipc
  [__NR_ia32_ipc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IPC},
 #endif
-#ifdef __NR_ia32_lstat64
- [__NR_ia32_lstat64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LSTAT64},
-#endif
 #ifdef __NR_ia32__newselect
  [__NR_ia32__newselect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC__NEWSELECT},
 #endif
@@ -1461,9 +1464,6 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_ia32_olduname
  [__NR_ia32_olduname - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OLDUNAME},
 #endif
-#ifdef __NR_ia32_umount
- [__NR_ia32_umount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UMOUNT},
-#endif
 #ifdef __NR_ia32_signal
  [__NR_ia32_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGNAL},
 #endif
diff --git a/userspace/libscap/examples/01-open/scap_open.c b/userspace/libscap/examples/01-open/scap_open.c
index 3013404d24..b6deda0848 100644
--- a/userspace/libscap/examples/01-open/scap_open.c
+++ b/userspace/libscap/examples/01-open/scap_open.c
@@ -139,6 +139,7 @@ static int simple_set[] = {
  PPM_SC_TGKILL,
  PPM_SC_TIMERFD_CREATE,
  PPM_SC_TKILL,
+ PPM_SC_UMOUNT,
  PPM_SC_UMOUNT2,
  PPM_SC_UNLINK,
  PPM_SC_UNLINKAT,
diff --git a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp index 2498b86378..719c336618 100644 --- a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp +++ b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp @@ -122,6 +122,7 @@ libsinsp::events::set libsinsp::events::enforce_simple_sc_set(libsi PPM_SC_TGKILL, PPM_SC_TIMERFD_CREATE, PPM_SC_TKILL, + PPM_SC_UMOUNT, PPM_SC_UMOUNT2, PPM_SC_UNLINK, PPM_SC_UNLINKAT, @@ -301,4 +302,4 @@ std::unordered_set libsinsp::events::sc_set_to_names(const libsinsp ppm_sc_names_set.insert(ppm_sc_name); } return ppm_sc_names_set; -} \ No newline at end of file +} diff --git a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp index 5957df7f8d..8dbfe92351 100644 --- a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp +++ b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp @@ -252,6 +252,10 @@ libsinsp::events::set state_sc_set_truth = { PPM_SC_TIMERFD_CREATE, #endif +#ifdef __NR_umount + PPM_SC_UMOUNT, +#endif + #ifdef __NR_umount2 PPM_SC_UMOUNT2, #endif From 96174ef5f964295a00787a91cd63f0e48673768c Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 1 Mar 2023 17:47:10 +0100 Subject: [PATCH 2/5] fix: add 2 new syscalls `PPM_SC_RECV` and `PPM_SC_SEND` Before this commit we just had event pairs to instrument these syscalls but not a real code to identify them, for this reason their event pairs were associated to `PPM_SC_UNKNOWN`. Signed-off-by: Andrea Terzolo --- driver/ppm_events_public.h | 4 +++- driver/syscall_table.c | 12 ++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 337e8334c6..2d7d21974b 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h 
@@ -1617,7 +1617,9 @@ enum extra_event_prog_code
  PPM_SC_X(MEMBARRIER, 390) \
  PPM_SC_X(IOPL, 391) \
  PPM_SC_X(CLOSE_RANGE, 392) \
- PPM_SC_X(FANOTIFY_MARK, 393)
+ PPM_SC_X(FANOTIFY_MARK, 393) \
+ PPM_SC_X(RECV, 394) \
+ PPM_SC_X(SEND, 395)
 
 typedef enum {
 #define PPM_SC_X(name, value) PPM_SC_##name = value,
diff --git a/driver/syscall_table.c b/driver/syscall_table.c
index c0509d745b..9120a8f3c2 100644
--- a/driver/syscall_table.c
+++ b/driver/syscall_table.c
@@ -426,6 +426,12 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_umount
  [__NR_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT},
+#endif
+#ifdef __NR_recv
+ [__NR_recv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECV_E, PPME_SOCKET_RECV_X, PPM_SC_RECV},
+#endif
+#ifdef __NR_send
+ [__NR_send - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SEND_E, PPME_SOCKET_SEND_X, PPM_SC_SEND},
 #endif
  [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
  [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
@@ -1233,6 +1239,12 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_ia32_umount
  [__NR_ia32_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT},
+#endif
+#ifdef __NR_ia32_recv
+ [__NR_ia32_recv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECV_E, PPME_SOCKET_RECV_X, PPM_SC_RECV},
+#endif
+#ifdef __NR_ia32_send
+ [__NR_ia32_send - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SEND_E, PPME_SOCKET_SEND_X, PPM_SC_SEND},
 #endif
  [__NR_ia32_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
  [__NR_ia32_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
From 8f66fc63f8fe606c02f0394cd85d14ddc0fd6b1c Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Wed, 1 Mar 2023 18:38:57 +0100
Subject: [PATCH 3/5] cleanup: use "NA" as unknown event name
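Review bot: The `__NR_recv`/`__NR_send` entries in the hunk at -426 (and the `__NR_ia32_*` ones at -1233) are compiled only where those macros are defined, and x86_64 defines neither syscall number, so there the new `PPM_SC_RECV`/`PPM_SC_SEND` codes exist in the enum without any table entry producing them. The diffstat for this patch touches only the enum and the table, so nothing here adds the codes to the sets that patch 1 updated for `PPM_SC_UMOUNT` (`simple_set`, `enforce_simple_sc_set`) or tests the mapping. If the sibling socket I/O syscalls are members of those sets, which this hunk does not show, `PPM_SC_RECV,` and `PPM_SC_SEND,` should be added as well, so that traffic through these two calls is not silently left out of the default capture on architectures that have them. A short comment at the entries, e.g. `/* only defined on some architectures */`, would also explain the guards.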
Signed-off-by: Andrea Terzolo --- driver/event_table.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/driver/event_table.c b/driver/event_table.c index 5b94b4b33a..245af18d00 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -27,7 +27,7 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_CLONE_11_E] = {"clone", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, [PPME_SYSCALL_CLONE_11_X] = {"clone", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 11, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, [PPME_PROCEXIT_E] = {"procexit", EC_PROCESS | EC_TRACEPOINT, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - [PPME_PROCEXIT_X] = {"NA1", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_PROCEXIT_X] = {"NA", EC_UNKNOWN, EF_UNUSED | EF_OLD_VERSION, 0}, [PPME_SOCKET_SOCKET_E] = {"socket", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families}, {"type", PT_UINT32, PF_DEC}, {"proto", PT_UINT32, PF_DEC} } }, [PPME_SOCKET_SOCKET_X] = {"socket", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, [PPME_SOCKET_BIND_E] = {"bind", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, 
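Review bot: Besides renaming "NA1" to "NA", the changed `PPME_PROCEXIT_X` line in this hunk also adds `EF_OLD_VERSION`, which the commit subject (a name cleanup) does not mention. The same kind of flag change appears in the hunk at -94 (`PPME_SYSCALL_NEWSELECT_E` and `_X`) and in the hunk at -283 (`PPME_CONTAINER_JSON_X`). Any consumer that filters the table on `EF_OLD_VERSION` will treat these entries differently after this commit, so the flag changes deserve a line in the commit message or a short comment on the entries, for example `/* deprecated pair, kept so that old capture files still parse */`. That wording assumes this is the intent, which the hunks do not state.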
@@ -94,8 +94,8 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_POLL_X] = {"poll", EC_WAIT | EC_SYSCALL, EF_WAITS, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } }, [PPME_SYSCALL_SELECT_E] = {"select", EC_WAIT | EC_SYSCALL, EF_WAITS, 0}, [PPME_SYSCALL_SELECT_X] = {"select", EC_WAIT | EC_SYSCALL, EF_WAITS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - [PPME_SYSCALL_NEWSELECT_E] = {"select", EC_WAIT | EC_SYSCALL, EF_WAITS, 0}, - [PPME_SYSCALL_NEWSELECT_X] = {"select", EC_WAIT | EC_SYSCALL, EF_WAITS, 1, {{"res", PT_ERRNO, PF_DEC} } }, + [PPME_SYSCALL_NEWSELECT_E] = {"select", EC_WAIT | EC_SYSCALL, EF_WAITS | EF_OLD_VERSION, 0}, + [PPME_SYSCALL_NEWSELECT_X] = {"select", EC_WAIT | EC_SYSCALL, EF_WAITS | EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } }, [PPME_SYSCALL_LSEEK_E] = {"lseek", EC_FILE | EC_SYSCALL, EF_USES_FD, 3, {{"fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence} } }, [PPME_SYSCALL_LSEEK_X] = {"lseek", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } }, [PPME_SYSCALL_LLSEEK_E] = {"llseek", EC_FILE | EC_SYSCALL, EF_USES_FD, 3, {{"fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence} } }, 
@@ -159,13 +159,13 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_PRLIMIT_E] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 2, {{"pid", PT_PID, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, [PPME_SYSCALL_PRLIMIT_X] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 5, {{"res", PT_ERRNO, PF_DEC}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC} } }, [PPME_SCHEDSWITCH_1_E] = {"switch", EC_SCHEDULER | EC_TRACEPOINT, EF_SKIPPARSERESET | EF_OLD_VERSION, 1, {{"next", PT_PID, PF_DEC} } }, - [PPME_SCHEDSWITCH_1_X] = {"NA2", EC_UNKNOWN, EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION, 0}, + [PPME_SCHEDSWITCH_1_X] = {"NA", EC_UNKNOWN, EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION, 0}, [PPME_DROP_E] = {"drop", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET, 1, {{"ratio", PT_UINT32, PF_DEC} } }, [PPME_DROP_X] = {"drop", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET, 1, {{"ratio", PT_UINT32, PF_DEC} } }, [PPME_SYSCALL_FCNTL_E] = {"fcntl", EC_IO_OTHER | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands} } }, [PPME_SYSCALL_FCNTL_X] = {"fcntl", EC_IO_OTHER | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD, PF_DEC} } }, [PPME_SCHEDSWITCH_6_E] = {"switch", EC_SCHEDULER | EC_TRACEPOINT, EF_NONE, 6, {{"next", PT_PID, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, /// TODO: do we need SKIPPARSERESET flag? 
- [PPME_SCHEDSWITCH_6_X] = {"NA2", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_SCHEDSWITCH_6_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_EXECVE_13_E] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, [PPME_SYSCALL_EXECVE_13_X] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 13, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, [PPME_SYSCALL_CLONE_16_E] = {"clone", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, 
@@ -199,7 +199,7 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_VFORK_E] = {"vfork", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, [PPME_SYSCALL_VFORK_X] = {"vfork", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, [PPME_PROCEXIT_1_E] = {"procexit", EC_PROCESS | EC_TRACEPOINT, EF_MODIFIES_STATE, 4, {{"status", PT_ERRNO, PF_DEC}, {"ret", PT_ERRNO, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC}, {"core", PT_UINT8, PF_DEC} } }, - [PPME_PROCEXIT_1_X] = {"NA1", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_PROCEXIT_1_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_SENDFILE_E] = {"sendfile", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD, 4, {{"out_fd", PT_FD, PF_DEC}, {"in_fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"size", PT_UINT64, PF_DEC} } }, [PPME_SYSCALL_SENDFILE_X] = {"sendfile", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD, 2, {{"res", PT_ERRNO, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } }, [PPME_SYSCALL_QUOTACTL_E] = {"quotactl", EC_USER | EC_SYSCALL, EF_NONE, 4, {{"cmd", PT_FLAGS16, PF_DEC, quotactl_cmds }, {"type", PT_FLAGS8, PF_DEC, quotactl_types}, {"id", PT_UINT32, PF_DEC}, {"quota_fmt", PT_FLAGS8, PF_DEC, quotactl_quota_fmts } } }, 
@@ -241,13 +241,13 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_VFORK_20_E] = {"vfork", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0}, [PPME_SYSCALL_VFORK_20_X] = {"vfork", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 21, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID, PF_DEC}, {"vpid", PT_PID, PF_DEC}, {"pidns_init_start_ts", PT_UINT64, PF_DEC} } }, [PPME_CONTAINER_E] = {"container", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET | EF_MODIFIES_STATE | EF_OLD_VERSION, 4, {{"id", PT_CHARBUF, PF_NA}, {"type", PT_UINT32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"image", PT_CHARBUF, PF_NA} } }, - [PPME_CONTAINER_X] = {"container", EC_UNKNOWN, EF_UNUSED | EF_OLD_VERSION, 0}, + [PPME_CONTAINER_X] = {"NA", EC_UNKNOWN, EF_UNUSED | EF_OLD_VERSION, 0}, [PPME_SYSCALL_EXECVE_16_E] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, [PPME_SYSCALL_EXECVE_16_X] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA} } }, [PPME_SIGNALDELIVER_E] = 
{"signaldeliver", EC_SIGNAL | EC_TRACEPOINT, EF_NONE, 3, {{"spid", PT_PID, PF_DEC}, {"dpid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } }, - [PPME_SIGNALDELIVER_X] = {"signaldeliver", EC_UNKNOWN, EF_UNUSED, 0 }, + [PPME_SIGNALDELIVER_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0 }, [PPME_PROCINFO_E] = {"procinfo", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET, 2, {{"cpu_usr", PT_UINT64, PF_DEC}, {"cpu_sys", PT_UINT64, PF_DEC} } }, - [PPME_PROCINFO_X] = {"NA2", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_PROCINFO_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_GETDENTS_E] = {"getdents", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"fd", PT_FD, PF_NA} } }, [PPME_SYSCALL_GETDENTS_X] = {"getdents", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } }, [PPME_SYSCALL_GETDENTS64_E] = {"getdents64", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"fd", PT_FD, PF_NA} } }, @@ -257,7 +257,7 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_FLOCK_E] = {"flock", EC_FILE | EC_SYSCALL, EF_USES_FD, 2, {{"fd", PT_FD, PF_NA}, {"operation", PT_FLAGS32, PF_HEX, flock_flags} } }, [PPME_SYSCALL_FLOCK_X] = {"flock", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } }, [PPME_CPU_HOTPLUG_E] = {"cpu_hotplug", EC_SYSTEM | EC_METAEVENT, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 2, {{"cpu", PT_UINT32, PF_DEC}, {"action", PT_UINT32, PF_DEC} } }, - [PPME_CPU_HOTPLUG_X] = {"NA2", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_CPU_HOTPLUG_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SOCKET_ACCEPT_5_E] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0}, [PPME_SOCKET_ACCEPT_5_X] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } }, [PPME_SOCKET_ACCEPT4_5_E] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_INT32, PF_HEX} } }, 
@@ -273,7 +273,7 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } }, // we need to create separate events for umount and umount2, umount doesn't have the flag parameter!! [PPME_SYSCALL_UMOUNT_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } }, [PPME_K8S_E] = {"k8s", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } }, - [PPME_K8S_X] = {"NA3", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_K8S_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_SEMGET_E] = {"semget", EC_PROCESS | EC_SYSCALL, EF_NONE, 3, {{"key", PT_INT32, PF_HEX}, {"nsems", PT_INT32, PF_DEC}, {"semflg", PT_FLAGS32, PF_HEX, semget_flags} } }, [PPME_SYSCALL_SEMGET_X] = {"semget", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } }, [PPME_SYSCALL_ACCESS_E] = {"access", EC_FILE | EC_SYSCALL, EF_NONE, 1, {{"mode", PT_FLAGS32, PF_HEX, access_flags} } }, 
@@ -283,9 +283,9 @@ const struct ppm_event_info g_event_info[] = { [PPME_TRACER_E] = {"tracer", EC_OTHER | EC_METAEVENT, EF_NONE, 3, {{"id", PT_INT64, PF_DEC}, {"tags", PT_CHARBUFARRAY, PF_NA}, {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA} } }, [PPME_TRACER_X] = { "tracer", EC_OTHER | EC_METAEVENT, EF_NONE, 3, { { "id", PT_INT64, PF_DEC }, { "tags", PT_CHARBUFARRAY, PF_NA }, { "args", PT_CHARBUF_PAIR_ARRAY, PF_NA } } }, [PPME_MESOS_E] = {"mesos", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } }, - [PPME_MESOS_X] = {"NA4", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_MESOS_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_CONTAINER_JSON_E] = {"container", EC_PROCESS | EC_METAEVENT, EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"json", PT_CHARBUF, PF_NA} } }, /// TODO: do we need SKIPPARSERESET flag? - [PPME_CONTAINER_JSON_X] = {"container", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_CONTAINER_JSON_X] = {"NA", EC_UNKNOWN, EF_UNUSED | EF_OLD_VERSION, 0}, [PPME_SYSCALL_SETSID_E] = {"setsid", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0}, [PPME_SYSCALL_SETSID_X] = {"setsid", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_PID, PF_DEC} } }, [PPME_SYSCALL_MKDIR_2_E] = {"mkdir", EC_FILE | EC_SYSCALL, EF_NONE, 1, {{"mode", PT_UINT32, PF_HEX} } }, 
@@ -293,17 +293,17 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_RMDIR_2_E] = {"rmdir", EC_FILE | EC_SYSCALL, EF_NONE, 0}, [PPME_SYSCALL_RMDIR_2_X] = {"rmdir", EC_FILE | EC_SYSCALL, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, [PPME_NOTIFICATION_E] = {"notification", EC_OTHER | EC_METAEVENT, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } }, - [PPME_NOTIFICATION_X] = {"NA4", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_NOTIFICATION_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_EXECVE_17_E] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, [PPME_SYSCALL_EXECVE_17_X] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }, [PPME_SYSCALL_UNSHARE_E] = {"unshare", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"flags", PT_FLAGS32, PF_HEX, clone_flags} } }, [PPME_SYSCALL_UNSHARE_X] = {"unshare", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } }, [PPME_INFRASTRUCTURE_EVENT_E] = {"infra", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET, 4, {{"source", PT_CHARBUF, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"description", PT_CHARBUF, PF_NA}, {"scope", PT_CHARBUF, PF_NA} } }, - [PPME_INFRASTRUCTURE_EVENT_X] = {"NA4", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_INFRASTRUCTURE_EVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_EXECVE_18_E] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"filename", PT_FSPATH, PF_NA} } }, 
[PPME_SYSCALL_EXECVE_18_X] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }, [PPME_PAGE_FAULT_E] = {"page_fault", EC_OTHER | EC_TRACEPOINT, EF_SKIPPARSERESET, 3, {{"addr", PT_UINT64, PF_HEX}, {"ip", PT_UINT64, PF_HEX}, {"error", PT_FLAGS32, PF_HEX, pf_flags} } }, - [PPME_PAGE_FAULT_X] = {"NA5", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_PAGE_FAULT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_EXECVE_19_E] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"filename", PT_FSPATH, PF_NA} } }, [PPME_SYSCALL_EXECVE_19_X] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 27, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC}, {"pgid", PT_PID, PF_DEC}, {"loginuid", PT_INT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, execve_flags}, {"cap_inheritable", PT_UINT64, PF_HEX}, {"cap_permitted", PT_UINT64, PF_HEX}, {"cap_effective", PT_UINT64, PF_HEX}, {"exe_ino", PT_UINT64, PF_DEC}, {"exe_ino_ctime", PT_ABSTIME, PF_DEC}, {"exe_ino_mtime", PT_ABSTIME, PF_DEC}, {"uid", PT_INT32, PF_DEC} } }, 
[PPME_SYSCALL_SETPGID_E] = {"setpgid", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"pid", PT_PID, PF_DEC}, {"pgid", PT_PID, PF_DEC} } }, @@ -335,9 +335,9 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_USERFAULTFD_E] = {"userfaultfd", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0}, [PPME_SYSCALL_USERFAULTFD_X] = {"userfaultfd", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags} } }, [PPME_PLUGINEVENT_E] = {"pluginevent", EC_OTHER | EC_PLUGIN, EF_LARGE_PAYLOAD, 2, {{"plugin ID", PT_UINT32, PF_DEC}, {"event_data", PT_BYTEBUF, PF_NA} } }, - [PPME_PLUGINEVENT_X] = {"pluginevent", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_PLUGINEVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_CONTAINER_JSON_2_E] = {"container", EC_PROCESS | EC_METAEVENT, EF_MODIFIES_STATE | EF_LARGE_PAYLOAD, 1, {{"json", PT_CHARBUF, PF_NA} } }, /// TODO: do we need SKIPPARSERESET flag? - [PPME_CONTAINER_JSON_2_X] = {"container", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_CONTAINER_JSON_2_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_OPENAT2_E] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } }, [PPME_SYSCALL_OPENAT2_X] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } }, [PPME_SYSCALL_MPROTECT_E] = {"mprotect", EC_MEMORY | EC_SYSCALL, EF_NONE, 3, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags} } }, 
@@ -367,13 +367,13 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_CAPSET_E] = {"capset", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0}, [PPME_SYSCALL_CAPSET_X] = {"capset", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"cap_inheritable", PT_UINT64, PF_HEX}, {"cap_permitted", PT_UINT64, PF_HEX}, {"cap_effective", PT_UINT64, PF_HEX} } }, [PPME_USER_ADDED_E] = {"useradded", EC_PROCESS | EC_METAEVENT, EF_MODIFIES_STATE, 6, {{"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"home", PT_CHARBUF, PF_NA}, {"shell", PT_CHARBUF, PF_NA}, {"container_id", PT_CHARBUF, PF_NA} } }, - [PPME_USER_ADDED_X] = {"useradded", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_USER_ADDED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_USER_DELETED_E] = {"userdeleted", EC_PROCESS | EC_METAEVENT, EF_MODIFIES_STATE, 6, {{"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"home", PT_CHARBUF, PF_NA}, {"shell", PT_CHARBUF, PF_NA}, {"container_id", PT_CHARBUF, PF_NA} } }, - [PPME_USER_DELETED_X] = {"userdeleted", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_USER_DELETED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_GROUP_ADDED_E] = {"groupadded", EC_PROCESS | EC_METAEVENT, EF_MODIFIES_STATE, 3, {{"gid", PT_UINT32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"container_id", PT_CHARBUF, PF_NA} } }, - [PPME_GROUP_ADDED_X] = {"groupadded", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_GROUP_ADDED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_GROUP_DELETED_E] = {"groupdeleted", EC_PROCESS | EC_METAEVENT, EF_MODIFIES_STATE, 3, {{"gid", PT_UINT32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"container_id", PT_CHARBUF, PF_NA} } }, - [PPME_GROUP_DELETED_X] = {"groupdeleted", EC_UNKNOWN, EF_UNUSED, 0}, + [PPME_GROUP_DELETED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_DUP2_E] = {"dup2", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, [PPME_SYSCALL_DUP2_X] = {"dup2", 
EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 3, {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC}, {"newfd", PT_FD, PF_DEC} } }, [PPME_SYSCALL_DUP3_E] = {"dup3", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, From 8b4b8b870bd2f19abbfad8db61c1988037da43fd Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Mon, 6 Mar 2023 21:52:05 +0100 Subject: [PATCH 4/5] update: support new `umount` event pair Signed-off-by: Andrea Terzolo --- driver/bpf/fillers.h | 14 ++++ driver/event_table.c | 4 +- driver/fillers_table.c | 2 + driver/main.c | 2 + .../definitions/events_dimensions.h | 1 + .../syscall_dispatched_events/umount.bpf.c | 72 +++++++++++++++++++ driver/ppm_events_public.h | 4 +- driver/ppm_fillers.c | 19 +++++ driver/ppm_fillers.h | 1 + driver/syscall_table.c | 4 +- .../syscall_enter_suite/umount_e.cpp | 39 ++++++++++ .../syscall_exit_suite/umount_x.cpp | 44 ++++++++++++ userspace/libpman/src/events_prog_names.h | 2 + userspace/libsinsp/test/events_file.ut.cpp | 14 ++++ userspace/libsinsp/test/table/event_table.cpp | 2 +- 15 files changed, 219 insertions(+), 5 deletions(-) create mode 100644 driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount.bpf.c create mode 100644 test/drivers/test_suites/syscall_enter_suite/umount_e.cpp create mode 100644 test/drivers/test_suites/syscall_exit_suite/umount_x.cpp diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 99947e39ce..553ff9e4ae 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -132,6 +132,7 @@ FILLER_RAW(terminate_filler) case PPME_SYSCALL_MKDIRAT_E: case PPME_SYSCALL_MOUNT_E: case PPME_SYSCALL_UMOUNT_E: + case PPME_SYSCALL_UMOUNT_1_E: case PPME_SYSCALL_RENAME_E: case PPME_SYSCALL_RENAMEAT_E: case PPME_SYSCALL_RENAMEAT2_E: 
@@ -214,6 +215,7 @@ FILLER_RAW(terminate_filler) case PPME_SYSCALL_MKDIRAT_X: case PPME_SYSCALL_MOUNT_X: case PPME_SYSCALL_UMOUNT_X: + case PPME_SYSCALL_UMOUNT_1_X: case PPME_SYSCALL_RENAME_X: case PPME_SYSCALL_RENAMEAT_X: case PPME_SYSCALL_RENAMEAT2_X: @@ -6126,6 +6128,18 @@ FILLER(sys_dup3_x, true) return res; } +FILLER(sys_umount_x, true) +{ + /* Parameter 1: ret (type: PT_FD) */ + long retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + CHECK_RES(res); + + /* Parameter 2: name (type: PT_FSPATH) */ + unsigned long target_pointer = bpf_syscall_get_argument(data, 0); + return bpf_val_to_ring(data, target_pointer); +} + #ifdef CAPTURE_SCHED_PROC_EXEC /* We set `is_syscall` flag to `false` since this is not * a real syscall, we only send the same event from another diff --git a/driver/event_table.c b/driver/event_table.c index 245af18d00..8cdf56426b 100644 --- a/driver/event_table.c +++ b/driver/event_table.c 
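Review bot: The first parameter comment in the new `sys_umount_x` filler says `ret (type: PT_FD)`, but the line below it pushes the value with `bpf_val_to_ring_type(data, retval, PT_ERRNO)`, and the event table declares the parameter as `res` of type `PT_ERRNO`. The comment should read `/* Parameter 1: res (type: PT_ERRNO) */`, which is how the kernel-module and modern-BPF versions of this filler in the same patch describe it.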
@@ -270,7 +270,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_PPOLL_X] = {"ppoll", EC_WAIT | EC_SYSCALL, EF_WAITS, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } },
 [PPME_SYSCALL_MOUNT_E] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, mount_flags} } },
 [PPME_SYSCALL_MOUNT_X] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dev", PT_CHARBUF, PF_NA}, {"dir", PT_FSPATH, PF_NA}, {"type", PT_CHARBUF, PF_NA} } },
- [PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } }, // we need to create separate events for umount and umount2, umount doesn't have the flag parameter!!
+ [PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } }, // right now this event pair is used by umount2 syscall, we need to create a new event pair `PPME_SYSCALL_UMOUNT2_E/PPME_SYSCALL_UMOUNT2_X` with name "umount2" we cannot change the name here otherwise we break scap-files compatibility.
 [PPME_SYSCALL_UMOUNT_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 [PPME_K8S_E] = {"k8s", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } },
 [PPME_K8S_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
@@ -398,6 +398,8 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_FCHOWN_X] = {"fchown", EC_FILE | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, [PPME_SYSCALL_FCHOWNAT_E] = {"fchownat", EC_FILE | EC_SYSCALL, EF_NONE, 0}, [PPME_SYSCALL_FCHOWNAT_X] = {"fchownat", EC_FILE | EC_SYSCALL, EF_NONE, 6, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"pathname", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, fchownat_flags}} }, + [PPME_SYSCALL_UMOUNT_1_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 0}, + [PPME_SYSCALL_UMOUNT_1_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } }, /* NB: Starting from scap version 1.2, event types will no longer be changed when an event is modified, and the only kind of change permitted for pre-existent events is adding parameters. * New event types are allowed only for new syscalls or new internal events. diff --git a/driver/fillers_table.c b/driver/fillers_table.c index c58a1d43b9..e5103e3ac3 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -340,4 +340,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_FCHOWN_X] = {FILLER_REF(sys_fchown_x)}, [PPME_SYSCALL_FCHOWNAT_E] = {FILLER_REF(sys_empty)}, [PPME_SYSCALL_FCHOWNAT_X] = {FILLER_REF(sys_fchownat_x)}, + [PPME_SYSCALL_UMOUNT_1_E] = {FILLER_REF(sys_empty)}, + [PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)}, }; diff --git a/driver/main.c b/driver/main.c index 6dc3374fc1..784f94d957 100644 --- a/driver/main.c +++ b/driver/main.c 
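Review bot: The new `PPME_SYSCALL_UMOUNT_1_E`/`PPME_SYSCALL_UMOUNT_1_X` entries carry no comment, although they reuse the name "umount" that `PPME_SYSCALL_UMOUNT_E`/`PPME_SYSCALL_UMOUNT_X` already have in the earlier hunk of this file. A filter on the event name therefore matches both pairs, while only the older enter event has a `flags` parameter, so anyone writing a rule that tests `flags` needs to know it is absent for the legacy syscall. I would add above the two entries `/* legacy umount syscall: no flags argument; umount2 keeps using PPME_SYSCALL_UMOUNT_E/X */`.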
@@ -1475,6 +1475,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 case PPME_SYSCALL_MKDIRAT_E:
 case PPME_SYSCALL_MOUNT_E:
 case PPME_SYSCALL_UMOUNT_E:
+ case PPME_SYSCALL_UMOUNT_1_E:
 case PPME_SYSCALL_RENAME_E:
 case PPME_SYSCALL_RENAMEAT_E:
 case PPME_SYSCALL_RENAMEAT2_E:
@@ -1545,6 +1546,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 case PPME_SYSCALL_MKDIRAT_X:
 case PPME_SYSCALL_MOUNT_X:
 case PPME_SYSCALL_UMOUNT_X:
+ case PPME_SYSCALL_UMOUNT_1_X:
 case PPME_SYSCALL_RENAME_X:
 case PPME_SYSCALL_RENAMEAT_X:
 case PPME_SYSCALL_RENAMEAT2_X:
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
index bb4896eb97..8c823dfcfb 100644
--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
@@ -103,6 +103,7 @@
 #define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define UMOUNT_E_SIZE HEADER_LEN
 #define LINK_E_SIZE HEADER_LEN
 #define LINKAT_E_SIZE HEADER_LEN
 #define SYMLINK_E_SIZE HEADER_LEN
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount.bpf.c
new file mode 100644
index 0000000000..bc26288ab7
--- /dev/null
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount.bpf.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2023 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include
+#include
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(umount_e,
+ struct pt_regs *regs,
+ long id)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, UMOUNT_E_SIZE))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_UMOUNT_1_E);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ // Here we have no parameters to collect.
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(umount_x,
+ struct pt_regs *regs,
+ long ret)
+{
+ struct auxiliary_map *auxmap = auxmap__get();
+ if(!auxmap)
+ {
+ return 0;
+ }
+
+ auxmap__preload_event_header(auxmap, PPME_SYSCALL_UMOUNT_1_X);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO) */
+ auxmap__store_s64_param(auxmap, ret);
+
+ /* Parameter 2: name (type: PT_FSPATH) */
+ unsigned long target_pointer = extract__syscall_argument(regs, 0);
+ auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PATH, USER);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ auxmap__finalize_event_header(auxmap);
+
+ auxmap__submit_event(auxmap);
+
+ return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
index 2d7d21974b..9fc409cab2 100644
--- a/driver/ppm_events_public.h
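Review bot: The `name` parameter in `umount_x` is copied from user memory at syscall exit (`auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PATH, USER)`), after the kernel has already consumed the argument, and nothing in the file says so. The recorded path is therefore a best-effort copy: it can differ from what the kernel resolved if the buffer changed in between, and it is presumably cut at `MAX_PATH`. A comment above the store would tell rule authors how far to trust the field, e.g. `/* Read from user memory at exit: best-effort copy, may not match the path the kernel resolved. */`. The same holds for the `name` parameter in `sys_umount_x` (driver/bpf/fillers.h) and `f_sys_umount_x` (driver/ppm_fillers.c) added by this patch.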
+++ b/driver/ppm_events_public.h @@ -1188,7 +1188,9 @@ typedef enum { PPME_SYSCALL_FCHOWN_X = 383, PPME_SYSCALL_FCHOWNAT_E = 384, PPME_SYSCALL_FCHOWNAT_X = 385, - PPM_EVENT_MAX = 386 + PPME_SYSCALL_UMOUNT_1_E = 386, + PPME_SYSCALL_UMOUNT_1_X = 387, + PPM_EVENT_MAX = 388 } ppm_event_code; /*@}*/ diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index c602bc748e..2e80d5f141 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -6975,6 +6975,25 @@ int f_sys_splice_e(struct event_filler_arguments *args) return add_sentinel(args); } +int f_sys_umount_x(struct event_filler_arguments *args) +{ + unsigned long val; + int res; + int64_t retval; + + /* Parameter 1: res (type: PT_ERRNO) */ + retval = (int64_t)syscall_get_return_value(current, args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); + + /* Parameter 2: name (type: PT_FSPATH) */ + syscall_get_arguments_deprecated(current, args->regs, 0, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + return add_sentinel(args); +} + #ifdef CAPTURE_SCHED_PROC_EXEC int f_sched_prog_exec(struct event_filler_arguments *args) { diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h index 92dbd7b948..6f53af454c 100644 --- a/driver/ppm_fillers.h +++ b/driver/ppm_fillers.h @@ -156,6 +156,7 @@ or GPL2.txt for full copies of the license. FN(sys_recvmsg_e) \ FN(sys_signalfd_e) \ FN(sys_splice_e) \ + FN(sys_umount_x) \ FN(terminate_filler) #define FILLER_ENUM_FN(x) PPM_FILLER_##x, diff --git a/driver/syscall_table.c b/driver/syscall_table.c index 9120a8f3c2..c1bbb38f42 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c 
@@ -425,7 +425,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 [__NR_lstat64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LSTAT64_E, PPME_SYSCALL_LSTAT64_X, PPM_SC_LSTAT64},
 #endif
 #ifdef __NR_umount
- [__NR_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT},
+ [__NR_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_1_E, PPME_SYSCALL_UMOUNT_1_X, PPM_SC_UMOUNT},
 #endif
 #ifdef __NR_recv
 [__NR_recv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECV_E, PPME_SOCKET_RECV_X, PPM_SC_RECV},
@@ -1238,7 +1238,7 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 [__NR_ia32_lstat64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LSTAT64_E, PPME_SYSCALL_LSTAT64_X, PPM_SC_LSTAT64},
 #endif
 #ifdef __NR_ia32_umount
- [__NR_ia32_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT},
+ [__NR_ia32_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_1_E, PPME_SYSCALL_UMOUNT_1_X, PPM_SC_UMOUNT},
 #endif
 #ifdef __NR_ia32_recv
 [__NR_ia32_recv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECV_E, PPME_SOCKET_RECV_X, PPM_SC_RECV},
diff --git a/test/drivers/test_suites/syscall_enter_suite/umount_e.cpp b/test/drivers/test_suites/syscall_enter_suite/umount_e.cpp
new file mode 100644
index 0000000000..2b92b1ae1d
--- /dev/null
+++ b/test/drivers/test_suites/syscall_enter_suite/umount_e.cpp
@@ -0,0 +1,39 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_umount
+
+TEST(SyscallEnter, umountE)
+{
+ auto evt_test = get_syscall_event_test(__NR_umount, ENTER_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ const char* target = "//**null-file-path**//";
+ assert_syscall_state(SYSCALL_FAILURE, "umount", syscall(__NR_umount, target));
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ // Here we have no parameters to assert.
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(0);
+}
+#endif
diff --git a/test/drivers/test_suites/syscall_exit_suite/umount_x.cpp b/test/drivers/test_suites/syscall_exit_suite/umount_x.cpp
new file mode 100644
index 0000000000..02b232602b
--- /dev/null
+++ b/test/drivers/test_suites/syscall_exit_suite/umount_x.cpp
@@ -0,0 +1,44 @@ +#include "../../event_class/event_class.h" + +#ifdef __NR_umount + +TEST(SyscallExit, umountX) +{ + auto evt_test = get_syscall_event_test(__NR_umount, EXIT_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + const char* target = "//**null-file-path**//"; + assert_syscall_state(SYSCALL_FAILURE, "umount", syscall(__NR_umount, target)); + int64_t errno_value = -errno; + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO) */ + evt_test->assert_numeric_param(1, (int64_t)errno_value); + + /* Parameter 2: name (type: PT_FSPATH) */ + evt_test->assert_charbuf_param(2, target); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(2); +} +#endif diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h index 621af1e468..96ec4fe8a7 100644 --- a/userspace/libpman/src/events_prog_names.h +++ b/userspace/libpman/src/events_prog_names.h @@ -263,6 +263,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SYSCALL_FCHOWNAT_X] = "fchownat_x", [PPME_SYSCALL_NANOSLEEP_E] = "nanosleep_e", [PPME_SYSCALL_NANOSLEEP_X] = "nanosleep_x", + [PPME_SYSCALL_UMOUNT_1_E] = "umount_e", + [PPME_SYSCALL_UMOUNT_1_X] = "umount_x", }; /* Some events can require more than one bpf program to collect all the data. */ diff --git a/userspace/libsinsp/test/events_file.ut.cpp b/userspace/libsinsp/test/events_file.ut.cpp index 651898dd32..ab56f82ce4 100644 --- a/userspace/libsinsp/test/events_file.ut.cpp +++ b/userspace/libsinsp/test/events_file.ut.cpp 
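Review bot: Only a failing call with a readable, nonexistent path is exercised in `umountX`, so the `name` parameter is never checked for a target pointer the driver cannot read. A second case passing a NULL target would confirm that the exit event is still emitted with `res` set and an empty `name`, which is the path a monitoring rule depends on when the argument is invalid. Separately, `(int64_t)errno_value` casts a variable that is already declared `int64_t`; `evt_test->assert_numeric_param(1, errno_value);` is enough.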
@@ -183,3 +183,17 @@ TEST_F(sinsp_with_test_input, creates_fd_generic) ASSERT_EQ(get_field_as_string(evt, "fd.num"), "4"); } +TEST_F(sinsp_with_test_input, umount) +{ + add_default_init_thread(); + + open_inspector(); + sinsp_evt* evt = NULL; + + add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_UMOUNT_1_E, 0); + evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_UMOUNT_1_X, 2, 0, "/target_name"); + ASSERT_EQ(get_field_as_string(evt, "evt.type"), "umount"); + ASSERT_EQ(get_field_as_string(evt, "evt.category"), "file"); + ASSERT_EQ(get_field_as_string(evt, "evt.arg.res"), "0"); + ASSERT_EQ(get_field_as_string(evt, "evt.arg.name"), "/target_name"); +} diff --git a/userspace/libsinsp/test/table/event_table.cpp b/userspace/libsinsp/test/table/event_table.cpp index e2db3c5631..f15330e012 100644 --- a/userspace/libsinsp/test/table/event_table.cpp +++ b/userspace/libsinsp/test/table/event_table.cpp @@ -2,7 +2,7 @@ #include /* These numbers must be updated when we add new events */ -#define SYSCALL_EVENTS_NUM 340 +#define SYSCALL_EVENTS_NUM 342 #define TRACEPOINT_EVENTS_NUM 6 #define METAEVENTS_NUM 19 #define PLUGIN_EVENTS_NUM 1 From 0f33f1d22a6d382df895a33aea18e68412c64e97 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Mon, 6 Mar 2023 23:47:51 +0100 Subject: [PATCH 5/5] tests: remove `PPME_CONTAINER_X` event remove `PPME_CONTAINER_X` event from `event_set_to_names_no_generic_events1` test since after this fix it is associated with `NA` name instead of `container` Signed-off-by: Andrea Terzolo --- userspace/libsinsp/test/public_sinsp_API/events_set.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/userspace/libsinsp/test/public_sinsp_API/events_set.cpp b/userspace/libsinsp/test/public_sinsp_API/events_set.cpp index 9e9eec2cf4..7cf8abaafd 100644 --- a/userspace/libsinsp/test/public_sinsp_API/events_set.cpp +++ b/userspace/libsinsp/test/public_sinsp_API/events_set.cpp 
@@ -188,7 +188,7 @@ TEST(events_set, event_set_to_names_no_generic_events1) { static std::set names_truth = {"kill", "dup", "umount", "eventfd", "procexit", "container"}; auto names_unordered = libsinsp::events::event_set_to_names(libsinsp::events::set{PPME_SYSCALL_KILL_E, PPME_SYSCALL_KILL_X, - PPME_SYSCALL_DUP_1_E, PPME_SYSCALL_DUP_1_X, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPME_SYSCALL_EVENTFD_E, PPME_SYSCALL_EVENTFD_X, PPME_PROCEXIT_E, PPME_CONTAINER_E, PPME_CONTAINER_X}); + PPME_SYSCALL_DUP_1_E, PPME_SYSCALL_DUP_1_X, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPME_SYSCALL_EVENTFD_E, PPME_SYSCALL_EVENTFD_X, PPME_PROCEXIT_E, PPME_CONTAINER_E}); auto names = test_utils::unordered_set_to_ordered(names_unordered); ASSERT_NAMES_EQ(names_truth, names); ASSERT_TRUE(unordered_set_intersection(names_unordered, std::unordered_set {"syncfs"}).empty());