fix(driver)!: create dedicated events for umount2 syscall and rename them to "umount2"

driver/bpf/fillers.h

@@ -133,6 +133,7 @@ FILLER_RAW(terminate_filler)
 			case PPME_SYSCALL_MOUNT_E:
 			case PPME_SYSCALL_UMOUNT_E:
 			case PPME_SYSCALL_UMOUNT_1_E:
+			case PPME_SYSCALL_UMOUNT2_E:
 			case PPME_SYSCALL_RENAME_E:
 			case PPME_SYSCALL_RENAMEAT_E:
 			case PPME_SYSCALL_RENAMEAT2_E:
@@ -216,6 +217,7 @@ FILLER_RAW(terminate_filler)
 			case PPME_SYSCALL_MOUNT_X:
 			case PPME_SYSCALL_UMOUNT_X:
 			case PPME_SYSCALL_UMOUNT_1_X:
+			case PPME_SYSCALL_UMOUNT2_X:
 			case PPME_SYSCALL_RENAME_X:
 			case PPME_SYSCALL_RENAMEAT_X:
 			case PPME_SYSCALL_RENAMEAT2_X:
@@ -6204,6 +6206,25 @@ FILLER(sys_umount_x, true)
 	return  bpf_val_to_ring(data, target_pointer);
 }
 
+FILLER(sys_umount2_e, true)
+{
+	/* Parameter 1: flags (type: PT_FLAGS32) */
+	u32 flags = (u32)bpf_syscall_get_argument(data, 1);
+	return bpf_val_to_ring(data, flags);
+}
+
+FILLER(sys_umount2_x, true)
+{
+	/* Parameter 1: res (type: PT_ERRNO) */
+	long retval = bpf_syscall_get_retval(data->ctx);
+	int res = bpf_val_to_ring_type(data, retval, PT_ERRNO);
+	CHECK_RES(res);
+
+	/* Parameter 2: name (type: PT_FSPATH) */
+	unsigned long target_pointer = bpf_syscall_get_argument(data, 0);
+	return  bpf_val_to_ring(data, target_pointer);
+}
+
 #ifdef CAPTURE_SCHED_PROC_EXEC
 /* We set `is_syscall` flag to `false` since this is not
  * a real syscall, we only send the same event from another

driver/event_table.c

@@ -270,8 +270,8 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_PPOLL_X] = {"ppoll", EC_WAIT | EC_SYSCALL, EF_WAITS, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } },
 	[PPME_SYSCALL_MOUNT_E] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, mount_flags} } },
 	[PPME_SYSCALL_MOUNT_X] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dev", PT_CHARBUF, PF_NA}, {"dir", PT_FSPATH, PF_NA}, {"type", PT_CHARBUF, PF_NA} } },
-	[PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } }, // right now this event pair is used by umount2 syscall, we need to create a new event pair `PPME_SYSCALL_UMOUNT2_E/PPME_SYSCALL_UMOUNT2_X` with name "umount2" we cannot change the name here otherwise we break scap-files compatibility.
-	[PPME_SYSCALL_UMOUNT_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
+	[PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } },
+	[PPME_SYSCALL_UMOUNT_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 	[PPME_K8S_E] = {"k8s", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } },
 	[PPME_K8S_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
 	[PPME_SYSCALL_SEMGET_E] = {"semget", EC_PROCESS | EC_SYSCALL, EF_NONE, 3, {{"key", PT_INT32, PF_HEX}, {"nsems", PT_INT32, PF_DEC}, {"semflg", PT_FLAGS32, PF_HEX, semget_flags} } },
@@ -402,6 +402,8 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_UMOUNT_1_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 	[PPME_SOCKET_ACCEPT4_6_E] = {"accept4", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_INT32, PF_HEX} } },
 	[PPME_SOCKET_ACCEPT4_6_X] = {"accept4", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } },
+	[PPME_SYSCALL_UMOUNT2_E] = {"umount2", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } },
+	[PPME_SYSCALL_UMOUNT2_X] = {"umount2", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 
 	/* NB: Starting from scap version 1.2, event types will no longer be changed when an event is modified, and the only kind of change permitted for pre-existent events is adding parameters.
 	 *     New event types are allowed only for new syscalls or new internal events.

driver/fillers_table.c

@@ -236,8 +236,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_poll_x)}, /* exit same for poll() and ppoll() */
 	[PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)},
 	[PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_autofill), 4, APT_REG, {{AF_ID_RETVAL}, {0}, {1}, {2} } },
-	[PPME_SYSCALL_UMOUNT_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{1} } },
-	[PPME_SYSCALL_UMOUNT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0} } },
 	[PPME_SYSCALL_SEMGET_E] = {FILLER_REF(sys_semget_e)},
 	[PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_single_x)},
 	[PPME_SYSCALL_ACCESS_E] = {FILLER_REF(sys_access_e)},
@@ -334,4 +332,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)},
 	[PPME_SOCKET_ACCEPT4_6_E] = {FILLER_REF(sys_accept4_e)},
 	[PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept_x)},
+	[PPME_SYSCALL_UMOUNT2_E] = {FILLER_REF(sys_umount2_e)},
+	[PPME_SYSCALL_UMOUNT2_X] = {FILLER_REF(sys_umount2_x)},
 };

driver/flags_table.c

@@ -179,7 +179,9 @@ const struct ppm_name_value mount_flags[] = {
 	{0, 0},
 };
 
-/* http://lxr.free-electrons.com/source/include/linux/fs.h?v=4.2#L1251 */
+/* There is a 1:1 mapping between `umount2` flags and our `PPM` notation, so we don't
+ * need a dedicated helper for the conversion.
+ */
 const struct ppm_name_value umount_flags[] = {
 	{"FORCE", PPM_MNT_FORCE},
 	{"DETACH", PPM_MNT_DETACH},
@@ -642,4 +644,4 @@ const struct ppm_name_value fsconfig_cmds[] = {
 const struct ppm_name_value epoll_create1_flags[] = {
 	{"EPOLL_CLOEXEC", PPM_EPOLL_CLOEXEC},
 	{0, 0},
-};
+};

driver/main.c

@@ -1476,6 +1476,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 	case PPME_SYSCALL_MOUNT_E:
 	case PPME_SYSCALL_UMOUNT_E:
 	case PPME_SYSCALL_UMOUNT_1_E:
+	case PPME_SYSCALL_UMOUNT2_E:
 	case PPME_SYSCALL_RENAME_E:
 	case PPME_SYSCALL_RENAMEAT_E:
 	case PPME_SYSCALL_RENAMEAT2_E:
@@ -1547,6 +1548,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 	case PPME_SYSCALL_MOUNT_X:
 	case PPME_SYSCALL_UMOUNT_X:
 	case PPME_SYSCALL_UMOUNT_1_X:
+	case PPME_SYSCALL_UMOUNT2_X:
 	case PPME_SYSCALL_RENAME_X:
 	case PPME_SYSCALL_RENAMEAT_X:
 	case PPME_SYSCALL_RENAMEAT2_X:

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Falco Authors.
+ * Copyright (C) 2023 The Falco Authors.
  *
  * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
  * or GPL2.txt for full copies of the license.
@@ -21,8 +21,7 @@ int BPF_PROG(umount2_e,
 		return 0;
 	}
 
-	/// TODO: This event should be called `PPME_SYSCALL_UMOUNT2_E`.
-	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_UMOUNT_E);
+	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_UMOUNT2_E);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -52,8 +51,7 @@ int BPF_PROG(umount2_x,
 		return 0;
 	}
 
-	/// TODO: This event should be called `PPME_SYSCALL_UMOUNT2_X`.
-	auxmap__preload_event_header(auxmap, PPME_SYSCALL_UMOUNT_X);
+	auxmap__preload_event_header(auxmap, PPME_SYSCALL_UMOUNT2_X);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/ppm_events_public.h

@@ -1192,7 +1192,9 @@ typedef enum {
 	PPME_SYSCALL_UMOUNT_1_X = 387,
 	PPME_SOCKET_ACCEPT4_6_E = 388,
 	PPME_SOCKET_ACCEPT4_6_X = 389,
-	PPM_EVENT_MAX = 390
+	PPME_SYSCALL_UMOUNT2_E = 390,
+	PPME_SYSCALL_UMOUNT2_X = 391,
+	PPM_EVENT_MAX = 392
 } ppm_event_code;
 /*@}*/
 

driver/ppm_fillers.c

@@ -7066,6 +7066,38 @@ int f_sys_umount_x(struct event_filler_arguments *args)
 	return add_sentinel(args);
 }
 
+int f_sys_umount2_e(struct event_filler_arguments *args)
+{
+	unsigned long val;
+	int res;
+
+	/* Parameter 1: flags (type: PT_FLAGS32) */
+	syscall_get_arguments_deprecated(current, args->regs, 1, 1, &val);
+	res = val_to_ring(args, val, 0, true, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
+int f_sys_umount2_x(struct event_filler_arguments *args)
+{
+	unsigned long val;
+	int res;
+	int64_t retval;
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	retval = (int64_t)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: name (type: PT_FSPATH) */
+	syscall_get_arguments_deprecated(current, args->regs, 0, 1, &val);
+	res = val_to_ring(args, val, 0, true, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
 #ifdef CAPTURE_SCHED_PROC_EXEC
 int f_sched_prog_exec(struct event_filler_arguments *args)
 {

driver/ppm_fillers.h

@@ -159,6 +159,8 @@ or GPL2.txt for full copies of the license.
 	FN(sys_signalfd_e)                 \
 	FN(sys_splice_e)				\
 	FN(sys_umount_x)				\
+	FN(sys_umount2_e)				\
+	FN(sys_umount2_x)				\
 	FN(terminate_filler)
 
 #define FILLER_ENUM_FN(x) PPM_FILLER_##x,

driver/syscall_table.c

@@ -178,7 +178,9 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_chmod - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_CHMOD_E, PPME_SYSCALL_CHMOD_X, PPM_SC_CHMOD},
 #endif
 	[__NR_mount - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_MOUNT_E, PPME_SYSCALL_MOUNT_X, PPM_SC_MOUNT},
-	[__NR_umount2 - SYSCALL_TABLE_ID0] =                    {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT2},
+#ifdef __NR_umount2
+	[__NR_umount2 - SYSCALL_TABLE_ID0] =                    {UF_USED, PPME_SYSCALL_UMOUNT2_E, PPME_SYSCALL_UMOUNT2_X, PPM_SC_UMOUNT2},
+#endif
 	[__NR_ptrace - SYSCALL_TABLE_ID0] =                     {UF_USED, PPME_SYSCALL_PTRACE_E, PPME_SYSCALL_PTRACE_X, PPM_SC_PTRACE},
 #ifdef __NR_socket
 	[__NR_socket - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPM_SC_SOCKET},
@@ -1018,7 +1020,9 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_ia32_chmod - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_CHMOD_E, PPME_SYSCALL_CHMOD_X, PPM_SC_CHMOD},
 #endif
 	[__NR_ia32_mount - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_MOUNT_E, PPME_SYSCALL_MOUNT_X, PPM_SC_MOUNT},
-	[__NR_ia32_umount2 - SYSCALL_TABLE_ID0] =                    {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT2},
+#ifdef __NR_ia32_umount2
+	[__NR_ia32_umount2 - SYSCALL_TABLE_ID0] =                    {UF_USED, PPME_SYSCALL_UMOUNT2_E, PPME_SYSCALL_UMOUNT2_X, PPM_SC_UMOUNT2},
+#endif
 	[__NR_ia32_ptrace - SYSCALL_TABLE_ID0] =                     {UF_USED, PPME_SYSCALL_PTRACE_E, PPME_SYSCALL_PTRACE_X, PPM_SC_PTRACE},
 
 #ifndef __NR_ia32_socketcall

test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp

@@ -12,8 +12,8 @@ TEST(SyscallEnter, umount2E)
 
 	/*=============================== TRIGGER SYSCALL ===========================*/
 
-	const char* target = "/no_mount_point/xyzk-target";
-	unsigned long flags = MNT_FORCE;
+	const char* target = "//**null-file-path**//";
+	unsigned long flags = MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW;
 	assert_syscall_state(SYSCALL_FAILURE, "umount2", syscall(__NR_umount2, target, flags));
 
 	/*=============================== TRIGGER SYSCALL ===========================*/
@@ -34,7 +34,7 @@ TEST(SyscallEnter, umount2E)
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
 	/* Parameter 1: flags (type: PT_FLAGS32) */
-	evt_test->assert_numeric_param(1, (uint32_t)MNT_FORCE);
+	evt_test->assert_numeric_param(1, (uint32_t)(PPM_MNT_FORCE | PPM_MNT_DETACH | PPM_MNT_EXPIRE | PPM_UMOUNT_NOFOLLOW));
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 

test/drivers/test_suites/syscall_exit_suite/umount2_x.cpp

@@ -12,7 +12,7 @@ TEST(SyscallExit, umount2X)
 
 	/*=============================== TRIGGER SYSCALL ===========================*/
 
-	const char* target = "/no_mount_point/xyzk-target";
+	const char* target = "//**null-file-path**//";
 	unsigned long flags = MNT_FORCE;
 	assert_syscall_state(SYSCALL_FAILURE, "umount2", syscall(__NR_umount2, target, flags));
 	int64_t errno_value = -errno;

userspace/libpman/src/events_prog_names.h

@@ -138,9 +138,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_UNSHARE_X] = "unshare_x",
 	[PPME_SYSCALL_MOUNT_E] = "mount_e",
 	[PPME_SYSCALL_MOUNT_X] = "mount_x",
-	/* These events should be called `PPME_SYSCALL_UMOUNT2_...` */
-	[PPME_SYSCALL_UMOUNT_E] = "umount2_e",
-	[PPME_SYSCALL_UMOUNT_X] = "umount2_x",
+	[PPME_SYSCALL_UMOUNT2_E] = "umount2_e",
+	[PPME_SYSCALL_UMOUNT2_X] = "umount2_x",
 	[PPME_SYSCALL_LINK_2_E] = "link_e",
 	[PPME_SYSCALL_LINK_2_X] = "link_x",
 	[PPME_SYSCALL_LINKAT_2_E] = "linkat_e",

userspace/libscap/linux/scap_ppm_sc.c

@@ -290,8 +290,8 @@ static const ppm_sc_code *g_events_to_sc_map[] = {
 	[PPME_SYSCALL_PPOLL_X] = (ppm_sc_code[]){PPM_SC_PPOLL, -1},
 	[PPME_SYSCALL_MOUNT_E] = (ppm_sc_code[]){PPM_SC_MOUNT, -1},
 	[PPME_SYSCALL_MOUNT_X] = (ppm_sc_code[]){PPM_SC_MOUNT, -1},
-	[PPME_SYSCALL_UMOUNT_E] = (ppm_sc_code[]){PPM_SC_UMOUNT2, -1},
-	[PPME_SYSCALL_UMOUNT_X] = (ppm_sc_code[]){PPM_SC_UMOUNT2, -1},
+	[PPME_SYSCALL_UMOUNT_E] = (ppm_sc_code[]){PPM_SC_UMOUNT, -1},
+	[PPME_SYSCALL_UMOUNT_X] = (ppm_sc_code[]){PPM_SC_UMOUNT, -1},
 	[PPME_K8S_E] = NULL,
 	[PPME_K8S_X] = NULL,
 	[PPME_SYSCALL_SEMGET_E] = (ppm_sc_code[]){PPM_SC_SEMGET, -1},
@@ -422,6 +422,8 @@ static const ppm_sc_code *g_events_to_sc_map[] = {
 	[PPME_SYSCALL_UMOUNT_1_X] = (ppm_sc_code[]){PPM_SC_UMOUNT, -1},
 	[PPME_SOCKET_ACCEPT4_6_E] = (ppm_sc_code[]){PPM_SC_ACCEPT4, -1},
 	[PPME_SOCKET_ACCEPT4_6_X] = (ppm_sc_code[]){PPM_SC_ACCEPT4, -1},
+	[PPME_SYSCALL_UMOUNT2_E] = (ppm_sc_code[]){PPM_SC_UMOUNT2, -1},
+	[PPME_SYSCALL_UMOUNT2_X] = (ppm_sc_code[]){PPM_SC_UMOUNT2, -1},
 };
 
 _Static_assert(sizeof(g_events_to_sc_map) / sizeof(*g_events_to_sc_map) == PPM_EVENT_MAX, "Missing entries in g_events_to_sc_map table.");

userspace/libsinsp/test/events_file.ut.cpp

@@ -220,3 +220,18 @@ TEST_F(sinsp_with_test_input, umount)
 	ASSERT_EQ(get_field_as_string(evt, "evt.arg.res"), "0");
 	ASSERT_EQ(get_field_as_string(evt, "evt.arg.name"), "/target_name");
 }
+
+TEST_F(sinsp_with_test_input, umount2)
+{
+    add_default_init_thread();
+
+    open_inspector();
+    sinsp_evt* evt = NULL;
+
+    add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_UMOUNT2_E, 1, 10);
+    evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_UMOUNT2_X, 2, 0, "/target_name");
+    ASSERT_EQ(get_field_as_string(evt, "evt.type"), "umount2");
+    ASSERT_EQ(get_field_as_string(evt, "evt.category"), "file");
+    ASSERT_EQ(get_field_as_string(evt, "evt.arg.res"), "0");
+    ASSERT_EQ(get_field_as_string(evt, "evt.arg.name"), "/target_name");
+}

userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp

@@ -197,14 +197,22 @@ TEST(interesting_syscalls, names_to_sc_set)
 	"signalfd4",
 	});
 	ASSERT_PPM_SC_CODES_EQ(sc_set_truth, sc_set);
+}
+
+/* This test asserts the behavior of `names_to_sc_set` API when corner cases like `accept/accept4` are involved */
+/// todo: @Andreagit97 revisit this test after new APIs to convert from event_names -> sc_set and sc_set -> event_names.
+TEST(interesting_syscalls, names_sc_set_names_corner_cases)
+{
+	/* INCONSISTENCY: `names_to_sc_set` is converting event names to ppm_sc, but this was not its original scope, the original scope was to convert sc_names -> to sc_set  */
+	std::unordered_set<std::string> event_names{"accept", "execve", "syncfs", "eventfd", "umount", "pipe", "signalfd", "umount2"};
+	auto sc_set = libsinsp::events::names_to_sc_set(event_names);
+	libsinsp::events::set<ppm_sc_code> expected_sc_set{PPM_SC_ACCEPT, PPM_SC_ACCEPT4, PPM_SC_EXECVE, PPM_SC_SYNCFS, PPM_SC_EVENTFD, PPM_SC_EVENTFD2, PPM_SC_UMOUNT, PPM_SC_PIPE, PPM_SC_PIPE2, PPM_SC_SIGNALFD, PPM_SC_SIGNALFD4, PPM_SC_UMOUNT2};
+	ASSERT_PPM_SC_CODES_EQ(sc_set, expected_sc_set);
 
-	static std::unordered_set<std::string> sc_set_names_truth = {"accept",
-	"accept4", "execve", "syncfs", "eventfd", "eventfd2", "umount", "umount2",
-	"pipe", "pipe2", "signalfd", "signalfd4"};
-	auto tmp_sc_set = libsinsp::events::names_to_sc_set(std::unordered_set<std::string>{"accept",
-	"execve", "syncfs", "eventfd", "umount", "pipe", "signalfd"});
-	auto sc_set_names = libsinsp::events::sc_set_to_names(tmp_sc_set);
-	ASSERT_NAMES_EQ(sc_set_names_truth, sc_set_names);
+	/* Please note that here we are converting sc_set to sc_names not event_names! */
+	auto sc_names = libsinsp::events::sc_set_to_names(sc_set);	
+	static std::unordered_set<std::string> expected_sc_names = {"accept", "accept4", "execve", "syncfs", "eventfd", "eventfd2", "umount", "pipe", "pipe2", "signalfd", "signalfd4", "umount2"};
+	ASSERT_NAMES_EQ(expected_sc_names, sc_names);
 }
 
 TEST(interesting_syscalls, event_set_to_sc_set)