update(driver): add support to openat2 syscall

[jasondellaluce]

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area driver-kmod

/area driver-ebpf

/area libscap

/area libsinsp

What this PR does / why we need it:
This adds support for the openat2 system call, along with its transformation flags.

Which issue(s) this PR fixes:
falcosecurity/falco#676

Does this PR introduce a user-facing change?:

update(driver): add support to openat2 syscall

[poiana]

Welcome @jasondellaluce! It looks like this is your first PR to falcosecurity/libs 🎉

[poiana]

Hi @jasondellaluce. Thanks for your PR.

I'm waiting for a falcosecurity member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ghost]

Sorry for nitpicking but I think that it shouldn't say "Fixes falcosecurity/falco#676" otherwise poiana would close the issue if this PR is merged I think

[leogr]

/ok-to-test

[gnosek]

LGTM! The event names are unfortunate since we have both OPENAT2_[EX] and OPENAT_2_[EX] but I can't see a way around this.

Also, I know openat2 has been added in 5.6 and there's no struct open_how before, but is there e.g. a #define we could use instead of checking the kernel version? Just wondering, but I expect RHEL to backport this syscall into some 2.6.32 or other :D Maybe even #ifdef __NR_openat2 or similar? I rather like the idea of supporting the syscall even if the kernel does not, makes things simpler overall.

[poiana]

LGTM label has been added.

Git tree hash: 02656adf0ed466acef84a0ef2193e5652528430a

[leogr]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jasondellaluce, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[leogr]

Hey @jasondellaluce

Could you rebase, please?

Thanks in advance 🙏

[leogr]

approved again

[poiana]

LGTM label has been added.

Git tree hash: 792ee114700e915d668195cc296879f80f446595