bug(syscalls): not receiving events for audited syscalls #1269

Open
DelusionalOptimist opened this issue Jun 16, 2023 · 3 comments · Fixed by #1273
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@DelusionalOptimist
Member

DelusionalOptimist commented Jun 16, 2023

NOTE: This bug is also causing frequent failures in ginkgo tests for docker.

Bug Report

General Information

  • Environment description: k3s with docker
     vagrant@kubearmor-dev-next:~/accuknox/KubeArmor/tests$ k3s --version
     k3s version v1.23.9+k3s1 (f45cf326)
     go version go1.17.5
     vagrant@kubearmor-dev-next:~/accuknox/KubeArmor/tests$ docker --version
     Docker version 20.10.13, build a224086
    
  • Kernel version: Linux kubearmor-dev-next 5.15.0-46-generic #49-Ubuntu SMP Thu Aug 4 18:03:25 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  • Orchestration system version in use:
     Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.9+k3s1", GitCommit:"f45cf3267307b153ed8b418ae5b8ea6c6b9ebaca", GitTreeState:"clean", BuildDate:"2022-07-19T00:42:17Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"linux/amd64"}
    
    
  • Link to relevant artifacts (policies, deployments scripts, ...)
  • Target containers/pods

To Reproduce

  1. Deploy kubearmor using https://github.com/kubearmor/KubeArmor/blob/main/KubeArmor/build/kubearmor-test-docker.yaml - the kubearmor args in this are a possible cause.
  2. Try to generate some events. Generally running ksp test suite should be fine.
    cd tests/
    ginkgo --flake-attempts=5 ksp/ syscalls/
    
  3. In the above, syscall test suite might fail. If it doesn't, run karmor logs --gRPC=:32767 --operation=syscall --logFilter=all, try to exec into one of the multiubuntu pods created by the above and run:
    cp `which unlink` /unlink
    touch /dummy
    unlink /dummy
    
  4. You won't get a log for syscall=SYS_UNLINK. However, other syscall logs like SETUID, SETGID would be working fine.

Expected behavior

Should receive logs for audited syscalls.

@DelusionalOptimist DelusionalOptimist added the bug Something isn't working label Jun 16, 2023
@DelusionalOptimist DelusionalOptimist self-assigned this Jun 16, 2023
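
An added example, not part of the issue or of KubeArmor's code: a small checker that reads captured log lines and reports which audited syscalls produced no event, which is the symptom described in step 4. It assumes the logs were captured as JSON lines from `karmor logs`; the field names (`Operation`, `Data`, `PodName`) and the sample lines are assumptions constructed for illustration.

```python
import json

# Constructed sample input. The JSON shape (Operation / Data / PodName) is an
# assumption about the captured log format, not something stated in the issue.
SAMPLE_LOGS = """\
{"PodName": "ubuntu-1-example", "Operation": "Syscall", "Data": "syscall=SYS_SETUID userid=0"}
{"PodName": "ubuntu-1-example", "Operation": "Syscall", "Data": "syscall=SYS_SETGID"}
{"PodName": "ubuntu-1-example", "Operation": "File", "Data": "syscall=SYS_OPENAT fd=-100"}
not-json: banner or truncated line from the stream
{"PodName": "ubuntu-1-example", "Operation": "Syscall"}
"""


def parse_data(data):
    """Split a 'key=value key=value' Data string into a dict."""
    fields = {}
    for token in data.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def seen_syscalls(lines):
    """Return {syscall_name: event_count} for events whose Operation is Syscall."""
    counts = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        if str(event.get("Operation", "")).lower() != "syscall":
            continue  # file/process/network events are not syscall audits
        name = parse_data(str(event.get("Data", ""))).get("syscall")
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


def missing_syscalls(lines, expected):
    """Return the audited syscalls that never appeared in the captured logs."""
    return sorted(set(expected) - set(seen_syscalls(lines)))


if __name__ == "__main__":
    audited = ["SYS_UNLINK", "SYS_SETUID", "SYS_SETGID"]
    print("missing:", missing_syscalls(SAMPLE_LOGS.splitlines(), audited))
```
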
@rksharma95
Collaborator

syscall test suite is passing in CI for k3s+docker env. https://github.com/kubearmor/KubeArmor/actions/runs/5320142460/jobs/9633972722

@DelusionalOptimist
Member Author

DelusionalOptimist commented Jun 20, 2023

@rksharma95 yes, they don't fail all the time. However, they fail a lot. See the attempts for this commit for example - https://github.com/kubearmor/KubeArmor/actions/runs/5241501424. Also check out the ginkgo test runs for the main branch; you'll notice that they mostly fail while running the syscalls suite - https://github.com/kubearmor/KubeArmor/actions/workflows/ci-test-ginkgo.yml?query=branch%3Amain
I've also been able to reproduce it locally. Wasn't getting any logs for the SYS_UNLINK syscall. However, one needs to generate some events before it happens.

@daemon1024
Member

Keeping it open, since it's not properly fixed
