[Feature] Replace context structs for tracepoint/syscall programs

[tsint]

Search before asking

• I had searched in the issues and found no similar feature requirement.

Description

Referencing this issue comment, to avoid the impact of buggy kernels, it is recommended to use struct syscall_trace_exit to prevent issues where incorrect offset calculations lead to the verifier rejecting the BPF progs loading.

Use case

replace struct trace_point_common_exit with struct syscall_trace_exit

Related issues

No response

Are you willing to submit a pull request to implement this on your own?

• Yes I am willing to submit a pull request on my own!

Code of Conduct

• I agree to follow this project's Code of Conduct

[wu-sheng]

@mrproliu Here is another proposal.

[mrproliu]

Yes, we can do this. Please go ahead on this, thanks.

[tsint]

Yes, we can do this. Please go ahead on this, thanks.

Don't mention it. The tracepoints for syscalls are quite numerous. To avoid introducing issues with the modifications, I need some additional time to carefully make adjustments.

[wu-sheng]

I could move this as there is not estimated time and plan for this.

[tsint]

I have corrected all the function parameters of the tracepoints, referring to the implementation of the kernel trace module (include/trace/events/) and the modifications in Inspektor Gadget (https://github.com/inspektor-gadget/inspektor-gadget/pull/2546/files#diff-96e60e3018b9a342424db64d9cc8a0f3c3307410932647b7c6e25f5e64c2ef6c).

The parameters based on BTF information ensure that data can be accessed at the correct offset.

A notable case is the modification of syscall group function parameters. Instead of using trace_event_raw_sys_{enter|exit}, the syscall_trace_{enter|exit} is used. This is due to the particularities of syscall calls (as mentioned in the email thread).