new(driver): update exit events PPME_SYSCALL_SETRESGID_X with enter params #2474

Merged: poiana merged 2 commits into falcosecurity:master from Nordix:setresgid-exit-event-improvement on Jun 18, 2025

@terror96
Contributor

This update is part of the implementation for disabling support for
syscall enter events. It implements the following steps:

  1. Adds enter parameters to the exit event
  2. Adapt sinsp state to work just with exit events.
  3. Create a scap-file conversion (in a dedicated scap-file converter)
    to convert ENTER events into merged EXIT ones.
  4. Add some tests replaying scap-files.

for the setresgid syscall.

This pull request also adds a missing setgid parsing test file.

What this PR does / why we need it:

This PR is part of #2068.

Does this PR introduce a user-facing change?:

NONE
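
Steps 1 and 3 of the description above, sketched as an added example that is not code from this pull request or from falcosecurity/libs. It is a simplified C++ model: the `Event` struct, `convert()`, the sample stream and the choice to flag an exit that has no stored enter are all assumptions made for illustration.

```cpp
#include <cstdint>
#include <unordered_map>
#include <vector>

// Simplified model, not the libs event structs.
enum EvtType { SETRESGID_E, SETRESGID_X };  // stand-ins for PPME_SYSCALL_SETRESGID_E/_X

struct Event {
    EvtType type;
    uint64_t tid;               // thread that issued the syscall
    int64_t res;                // exit only: syscall return value
    uint32_t rgid, egid, sgid;  // the setresgid(2) arguments
    bool has_args;              // true when rgid/egid/sgid are populated
};

// Turns an old-style ENTER+EXIT stream into exit-only events carrying the args.
std::vector<Event> convert(const std::vector<Event>& in) {
    std::unordered_map<uint64_t, Event> pending;  // last unmatched ENTER per thread
    std::vector<Event> out;
    for (const Event& e : in) {
        if (e.type == SETRESGID_E) {
            pending[e.tid] = e;  // a newer ENTER replaces a stale one
            continue;            // ENTER events are never emitted
        }
        Event merged = e;
        auto it = pending.find(e.tid);
        if (it != pending.end()) {
            merged.rgid = it->second.rgid;
            merged.egid = it->second.egid;
            merged.sgid = it->second.sgid;
            merged.has_args = true;
            pending.erase(it);
        }
        // No stored ENTER (e.g. it was dropped): has_args stays false so a
        // consumer cannot mistake the zeroed fields for gid 0.
        out.push_back(merged);
    }
    return out;
}

// Constructed sample: threads 100 and 200 interleave; thread 300 lost its ENTER.
std::vector<Event> sample_stream() {
    return {
        {SETRESGID_E, 100, 0, 0, 0, 0, true},
        {SETRESGID_E, 200, 0, 1000, 1000, 1000, true},
        {SETRESGID_X, 200, -1, 0, 0, 0, false},
        {SETRESGID_X, 100, 0, 0, 0, 0, false},
        {SETRESGID_X, 300, 0, 0, 0, 0, false},
    };
}
```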

@FedeDP
Contributor

FedeDP commented Jun 12, 2025

/milestone 0.22.0

@poiana added this to the 0.22.0 milestone Jun 12, 2025

@github-actions

github-actions bot commented Jun 12, 2025

Perf diff from master - unit tests

     6.28%     +0.76%  [.] sinsp::next
     2.29%     +0.65%  [.] sinsp_thread_manager::get_thread_ref
    21.16%     -0.63%  [.] sinsp_thread_manager::create_thread_dependencies
     5.36%     -0.33%  [.] sinsp_parser::reset
     0.97%     -0.32%  [.] sinsp_evt::get_ts
     1.03%     +0.25%  [.] sinsp::fetch_next_event
     3.72%     +0.22%  [.] next_event_from_file
     5.37%     +0.22%  [.] sinsp_evt::get_type
     1.41%     +0.22%  [.] next
     0.33%     +0.19%  [.] scap_next

Heap diff from master - unit tests

peak heap memory consumption: -1.73K
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: -118B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            -0.0115         -0.0116           146           144           146           144
BM_sinsp_split_median                                          -0.0118         -0.0120           145           144           145           144
BM_sinsp_split_stddev                                          -0.0415         -0.0421             1             1             1             1
BM_sinsp_split_cv                                              -0.0304         -0.0309             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  -0.0590         -0.0591            62            58            62            58
BM_sinsp_concatenate_paths_relative_path_median                -0.0571         -0.0571            62            58            62            58
BM_sinsp_concatenate_paths_relative_path_stddev                +7.7665         +7.7692             0             2             0             2
BM_sinsp_concatenate_paths_relative_path_cv                    +8.3162         +8.3200             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     +0.0070         +0.0069            24            24            24            24
BM_sinsp_concatenate_paths_empty_path_median                   +0.0063         +0.0062            24            24            24            24
BM_sinsp_concatenate_paths_empty_path_stddev                   +0.9076         +0.8859             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       +0.8943         +0.8730             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.1043         -0.1044            65            58            65            58
BM_sinsp_concatenate_paths_absolute_path_median                -0.0970         -0.0971            65            58            65            58
BM_sinsp_concatenate_paths_absolute_path_stddev                +3.7539         +3.7578             0             2             0             2
BM_sinsp_concatenate_paths_absolute_path_cv                    +4.3076         +4.3126             0             0             0             0

@codecov

codecov bot commented Jun 12, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.99%. Comparing base (71b46c1) to head (88b53e4).
Report is 2 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2474      +/-   ##
==========================================
+ Coverage   77.97%   77.99%   +0.02%     
==========================================
  Files         253      255       +2     
  Lines       31125    31154      +29     
  Branches     4645     4645              
==========================================
+ Hits        24269    24298      +29     
  Misses       6856     6856              
Flag Coverage Δ
libsinsp 77.99% <100.00%> (+0.02%) ⬆️

@terror96 force-pushed the setresgid-exit-event-improvement branch from cf97fe0 to ef51167 June 12, 2025 08:58

@terror96
Contributor Author

I replaced gid_ts with uint32_t, otherwise the Windows build failed.

@FedeDP
Contributor

FedeDP commented Jun 12, 2025

triggered kernel-testing: https://github.com/falcosecurity/libs/actions/runs/15608390780

@terror96 force-pushed the setresgid-exit-event-improvement branch from ef51167 to e2f7022 June 12, 2025 12:01

@github-actions

Please double check driver/SCHEMA_VERSION file. See versioning.

/hold

@terror96
Contributor Author

I replaced _gid_t_s with uint32_t, otherwise the Windows build failed.

And then I made a typo :(

@terror96 force-pushed the setresgid-exit-event-improvement branch 2 times, most recently from de80a69 to 7971369 June 12, 2025 13:24

@ekoops
Contributor

ekoops commented Jun 17, 2025

I re-run the kernel testing CI: https://github.com/falcosecurity/libs/actions/runs/15707488682

@ekoops
Contributor

ekoops commented Jun 17, 2025

Hey @terror96, could you please rebase onto the new libs master? In this way, your branch will include the changes introduced in #2477 and the kernel testing CI will not fail for errors in completely unrelated fillers.

ekoops previously approved these changes Jun 17, 2025

@ekoops (Contributor) left a comment

/approve
/hold

@poiana
Contributor

poiana commented Jun 17, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops, terror96

@poiana
Contributor

poiana commented Jun 17, 2025

LGTM label has been added.

Git tree hash: 6905844468cceaef943d6e105ff94236551a81cd

terror96 added 2 commits June 18, 2025 09:07
Signed-off-by: Tero Kauppinen <tero.kauppinen@est.tech>
…arams

This update is part of the implementation for disabling support for
syscall enter events. It implements the following steps:

1. Adds enter parameters to the exit event
2. Adapt sinsp state to work just with exit events.
3. Create a scap-file conversion (in a dedicated scap-file converter)
   to convert ENTER events into merged EXIT ones.
4. Add some tests replaying scap-files.

for the setresgid syscall.

Signed-off-by: Tero Kauppinen <tero.kauppinen@est.tech>
@terror96 force-pushed the setresgid-exit-event-improvement branch from 5ee7a4d to 88b53e4 June 18, 2025 06:10
@poiana removed the lgtm label Jun 18, 2025
@poiana requested a review from ekoops June 18, 2025 06:10

@ekoops
Contributor

ekoops commented Jun 18, 2025

Kernel testing CI re-run: https://github.com/falcosecurity/libs/actions/runs/15726646968

@ekoops
Contributor

ekoops commented Jun 18, 2025

arm64:

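| KERNEL | CMAKE-CONFIGURE | KMOD BUILD | KMOD SCAP-OPEN | BPF-PROBE BUILD | BPF-PROBE SCAP-OPEN | MODERN-BPF SCAP-OPEN |
|---|---|---|---|---|---|---|
| amazonlinux2-5.4 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| amazonlinux2022-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| fedora-6.2 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| oraclelinux-4.14 | 🟢 | 🟢 | 🟢 | 🟡 | 🟡 | 🟡 |
| oraclelinux-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| ubuntu-6.5 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |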

amd64:

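| KERNEL | CMAKE-CONFIGURE | KMOD BUILD | KMOD SCAP-OPEN | BPF-PROBE BUILD | BPF-PROBE SCAP-OPEN | MODERN-BPF SCAP-OPEN |
|---|---|---|---|---|---|---|
| amazonlinux2-4.19 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| amazonlinux2-5.10 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| amazonlinux2-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| amazonlinux2-5.4 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| amazonlinux2022-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| amazonlinux2023-6.1 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| archlinux-6.0 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| archlinux-6.7 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| centos-3.10 | 🟢 | 🟢 | 🟢 | 🟡 | 🟡 | 🟡 |
| centos-4.18 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| centos-5.14 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| fedora-5.17 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| fedora-5.8 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| fedora-6.2 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| oraclelinux-3.10 | 🟢 | 🟢 | 🟢 | 🟡 | 🟡 | 🟡 |
| oraclelinux-4.14 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| oraclelinux-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| oraclelinux-5.4 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| ubuntu-4.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| ubuntu-5.8 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| ubuntu-6.5 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |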

@poiana added the lgtm label Jun 18, 2025

@poiana
Contributor

poiana commented Jun 18, 2025

LGTM label has been added.

Git tree hash: 8431dc6d728bdb5b43f6210992def7a2ee94d5f0

@ekoops
Contributor

ekoops commented Jun 18, 2025

/unhold

@github-project-automation bot moved this from Todo to In progress in Falco Roadmap Jun 18, 2025
@poiana merged commit 5830040 into falcosecurity:master Jun 18, 2025
64 of 65 checks passed
@github-project-automation bot moved this from In progress to Done in Falco Roadmap Jun 18, 2025
@terror96 deleted the setresgid-exit-event-improvement branch June 18, 2025 08:33
@leogr modified the milestones: 0.22.0, 9.0.0+driver Oct 16, 2025