Change check_syscall_source vma type arguments from flags to a string

docs/docs/events/builtin/extra/check_syscall_source.md

@@ -24,9 +24,7 @@ To reduce noise in cases where code with significant syscall activity is being d
 
 * `syscall`:`int`[K] - the syscall which was invoked from an unusual location. The syscall name is parsed if the `parse-arguments` option is specified.
 * `ip`:`void *`[K] - the address from which the syscall was invoked (instruction pointer of the instruction following the syscall instruction).
-* `is_stack`:`bool`[K] - whether the syscall was invoked from the stack. Mutually exclusive with `is_heap` and `is_anon_vma`.
-* `is_heap`:`bool`[K] - whether the syscall was invoked from the heap. Mutually exclusive with `is_stack` and `is_anon_vma`.
-* `is_anon_vma`:`bool`[K] - whether the syscall was invoked from an anonymous (non-file-backed) VMA. Mutually exclusive with `is_stack` and `is_heap`.
+* `vma_type`:`char *`[K] - the type of the VMA which contains the code that triggered the syscall (one of *stack*/*heap*/*anonymous*)
 
 ## Hooks
 

pkg/ebpf/c/tracee.bpf.c

@@ -5253,15 +5253,26 @@ int BPF_KPROBE(check_syscall_source)
         // This key already exists, no need to submit the same syscall-vma-process combination again
         return 0;
 
-    bool is_stack = vma_type == VMA_STACK;
-    bool is_heap = vma_type == VMA_HEAP;
-    bool is_anon = vma_type == VMA_ANON;
+    char *vma_type_str;
+
+    switch (vma_type) {
+        case VMA_STACK:
+            vma_type_str = "stack";
+            break;
+        case VMA_HEAP:
+            vma_type_str = "heap";
+            break;
+        case VMA_ANON:
+            vma_type_str = "anonymous";
+            break;
+        // shouldn't happen
+        default:
+            return 0;
+    }
 
     save_to_submit_buf(&p.event->args_buf, &syscall, sizeof(syscall), 0);
     save_to_submit_buf(&p.event->args_buf, &ip, sizeof(ip), 1);
-    save_to_submit_buf(&p.event->args_buf, &is_stack, sizeof(is_stack), 2);
-    save_to_submit_buf(&p.event->args_buf, &is_heap, sizeof(is_heap), 3);
-    save_to_submit_buf(&p.event->args_buf, &is_anon, sizeof(is_anon), 4);
+    save_str_to_buf(&p.event->args_buf, vma_type_str, 2);
 
     events_perf_submit(&p, 0);
 

pkg/events/core.go

@@ -13069,9 +13069,7 @@ var CoreEvents = map[ID]Definition{
 		params: []trace.ArgMeta{
 			{Type: "int", Name: "syscall"},
 			{Type: "void*", Name: "ip"},
-			{Type: "bool", Name: "is_stack"},
-			{Type: "bool", Name: "is_heap"},
-			{Type: "bool", Name: "is_anon_vma"},
+			{Type: "char*", Name: "vma_type"},
 		},
 	},
 	//

tests/e2e-inst-signatures/e2e-check_syscall_source.go

@@ -48,34 +48,26 @@ func (sig *e2eCheckSyscallSource) OnEvent(event protocol.Event) error {
 
 	switch eventObj.EventName {
 	case "check_syscall_source":
-		syscall, err := helpers.GetTraceeIntArgumentByName(eventObj, "syscall")
+		syscall, err := helpers.ArgVal[int32](eventObj.Args, "syscall")
 		if err != nil {
 			return err
 		}
-		isStack, err := helpers.ArgVal[bool](eventObj.Args, "is_stack")
-		if err != nil {
-			return err
-		}
-		isHeap, err := helpers.ArgVal[bool](eventObj.Args, "is_heap")
-		if err != nil {
-			return err
-		}
-		isAnonVma, err := helpers.ArgVal[bool](eventObj.Args, "is_anon_vma")
+		vma_type, err := helpers.ArgVal[string](eventObj.Args, "vma_type")
 		if err != nil {
 			return err
 		}
 
 		// check expected values from test for detection
 
-		if syscall != int(events.Exit) {
+		if syscall != int32(events.Exit) {
 			return nil
 		}
 
-		if isStack {
+		if vma_type == "stack" {
 			sig.foundStack = true
-		} else if isHeap {
+		} else if vma_type == "heap" {
 			sig.foundHeap = true
-		} else if isAnonVma {
+		} else if vma_type == "anonymous" {
 			sig.foundAnonVma = true
 		} else {
 			return nil