feat(ebpf): make security_socket_setsockopt not rely on sys_enter/exit

pkg/ebpf/c/tracee.bpf.c

@@ -2815,22 +2815,18 @@ int BPF_KPROBE(trace_security_socket_setsockopt)
     int level = (int) PT_REGS_PARM2(ctx);
     int optname = (int) PT_REGS_PARM3(ctx);
 
-    // Load the arguments given to the setsockopt syscall (which eventually invokes this function)
-    syscall_data_t *sys = &p.task_info->syscall_data;
-    if (sys == NULL) {
-        return -1;
-    }
-
-    if (!p.task_info->syscall_traced)
-        return 0;
-
-    switch (sys->id) {
+    struct pt_regs *task_regs = get_task_pt_regs((struct task_struct *) bpf_get_current_task());
+    int sockfd;
+    u64 sockfd_addr;
+    switch (p.event->context.syscall) {
         case SYSCALL_SETSOCKOPT:
-            save_to_submit_buf(&p.event->args_buf, (void *) &sys->args.args[0], sizeof(u32), 0);
+            sockfd = PT_REGS_PARM1_CORE_SYSCALL(task_regs);
+            save_to_submit_buf(&p.event->args_buf, (void *) &sockfd, sizeof(u32), 0);
             break;
 #if defined(bpf_target_x86) // armhf makes use of SYSCALL_SETSOCKOPT
         case SYSCALL_SOCKETCALL:
-            save_to_submit_buf(&p.event->args_buf, (void *) sys->args.args[1], sizeof(u32), 0);
+            sockfd_addr = PT_REGS_PARM2_CORE_SYSCALL(task_regs);
+            save_to_submit_buf(&p.event->args_buf, (void *) sockfd_addr, sizeof(u32), 0);
             break;
 #endif
         default:

pkg/events/core.go

@@ -11688,10 +11688,6 @@ var CoreEvents = map[ID]Definition{
 		dependencies: Dependencies{
 			probes: []Probe{
 				{handle: probes.SecuritySocketSetsockopt, required: true},
-				{handle: probes.SyscallEnter__Internal, required: true},
-			},
-			tailCalls: []TailCall{
-				{"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Setsockopt)}},
 			},
 		},
 		sets: []string{"lsm_hooks", "net", "net_sock"},