cleanup: refactor submit event functions

[Molter73]

Description

A new event_args_t type is added to group together common arguments used by all submit event functions. This reduces the number of arguments that need to be passed into these functions and make it harder to make mistakes in the ordering of the actual arguments.

While implementing this cleanup, a bug in the order of inodes being passed to submit_rename_event was fixed.

Finally, inode handling has also been simplified by removing the possibility of a NULL inode pointer from being used.

Checklist

• Investigated and inspected CI test results
• Updated documentation accordingly

Automated testing

• Added unit tests
• Added integration tests
• Added regression tests

If any of these don't apply, please comment below.

Testing Performed

This is simply a refactoring PR, CI should be enough to validate it works correctly.

[Molter73]

This PR will cause conflicts with #465 which I'm hoping we can merge tomorrow, so I'll hold off on merging for now.

[JoukoVirtanen]

While looking at the PR, I thought about how we have

args->event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
  if (args->event == NULL) {
    args->metrics->ringbuffer_full++;
    return;
  }

Many times. Perhaps it would be better if this was its own function.

Then we could have something like

__always_inline static bool prepare_event(struct event_args_t* args,
                                          file_activity_type_t type) {
  args->event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
  if (args->event == NULL) {
    args->metrics->ringbuffer_full++;
    return false;
  }
  args->event->type = type;
  return true;
}

__always_inline static void submit_open_event(struct event_args_t* args,
                                              file_activity_type_t event_type) {
  if (!prepare_event(args, event_type)) {
    return;
  }
  __submit_event(args);
}

I think this is outside of the scope of the PR, but something I wanted to mention.

[JoukoVirtanen]

This looks good. I left a couple of comments, but I don't want to block the PR.

[Molter73]

While looking at the PR, I thought about how we have

args->event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
  if (args->event == NULL) {
    args->metrics->ringbuffer_full++;
    return;
  }

Many times. Perhaps it would be better if this was its own function.

Then we could have something like

__always_inline static bool prepare_event(struct event_args_t* args,
                                          file_activity_type_t type) {
  args->event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
  if (args->event == NULL) {
    args->metrics->ringbuffer_full++;
    return false;
  }
  args->event->type = type;
  return true;
}

__always_inline static void submit_open_event(struct event_args_t* args,
                                              file_activity_type_t event_type) {
  if (!prepare_event(args, event_type)) {
    return;
  }
  __submit_event(args);
}

I think this is outside of the scope of the PR, but something I wanted to mention.

This is a good call, I think it is small enough that I can fit it into this PR.

[Molter73]

I'm getting some verifier errors in #487 due to the use_bpf_d_path argument being moved into the struct, seems the verifier no longer realizes it can remove a branch in the d_path implementation, so I'm gonna go back to have it as a separate argument.

CI run with RHCOS verifier error: https://github.com/stackrox/fact/actions/runs/24244378585/job/70786710312?pr=487

[JoukoVirtanen]

LGTM!