Fix/create ebpf/userland types

[geyslan]

Description

While working on the proc package, I've encountered an issue again regarding the appropriate types to use for specific fields across Tracee (both in BPF and userspace).

To summarize, focusing on the pid field. In BPF, we retrieve it using bpf_get_current_pid_tgid:
https://elixir.bootlin.com/linux/v6.12.6/source/kernel/bpf/helpers.c#L222

We typically extract pid and tgid as u32 each, which is a misconception induced by the helper function.

In reality, both are defined as pid_t:
https://elixir.bootlin.com/linux/v6.12.6/source/include/linux/sched.h#L1018

pid_t is, in turn, defined as __kernel_pid_t:
https://elixir.bootlin.com/linux/v6.12.6/source/include/linux/types.h#L27

which is an int or s32:
https://elixir.bootlin.com/linux/v6.12.6/source/include/uapi/asm-generic/posix_types.h#L28.

This means we've been treating them as unsigned when they should be signed, or as int in Go which has an unnecessary int64 footprint. Beyond interpreting values incorrectly, this also leads to unnecessary conversions throughout the code.

The kernel itself makes use of pid_t as -1:

https://elixir.bootlin.com/linux/v6.12.6/source/kernel/exit.c#L1832
https://elixir.bootlin.com/linux/v6.12.6/source/kernel/pid_namespace.c#L222
https://elixir.bootlin.com/linux/v6.12.6/source/kernel/trace/trace_functions_graph.c#L1333
...

Additional details

Related:

#4504
#3690
#4484 (comment)
#4353

[geyslan]

This is being addressed through iterative efforts, as 7471ae2 and #4564. @NDStrahilevitz @rscampos FYI.

[yanivagman]

@geyslan #4540 and #4564 were merged into main.
Is there any action item left here or we can close this?

[geyslan]

All ebpf and related userspace code need to be checked again regarding the size and signedness of the types.

--- EDIT

Before we agreed that we should do these fixes opportunistically (when touching types/files with misaligned types).