Exclude unneeded progs

[erthalion]

Description

Reduce number of bpf programs we include into the final probe. This helps to reduce the probe size, and as a side effect helps fighting debug log truncation due to its large size (it contains relocations for all of those progs).

Checklist

• [x] Investigated and inspected CI test results
• [ ] Updated documentation accordingly

Automated testing

• [ ] Added unit tests
• [ ] Added integration tests
• [ ] Added regression tests

If any of these don't apply, please comment below.

Testing Performed

Manual testing.

[robbycochran]

How do we keep this synchronized when either new system calls are supported in Falco or new system calls are added to collector (progs_in_use)?

[erthalion]

How do we keep this synchronized when either new system calls are supported in Falco or new system calls are added to collector (progs_in_use)?

Good question, @robbycochran. I've described in the commentary how the list was generated, so what we could do to make it easier is to automate this process, maybe load list of used syscalls from an external file during the build as well (not just define in the header), and add a CI check to verify if there are any differences. This way if:

• New syscalls will be added to Falco, they will not be excluded and built into the probe. The CI check will spin up Collector and complain that the list of loaded progs is different from expected. Having this information, we generate it again.
• New syscalls added to Collector. Since we would load the list from the file, the only way to add it would be to add it into the list. This could be automated via a script that will re-generate excluded list as a post-execution step.