Overlay FS flags are now sent in existing flags parameter in the open…

… syscall family

Signed-off-by: Eddy Duer <eddy.duer@sysdig.com>

driver/bpf/fillers.h

@@ -99,6 +99,10 @@ static __always_inline struct inode *get_file_inode(struct file *file)
 
 static __always_inline enum ppm_overlay get_overlay_layer(struct file *file)
 {
+	if (!file)
+	{
+		return PPM_NOT_OVERLAY_FS;
+	}
 	struct dentry* dentry = NULL;
 	bpf_probe_read_kernel(&dentry, sizeof(dentry), &file->f_path.dentry);
 	struct super_block* sb = (struct super_block*)_READ(dentry->d_sb);
@@ -404,7 +408,6 @@ FILLER(sys_open_x, true)
 	long retval;
 	int res;
 	struct file *file = NULL;
-	unsigned short fd_flags = 0;
 
 	/* Parameter 1: ret (type: PT_FD) */
 	retval = bpf_syscall_get_retval(data->ctx);
@@ -416,11 +419,22 @@ FILLER(sys_open_x, true)
 	res = bpf_val_to_ring(data, val);
 	CHECK_RES(res);
 
+	bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
+
 	/* Parameter 3: flags (type: PT_FLAGS32) */
 	val = bpf_syscall_get_argument(data, 1);
 	flags = open_flags_to_scap(val);
 	/* update flags if file is created*/	
 	flags |= bpf_get_fd_fmode_created(retval);
+	enum ppm_overlay ol = get_overlay_layer(file);
+	if (ol == PPM_OVERLAY_UPPER)
+	{
+		flags |= PPM_O_F_UPPER_LAYER;
+	}
+	else if (ol == PPM_OVERLAY_LOWER)
+	{
+		flags |= PPM_O_F_LOWER_LAYER;
+	}
 	res = bpf_push_u32_to_ring(data, flags);
 	CHECK_RES(res);
 
@@ -430,30 +444,12 @@ FILLER(sys_open_x, true)
 	res = bpf_push_u32_to_ring(data, mode);
 	CHECK_RES(res);
 
-	bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
-
 	/* Parameter 5: dev (type: PT_UINT32) */
 	res = bpf_push_u32_to_ring(data, (uint32_t)dev);
 	CHECK_RES(res);
 
 	/* Parameter 6: ino (type: PT_UINT64) */
-	res = bpf_push_u64_to_ring(data, (uint64_t)ino);
-	CHECK_RES(res);
-
-	/* Parameter 7: fd_flags (type: PT_FLAGS16) */
-	if (likely(file))
-	{
-		enum ppm_overlay ol = get_overlay_layer(file);
-		if (ol == PPM_OVERLAY_UPPER)
-		{
-			fd_flags |= PPM_FD_UPPER_LAYER;
-		}
-		else if (ol == PPM_OVERLAY_LOWER)
-		{
-			fd_flags |= PPM_FD_LOWER_LAYER;
-		}
-	}
-	return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
+	return bpf_push_u64_to_ring(data, (uint64_t)ino);
 }
 
 FILLER(sys_read_e, true)
@@ -3215,7 +3211,6 @@ FILLER(sys_openat_x, true)
 	int32_t fd;
 	int res;
 	struct file *file = NULL;
-	unsigned short fd_flags = 0;
 
 	retval = bpf_syscall_get_retval(data->ctx);
 	res = bpf_push_s64_to_ring(data, retval);
@@ -3238,6 +3233,8 @@ FILLER(sys_openat_x, true)
 	res = bpf_val_to_ring(data, val);
 	CHECK_RES(res);
 
+	bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
+
 	/*
 	 * Flags
 	 * Note that we convert them into the ppm portable representation before pushing them to the ring
@@ -3246,6 +3243,15 @@ FILLER(sys_openat_x, true)
 	flags = open_flags_to_scap(val);
 	/* update flags if file is created*/	
 	flags |= bpf_get_fd_fmode_created(retval);
+	enum ppm_overlay ol = get_overlay_layer(file);
+	if (ol == PPM_OVERLAY_UPPER)
+	{
+		flags |= PPM_O_F_UPPER_LAYER;
+	}
+	else if (ol == PPM_OVERLAY_LOWER)
+	{
+		flags |= PPM_O_F_LOWER_LAYER;
+	}
 	res = bpf_push_u32_to_ring(data, flags);
 	CHECK_RES(res);
 
@@ -3257,8 +3263,6 @@ FILLER(sys_openat_x, true)
 	res = bpf_push_u32_to_ring(data, mode);
 	CHECK_RES(res);
 
-	bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
-
 	/*
 	 * Device
 	 */
@@ -3268,25 +3272,7 @@ FILLER(sys_openat_x, true)
 	/*
 	 * Ino
 	 */
-	res = bpf_push_u64_to_ring(data, ino);
-	CHECK_RES(res);
-
-	/*
-	 * fd_flags
-	 */
-	if (likely(file))
-	{
-		enum ppm_overlay ol = get_overlay_layer(file);
-		if (ol == PPM_OVERLAY_UPPER)
-		{
-			fd_flags |= PPM_FD_UPPER_LAYER;
-		}
-		else if (ol == PPM_OVERLAY_LOWER)
-		{
-			fd_flags |= PPM_FD_LOWER_LAYER;
-		}
-	}
-	return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
+	return bpf_push_u64_to_ring(data, ino);
 }
 
 FILLER(sys_openat2_e, true)
@@ -3368,7 +3354,6 @@ FILLER(sys_openat2_x, true)
 	int32_t fd;
 	int res;
 	struct file *file = NULL;
-	unsigned short fd_flags = 0;
 #ifdef __NR_openat2
 	struct open_how how;
 #endif
@@ -3411,12 +3396,23 @@ FILLER(sys_openat2_x, true)
 	resolve = 0;
 #endif
 
+	bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
+
 	/*
 	 * flags (extracted from open_how structure)
 	 * Note that we convert them into the ppm portable representation before pushing them to the ring
 	 */
 	/* update flags if file is created*/	
 	flags |= bpf_get_fd_fmode_created(retval);
+	enum ppm_overlay ol = get_overlay_layer(file);
+	if (ol == PPM_OVERLAY_UPPER)
+	{
+		flags |= PPM_O_F_UPPER_LAYER;
+	}
+	else if (ol == PPM_OVERLAY_LOWER)
+	{
+		flags |= PPM_O_F_LOWER_LAYER;
+	}
 	res = bpf_push_u32_to_ring(data, flags);
 	CHECK_RES(res);
 
@@ -3434,8 +3430,6 @@ FILLER(sys_openat2_x, true)
 	res = bpf_push_u32_to_ring(data, resolve);
 	CHECK_RES(res);
 
-	bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
-
 	/*
 	 * dev
 	 */
@@ -3445,31 +3439,15 @@ FILLER(sys_openat2_x, true)
 	/*
 	 * ino
 	 */
-	res = bpf_push_u64_to_ring(data, ino);
-	CHECK_RES(res);
-
-	/*
-	 * fd_flags
-	 */
-	if (likely(file))
-	{
-		enum ppm_overlay ol = get_overlay_layer(file);
-		if (ol == PPM_OVERLAY_UPPER)
-		{
-			fd_flags |= PPM_FD_UPPER_LAYER;
-		}
-		else if (ol == PPM_OVERLAY_LOWER)
-		{
-			fd_flags |= PPM_FD_LOWER_LAYER;
-		}
-	}
-	return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
+	return bpf_push_u64_to_ring(data, ino);
 }
 
 FILLER(sys_open_by_handle_at_x, true)
 {
-	/* Parameter 1: ret (type: PT_FD) */
 	long retval = bpf_syscall_get_retval(data->ctx);
+	struct file *file = bpf_fget(retval);
+
+	/* Parameter 1: ret (type: PT_FD) */
 	int res = bpf_push_s64_to_ring(data, retval);
 	CHECK_RES(res);
 
@@ -3490,6 +3468,15 @@ FILLER(sys_open_by_handle_at_x, true)
 	flags = (uint32_t)open_flags_to_scap(flags);
 	/* update flags if file is created*/	
 	flags |= bpf_get_fd_fmode_created(retval);
+	enum ppm_overlay ol = get_overlay_layer(file);
+	if (ol == PPM_OVERLAY_UPPER)
+	{
+		flags |= PPM_O_F_UPPER_LAYER;
+	}
+	else if (ol == PPM_OVERLAY_LOWER)
+	{
+		flags |= PPM_O_F_LOWER_LAYER;
+	}
 	res = bpf_val_to_ring(data, flags);
 	CHECK_RES(res);
 
@@ -3509,12 +3496,7 @@ FILLER(sys_open_by_handle_at_x, true)
 	CHECK_RES(res);
 
 	/* Parameter 6: ino (type: PT_UINT64) */
-	res = bpf_push_u64_to_ring(data, 0);
-	CHECK_RES(res);
-
-	/* Parameter 7: fd_flags (type: PT_FLAGS16) */
-	return bpf_push_u16_to_ring(data, 0);
-
+	return bpf_push_u64_to_ring(data, 0);
 }
 
 FILLER(open_by_handle_at_x_extra_tail_1, true)
@@ -3548,23 +3530,7 @@ FILLER(open_by_handle_at_x_extra_tail_1, true)
 	CHECK_RES(res);
 
 	/* Parameter 6: ino (type: PT_UINT64) */
-	res = bpf_push_u64_to_ring(data, ino);
-	CHECK_RES(res);
-
-	/* Parameter 7: fd_flags (type: PT_FLAGS16) */
-	if (likely(f))
-	{
-		enum ppm_overlay ol = get_overlay_layer(f);
-		if (ol == PPM_OVERLAY_UPPER)
-		{
-			fd_flags |= PPM_FD_UPPER_LAYER;
-		}
-		else if (ol == PPM_OVERLAY_LOWER)
-		{
-			fd_flags |= PPM_FD_LOWER_LAYER;
-		}
-	}
-	return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
+	return bpf_push_u64_to_ring(data, ino);
 }
 
 FILLER(sys_io_uring_setup_x, true)

driver/event_table.c

@@ -53,7 +53,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_GENERIC_E] = {"syscall", EC_OTHER | EC_SYSCALL, EF_NONE, 2, {{"ID", PT_SYSCALLID, PF_DEC}, {"nativeID", PT_UINT16, PF_DEC} } },
 	[PPME_GENERIC_X] = {"syscall", EC_OTHER | EC_SYSCALL, EF_NONE, 1, {{"ID", PT_SYSCALLID, PF_DEC} } },
 	[PPME_SYSCALL_OPEN_E] = {"open", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } },
-	[PPME_SYSCALL_OPEN_X] = {"open", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
+	[PPME_SYSCALL_OPEN_X] = {"open", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_CLOSE_E] = {"close", EC_IO_OTHER | EC_SYSCALL, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
 	[PPME_SYSCALL_CLOSE_X] = {"close", EC_IO_OTHER | EC_SYSCALL, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	[PPME_SYSCALL_READ_E] = {"read", EC_IO_READ | EC_SYSCALL, EF_USES_FD | EF_READS_FROM_FD, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } },
@@ -359,7 +359,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_MKDIRAT_E] = {"mkdirat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
 	[PPME_SYSCALL_MKDIRAT_X] = {"mkdirat", EC_FILE | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"mode", PT_UINT32, PF_HEX} } },
 	[PPME_SYSCALL_OPENAT_2_E] = {"openat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } },
-	[PPME_SYSCALL_OPENAT_2_X] = {"openat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 8, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
+	[PPME_SYSCALL_OPENAT_2_X] = {"openat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_LINK_2_E] = {"link", EC_FILE | EC_SYSCALL, EF_NONE, 0},
 	[PPME_SYSCALL_LINK_2_X] = {"link", EC_FILE | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA} } },
 	[PPME_SYSCALL_LINKAT_2_E] = {"linkat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
@@ -379,7 +379,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_CONTAINER_JSON_2_E] = {"container", EC_PROCESS | EC_METAEVENT, EF_MODIFIES_STATE | EF_LARGE_PAYLOAD, 1, {{"json", PT_CHARBUF, PF_NA} } }, /// TODO: do we need SKIPPARSERESET flag?
 	[PPME_CONTAINER_JSON_2_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
 	[PPME_SYSCALL_OPENAT2_E] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } },
-	[PPME_SYSCALL_OPENAT2_X] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 9, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
+	[PPME_SYSCALL_OPENAT2_X] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 8, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_MPROTECT_E] = {"mprotect", EC_MEMORY | EC_SYSCALL, EF_NONE, 3, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags} } },
 	[PPME_SYSCALL_MPROTECT_X] = {"mprotect", EC_MEMORY | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	[PPME_SYSCALL_EXECVEAT_E] = {"execveat", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"dirfd", PT_FD, PF_DEC}, {"pathname", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, execveat_flags} } },
@@ -389,7 +389,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_CLONE3_E] = {"clone3", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
 	[PPME_SYSCALL_CLONE3_X] = {"clone3", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 21, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID, PF_DEC}, {"vpid", PT_PID, PF_DEC}, {"pidns_init_start_ts", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_OPEN_BY_HANDLE_AT_E] = {"open_by_handle_at", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
-	[PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {"open_by_handle_at", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"mountfd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"path", PT_FSPATH, PF_NA}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
+	[PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {"open_by_handle_at", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"mountfd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"path", PT_FSPATH, PF_NA}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_IO_URING_SETUP_E] = {"io_uring_setup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
 	[PPME_SYSCALL_IO_URING_SETUP_X] = {"io_uring_setup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 8, {{"res", PT_ERRNO, PF_DEC},  {"entries", PT_UINT32, PF_DEC}, {"sq_entries", PT_UINT32, PF_DEC},{"cq_entries", PT_UINT32, PF_DEC},{"flags", PT_FLAGS32, PF_HEX, io_uring_setup_flags},{"sq_thread_cpu", PT_UINT32, PF_DEC}, {"sq_thread_idle", PT_UINT32, PF_DEC},{"features", PT_FLAGS32, PF_HEX, io_uring_setup_feats}}},
 	[PPME_SYSCALL_IO_URING_ENTER_E] = {"io_uring_enter", EC_IO_OTHER | EC_SYSCALL, EF_NONE, 0},

driver/flags_table.c

@@ -72,6 +72,8 @@ const struct ppm_name_value file_flags[] = {
 	{"O_NONE", PPM_O_NONE},
 	{"O_TMPFILE", PPM_O_TMPFILE},
 	{"O_F_CREATED", PPM_O_F_CREATED},
+	{"O_F_UPPER_LAYER", PPM_O_F_UPPER_LAYER},
+	{"O_F_LOWER_LAYER", PPM_O_F_LOWER_LAYER},
 	{0, 0},
 };
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c

@@ -65,6 +65,15 @@ int BPF_PROG(open_x,
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
+	dev_t dev = 0;
+	uint64_t ino = 0;
+	enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
+
+	if(ret > 0)
+	{
+		extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
+	}
+
 	/* Parameter 1: ret (type: PT_FD) */
 	auxmap__store_s64_param(auxmap, ret);
 
@@ -77,39 +86,26 @@ int BPF_PROG(open_x,
 	uint32_t scap_flags = (uint32_t)open_flags_to_scap(flags);
 	/* update scap flags if file is created */
 	scap_flags |= extract__fmode_created_from_fd(ret);
+	if(ol == PPM_OVERLAY_UPPER)
+	{
+		scap_flags |= PPM_O_F_UPPER_LAYER;
+	}
+	else if(ol == PPM_OVERLAY_LOWER)
+	{
+		scap_flags |= PPM_O_F_LOWER_LAYER;
+	}
 	auxmap__store_u32_param(auxmap, scap_flags);
 
 	/* Parameter 4: mode (type: PT_UINT32) */
 	unsigned long mode = extract__syscall_argument(regs, 2);
 	auxmap__store_u32_param(auxmap, open_modes_to_scap(flags, mode));
 
-	dev_t dev = 0;
-	uint64_t ino = 0;
-	enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
-	uint16_t fd_flags = 0;
-
-	if(ret > 0)
-	{
-		extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
-	}
-
 	/* Parameter 5: dev (type: PT_UINT32) */
 	auxmap__store_u32_param(auxmap, dev);
 
 	/* Parameter 6: ino (type: PT_UINT64) */
 	auxmap__store_u64_param(auxmap, ino);
 
-	/* Parameter 7: fd_flags (type: PT_FLAGS16) */
-	if(ol == PPM_OVERLAY_UPPER)
-	{
-		fd_flags |= PPM_FD_UPPER_LAYER;
-	}
-	else if(ol == PPM_OVERLAY_LOWER)
-	{
-		fd_flags |= PPM_FD_LOWER_LAYER;
-	}
-	auxmap__store_u16_param(auxmap, fd_flags);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);