O_CREAT flag missing in File Flow OpenFlags

[dcarolloz]

Indicate project libsysflow

Describe the bug File Flows OpenFlags sometimes do not report O_CREAT (64) flag

To reproduce Steps to reproduce the behavior:

1. Build and run sf-collector example
2. create a file
3. copy the file to a new file using cp

Expected behavior OpenFlags should report O_CREAT flag usage. In the example, OpenFlags is expected to be > 64.

Environment:

• OS: Ubuntu 20.04.4 LTS
• kernel: 5.4.0-128-generic
• SysFlow version: v0.5.1 (from master branch)
• Configurations: eBPF driver

strace of cp execution

stat("newfile", 0x7fff362a3020)         = -1 ENOENT (No such file or directory)
stat("testfile", {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
newfstatat(AT_FDCWD, "newfile", 0x7fff362a2db0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "testfile", O_RDONLY)  = 3
fstat(3, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
openat(AT_FDCWD, "newfile", O_WRONLY|O_CREAT|O_EXCL, 0664) = 4
fstat(4, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0
mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff6fdc3a000
read(3, "", 131072)                     = 0
close(4)                                = 0
close(3)                                = 0

sf-collector example log

****************************************************************
Header: Exporter , IP , File name 
Process: PID 18755 Creation Time, 1688466601525995515, Exe /usr/bin/cp, Exe Args testfile newfile, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /home/vagrant/newfile
File Flow: TID 18755, OpFlags: 1152, OpenFlags 38, FD 4
****************************************************************

[gentooise]

We are now using the new PPM_O_F_CREATED to detect file creations, on our side we don't need this for now.