`evt.rawarg.*` doesn't correctly handle all parameter types

[ekoops]

Describe the bug

The current implementation doesn't support the evaluation of evt.rawarg.* filterchecks for parameters having specific underlying types. Specifically, it throws an exception for the followings:

• PT_PID -> fix: evt.rawarg.* raw val eval for pids, uids, gids and socktuples #2552
• PT_UID -> fix: evt.rawarg.* raw val eval for pids, uids, gids and socktuples #2552
• PT_GID -> fix: evt.rawarg.* raw val eval for pids, uids, gids and socktuples #2552
• PT_BYTEBUF
• PT_SOCKTUPLE -> fix: evt.rawarg.* raw val eval for pids, uids, gids and socktuples #2552
• PT_FDLIST
• PT_SYSCALLID
• PT_SIGTYPE
• PT_DYN
• PT_SIGSET
• PT_CHARBUFARRAY
• PT_CHARBUF_PAIR_ARRAY

How to reproduce it

Use the latest available Falco version and configure it with a rule like the following:

- rule: Connect
  desc: >
    Something
  condition: >
    evt.type = connect and evt.dir='<'
  output: Connect raw arg | socktuple=%evt.rawarg.tuple
  priority: NOTICE

Upon the reception of the first connect exit event, it'll crash and report the following message:

...
Error: wrong param type 13

Expected behaviour

Falco doesn't crash and correctly handles the parameter type.

Screenshots

Environment

• Falco version:

Falco version: 0.41.3
Libs version:  0.21.0
Plugin API:    3.11.0
Engine:        0.50.0
Driver:
  API version:    8.0.0
  Schema version: 3.6.0
  Default driver: 8.1.0+driver

• System info:

{
  "machine": "x86_64",
  "nodename": "ekoops-XPS-15-9530",
  "release": "6.8.0-64-generic",
  "sysname": "Linux",
  "version": "#67~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 24 15:19:46 UTC 2"
}

• Cloud provider or hardware configuration:
• OS: pop-os

• Kernel: 6.8.0-64-generic

• Installation method: source

Additional context

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[ekoops]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[ekoops]

/remove-lifecycle rotten