I think there's a TOCTOU in the execveat example of ebpfpub, though there shouldn't be an issue if you use the tracepoint like in linuxevents

Do you mean the kprobe_execsnoop example? I think we are always somehow subject to race conditions, especially when walking dentry structures (because we can't acquire locks from BPF)

Yes, that's what I'm talking about