So a couple of additional notes on the matter
1. We should rename exit_code to syscall_exit_code or something else that better describes the meaning of that value
2. It is possible to capture the program exit code, but that requires additional tracing (exit and exit_group). If you think it could be useful, we could open a feature request/blueprint
3. In the case of Audit, when receiving SYSCALL events we discard everything if the 'success' field is not set to 'yes'. This means that failed execve/execveat should never appear under Audit. I think that BPF should follow what Audit is doing here