aquasecurity · yanivagman · Nov 5, 2024 · Aug 14, 2025 · Aug 14, 2025
diff --git a/go.mod b/go.mod
@@ -4,6 +4,8 @@ go 1.24
 
 toolchain go1.24.2
 
+replace github.com/aquasecurity/tracee/types => ./types
+
 require (
 	github.com/IBM/fluent-forward-go v0.3.0
 	github.com/Masterminds/sprig/v3 v3.3.0

diff --git a/go.sum b/go.sum
@@ -407,8 +407,6 @@ github.com/aquasecurity/tracee/api v0.0.0-20250423121028-213b81a1b8f5 h1:zseTkmE
 github.com/aquasecurity/tracee/api v0.0.0-20250423121028-213b81a1b8f5/go.mod h1:fCLvZ7yle7SJoMNFSUCNVZo6Qf6xWXUmP0isGvRrIL8=
 github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20250423143044-dcfcaf219805 h1:ZvXdP2rPm+7fTS102MAz/TcW++KalkMVIgQF0x3x5rQ=
 github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20250423143044-dcfcaf219805/go.mod h1:yftFWA6fBKn0r2gCmO8DYKKSpaZjt/LYK7QgUF9XENo=
-github.com/aquasecurity/tracee/types v0.0.0-20250624132442-3fa6c15acc67 h1:APUSeNvyugFPBMNqDATTPXti5Ry2jiHy72JZD3hvikg=
-github.com/aquasecurity/tracee/types v0.0.0-20250624132442-3fa6c15acc67/go.mod h1:Garhl9pem8cnEgD0iHHwGcHn2HD5dteENk3YcOBPYU4=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=

diff --git a/pkg/bufferdecoder/decoder.go b/pkg/bufferdecoder/decoder.go
@@ -159,8 +159,8 @@ func (decoder *EbpfDecoder) DecodeContext(eCtx *EventContext) error {
 	eCtx.Retval = int64(binary.LittleEndian.Uint64(decoder.buffer[offset+120 : offset+128]))
 	eCtx.StackID = binary.LittleEndian.Uint32(decoder.buffer[offset+128 : offset+132])
 	eCtx.ProcessorId = binary.LittleEndian.Uint16(decoder.buffer[offset+132 : offset+134])
-	eCtx.PoliciesVersion = binary.LittleEndian.Uint16(decoder.buffer[offset+134 : offset+136])
-	eCtx.MatchedPolicies = binary.LittleEndian.Uint64(decoder.buffer[offset+136 : offset+144])
+	eCtx.RulesVersion = binary.LittleEndian.Uint16(decoder.buffer[offset+134 : offset+136])
+	eCtx.MatchedRules = binary.LittleEndian.Uint64(decoder.buffer[offset+136 : offset+144])
 	// event_context end
 
 	decoder.cursor += eCtx.GetSizeBytes()

diff --git a/pkg/bufferdecoder/decoder_test.go b/pkg/bufferdecoder/decoder_test.go
@@ -40,8 +40,8 @@ func TestDecodeContext(t *testing.T) {
 		Retval:          0,
 		StackID:         0,
 		ProcessorId:     5,
-		PoliciesVersion: 11,
-		MatchedPolicies: 1917,
+		RulesVersion:    11,
+		MatchedRules:    1917,
 	}
 	err := binary.Write(buf, binary.LittleEndian, eCtxExpected)
 	assert.Equal(t, nil, err)

diff --git a/pkg/bufferdecoder/protocol.go b/pkg/bufferdecoder/protocol.go
@@ -43,13 +43,13 @@ type EventContext struct {
 	ParentStartTime uint64
 	// task_context end
 
-	EventID         events.ID // int32
-	Syscall         int32
-	Retval          int64
-	StackID         uint32
-	ProcessorId     uint16
-	PoliciesVersion uint16
-	MatchedPolicies uint64
+	EventID      events.ID // int32
+	Syscall      int32
+	Retval       int64
+	StackID      uint32
+	ProcessorId  uint16
+	RulesVersion uint16
+	MatchedRules uint64
 }
 
 func (EventContext) GetSizeBytes() int {

diff --git a/pkg/cmd/flags/policy.go b/pkg/cmd/flags/policy.go
@@ -20,10 +20,6 @@ func PrepareFilterMapsFromPolicies(policies []k8s.PolicyInterface) (PolicyScopeM
 		return nil, nil, errfmt.Errorf("no policies provided")
 	}
 
-	if len(policies) > policy.PolicyMax {
-		return nil, nil, errfmt.Errorf("too many policies provided, there is a limit of %d policies", policy.PolicyMax)
-	}
-
 	policyNames := make(map[string]bool)
 
 	for pIdx, p := range policies {
@@ -111,7 +107,7 @@ func CreatePolicies(policyScopeMap PolicyScopeMap, policyEventsMap PolicyEventMa
 			return nil, InvalidFlagEmpty()
 		}
 
-		pol, err := createSinglePolicy(policyIdx, policyScope, policyEvents, newBinary)
+		pol, err := createSinglePolicy(policyScope, policyEvents, newBinary)
 		if err != nil {
 			return nil, err
 		}
@@ -121,9 +117,8 @@ func CreatePolicies(policyScopeMap PolicyScopeMap, policyEventsMap PolicyEventMa
 	return policies, nil
 }
 
-func createSinglePolicy(policyIdx int, policyScope policyScopes, policyEvents policyEvents, newBinary bool) (*policy.Policy, error) {
+func createSinglePolicy(policyScope policyScopes, policyEvents policyEvents, newBinary bool) (*policy.Policy, error) {
 	p := policy.NewPolicy()
-	p.ID = policyIdx
 	p.Name = policyScope.policyName
 
 	if err := parseScopeFilters(p, policyScope.scopeFlags, newBinary); err != nil {

diff --git a/pkg/cmd/flags/policy_test.go b/pkg/cmd/flags/policy_test.go
@@ -2161,7 +2161,6 @@ func TestCreateSinglePolicy(t *testing.T) {
 			},
 			wantPolicy: func() *policy.Policy {
 				p := policy.NewPolicy()
-				p.ID = 1
 				p.Name = "test-policy"
 				p.CommFilter = filters.NewStringFilter(nil)
 				_ = p.CommFilter.Parse("=bash")
@@ -2209,7 +2208,6 @@ func TestCreateSinglePolicy(t *testing.T) {
 			},
 			wantPolicy: func() *policy.Policy {
 				p := policy.NewPolicy()
-				p.ID = 2
 				p.Name = "multi-filter"
 				p.UIDFilter = filters.NewUInt32Filter()
 				_ = p.UIDFilter.Parse("=1000")
@@ -2239,7 +2237,7 @@ func TestCreateSinglePolicy(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
-			got, err := createSinglePolicy(tc.policyIdx, tc.scope, tc.events, tc.newBinary)
+			got, err := createSinglePolicy(tc.scope, tc.events, tc.newBinary)
 
 			if tc.wantErr != nil {
 				require.Error(t, err)

diff --git a/pkg/ebpf/c/common/context.h b/pkg/ebpf/c/common/context.h
@@ -15,7 +15,6 @@ statfunc void init_proc_info_scratch(u32, scratch_t *);
 statfunc proc_info_t *init_proc_info(u32, u32);
 statfunc void init_task_info_scratch(u32, scratch_t *);
 statfunc task_info_t *init_task_info(u32, u32);
-statfunc event_config_t *get_event_config(u32, u16);
 statfunc int init_program_data(program_data_t *, void *, u32);
 statfunc int init_tailcall_program_data(program_data_t *, void *);
 statfunc bool reset_event(event_data_t *, u32);
@@ -103,16 +102,6 @@ statfunc task_info_t *init_task_info(u32 tid, u32 scratch_idx)
     return bpf_map_lookup_elem(&task_info_map, &tid);
 }
 
-statfunc event_config_t *get_event_config(u32 event_id, u16 policies_version)
-{
-    // TODO: we can remove this extra lookup by moving to per event rules_version
-    void *inner_events_map = bpf_map_lookup_elem(&events_map_version, &policies_version);
-    if (inner_events_map == NULL)
-        return NULL;
-
-    return bpf_map_lookup_elem(inner_events_map, &event_id);
-}
-
 // clang-format off
 statfunc int init_program_data(program_data_t *p, void *ctx, u32 event_id)
 {
@@ -182,31 +171,20 @@ statfunc int init_program_data(program_data_t *p, void *ctx, u32 event_id)
         }
     }
 
-    if (unlikely(p->event->context.policies_version != p->config->policies_version)) {
-        // copy policies_config to event data
-        long ret = bpf_probe_read_kernel(
-            &p->event->policies_config, sizeof(policies_config_t), &p->config->policies_config);
-        if (unlikely(ret != 0))
-            return 0;
-
-        p->event->context.policies_version = p->config->policies_version;
-    }
+    event_config_t *event_config = bpf_map_lookup_elem(&events_config_map, &event_id);
+    if (unlikely(event_config == NULL))
+        return 0;
 
-    // default to match all policies until an event is selected
-    p->event->config.submit_for_policies = ~0ULL;
+    // copy event config to event data so we can have a constant event config across the program execution
+    // we do this since event configuration might be updated by userspace
+    long ret = bpf_probe_read_kernel(&p->event->config, sizeof(event_config_t), event_config);
+    if (unlikely(ret != 0))
+        return 0;
 
-    if (event_id != NO_EVENT_SUBMIT) {
-        p->event->config.submit_for_policies = 0;
-        event_config_t *event_config = get_event_config(event_id, p->event->context.policies_version);
-        if (event_config != NULL) {
-            p->event->config.field_types = event_config->field_types;
-            p->event->config.submit_for_policies = event_config->submit_for_policies;
-            p->event->config.data_filter = event_config->data_filter;
-        }
-    }
+    p->event->context.rules_version = p->event->config.rules_version;
 
-    // initialize matched_policies to the policies that actually requested this event
-    p->event->context.matched_policies = p->event->config.submit_for_policies;
+    // initialize active_rules to the rules that actually requested this event
+    p->event->context.active_rules = p->event->config.submit_for_rules;
 
     return 1;
 }
@@ -254,16 +232,17 @@ statfunc bool reset_event(event_data_t *event, u32 event_id)
 {
     event->context.eventid = event_id;
     reset_event_args_buf(event);
-    event->config.submit_for_policies = ~0ULL;
 
-    event_config_t *event_config = get_event_config(event_id, event->context.policies_version);
-    if (event_config == NULL)
+    event_config_t *event_config = bpf_map_lookup_elem(&events_config_map, &event_id);
+    if (unlikely(event_config == NULL))
+        return false;
+
+    long ret = bpf_probe_read_kernel(&event->config, sizeof(event_config_t), event_config);
+    if (unlikely(ret != 0))
         return false;
 
-    event->config.field_types = event_config->field_types;
-    event->config.submit_for_policies = event_config->submit_for_policies;
-    event->context.matched_policies = event_config->submit_for_policies;
-    event->config.data_filter = event_config->data_filter;
+    event->context.rules_version = event->config.rules_version;
+    event->context.active_rules = event->config.submit_for_rules;
 
     return true;
 }