aquasecurity · geyslan · Apr 24, 2024 · Apr 15, 2024 · Apr 11, 2024 · Apr 11, 2024
diff --git a/pkg/cmd/cobra/cobra.go b/pkg/cmd/cobra/cobra.go
@@ -247,14 +247,12 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 	}
 	cfg.Output = output.TraceeConfig
 
-	if err != nil {
-		return runner, err
-	}
-	cfg.Output = output.TraceeConfig
-
 	// Create printer
 
-	p, err := printer.NewBroadcast(output.PrinterConfigs, cmd.GetContainerMode(cfg))
+	p, err := printer.NewBroadcast(
+		output.PrinterConfigs,
+		cmd.GetContainerMode(policies.ContainerFilterEnabled(), cfg.NoContainersEnrich),
+	)
 	if err != nil {
 		return runner, err
 	}

diff --git a/pkg/cmd/flags/policy.go b/pkg/cmd/flags/policy.go
@@ -21,8 +21,8 @@ func PrepareFilterMapsFromPolicies(policies []k8s.PolicyInterface) (PolicyScopeM
 		return nil, nil, errfmt.Errorf("no policies provided")
 	}
 
-	if len(policies) > policy.MaxPolicies {
-		return nil, nil, errfmt.Errorf("too many policies provided, there is a limit of %d policies", policy.MaxPolicies)
+	if len(policies) > policy.PolicyMax {
+		return nil, nil, errfmt.Errorf("too many policies provided, there is a limit of %d policies", policy.PolicyMax)
 	}
 
 	policyNames := make(map[string]bool)

diff --git a/pkg/cmd/tracee.go b/pkg/cmd/tracee.go
@@ -120,24 +120,18 @@ func (r Runner) Run(ctx context.Context) error {
 	return err
 }
 
-func GetContainerMode(cfg config.Config) config.ContainerMode {
-	containerMode := config.ContainerModeDisabled
-
-	for it := cfg.Policies.CreateAllIterator(); it.HasNext(); {
-		p := it.Next()
-		if p.ContainerFilterEnabled() {
-			// Container Enrichment is enabled by default ...
-			containerMode = config.ContainerModeEnriched
-			if cfg.NoContainersEnrich {
-				// ... but might be disabled as a safeguard measure.
-				containerMode = config.ContainerModeEnabled
-			}
+func GetContainerMode(containerFilterEnabled, noContainersEnrich bool) config.ContainerMode {
+	if !containerFilterEnabled {
+		return config.ContainerModeDisabled
+	}
 
-			break
-		}
+	// If "no-containers" enrichment is set, return just enabled mode ...
+	if noContainersEnrich {
+		return config.ContainerModeEnabled
 	}
 
-	return containerMode
+	// ... otherwise return enriched mode as default.
+	return config.ContainerModeEnriched
 }
 
 const pidFileName = "tracee.pid"

diff --git a/pkg/cmd/urfave/urfave.go b/pkg/cmd/urfave/urfave.go
@@ -129,7 +129,10 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) {
 	cfg.Policies = policies
 	policy.Snapshots().Store(cfg.Policies)
 
-	broadcast, err := printer.NewBroadcast(output.PrinterConfigs, cmd.GetContainerMode(cfg))
+	broadcast, err := printer.NewBroadcast(
+		output.PrinterConfigs,
+		cmd.GetContainerMode(policies.ContainerFilterEnabled(), cfg.NoContainersEnrich),
+	)
 	if err != nil {
 		return runner, err
 	}

diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -466,7 +466,7 @@ func (t *Tracee) processEvents(ctx context.Context, in <-chan *trace.Event) (
 			}
 
 			// Get a bitmap with all policies containing container filters
-			policiesWithContainerFilter := policies.ContainerFilterEnabled()
+			policiesWithContainerFilter := policies.WithContainerFilterEnabled()
 
 			// Filter out events that don't have a container ID from all the policies that
 			// have container filters. This will guarantee that any of those policies

diff --git a/pkg/ebpf/policy_manager_test.go b/pkg/ebpf/policy_manager_test.go
@@ -83,7 +83,7 @@ func TestPolicyManagerEnableAndDisableRuleConcurrent(t *testing.T) {
 
 	wg.Add(1)
 	go func() {
-		for i := 0; i < policy.MaxPolicies; i++ {
+		for i := 0; i < policy.PolicyMax; i++ {
 			for _, e := range eventsToEnable {
 				policyManager.EnableRule(i, e)
 			}
@@ -93,7 +93,7 @@ func TestPolicyManagerEnableAndDisableRuleConcurrent(t *testing.T) {
 
 	wg.Add(1)
 	go func() {
-		for i := 0; i < policy.MaxPolicies; i++ {
+		for i := 0; i < policy.PolicyMax; i++ {
 			for _, e := range eventsToDisable {
 				policyManager.DisableRule(i, e)
 			}
@@ -103,12 +103,12 @@ func TestPolicyManagerEnableAndDisableRuleConcurrent(t *testing.T) {
 
 	wg.Wait()
 
-	for i := 0; i < policy.MaxPolicies; i++ {
+	for i := 0; i < policy.PolicyMax; i++ {
 		for _, e := range eventsToEnable {
-			assert.True(t, policyManager.IsRuleEnabled(policy.AllPoliciesOn, e))
+			assert.True(t, policyManager.IsRuleEnabled(policy.PolicyAll, e))
 		}
 		for _, e := range eventsToDisable {
-			assert.False(t, policyManager.IsRuleEnabled(policy.AllPoliciesOn, e))
+			assert.False(t, policyManager.IsRuleEnabled(policy.PolicyAll, e))
 		}
 	}
 }
@@ -182,7 +182,7 @@ func TestPolicyManagerEnableAndDisableEventConcurrent(t *testing.T) {
 
 	wg.Add(1)
 	go func() {
-		for i := 0; i < policy.MaxPolicies; i++ {
+		for i := 0; i < policy.PolicyMax; i++ {
 			for _, e := range eventsToEnable {
 				policyManager.EnableEvent(e)
 			}
@@ -192,7 +192,7 @@ func TestPolicyManagerEnableAndDisableEventConcurrent(t *testing.T) {
 
 	wg.Add(1)
 	go func() {
-		for i := 0; i < policy.MaxPolicies; i++ {
+		for i := 0; i < policy.PolicyMax; i++ {
 			for _, e := range eventsToDisable {
 				policyManager.DisableEvent(e)
 			}
@@ -202,7 +202,7 @@ func TestPolicyManagerEnableAndDisableEventConcurrent(t *testing.T) {
 
 	wg.Wait()
 
-	for i := 0; i < policy.MaxPolicies; i++ {
+	for i := 0; i < policy.PolicyMax; i++ {
 		for _, e := range eventsToEnable {
 			assert.True(t, policyManager.IsEventEnabled(e))
 		}

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -779,15 +779,6 @@ func (t *Tracee) initDerivationTable() error {
 	return nil
 }
 
-// RegisterEventDerivation registers an event derivation handler for tracee to use in the event pipeline
-func (t *Tracee) RegisterEventDerivation(deriveFrom events.ID, deriveTo events.ID, deriveCondition func() bool, deriveLogic derive.DeriveFunction) error {
-	if t.eventDerivations == nil {
-		return errfmt.Errorf("tracee not initialized yet")
-	}
-
-	return t.eventDerivations.Register(deriveFrom, deriveTo, deriveCondition, deriveLogic)
-}
-
 // options config should match defined values in ebpf code
 const (
 	optExecEnv uint32 = 1 << iota
@@ -1715,7 +1706,7 @@ func (t *Tracee) triggerMemDumpCall(address uint64, length uint64, eventHandle u
 
 // SubscribeAll returns a stream subscribed to all policies
 func (t *Tracee) SubscribeAll() *streams.Stream {
-	return t.subscribe(policy.AllPoliciesOn)
+	return t.subscribe(policy.PolicyAll)
 }
 
 // Subscribe returns a stream subscribed to selected policies

diff --git a/pkg/policy/ebpf.go b/pkg/policy/ebpf.go
@@ -917,10 +917,10 @@ func (ps *Policies) computePoliciesConfig() *PoliciesConfig {
 		cfg.EnabledScopes |= 1 << offset
 	}
 
-	cfg.UidMax = ps.UIDFilterMax()
-	cfg.UidMin = ps.UIDFilterMin()
-	cfg.PidMax = ps.PIDFilterMax()
-	cfg.PidMin = ps.PIDFilterMin()
+	cfg.UidMax = ps.uidFilterMax
+	cfg.UidMin = ps.uidFilterMin
+	cfg.PidMax = ps.pidFilterMax
+	cfg.PidMin = ps.pidFilterMin
 
 	return cfg
 }
diff --git a/pkg/policy/errors.go b/pkg/policy/errors.go
@@ -9,11 +9,11 @@ func PolicyNilError() error {
 }
 
 func PoliciesMaxExceededError() error {
-	return fmt.Errorf("policies maximum exceeded [%d]", MaxPolicies)
+	return fmt.Errorf("policies maximum exceeded [%d]", PolicyMax)
 }
 
 func PoliciesOutOfRangeError(idx int) error {
-	return fmt.Errorf("policies index [%d] out-of-range [0-%d]", idx, MaxPolicies-1)
+	return fmt.Errorf("policies index [%d] out-of-range [0-%d]", idx, PolicyMax-1)
 }
 
 func PolicyAlreadyExistsError(name string, idx int) error {