fix(ebpf): kernel data filter combine bitmap

pkg/ebpf/c/common/filtering.h

@@ -357,6 +357,9 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
     u64 explicit_disable_policies = 0;
     u64 explicit_enable_policies = 0;
     u64 default_enable_policies = 0;
+    // Determine policies that do not use any type of string filter (exact, prefix, suffix)
+    u64 mask_no_str_filter_policies =
+        ~str_filter->exact_enabled & ~str_filter->prefix_enabled & ~str_filter->suffix_enabled;
     void *filter_map = NULL;
 
     // event ID
@@ -434,8 +437,11 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
     // 2. Default Enabled Policies: Policies that are enabled by default (default_enable_policies)
     // remain enabled only if they are not explicitly disabled (explicit_disable_policies).
     res = explicit_enable_policies | (default_enable_policies & ~explicit_disable_policies);
+    // Combine policies that use string filters with those that do not
+    res |= mask_no_str_filter_policies;
 
-    return res;
+    // Make sure only enabled policies are set in the bitmap (other bits are invalid)
+    return res & policies_cfg->enabled_policies;
 }
 
 statfunc bool evaluate_scope_filters(program_data_t *p)

tests/integration/event_filters_test.go

@@ -1950,6 +1950,142 @@ func Test_EventFilters(t *testing.T) {
 			coolDown:     0,
 			test:         ExpectAtLeastOneForEach,
 		},
+		{
+			name: "comm: event: data: trace event security_file_open set in multiple policies (with and without in-kernel filter)",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "sfo-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							Scope: []string{
+								"comm=more",
+							},
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_file_open",
+									Filters: []string{
+										"data.syscall_pathname=/sys/class/dmi/id*",
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					Id: 2,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "sfo-pol-2",
+						},
+						Spec: k8s.PolicySpec{
+							Scope: []string{
+								"comm=more",
+							},
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_file_open",
+									Filters: []string{
+										"data.pathname=/etc/pam.d/*",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"more /sys/class/dmi/id/bios_date",
+					0,
+					1*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "more", testutils.CPUForTests, anyPID, 0, events.SecurityFileOpen, orPolNames("sfo-pol-1"), orPolIDs(1), expectArg("syscall_pathname", "/sys/class/dmi/id/bios_date")),
+					},
+					[]string{},
+				),
+				newCmdEvents(
+					"more /etc/pam.d/other",
+					0,
+					1*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "more", testutils.CPUForTests, anyPID, 0, events.SecurityFileOpen, orPolNames("sfo-pol-2"), orPolIDs(2), expectArg("pathname", "/etc/pam.d/other")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown:     0,
+			test:         ExpectAtLeastOneForEach,
+		},
+		{
+			name: "comm: event: data: trace event security_file_open set in multiple policies (with and without in-kernel filter) mixed in same policy",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "sfo-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							Scope: []string{
+								"comm=more",
+							},
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_file_open",
+									Filters: []string{
+										"data.pathname=/sys/devices/virtual/dmi/id*",
+										"data.syscall_pathname=/sys/class/dmi/id*",
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					Id: 2,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "sfo-pol-2",
+						},
+						Spec: k8s.PolicySpec{
+							Scope: []string{
+								"comm=more",
+							},
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_file_open",
+									Filters: []string{
+										"data.pathname=/etc/pam.d/*",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"more /sys/class/dmi/id/bios_date",
+					0,
+					1*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "more", testutils.CPUForTests, anyPID, 0, events.SecurityFileOpen, orPolNames("sfo-pol-1"), orPolIDs(1), expectArg("pathname", "/sys/devices/virtual/dmi/id/bios_date")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown:     0,
+			test:         ExpectAtLeastOneForEach,
+		},
 		{
 			name: "comm: event: data: trace event security_mmap_file using multiple filter types",
 			policyFiles: []testutils.PolicyFileWithID{