Description
Is there an existing issue for this?
- I have searched the existing issues
Is your feature request related to a problem?
Currently, Tetragon limits the number of concurrent policies to 128 in the eBPF program for policy_filter_maps:

```c
#define POLICY_FILTER_MAX_POLICIES 128

struct {
	__uint(type, BPF_MAP_TYPE_HASH_OF_MAPS);
	__uint(max_entries, POLICY_FILTER_MAX_POLICIES);
	__type(key, u32); /* policy id */
	__array(
		values, struct {
			__uint(type, BPF_MAP_TYPE_HASH);
			__uint(max_entries, 1);
			__type(key, __u64); /* cgroup id */
			__type(value, __u8); /* empty */
		});
} policy_filter_maps SEC(".maps");
```
The current cap is too restrictive. Users operating with large policy sets can quickly reach this limit, causing subsequent policies to be dropped or rejected.
Describe the feature you would like
The idea is to make the policy filter map size configurable, as is already done for execve_map.
Describe your proposed solution
- Replace the fixed `__uint(max_entries, POLICY_FILTER_MAX_POLICIES)` with `__uint(max_entries, 1)` in bpf/process/policy_filter.h
- Add a new option flag "policy-filter-map-entries", following the existing implementation of execve-map-entries
- Default the map entries to 128 to remain backward compatible
- Let the agent set `spec.Maps["policy_filter_maps"].MaxEntries` before the program is loaded, based on the new configuration value
This proposal will:
- Remove the static 128-policy cap.
- Enable dynamic scaling of policy capacity and give users the flexibility to configure limits according to their deployment scale.
- Require no verifier or eBPF logic changes.
- Remain backward compatible (defaults remain unchanged).
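The agent-side step of the proposal (resolve the new flag, then rewrite `MaxEntries` before load), as an added example that is not Tetragon's code. `MapSpec` and `CollectionSpec` are constructed stand-ins for the cilium/ebpf types so the example runs without loading BPF objects; the upper bound and the "placeholder must be 1" sanity check are assumptions of this example, not part of the proposal.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-in for cilium/ebpf's MapSpec; the real type also carries
// a MaxEntries uint32 field, which is the one the agent would rewrite.
type MapSpec struct {
	Name       string
	MaxEntries uint32
}

// Constructed stand-in for cilium/ebpf's CollectionSpec (Maps keyed by map name).
type CollectionSpec struct {
	Maps map[string]*MapSpec
}

const (
	policyFilterMapName           = "policy_filter_maps"
	defaultPolicyFilterMapEntries = 128     // today's POLICY_FILTER_MAX_POLICIES stays the default
	maxPolicyFilterMapEntries     = 1 << 16 // hypothetical ceiling; not part of the proposal
)

// ResolvePolicyFilterMapEntries turns the value of the proposed
// --policy-filter-map-entries flag into the outer map size. A zero value
// selects the default so existing deployments keep the 128-policy cap.
func ResolvePolicyFilterMapEntries(flagValue int) (uint32, error) {
	switch {
	case flagValue == 0:
		return defaultPolicyFilterMapEntries, nil
	case flagValue < 0:
		return 0, fmt.Errorf("policy-filter-map-entries must be positive, got %d", flagValue)
	case flagValue > maxPolicyFilterMapEntries:
		return 0, fmt.Errorf("policy-filter-map-entries %d exceeds limit %d", flagValue, maxPolicyFilterMapEntries)
	}
	return uint32(flagValue), nil
}

// ApplyPolicyFilterMapEntries rewrites max_entries of the outer hash-of-maps
// before the program is loaded. As a sanity check it refuses a spec whose map
// does not carry the max_entries=1 placeholder, which would mean the BPF
// object was built from a header that still hard-codes the old size.
func ApplyPolicyFilterMapEntries(spec *CollectionSpec, entries uint32) error {
	m, ok := spec.Maps[policyFilterMapName]
	if !ok {
		return errors.New(policyFilterMapName + " not found in collection spec")
	}
	if m.MaxEntries != 1 {
		return fmt.Errorf("%s has max_entries=%d, expected placeholder 1", policyFilterMapName, m.MaxEntries)
	}
	m.MaxEntries = entries
	return nil
}
```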
Code of Conduct
- I agree to follow this project's Code of Conduct