by mynameisvlad 699 days ago
You’re responding to a hypothetical, not what happened.

Let’s say Linux is the leading OS around the world. How can we be sure that they would actually use eBPF if this was the case?

They would likely choose the fastest option in order to support the platform as quickly as possible. Perhaps eBPF wouldn’t even have existed if they had prioritized Linux support and implemented that first, since Falcon was first released in 2013 and eBPF in 2014.

Switching from kernel mode to eBPF would be quite a lift, so if it wasn’t baked in from the start it likely wouldn’t have been added in after the fact.

A decade’s worth of changes is a lot to confidently say what would have happened. If Linux and macOS were more popular than Windows, it could have been completely different.

This doesn’t even touch on the massive Debian incident CS had earlier this year, which is not a hypothetical.

1 comments

They are using eBPF right now. That suggests that they, like everyone else, see benefits in using a platform feature when it exists.
Last time I checked, CS primarily runs in kernel mode on Linux and only falls back to eBPF if the kernel version is not supported. When in eBPF mode, they call it "Reduced Functionality Mode (RFM)".

Has this changed?