by riskable
703 days ago
eBPF isn't "watching the watchers"; it's just a tool that lets other tools access low-level things in the kernel via a very picky sandbox. Think of it like this:

Old way: Load a kernel driver, hook into bazillions of system calls (doing whatever it is you want to do), pray you don't screw anything up (otherwise you can get a panic, though not necessarily--Linux is quite robust).

eBPF way: Just ask eBPF to tell you what you want by giving it some eBPF-specific instructions.

There's a rundown on how it works here: https://ebpf.io/what-is-ebpf/
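To make the "very picky sandbox" concrete, here is an added example (mine, not riskable's and not from ebpf.io) that hand-assembles two tiny eBPF programs and submits them to the kernel through the raw bpf(2) syscall, so the in-kernel verifier is the only thing deciding whether they run. The first program is `r0 = 0; exit`, which the verifier accepts; the second is a bare `exit`, which returns r0 without ever writing it, and the verifier refuses to load it. It assumes Linux and enough privilege to load programs (root, or CAP_BPF); without that the syscall fails with EPERM before the verifier is even consulted. The struct and constant definitions mirror the stable UAPI values from linux/bpf.h so the file builds without kernel headers; `load_prog`, `run_safe` and `run_unsafe` are names I chose for this example.

```c
// Added example: hand-assembled eBPF programs fed to the kernel verifier via
// bpf(2). Assumes Linux; loading needs root or CAP_BPF (else -EPERM).
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_bpf              /* fallback if the libc headers predate bpf(2) */
# if defined(__x86_64__)
#  define __NR_bpf 321
# elif defined(__aarch64__)
#  define __NR_bpf 280
# else
#  error "unknown __NR_bpf for this architecture"
# endif
#endif

/* Stable UAPI values from linux/bpf.h, redefined so this builds without kernel headers. */
#define BPF_PROG_LOAD               5
#define BPF_PROG_TYPE_SOCKET_FILTER 1
#define BPF_ALU64 0x07
#define BPF_MOV   0xb0
#define BPF_K     0x00
#define BPF_JMP   0x05
#define BPF_EXIT  0x90
#define BPF_REG_0 0

struct bpf_insn {          /* one 8-byte eBPF instruction */
    uint8_t code;
    uint8_t dst_reg:4;
    uint8_t src_reg:4;
    int16_t off;
    int32_t imm;
};

/* Leading BPF_PROG_LOAD fields of union bpf_attr; the kernel accepts a
 * shorter attr than its own as long as the omitted tail would be zero. */
struct prog_load_attr {
    uint32_t prog_type;
    uint32_t insn_cnt;
    uint64_t insns;
    uint64_t license;
    uint32_t log_level;
    uint32_t log_size;
    uint64_t log_buf;
    uint32_t kern_version;
    uint32_t prog_flags;
} __attribute__((aligned(8)));

/* r<dst> = imm (64-bit move of an immediate): opcode 0xb7 */
static struct bpf_insn mov64_imm(uint8_t dst, int32_t imm) {
    struct bpf_insn i = { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = dst,
                          .src_reg = 0, .off = 0, .imm = imm };
    return i;
}

/* exit: return r0 to the caller: opcode 0x95 */
static struct bpf_insn exit_insn(void) {
    struct bpf_insn i = { .code = BPF_JMP | BPF_EXIT, .dst_reg = 0,
                          .src_reg = 0, .off = 0, .imm = 0 };
    return i;
}

/* Ask the kernel to load n instructions as a socket filter. Returns the
 * program fd on success, else -errno; the verifier's reasoning lands in log. */
static int load_prog(const struct bpf_insn *insns, uint32_t n,
                     char *log, uint32_t log_len) {
    if (log_len) log[0] = '\0';
    struct prog_load_attr attr = {
        .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
        .insn_cnt  = n,
        .insns     = (uint64_t)(uintptr_t)insns,
        .license   = (uint64_t)(uintptr_t)"GPL",
        .log_level = log_len ? 1 : 0,   /* log_size must be >= 128 when set */
        .log_size  = log_len,
        .log_buf   = (uint64_t)(uintptr_t)log,
    };
    long fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    return fd < 0 ? -errno : (int)fd;
}

/* Safe: r0 is written before exit, so the return value is defined. */
static int run_safe(char *log, uint32_t log_len) {
    struct bpf_insn p[] = { mov64_imm(BPF_REG_0, 0), exit_insn() };
    return load_prog(p, 2, log, log_len);
}

/* Unsafe: exits with r0 never initialised; the verifier rejects it ("R0 !read_ok"). */
static int run_unsafe(char *log, uint32_t log_len) {
    struct bpf_insn p[] = { exit_insn() };
    return load_prog(p, 1, log, log_len);
}

int main(void) {
    char log[4096];
    int fd = run_safe(log, sizeof log);
    printf("safe program:   %s (%s)\n", fd >= 0 ? "loaded" : "rejected",
           fd >= 0 ? "ok" : strerror(-fd));
    if (fd >= 0) close(fd);
    fd = run_unsafe(log, sizeof log);
    printf("unsafe program: %s (%s)\n%s\n", fd >= 0 ? "loaded" : "rejected",
           fd >= 0 ? "ok" : strerror(-fd), log);
    if (fd >= 0) close(fd);
    return 0;
}
```

Run it as root: the first load succeeds and the second fails with EACCES and a verifier log explaining which register was read before being written. Run it unprivileged and both fail with EPERM, which is the other half of the sandbox: nothing gets near the kernel's internals without passing both the capability check and the verifier.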
> …via a very picky sandbox…
When the eBPF is a CrowdStrike mechanism, and eBPF is “picky,” it is clearly “watching the watchers.”