by apopapo 156 days ago
> psc uses eBPF iterators to read process and file descriptor information directly from kernel data structures. This bypasses the /proc filesystem entirely, providing visibility that cannot be subverted by userland rootkits or LD_PRELOAD tricks.

Is there a trade-off here?

2 comments

I found this justification dubious. To me the main reason to use eBPF is that it gives more information and is lower overhead.
It requires root
Running eBPF programs doesn't strictly require root.
It requires cap_bpf which is considered a high privileged capability.

So yes, it requires root in the sense of what people mean by root.

You can also enable unprivileged eBPF.
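As an added example (not from anyone in this thread, and not from the psc project), a small Python check for the privilege question raised above: it parses the `CapEff` mask from a `/proc/<pid>/status` file and the `kernel.unprivileged_bpf_disabled` sysctl, and reports whether the process could load BPF iterator programs. The sample status text is constructed, and the capability bit numbers are the ones from the kernel's `capability.h`.

```python
"""Check whether a process could load BPF iterator programs (added example)."""
import re

# Capability bit numbers from include/uapi/linux/capability.h
CAP_SYS_ADMIN = 21
CAP_PERFMON = 38
CAP_BPF = 39

# Constructed sample of a /proc/<pid>/status excerpt for a full-capability root process
SAMPLE_STATUS = "Name:\tpsc\nCapInh:\t0000000000000000\nCapEff:\t000001ffffffffff\n"


def caps_from_capeff(capeff_hex: str) -> set:
    """Return the set of capability bit numbers set in a CapEff hex mask."""
    mask = int(capeff_hex.strip(), 16)
    return {bit for bit in range(64) if (mask >> bit) & 1}


def parse_proc_status(text: str) -> str:
    """Extract the CapEff hex string from /proc/<pid>/status content."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", text, re.MULTILINE)
    if not match:
        raise ValueError("CapEff field not found")
    return match.group(1)


def can_load_bpf_iterators(caps: set, unprivileged_bpf_disabled: int) -> tuple:
    """Decide whether BPF iterator (tracing-type) programs can be loaded.

    Iterators are tracing programs, so they need CAP_BPF plus CAP_PERFMON
    (or CAP_SYS_ADMIN, which implies both). Enabling unprivileged BPF
    (sysctl value 0) only unlocks socket-filter style programs, not tracing.
    """
    if CAP_SYS_ADMIN in caps:
        return True, "CAP_SYS_ADMIN present"
    if CAP_BPF in caps and CAP_PERFMON in caps:
        return True, "CAP_BPF and CAP_PERFMON present"
    if unprivileged_bpf_disabled == 0:
        return False, "unprivileged BPF is enabled, but iterators still need CAP_BPF+CAP_PERFMON"
    return False, "missing capabilities; unprivileged_bpf_disabled=%d" % unprivileged_bpf_disabled


def report(status_text: str, sysctl_value: int) -> tuple:
    """Combine the two inputs into a (can_load, reason) verdict."""
    caps = caps_from_capeff(parse_proc_status(status_text))
    return can_load_bpf_iterators(caps, sysctl_value)


if __name__ == "__main__":
    # On a real host, read /proc/self/status and /proc/sys/kernel/unprivileged_bpf_disabled instead.
    print(report(SAMPLE_STATUS, 2))
```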