eBPF
eBPF is a technology that can run programs in a privileged context such as the operating system kernel. It is the successor to the Berkeley Packet Filter (BPF) filtering mechanism in Linux, and is also used in other parts of the Linux kernel as well.
| Original author(s) | Alexei Starovoitov, Daniel Borkmann |
|---|---|
| Developer(s) | Open source community, Meta, Google, Isovalent, Microsoft, Netflix |
| Initial release | 2014 |
| Repository | Linux: git Windows: github |
| Written in | C |
| Operating system | Linux, Windows |
| Type | Runtime system |
| License | Linux: GPL Windows: MIT License |
| Website | ebpf.io |
It is used to safely and efficiently extend the capabilities of the kernel at runtime without requiring changes to kernel source code or loading kernel modules. Safety is provided through an in-kernel verifier which performs static code analysis and rejects programs which crash, hang or otherwise interfere with the kernel negatively.
This validation model differs from sandboxed environments, where the execution environment is restricted and the runtime has no insight about the program. Examples of programs that are automatically rejected are programs without strong exit guarantees (i.e. for/while loops without exit conditions) and programs dereferencing pointers without safety checks.