Linux - BPF
Usage
- BPF-LSM: BPF-based Linux Security Module.
- seccomp-bpf: This is a kernel feature that allows a process to restrict its own system calls. With the addition of eBPF, you can create very expressive and dynamic filters to define which syscalls an application is allowed to use and with what arguments. This is a key tool for container runtimes to provide a strong isolation boundary.
- eBPF-based observability tools: A huge part of security is being able to see what's happening on your system. Projects like Falco use eBPF to monitor system calls and other kernel events to detect anomalous behavior. These tools provide deep, in-kernel visibility with minimal performance overhead, which is a significant improvement over traditional auditing systems like auditd.
- Network security with eBPF: Tools like Cilium use eBPF to implement networking and security policies for containerized workloads. By operating directly in the kernel's networking data path, they can perform highly efficient packet filtering and enforce network policies with a deep understanding of application context.
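The seccomp-bpf item above as an added example (not code from this page): a classic-BPF allow-list, which is the instruction set the seccomp filter ABI accepts, that permits only write and exit, kills the process on any other syscall, and checks the ABI before trusting the syscall number. It assumes x86-64 Linux 4.14 or later (for SECCOMP_RET_KILL_PROCESS); build_allowlist, insn_at and install_allowlist are constructed names.

```c
/* Added example, not from the page: minimal seccomp-bpf allow-list. Assumes Linux >= 4.14. */
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define ARCH_NR AUDIT_ARCH_X86_64   /* assumption: the caller runs the x86-64 syscall ABI */

/* Allow the syscall numbers in `allowed`, kill the process on anything else or on a
 * foreign ABI. Writes n + 6 classic-BPF instructions into f and returns the count. */
static size_t build_allowlist(struct sock_filter *f, const int *allowed, size_t n) {
    size_t i = 0;
    /* Check the ABI first: i386/x32 syscall numbers differ from x86-64, so a filter
     * without this check can be sidestepped by issuing a 32-bit syscall. */
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* Load the syscall number; a match jumps over the remaining compares and the
     * KILL straight to ALLOW (offset n - k), a miss falls through to the next compare. */
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)
        f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[k],
                                              (unsigned char)(n - k), 0);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Inspection helper: instruction `i` of the filter built for `allowed`. */
static struct sock_filter insn_at(const int *allowed, size_t n, size_t i) {
    struct sock_filter f[64];
    build_allowlist(f, allowed, n);
    return f[i];
}

/* Install the filter in the calling process. NO_NEW_PRIVS is mandatory for an
 * unprivileged caller and keeps a later setuid exec from running under the filter. */
static int install_allowlist(const int *allowed, size_t n) {
    struct sock_filter insns[64];
    struct sock_fprog prog = { .len = (unsigned short)build_allowlist(insns, allowed, n), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    const int allowed[] = { SYS_write, SYS_exit_group, SYS_exit };
    if (install_allowlist(allowed, 3) != 0) return 1;
    write(1, "write allowed\n", 14);
    getpid();   /* not on the list: the kernel kills the process here with SIGSYS */
    return 0;
}
```

A SECCOMP_RET_KILL_PROCESS verdict also emits an audit record (type=SECCOMP), which is the event detection tooling keys on when a sandboxed process steps outside its allow-list.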
What is BTF
BTF stands for BPF Type Format. It is a metadata format that carries crucial type and debugging information about BPF programs and maps. Think of it as a compact, streamlined version of the debug information (like DWARF) that lets BPF programs be compiled and run more efficiently.