Yes to both of those.
The kernel has a bunch of extension points that can run eBPF code in a VM. That code can make decisions for the kernel and/or track events.
eBPF code can do basically any calculation you want, but it can't have infinite loops.
It's loaded as bytecode, with a spec for how it's formatted and what the instructions do and what data structures are built into the VM.
The main benefit is that it runs in the kernel, so it can be triggered very, very often with minimal performance impact.
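
The two points above, a fixed bytecode format and no infinite loops, can be seen together in a small check. This is an added example, not part of the original comment and not kernel code: it walks the 8-byte instruction encoding and reports the first backward jump, a deliberately strict rule (the real verifier is more involved and can accept loops it proves bounded). The name `first_back_edge` and both sample programs are constructed here.

```c
#include <stdint.h>
#include <stddef.h>

/* One 64-bit eBPF instruction slot, same field order as struct bpf_insn. */
struct insn {
    uint8_t opcode;
    uint8_t regs;   /* low nibble = dst_reg, high nibble = src_reg */
    int16_t off;    /* jump offset in instructions, relative to the next one */
    int32_t imm;
};

#define IS_JMP(op) (((op) & 0x07) == 0x05 || ((op) & 0x07) == 0x06)
#define OP_CALL 0x85
#define OP_EXIT 0x95
#define OP_JA32 0x06    /* long unconditional jump: offset is in imm */
#define OP_LDDW 0x18    /* 64-bit immediate load, occupies two slots */

/* Index of the first jump that lands on itself or earlier, or -1 if none. */
int first_back_edge(const struct insn *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t op = p[i].opcode;
        if (op == OP_LDDW) { i++; continue; }   /* skip the second slot */
        if (!IS_JMP(op) || op == OP_CALL || op == OP_EXIT) continue;
        long rel = (op == OP_JA32) ? p[i].imm : p[i].off;
        if (rel < 0) return (int)i;             /* target = i + 1 + rel <= i */
    }
    return -1;
}

/* Constructed sample programs, hand-assembled for this example. */
const struct insn forward_only[] = {
    {0xb7, 0x00,  0,  0},   /* r0 = 0 */
    {0x55, 0x01,  1,  0},   /* if r1 != 0 goto +1 */
    {0xb7, 0x00,  0,  1},   /* r0 = 1 */
    {0x95, 0x00,  0,  0},   /* exit */
};
const struct insn counted_loop[] = {
    {0xb7, 0x00,  0, 10},   /* r0 = 10 */
    {0x17, 0x00,  0,  1},   /* r0 -= 1 */
    {0x55, 0x00, -2,  0},   /* if r0 != 0 goto -2 (back to the subtract) */
    {0x95, 0x00,  0,  0},   /* exit */
};

int main(void)
{
    return (first_back_edge(forward_only, 4) == -1 && first_back_edge(counted_loop, 4) == 2) ? 0 : 1;
}
```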