apopapo 15 hours ago

> psc uses eBPF iterators to read process and file descriptor information directly from kernel data structures. This bypasses the /proc filesystem entirely, providing visibility that cannot be subverted by userland rootkits or LD_PRELOAD tricks.

Is there a trade-off here?

mgaunard 14 hours ago | parent | next [-]

I found this justification dubious. To me the main reason to use eBPF is that it gives more information and is lower overhead.

tempay 14 hours ago | parent | prev [-]

It requires root

mgaunard 14 hours ago | parent [-]

Running eBPF programs doesn't strictly require root.

cpuguy83 13 hours ago | parent [-]

It requires cap_bpf, which is considered a highly privileged capability.

So yes, it requires root in the sense of what people mean by root.

mgaunard 9 hours ago | parent [-]

You can also enable unprivileged eBPF.
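
Added example, not part of any comment in this thread and not code from psc: a Python check for the privilege question discussed above, reading the effective capability mask and the `kernel.unprivileged_bpf_disabled` sysctl. The function names and the result labels are hypothetical, and the sample status text is constructed. It assumes iterator programs are tracing-type programs, which the kernel gates on CAP_PERFMON in addition to CAP_BPF (CAP_SYS_ADMIN covers both).

```python
"""Classify what eBPF access a process has (added example)."""
import re

# Capability bit numbers from include/uapi/linux/capability.h
CAP_SYS_ADMIN, CAP_PERFMON, CAP_BPF = 21, 38, 39


def effective_caps(status_text):
    """Parse the CapEff hex mask from /proc/<pid>/status content."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def has_cap(mask, bit):
    return bool((mask >> bit) & 1)


def bpf_access(status_text, unpriv_disabled):
    """Return a hypothetical label for the process's eBPF access.

    unpriv_disabled is the integer in
    /proc/sys/kernel/unprivileged_bpf_disabled (0 = unprivileged use allowed).
    """
    mask = effective_caps(status_text)
    admin = has_cap(mask, CAP_SYS_ADMIN)
    bpf = admin or has_cap(mask, CAP_BPF)
    perfmon = admin or has_cap(mask, CAP_PERFMON)
    if bpf and perfmon:
        return "tracing"              # can load tracing/iterator programs
    if bpf:
        return "bpf-only"             # CAP_BPF without CAP_PERFMON
    if unpriv_disabled == 0:
        return "unprivileged-subset"  # only the few unprivileged program types
    return "none"


# Constructed sample inputs (not captured from a real host).
ROOT = "Name:\tpsc\nCapEff:\t000001ffffffffff\n"
BPF_ONLY = "Name:\tagent\nCapEff:\t0000008000000000\n"
BPF_PERFMON = "Name:\tagent\nCapEff:\t000000c000000000\n"
USER = "Name:\tbash\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/sys/kernel/unprivileged_bpf_disabled") as f:
        sysctl = int(f.read().strip())
    print(bpf_access(status, sysctl))
```

Run against each service account on a host, this shows which processes could load eBPF programs and which are limited to the unprivileged subset or to nothing.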