Tag - 2025 - Dawid Macek

2025

eBPF Policy Enforcement: Marrying Rust, kfuncs and regexes

eBPF offers unparalleled observability into the Linux kernel. Mechanisms such as LSM probes, bpf_override_return and bpf_send_signal extend it beyond a pure visibility provider and give it the power to act as a policy enforcer. However, building sophisticated policies in eBPF is challenging because of the constraints imposed by the verifier, which make complex matching logic difficult to implement. In this post, I’ll explore a generic approach to bridging that gap by bringing the Rust regex library directly into the eBPF context.

Escaping the OS-provided stack

User-space stacks can grow to considerable sizes - megabytes and more - so stack size is rarely a limitation there. It can still become a problem in low-level environments such as kernel space, firmware, and embedded OSes. Such targets typically come with tiny, fixed-size stacks of no more than a few pages of memory. This post explores a last-resort technique to bypass that limitation.

eBPF + LSM: Synchronous execution prevention

LSM (Linux Security Modules) hooks offer a way to synchronously hook certain actions taking place in the Linux kernel. This capability is widely adopted by security products. Since Linux 5.7, these hooks have been available as eBPF probes. Let’s explore a simple use case: blocking execution of pre-configured executables stored on the filesystem.