We have a new BPF PoC here: https://github.com/osquery/osquery/pull/7773 Test packages: https://github.com/osquery/osquery/actions/runs/3132085206 TLDR: With BTF (built-in kernel debug symbols, in kernels >= ~5.3) we can now read kernel structures while also respecting the osquery guidelines of having no external dependencies. This means we no longer need to trace a large amount of system calls, which was solved by auto-generating the BPF probes using LLVM IR. The new probes are written in C! We have some additional advantages compared to other solutions, like being able to inspect private kernel types (thanks to the debug info we are parsing). If there is interest and some spare time during the next office hours, I'll briefly walk over this PR and explain what it contains, how it was built and why. It still requires some work, and it's currently marked as an experiment and not a stable feature (more on this in the PR description). As previously stated it is going to require newer kernels, so we may still have to keep the current implementation for a while

Nice, I'll look at it

Most of the code is actually here: https://github.com/trailofbits/linuxevents/blob/main/linuxevents/bpf/src/sched_process_exec.c

I've been using the cgroup name since not all runtimes use cgroup names that make sense other than as an index into some runtime-specific table and it's possible to have mulitple runtimes installed on a single host