If you can crash Linux with an eBPF program, many more asses will have fires lit under them than just this one vendor.

heh.. Linus would have a fit :-D

I would wager that even most software developers who understand the difference between kernel and user mode aren't going to be aware there is a "third" address space, which is essentially a highly-restricted and verified byte code virtual machine that runs with limited read-only access to kernel memory

Not that it changes your point, and I could be wrong, but I'm pretty sure eBPF bytecode is typically compiled to native code by the kernel and runs in kernel mode with full privileges. Its safety properties entirely depend on the verifier not having bugs.

No, lots of VMs don't have any JIT and just interpret bytecode with a loop around a big switch statement (e.g. Python before 3.13).

fwiw there's like a billion devices out there with cpus that can run java byte code directly - it's hardly experimental. for example, Jazelle for ARM was very widely deployed

Listed in that wiki, along with the much older Picojava

It's what crowdstrike call it. To run falcon sensor as ebpf, you need to set it up as "user mode" which, I agree with you, is poorly named.

We could call it, I don't know, "Protected Mode"?

It'll never catch on.

Hear me out here: Maybe if we split the address space into various use-specific segments...

Call it Ring 0, 1, 2... for good measure

Let's start with 0 because there won't be anything less than 0. Same when using letters, start with A because things will never get better than A

Is this a good moment to relitigate the Tanenbaum-Torvalds debate?