Defeating eBPF Uprobe Monitoring (quarkslab.com)
60 points by pcw888 on Sept 8, 2022 | 1 comment



Pretty neat trick. Uprobes are like super-ptrace: they work by creating standard x64 int3 breakpoints, but the kernel handles them internally rather than context switching back to userland with an event. eBPF allows you to attach kernel code to a uprobe to execute logic when one of those breakpoints is hit.

But the probes themselves are just int3 instructions, and userland code can shake them off by unmapping and remapping the memory; what's more, as I understand it, if you remap a uprobe target page writable, the kernel won't re-install breakpoints there.

Net-net: uprobes are useful for monitoring cooperative processes, but right now probably aren't that trustworthy as a sandboxing primitive.
