eBPF isn't "watching the watchers"; it's just a tool that lets other tools access low-level things in the kernel via a very picky sandbox. Think of it like this:
Old way: Load kernel driver, hook into bazillions of system calls (doing whatever it is you want to do), pray you don't screw anything up (otherwise you can get a panic though not necessarily--Linux is quite robust).
eBPF way: Just ask eBPF to tell you what you want by giving it some eBPF-specific instructions.
There's a rundown on how it works here: https://ebpf.io/what-is-ebpf/