CO-RE (Compile Once – Run Everywhere)
CO-RE (Compile Once – Run Everywhere) is the eBPF portability mechanism that lets a single compiled eBPF program adjust to the kernel it's being loaded on — by patching field offsets, type information, and feature probes at load time using BTF (BPF Type Format) metadata provided by the kernel.
Before CO-RE, eBPF programs had to be compiled per-target-kernel (usually via BCC / runtime LLVM compilation on the target host) — heavy dependency, slow startup, brittle across distributions.
Why it matters
task_struct alone has undergone so many layout changes over the
years that fields like pid / tgid have no fixed offset. Any
eBPF program that reads kernel structures would otherwise need to
be recompiled or carry hard-coded per-kernel offsets.
CO-RE gives you:
- Write BPF_CORE_READ(task, pid) once.
- At load time, the loader rewrites pid's offset from the target kernel's BTF.
- Same binary runs across kernel versions that differ in layout.
Limits
- Kernel support is not universal. CO-RE relies on kernel BTF being present; older kernels / custom distributions may lack it.
- Runtime fallbacks required. Datadog maintains a layered strategy: CO-RE when available → runtime offset-guessing → hardcoded offsets from version-specific analysis. This gives Workload Protection coverage back to kernel 4.14, and further on some CentOS builds (Source: sources/2026-01-07-datadog-hardening-ebpf-for-runtime-security).
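
The load-time offset rewrite and the hardcoded-offset fallback described above, as an added user-space simulation (not libbpf or Datadog code). The struct layouts, the name-to-offset table standing in for BTF, and every function name are constructed for illustration; the runtime offset-guessing layer is left out.

```c
#include <stddef.h>
#include <string.h>

/* Constructed layouts standing in for task_struct on two kernels (not real kernel definitions). */
struct task_old { long state; int pid; int tgid; };
struct task_new { long state; void *stack; unsigned int flags; int pid; int tgid; };
/* Toy stand-in for kernel BTF: field name -> byte offset on that kernel. */
struct field { const char *name; size_t off; };
static const struct field btf_old[] = {
    { "pid", offsetof(struct task_old, pid) }, { "tgid", offsetof(struct task_old, tgid) }, { NULL, 0 } };
static const struct field btf_new[] = {
    { "pid", offsetof(struct task_new, pid) }, { "tgid", offsetof(struct task_new, tgid) }, { NULL, 0 } };

/* One "load int at task+off" instruction plus the relocation record naming the field. */
struct insn { const char *reloc_field; size_t off; };
enum load_result { LOAD_FAILED, VIA_BTF, VIA_HARDCODED };

/* Load-time step: rewrite each offset from the target's BTF; with no BTF, use a
 * per-kernel hardcoded table (the last layer of the fallback chain). */
enum load_result load_prog(struct insn *prog, size_t n,
                           const struct field *btf, const struct field *hardcoded)
{
    const struct field *src = btf ? btf : hardcoded;
    if (!src)
        return LOAD_FAILED;
    for (size_t i = 0; i < n; i++) {
        const struct field *f = src;
        while (f->name && strcmp(f->name, prog[i].reloc_field) != 0)
            f++;
        if (!f->name)
            return LOAD_FAILED; /* unknown field: refuse to load rather than read a wrong offset */
        prog[i].off = f->off;
    }
    return btf ? VIA_BTF : VIA_HARDCODED;
}

/* Run the same one-instruction program, built against the old layout, on the new kernel. */
int read_on_new_kernel(const char *field, const struct field *btf,
                       const struct field *hardcoded, enum load_result *how)
{
    struct task_new task = { 0, NULL, 0, 4242, 4200 };
    struct insn prog = { field, btf_old[0].off }; /* stale build-time offset from the old layout */
    int value;
    *how = load_prog(&prog, 1, btf, hardcoded);
    if (*how == LOAD_FAILED)
        return -1;
    memcpy(&value, (const char *)&task + prog.off, sizeof value);
    return value;
}
```

Without the rewrite in load_prog, the stale offset would land on a different member of the new layout, which is the failure mode CO-RE removes.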
Seen in
- sources/2026-01-07-datadog-hardening-ebpf-for-runtime-security — preferred mechanism in systems/datadog-workload-protection; fallback chain enables the old-kernel coverage tail.