Extended Berkeley Packet Filter (eBPF) is a Linux subsystem that allows safely executing untrusted user-defined extensions inside the kernel. It relies on static analysis to protect the kernel against buggy and malicious extensions.
As the eBPF ecosystem evolves to support more complex and diverse extensions, the limitations of its current verifier, including a high rate of false positives, poor scalability, and lack of support for loops, have become a major barrier for developers.
We propose that wiki could think about moving beyond Caja to restrain malicious plugins without a sanitizer, i.e. what eBPF uses: literally new capabilities, introduced in Linux kernel 4.19.
E.g., Chromebooks use kernel 4.19 even on Skylake to safely run Linux apps in Crostini containers. 4.x introduced capabilities to Linux.
A silent, incremental backfitting of capabilities into computing infrastructure is perhaps guided by people who've been influenced by Mark Miller's work.
Also see Extended BPF