The modern approach to collect statistics and events of the kernel is by using eBPF programs. These programs can be written and loaded in
user-mode and securely executed in kernel-mode (the kernel's memory will remain coherent and the kernel's execution will not block). After it has been loaded, the eBPF program is
attached to an "hook", when the execution of the kernel pass through the hook the program starts and when it ends the kernel continues the normal execution flow.
Usually an eBPF program can read any part of the kernel and user memory. In some applications an OS could load and attach an untrusted eBPF program to collect and send statistics to a different system, in these situations the eBPF program could read sensitive information about the OS. In this cases it is necessary to give to the application a way to control which memory parts a certain eBPF program can and cannot read.