Matteo Croce
I'm a Software Engineer working for Meta.
I work mainly on systemd and other user space programs, but I also keep an eye on kernel development and networking.
Session
09-30
10:45
25min
BPF Tokens in systemd
Matteo Croce
Running BPF programs today requires the CAP_BPF capability, which is an all-or-nothing capability for BPF, and it is ignored in containers anyway.
But BPF nowadays spans a wide area, from simple monitoring to potentially invasive fields like networking or tracing.
BPF Tokens aim to add fine-grained BPF capabilities to systemd units and containers, avoiding having to grant the whole CAP_BPF capability or, even worse, running the service as a privileged user.
References:
https://lwn.net/Articles/947173/
https://github.com/systemd/systemd/pull/36134
Loft