2025-09-30, Loft
Running BPF programs today requires the CAP_BPF capability, which is all-or-nothing, and it is ignored inside containers anyway.
But BPF nowadays spans a large area, from simple monitoring to potentially invasive fields such as networking or tracing.
BPF tokens aim to add fine-grained BPF capabilities to systemd units and containers, avoiding handing out the whole CAP_BPF capability or, even worse, running the service as a privileged user.
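The unprivileged side of this mechanism, as an added illustration that is not code from the talk, the kernel or the systemd pull request above: a service inside a user namespace obtains a token from a delegated bpffs instance, inspects what the token actually allows, and then creates a BPF map with the token instead of CAP_BPF in the init namespace. It assumes a Linux 6.9 or newer kernel, that the privileged side (systemd or a container runtime) has mounted a bpffs instance for this user namespace with the kernel's `delegate_cmds=`, `delegate_maps=`, `delegate_progs=` and `delegate_attachs=` mount options, and that this mount lives at `/sys/fs/bpf` (an assumed path). The `union bpf_attr` layouts are declared by hand so the example builds against older UAPI headers; the fdinfo sample text used in the test is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* enum bpf_cmd / enum bpf_map_type values and the token flag, spelled out
 * so the example builds against pre-6.9 headers (values from the UAPI header). */
#define CMD_MAP_CREATE   0
#define CMD_PROG_LOAD    5
#define CMD_TOKEN_CREATE 36           /* Linux 6.9+ */
#define MAP_TYPE_HASH    1
#define F_TOKEN_FD       (1U << 16)   /* BPF_F_TOKEN_FD in map_flags / prog_flags */
#define BPFFS_PATH       "/sys/fs/bpf" /* assumed: bpffs mounted with delegate_* options */

/* union bpf_attr.token_create */
struct token_create_attr { uint32_t flags; uint32_t bpffs_fd; };

/* union bpf_attr for BPF_MAP_CREATE, up to and including map_token_fd (byte offset 76) */
struct map_create_attr {
    uint32_t map_type, key_size, value_size, max_entries, map_flags;
    uint32_t inner_map_fd, numa_node;
    char     map_name[16];
    uint32_t map_ifindex, btf_fd, btf_key_type_id, btf_value_type_id;
    uint32_t btf_vmlinux_value_type_id;
    uint64_t map_extra;
    int32_t  value_type_btf_obj_fd;
    int32_t  map_token_fd;
};

static long sys_bpf(int cmd, void *attr, unsigned int size)
{
    return syscall(__NR_bpf, cmd, attr, size);
}

/* Ask the kernel for a token backed by the delegated bpffs instance. The caller
 * needs CAP_BPF in its own user namespace only; the token carries just the
 * subsets listed in the bpffs delegate_* mount options. Returns fd or -1. */
int bpf_token_create(int bpffs_fd)
{
    struct token_create_attr a = { .flags = 0, .bpffs_fd = (uint32_t)bpffs_fd };
    return (int)sys_bpf(CMD_TOKEN_CREATE, &a, sizeof a);
}

/* Create a hash map authorised by the token rather than by init-namespace CAP_BPF. */
int bpf_map_create_with_token(int token_fd)
{
    struct map_create_attr a = {
        .map_type = MAP_TYPE_HASH, .key_size = 4, .value_size = 8,
        .max_entries = 16, .map_flags = F_TOKEN_FD, .map_token_fd = token_fd,
    };
    memcpy(a.map_name, "token_demo", sizeof "token_demo");
    return (int)sys_bpf(CMD_MAP_CREATE, &a, sizeof a);
}

/* What a token allows, read from /proc/self/fdinfo/<token_fd>: the kernel prints
 * "allowed_cmds:\tany" or "allowed_cmds:\t0x<hex bitmask>", and likewise for
 * allowed_maps, allowed_progs and allowed_attachs. "any" maps to all bits set. */
struct token_caps { uint64_t cmds, maps, progs, attachs; };

static int parse_field(const char *text, const char *key, uint64_t *out)
{
    const char *p = strstr(text, key);
    char *end;
    if (!p) return -1;
    p += strlen(key);
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, "any", 3) == 0) { *out = UINT64_MAX; return 0; }
    errno = 0;
    *out = strtoull(p, &end, 16);
    return (end == p || errno) ? -1 : 0;
}

int parse_token_fdinfo(const char *text, struct token_caps *c)
{
    if (parse_field(text, "allowed_cmds:", &c->cmds) ||
        parse_field(text, "allowed_maps:", &c->maps) ||
        parse_field(text, "allowed_progs:", &c->progs) ||
        parse_field(text, "allowed_attachs:", &c->attachs))
        return -1;
    return 0;
}

int token_allows_cmd(const struct token_caps *c, unsigned int cmd)
{
    return cmd < 64 && ((c->cmds >> cmd) & 1) != 0;
}

int token_allows_map(const struct token_caps *c, unsigned int map_type)
{
    return map_type < 64 && ((c->maps >> map_type) & 1) != 0;
}

int main(void)
{
    char path[64], info[512];
    struct token_caps caps;
    int bpffs = open(BPFFS_PATH, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int token = bpffs < 0 ? -1 : bpf_token_create(bpffs);
    if (token < 0) { perror("BPF_TOKEN_CREATE (is bpffs delegated to this user namespace?)"); return 1; }

    /* Check what was delegated before trying anything, so failures are explainable. */
    snprintf(path, sizeof path, "/proc/self/fdinfo/%d", token);
    FILE *f = fopen(path, "r");
    size_t n = f ? fread(info, 1, sizeof info - 1, f) : 0;
    info[n] = '\0';
    if (f) fclose(f);
    if (parse_token_fdinfo(info, &caps) < 0) { fputs("unexpected fdinfo format\n", stderr); return 1; }
    printf("token allows map_create: %d, prog_load: %d, hash maps: %d\n",
           token_allows_cmd(&caps, CMD_MAP_CREATE), token_allows_cmd(&caps, CMD_PROG_LOAD),
           token_allows_map(&caps, MAP_TYPE_HASH));

    int map = bpf_map_create_with_token(token);
    if (map < 0) perror("BPF_MAP_CREATE with token (map_create or hash maps not delegated?)");
    else puts("map created via token; no CAP_BPF in the init namespace needed");
    return map < 0;
}
```

The point of reading the fdinfo first is the defender's view of the feature: the token is exactly as narrow as the delegate_* options the host side chose, so a unit granted only `delegate_cmds=map_create` with `delegate_maps=hash` can create its hash map but cannot load programs at all, and the refusal shows up as a plain errno rather than a privileged fallback.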
References:
https://lwn.net/Articles/947173/
https://github.com/systemd/systemd/pull/36134
I'm a Software Engineer working for Meta.
I work mainly on systemd and other user space programs, but I also keep an eye on kernel development and networking.