2025-09-30 – Main
Running BPF programs today requires the CAP_BPF capability, which is all-or-nothing: a process either gets the whole of BPF or none of it.
But BPF now spans a wide range of uses, from simple monitoring to potentially invasive areas such as networking or tracing.
BPF tokens aim to give systemd units and containers fine-grained BPF permissions, avoiding handing out the whole CAP_BPF capability or, even worse, running the service as a privileged user.
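As an added illustration, not part of the talk abstract or of systemd's own documentation, the unit fragment below contrasts the coarse approach the abstract argues against with per-unit BPF delegation. The `BPFDelegate*=` setting names follow the systemd BPF token work in the linked pull request as I understand it, and their values mirror the kernel's bpffs `delegate_cmds=`, `delegate_maps=`, `delegate_progs=` and `delegate_attachs=` mount options; treat the exact names and accepted values as assumptions to verify against systemd.exec(5) for the systemd and kernel versions you run. The service name and binary path are constructed.

```ini
# Added example: a hypothetical monitoring daemon "bpfmon" (constructed name).
#
# Before: the coarse approach. Either of these lines hands the service every
# BPF feature, not just the few it needs, and a bug in the daemon becomes a
# bug running with that whole capability set.
#
#   [Service]
#   User=root
#   # or, only slightly better:
#   AmbientCapabilities=CAP_BPF CAP_PERFMON

# After: the service runs as an unprivileged dynamic user and receives a
# private bpffs whose BPF token is limited to the operations it actually uses.
[Unit]
Description=BPF-based monitoring daemon (constructed example)

[Service]
ExecStart=/usr/bin/bpfmon
DynamicUser=yes
NoNewPrivileges=yes

# Fine-grained BPF delegation (assumed setting names, see lead-in). Each one
# corresponds to a bpffs mount option with the same meaning:
#   BPFDelegateCommands=    -> delegate_cmds=
#   BPFDelegateMaps=        -> delegate_maps=
#   BPFDelegatePrograms=    -> delegate_progs=
#   BPFDelegateAttachments= -> delegate_attachs=
# Only the listed bpf() commands, map types, program types and attach types
# are permitted through the token; anything else still requires the real
# capability and fails with EPERM, which is the check a reviewer should
# compare against what the daemon is documented to need.
BPFDelegateCommands=map_create prog_load btf_load
BPFDelegateMaps=ringbuf hash
BPFDelegatePrograms=tracepoint
# Needed only if the daemon attaches through a perf-event BPF link rather
# than perf_event_open() alone; drop it if the daemon does not create links.
BPFDelegateAttachments=perf_event

[Install]
WantedBy=multi-user.target
```

The daemon has to opt in to the token on its side: with libbpf this means pointing it at the delegated bpffs (as I recall, the `LIBBPF_BPF_TOKEN_PATH` environment variable or the `bpf_token_path` open option, both assumptions to check against your libbpf version). A useful verification is to run the service once with a deliberately narrower list, for example without `btf_load`, and confirm the load fails with EPERM rather than succeeding silently; if it still succeeds, the unit is getting its BPF access from somewhere other than the token.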
References:
https://lwn.net/Articles/947173/
https://github.com/systemd/systemd/pull/36134
I'm a Software Engineer working for Meta.
I work mainly on systemd and other user space programs, but I also keep an eye on kernel development and networking.