BPF Tokens in systemd (asg2025)
Chaos Computer Club - recent events feed · Matteo Croce
September 30, 2025 · 23m 50s
Show Notes
Running **BPF** programs today requires the *CAP_BPF* capability, which is an all-or-nothing BPF capability.
But BPF nowadays spans a large area, from simple monitoring to potentially invasive fields such as networking or tracing.
BPF Tokens aim to add fine-grained BPF capabilities to systemd units and containers, avoiding granting the whole *CAP_BPF* capability or, even worse, running the service as a privileged user.
References:
https://lwn.net/Articles/947173/
https://github.com/systemd/systemd/pull/36134
Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/
about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/TEH3QN/