feat: poc of bpf token delegation #1926

Draft
anryko wants to merge 4 commits into cilium:main from anryko:feature/bpf-token_1
anryko commented Jan 2, 2026

A minimal implementation of privilege delegation via the BPF token feature. I only implemented the functionality which was required to test my specific use case. I'm not sure if this is a good idea to implement it as I did, via a fallback action to try on permission error. But I did not want to introduce API changes while testing basic functionality.

Please help out and advise on how to proceed with moving forward with this feature.

Relates to: #1921

Signed-off-by: Andrej Svenke <anryko@nebius.com>
Signed-off-by: Andrej Svenke <anryko@nebius.com>
anryko force-pushed the feature/bpf-token_1 branch from d68a9a2 to 685f83d, January 5, 2026 22:06
Signed-off-by: Andrej Svenke <anryko@nebius.com>
anryko force-pushed the feature/bpf-token_1 branch from 1cb2253 to 43129ea, January 12, 2026 16:26
anryko commented Jan 12, 2026

Summary

  • The FeatureTestFn signature was changed to support configurable NewFeatureTest(), required to set up BPF Token FD and MountPath.

  • BPFFS token is created by Collection based on CollectionOptions configuration and added as obj.BpffsTokenFD to the Map and Program Specs. On Map and Program creation it is duplicated and stored in obj.tokenFd to make obj.Copy() work. The LoadPinOptions has BpffsTokenFd as well. Token has to be provided in unprivileged mode, to work with the objects loaded from FD.

  • To the entities that make a copy and hold on to tokenFd it is passed as *sys.FD. To everything that just uses the token and doesn't manage its lifetime it's passed as int32. Usually the token is needed only for feature detections, as those are attempting to load the dummy program or create a dummy map and check the result. BPF token related documentation will have to inform the user that the BPFFS delegate_progs list has to include the socket_filter and kprobe, otherwise feature detection will not work. Maybe we could consider allowing the user to provide their own dummy BPF program to be used for feature detection to avoid mandatory allowing socket_filter and kprobe.

Please let me know if these changes make sense and I'm looking forward to your feedback.
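
The delegate_progs requirement from the comment above, as an added example that is not part of this pull request or of cilium/ebpf: a pre-flight check that reports which of socket_filter and kprobe a bpffs mount does not delegate. The function name is hypothetical, and the option format (`any`, a numeric bit mask indexed by program type, or colon-separated lowercase names) is an assumption about how the kernel accepts and displays bpffs mount options.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Program types the comment says feature detection needs, with their enum
// values from the kernel's uapi linux/bpf.h (assumed to be the mask bit positions).
var probeProgTypes = map[string]uint{"socket_filter": 1, "kprobe": 2}

// missingProbeProgTypes (hypothetical helper) takes a bpffs mount-option
// string and returns the probe program types delegate_progs does not cover.
func missingProbeProgTypes(mountOpts string) []string {
	allowed := map[string]bool{}
	for _, opt := range strings.Split(mountOpts, ",") {
		key, val, _ := strings.Cut(strings.TrimSpace(opt), "=")
		if key != "delegate_progs" {
			continue
		}
		if val == "any" {
			return nil // every program type is delegated
		}
		for _, item := range strings.Split(val, ":") {
			// Numeric form: a bit mask, as shown in /proc/self/mountinfo.
			if mask, err := strconv.ParseUint(item, 0, 64); err == nil {
				for name, bit := range probeProgTypes {
					if mask&(1<<bit) != 0 {
						allowed[name] = true
					}
				}
				continue
			}
			allowed[strings.ToLower(item)] = true // symbolic form
		}
	}
	var missing []string
	for _, name := range []string{"socket_filter", "kprobe"} {
		if !allowed[name] {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	// Constructed sample option string, not taken from a real system.
	fmt.Println(missingProbeProgTypes("rw,relatime,delegate_progs=0x4"))
}
```

A mount with no delegate_progs option at all reports both types as missing, which is the case where token-backed feature detection would fail.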

anryko force-pushed the feature/bpf-token_1 branch from 43129ea to 9f104eb, January 12, 2026 16:42
Signed-off-by: Andrej Svenke <anryko@nebius.com>
anryko force-pushed the feature/bpf-token_1 branch from 9f104eb to a6e3718, January 12, 2026 16:56
@javiercardona-work
Hi @anryko

It looks like we are both interested in getting ebpf to work with BPF token. I have #1948 out which I believe implements what you already have, plus a test program to confirm that probes and ebpf operations work with dropped privileges. I would really appreciate your comments on it and whether that would meet your needs.

Cheers,
Javier