Add BPF token support for program and map loading #1948
Closed
javiercardona-work wants to merge 4 commits into cilium:main from
700ce01 to 6f625a5
6f625a5 to e474f72
Add TokenFD field to ProgramOptions and MapOptions to support loading BPF programs and creating maps using a BPF token. This enables unprivileged BPF operations in user namespaces with delegated BPF capabilities.

When TokenFD is set to a positive value, the token file descriptor is passed to the kernel with the BPF_F_TOKEN_FD flag during program load and map creation syscalls.

Also add internal/token package for global token storage and features.SetGlobalToken/GetGlobalToken for setting a default token to be used by feature probes.

Signed-off-by: Javier Cardona <jcardona@meta.com>
Add tests for internal/token and features/token packages:
- TestGlobalTokenDefault: verify default value is -1
- TestSetGetGlobalToken: verify set/get operations
- TestGlobalTokenConcurrent: verify thread safety with concurrent readers and writers
- TestGlobalTokenWrapper: verify features package correctly wraps internal/token

Signed-off-by: Javier Cardona <jcardona@meta.com>
Pass the global BPF token to all feature probes so that capability detection works correctly inside user namespaces with delegated BPF permissions.

Updated probes:
- features/map.go: createMap() and probeMapFlag()
- features/prog.go: probeProgram(), haveProgramHelper(), Extension probe
- btf/feature.go: probeBTF()
- features/link.go: uprobe_multi, kprobe_multi, kprobe_session
- link/syscalls.go: haveProgAttach, haveProgAttachReplace, haveTCX, haveNetkit

Signed-off-by: Javier Cardona <jcardona@meta.com>
Add a standalone test program that validates BPF token support
end-to-end by creating a token, optionally dropping BPF-related
capabilities, and exercising feature probes, program loading, and
map creation.
Usage:
token-test [--drop-caps] [/path/to/bpffs]
With --drop-caps, the program creates the token first, then drops
CAP_BPF, CAP_SYS_ADMIN, and CAP_PERFMON before running probes.
This proves the token is the sole source of BPF access.
Tested on a container with bpf_token delegation enabled (kernel 6.16.1,
unprivileged_bpf_disabled=1):
```
Creating BPF token from /run/tw/bpf...
BPF token created: fd=4
Dropping CAP_BPF, CAP_SYS_ADMIN, CAP_PERFMON...
Capabilities dropped. BPF access now depends solely on token.
=== Feature Probes (with token) ===
prog SocketFilter supported
prog Kprobe supported
prog SchedCLS supported
prog XDP supported
prog TracePoint supported
prog CGroupSKB supported
map Hash supported
map Array supported
map PerfEventArray supported
map LRUHash supported
map RingBuf supported
=== Program Load (with token) ===
program load: OK (fd=3)
=== Map Create (with token) ===
map create: OK (fd=3)
=== Without Token (uncached probe) ===
prog PerfEvent (no token): operation not permitted
map PerCPUHash (no token): operation not permitted
```
Signed-off-by: Javier Cardona <jcardona@meta.com>
cd58f38 to 64ebd9c
This was referenced Feb 12, 2026
Author
Closing this PR as it has been superseded by #1953
Add support for loading BPF programs and creating maps using BPF tokens, enabling unprivileged BPF operations in user namespaces with delegated capabilities.

Changes:
- features.SetGlobalToken()/GetGlobalToken() for feature probe support

Since the original PR, the following commits were added:
- Pass the global BPF token to all feature probes (program type, map type, BTF, link, and program helper probes) so that capability detection works correctly inside user namespaces with delegated BPF permissions.
- A standalone test program (examples/token_test/) that creates a BPF token, optionally drops CAP_BPF/CAP_SYS_ADMIN/CAP_PERFMON, and exercises feature probes, program loading, and map creation. Validated on a container with bpf_token delegation (kernel 6.16.1, unprivileged_bpf_disabled=1).

This is the output of the test program when run on a container with delegated BPF token enabled: