# BPF token delegation
Incus supports delegating BPF capabilities via BPF tokens, introduced in Linux kernel 6.9.
If any of the instance options `security.bpffs.delegate_cmds`, `security.bpffs.delegate_maps`, `security.bpffs.delegate_progs` or `security.bpffs.delegate_attachs` is set, Incus mounts a BPF file system into the container at the path specified by the `security.bpffs.path` option and delegates the configured capabilities to it.
The permissible values for these options depend on the kernel version and can be found in enums in the BPF header file (`include/uapi/linux/bpf.h` in the kernel tree, `/usr/include/linux/bpf.h` on most distributions if you have the kernel sources installed):

| Key | Kernel | Remove prefix |
|---|---|---|
| `security.bpffs.delegate_cmds` | `enum bpf_cmd` | `BPF_` |
| `security.bpffs.delegate_maps` | `enum bpf_map_type` | `BPF_MAP_TYPE_` |
| `security.bpffs.delegate_progs` | `enum bpf_prog_type` | `BPF_PROG_TYPE_` |
| `security.bpffs.delegate_attachs` | `enum bpf_attach_type` | `BPF_` |
Each of these options takes a comma-separated list of values, written in lower case with the prefix from the table removed (for example `BPF_MAP_TYPE_HASH` becomes `hash`). In addition, the value `any` is supported to delegate all possible values of the type.
## Example
| Key | Value |
|---|---|
| `security.bpffs.delegate_cmds` | `map_create,obj_get,link_create` |
| `security.bpffs.delegate_maps` | `hash,array,devmap,queue,stack` |
| `security.bpffs.delegate_progs` | `socket_filter,kprobe,cgroup_sysctl` |
| `security.bpffs.delegate_attachs` | `any` |

With this configuration, the BPF file system mounted inside the container shows the delegated values as mount options (note that the kernel separates the values with `:` rather than `,`):

```
$ mount -t bpf
none on /sys/fs/bpf type bpf (rw,relatime,delegate_cmds=map_create:obj_get:link_create,delegate_maps=hash:array:devmap:queue:stack,delegate_progs=socket_filter:kprobe:cgroup_sysctl,delegate_attachs=any)
```
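As an added example (not part of the Incus documentation or code base), the following Python script checks a `security.bpffs.delegate_*` value against the enumerators of the matching kernel enum, using the enum-to-prefix mapping from the table above, and parses the `delegate_*` options out of a `mount -t bpf` line so the result can be compared with what was configured. `BPF_H_EXCERPT` is a constructed, compacted excerpt of `bpf.h`, not the real header; the function names are the example's own.

```python
import re

# Constructed excerpt of include/uapi/linux/bpf.h so the example runs offline
# (layout compacted); pass the real file's contents as `header` on a live system.
BPF_H_EXCERPT = """
enum bpf_cmd { BPF_MAP_CREATE, BPF_OBJ_GET, BPF_LINK_CREATE, };
enum bpf_map_type {
	BPF_MAP_TYPE_UNSPEC, /* constructed comment, stripped by the parser */
	BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_DEVMAP,
	BPF_MAP_TYPE_QUEUE, BPF_MAP_TYPE_STACK, __MAX_BPF_MAP_TYPE
};
"""

# Incus option -> (kernel enum, prefix removed from each enumerator)
OPTIONS = {
    "security.bpffs.delegate_cmds": ("bpf_cmd", "BPF_"),
    "security.bpffs.delegate_maps": ("bpf_map_type", "BPF_MAP_TYPE_"),
    "security.bpffs.delegate_progs": ("bpf_prog_type", "BPF_PROG_TYPE_"),
    "security.bpffs.delegate_attachs": ("bpf_attach_type", "BPF_"),
}

def enum_values(header, enum_name, prefix):
    """Lower-case, prefix-stripped enumerators of one enum in the header."""
    body = re.search(rf"enum {enum_name}\s*\{{(.*?)\}}", header, re.S)
    if body is None:
        raise ValueError(f"enum {enum_name} not found in header")
    text = re.sub(r"/\*.*?\*/", "", body.group(1), flags=re.S)  # strip comments
    names = set()
    for token in text.split(","):
        ident = token.split("=")[0].strip()  # ignore '= other_value' aliases
        if ident.startswith(prefix):
            names.add(ident[len(prefix):].lower())
    return names

def validate(option, value, header=BPF_H_EXCERPT):
    """Entries of a comma-separated option value that the kernel enum lacks;
    'any' delegates every value of the type and is always accepted."""
    if value.strip() == "any":
        return []
    enum_name, prefix = OPTIONS[option]
    known = enum_values(header, enum_name, prefix)
    return [v.strip() for v in value.split(",") if v.strip() not in known]

def delegated_from_mount(mount_line):
    """delegate_* options of one `mount -t bpf` output line; note the kernel
    joins values with ':' where the Incus options use ','."""
    opts = re.search(r"\((.*)\)", mount_line).group(1).split(",")
    pairs = (o.partition("=") for o in opts if o.startswith("delegate_"))
    return {key: set(vals.split(":")) for key, _, vals in pairs}
```

Running `validate` against the real `/usr/include/linux/bpf.h` of the host kernel tells you before starting the container whether a value is unknown to that kernel version.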