Add BPF token support for program and map loading #1948

Open
javiercardona-work wants to merge 2 commits into cilium:main from javiercardona-work:pr1

@javiercardona-work

Add support for loading BPF programs and creating maps using BPF tokens,
enabling unprivileged BPF operations in user namespaces with delegated
capabilities.

Changes:

  • Add TokenFD field to ProgramOptions and MapOptions
  • When set, pass token to kernel with BPF_F_TOKEN_FD flag during syscalls
  • Add internal/token package for global token storage
  • Add features.SetGlobalToken()/GetGlobalToken() for feature probe support

This is the first step toward full BPF token support. Future work includes using the global token in feature probes and BTF loading.

@javiercardona-work requested review from a team and rgo3 as code owners on February 2, 2026 18:29

Add TokenFD field to ProgramOptions and MapOptions to support
loading BPF programs and creating maps using a BPF token. This
enables unprivileged BPF operations in user namespaces with
delegated BPF capabilities.

When TokenFD is set to a positive value, the token file descriptor
is passed to the kernel with the BPF_F_TOKEN_FD flag during
program load and map creation syscalls.

Also add internal/token package for global token storage and
features.SetGlobalToken/GetGlobalToken for setting a default
token to be used by feature probes.

Signed-off-by: Javier Cardona <jcardona@meta.com>

Add tests for internal/token and features/token packages:

- TestGlobalTokenDefault: verify default value is -1
- TestSetGetGlobalToken: verify set/get operations
- TestGlobalTokenConcurrent: verify thread safety with concurrent
  readers and writers
- TestGlobalTokenWrapper: verify features package correctly wraps
  internal/token

Signed-off-by: Javier Cardona <jcardona@meta.com>