From: Matteo Croce Date: Thu, 10 Jul 2025 11:37:27 +0000 (+0200) Subject: man/systemd.exec: explain how BPF token works X-Git-Tag: v258-rc1~107 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7aefb194e754cae9c166539a103e9fd6b7e59798;p=thirdparty%2Fsystemd.git man/systemd.exec: explain how BPF token works Add a small paragraph explaining how BPF token works, how it's being created and its relationship between the BPF filesystem. Move all the relevant documentation in the PrivateBPF= section and let point all the BPFDelegate* options to that one. --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f25ae25bcc5..f015590a47a 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -2561,10 +2561,16 @@ RestrictNamespaces=~cgroup net Takes a boolean argument. If set, mount a private instance of the BPF filesystem on /sys/fs/bpf/, effectively hiding the host bpffs which contains information about loaded programs and maps. Otherwise, if ProtectKernelTunables= is set, the - instance from the host is inherited but mounted read-only. + instance from the host is inherited but mounted read-only. Defaults to false. + + This can be used together with the bpffs delegate feature to choose what BPF functions are + available to the unit's processes. When mounting the BPF filesystem with the fsopen() API, four mount + options can be specified to set a list of BPF commands, maps, programs and attachment types that are + allowed to be used. Processes needs to get a file descriptor for the bpffs mountpoint and use that to + get a token which will enable for that user namespace the BPF functionalities choosen upon bpffs mount. + A more detailed explanation of the feature can be found in this + LWN post. - This can be used together with the BPF delegate feature to choose what BPF functions are - available to the unit's processes. Defaults to false. 
@@ -2575,10 +2581,10 @@ RestrictNamespaces=~cgroup net Accepts a list of BPF commands to allow or any to allow everything. Defaults to none. The accepted values are: - Requires PrivateBPF= enabled to be effective. - This will set the delegate_cmds bpffs mount option. - A more detailed explanation of the feature can be found in this - LWN post. + This will set the delegate_cmds bpffs mount option. + + Requires PrivateBPF=yes to be effective, + see PrivateBPF= more details. @@ -2589,8 +2595,10 @@ RestrictNamespaces=~cgroup net Accepts a list of BPF maps to allow or any to allow everything. Defaults to none. The accepted values are: - This will set the delegate_maps bpffs mount option. - See BPFDelegateCommands= for dependencies and more details. + This will set the delegate_maps bpffs mount option. + + Requires PrivateBPF=yes to be effective, + see PrivateBPF= more details. @@ -2601,8 +2609,10 @@ RestrictNamespaces=~cgroup net Accepts a list of BPF programs to allow or any to allow everything. Defaults to none. The accepted values are: - This will set the delegate_progs bpffs mount option. - See BPFDelegateCommands= for dependencies and more details. + This will set the delegate_progs bpffs mount option. + + Requires PrivateBPF=yes to be effective, + see PrivateBPF= more details. @@ -2613,8 +2623,10 @@ RestrictNamespaces=~cgroup net Accepts a list of BPF attach points to allow or any to allow everything. Defaults to none. The accepted values are: - This will set the delegate_attachs bpffs mount option. - See BPFDelegateCommands= for dependencies and more details. + This will set the delegate_attachs bpffs mount option. + + Requires PrivateBPF=yes to be effective, + see PrivateBPF= more details.
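Review bot: The new PrivateBPF= paragraph has two grammar slips and one unclear sentence: "Processes needs to get" should read "Processes need to get", "choosen" should read "chosen", and "use that to get a token which will enable for that user namespace the BPF functionalities choosen upon bpffs mount" reads more clearly as "use it to obtain a token that enables, within the unit's user namespace, only the BPF functionality chosen when bpffs was mounted". Since the paragraph speaks of "four mount options" without naming them, consider listing delegate_cmds, delegate_maps, delegate_progs and delegate_attachs here (the names the four BPFDelegate* hunks below already use) so a reader of this section sees which option each setting maps to, and stating explicitly that the token grants exactly those four allow-lists and nothing more, which is the security property an administrator tuning these lists cares about.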
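Review bot: The BPFDelegateCommands= hunk drops the word "for" in the new cross-reference: "see PrivateBPF= more details" should read "see PrivateBPF= for more details". The identical phrase is repeated verbatim in the BPFDelegateMaps=, BPFDelegatePrograms= and BPFDelegateAttachments= hunks, so all four need the same one-word fix. It would also help to say what happens when the option is set without PrivateBPF=yes (presumably the mount option is silently not applied), since "to be effective" leaves the reader guessing whether a misconfiguration is reported or ignored.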