[$] Delegating privilege with BPF tokens

Post syndicated from the original at https://lwn.net/Articles/935195/

The quest to enable limited use of BPF features in unprivileged processes
continues. In the previous episode, an
attempt to use authoritative Linux security module (LSM) hooks for this
purpose was strongly rejected by the LSM developers. BPF developer Andrii
Nakryiko has now returned with a new mechanism based on a
privilege-conveying token. That approach, too, has run into some
resistance, but a solution for the strongest concerns might be in sight.