mirror of https://github.com/lxc/incus.git synced 2026-02-05 09:46:19 +01:00

doc: Add documentation for bpf token delegation

Signed-off-by: Gwendolyn <me@gwendolyn.dev>
Gwendolyn
2025-05-12 14:54:12 +02:00
committed by Stéphane Graber
parent 6d17c36cd7
commit 1cc5dab6a6
2 changed files with 40 additions and 0 deletions


@@ -0,0 +1,39 @@
(bpf-tokens)=
# BPF token delegation
Incus supports delegating BPF capabilities via [BPF tokens](https://docs.ebpf.io/linux/concepts/token/), introduced in Linux kernel 6.9.
If any of the instance options {config:option}`instance-security:security.bpffs.delegate_cmds`,
{config:option}`instance-security:security.bpffs.delegate_maps`,
{config:option}`instance-security:security.bpffs.delegate_progs` or
{config:option}`instance-security:security.bpffs.delegate_attachs` is set, Incus mounts a BPF file system into the
container at the path specified by the {config:option}`instance-security:security.bpffs.path` option and delegates the
configured capabilities to it.
The permissible values for these options depend on the kernel version and can be found in `enums` in the BPF header file
(`include/uapi/linux/bpf.h` in the kernel tree, `/usr/include/linux/bpf.h` on most distributions if you have the kernel
sources installed):
Key | Kernel `enum` | Remove prefix
:-- |:-- | :--
`security.bpffs.delegate_cmds` | `bpf_cmd` | `BPF_`
`security.bpffs.delegate_maps` | `bpf_map_type` | `BPF_MAP_TYPE_`
`security.bpffs.delegate_progs` | `bpf_prog_type` | `BPF_PROG_TYPE_`
`security.bpffs.delegate_attachs` | `bpf_attach_type` | `BPF_`
Each of these options takes a comma-separated list of values, additionally the value `any` is supported to delegate all
possible values of the type.
## Example
Key | Value
:-- | :--
`security.bpffs.delegate_cmds` | `map_create,obj_get,link_create`
`security.bpffs.delegate_maps` | `hash,array,devmap,queue,stack`
`security.bpffs.delegate_progs` | `socket_filter,kprobe,cgroup_sysctl`
`security.bpffs.delegate_attachs` | `any`
```bash
$ mount -t bpf
none on /sys/fs/bpf type bpf (rw,relatime,delegate_cmds=map_create:obj_get:link_create,delegate_maps=hash:array:devmap:queue:stack,delegate_progs=socket_filter:kprobe:cgroup_sysctl,delegate_attachs=any)
```

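Review bot: The value syntax silently changes between the option table and the mount output, which will trip readers up: the `## Example` table gives comma-separated lists (`map_create,obj_get,link_create`), while the `mount -t bpf` output shows the colon-separated form the kernel expects in bpffs mount options (`delegate_cmds=map_create:obj_get:link_create`). Add a sentence stating that Incus converts the comma-separated option value into the colon-separated mount option, so nobody tries to write colons into the instance config. The example should also show the `security.bpffs.path` value (or state its default), since the page says the file system is mounted at that path but the output only shows `/sys/fs/bpf` with no indication of where it came from. Finally, since the page notes that permissible values depend on the kernel version and that `any` delegates every value of the type, it is worth saying plainly that `any` (used here for `security.bpffs.delegate_attachs`) also covers attach types added by future kernels, so the explicit lists used for the other three keys are the safer pattern when narrowing what a container may do.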

@@ -5,6 +5,7 @@
:maxdepth: 1
explanation/security
explanation/bpf-tokens
authentication
authorization
Expose Incus to the network <howto/server_expose>