(bpf-tokens)=
# BPF token delegation

Incus supports delegating BPF capabilities via [BPF tokens](https://docs.ebpf.io/linux/concepts/token/), introduced in Linux kernel 6.9.

If any of the instance options {config:option}`instance-security:security.bpffs.delegate_cmds`,
{config:option}`instance-security:security.bpffs.delegate_maps`,
{config:option}`instance-security:security.bpffs.delegate_progs` or
{config:option}`instance-security:security.bpffs.delegate_attachs` is set, Incus mounts a BPF file system into the
container at the path specified by the {config:option}`instance-security:security.bpffs.path` option and delegates the
configured capabilities to it.

The permissible values for these options depend on the kernel version and can be found in `enums` in the BPF header file
(`include/uapi/linux/bpf.h` in the kernel tree, `/usr/include/linux/bpf.h` on most distributions if you have the kernel
sources installed):

 Key                               | Kernel `enum`      | Remove prefix
 :--                               |:--                 | :--
 `security.bpffs.delegate_cmds`    | `bpf_cmd`          | `BPF_`
 `security.bpffs.delegate_maps`    | `bpf_map_type`     | `BPF_MAP_TYPE_`
 `security.bpffs.delegate_progs`   | `bpf_prog_type`    | `BPF_PROG_TYPE_`
 `security.bpffs.delegate_attachs` | `bpf_attach_type`  | `BPF_`

Each of these options takes a comma-separated list of values, additionally the value `any` is supported to delegate all
possible values of the type.

## Example

 Key                               | Value
 :--                               | :--
 `security.bpffs.delegate_cmds`    | `map_create,obj_get,link_create`
 `security.bpffs.delegate_maps`    | `hash,array,devmap,queue,stack`
 `security.bpffs.delegate_progs`   | `socket_filter,kprobe,cgroup_sysctl`
 `security.bpffs.delegate_attachs` | `any`

```bash
$ mount -t bpf
none on /sys/fs/bpf type bpf (rw,relatime,delegate_cmds=map_create:obj_get:link_create,delegate_maps=hash:array:devmap:queue:stack,delegate_progs=socket_filter:kprobe:cgroup_sysctl,delegate_attachs=any)
```
