Providing wider access to bpf()
The bpf() system call allows user space to load a BPF program into the kernel for execution, manipulate BPF maps, and carry out a number of other BPF-related functions. BPF programs are verified and sandboxed, but they are still running in a privileged context and, depending on the type of program loaded, are capable of creating various types of mayhem. As a result, most BPF operations, including the loading of almost all types of BPF program, are restricted to processes with the CAP_SYS_ADMIN capability - those running as root, as a general rule. BPF programs are useful in many contexts, though, so there has long been interest in making access to bpf() more widely available. One step in that direction has been posted by Song Liu; it works by adding a novel security-policy mechanism to the kernel.