Finer-grained BPF tokens

Ah yes, now that you mention it, I vaguely remember that discussion. Yeah, sadly nothing comprehensive has materialised yet. I would have liked to have a mechanism that just delegates the policy decisions to userspace (similar to seccomp-notify, but bpf-specific so the kernel can ensure consistency and make sure we avoid TOCTOU races), but that didn't fly with upstream either.

For container deployments we are also experimenting with just doing everything in userspace: https://bpfd.dev/
This uses a "system daemon will load BPF on your behalf" model, and will allow arbitrary verification (including through signatures). But of course it requires you to trust the system daemon, and it precludes some of the dynamic code generation stuff that John was talking about in that thread you linked. So again, tradeoffs...