[staticassertion]

The threat model is that I want to deploy ebpf programs to my base amis and let devs load them as-needed without root, basically.

[mdaverde]

Does loading the eBPF programs and then letting devs attach them later work for your use case?

I wrote about the possibility of this with fd passing in a recent blog post: https://mdaverde.com/posts/cap-bpf/

I'm also working on agent that allows for this at https://bpfdeploy.io/