== Why are eBPF filter operations privileged in some distributions?
eBPF is a mechanism by which local users can ask the Linux kernel to attach small programs (eBPF bytecode) to tracepoints, kprobes, and perf events in the kernel. This bytecode is verified, translated into native instructions, and executed inside the kernel, which is why it is heavily used in performance tuning and benchmarking. Because this instrumentation can be carried out without recompiling the kernel, eBPF is very attractive for systems where a rebuild would be prohibitive due to cost, downtime, or complexity.
Using eBPF requires calling a syscall, bpf(2). This single syscall is used for all eBPF operations: loading programs, attaching them to specific events, creating eBPF maps, and accessing map contents from user-space tools. At this time, users with the CAP_SYS_ADMIN capability in the initial namespace can use the bpf(2) syscall, which is effectively root-level privilege.
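The following probe is an added example, not code from the original page: it calls bpf(2) directly through the raw syscall interface to create a one-entry array map and classifies the result, so an administrator can verify from an unprivileged shell whether bpf(2) is restricted on a given system. It assumes Linux with `<linux/bpf.h>` and `<sys/syscall.h>` available; the enum names and the function `probe_bpf_access` are this example's own. Note that on kernels 5.8 and later, CAP_BPF (rather than full CAP_SYS_ADMIN) is also sufficient for most bpf(2) operations, and the probe reports "allowed" in that case too.

```c
/* Added example: probe whether this process may use bpf(2).
 * Assumes Linux headers <linux/bpf.h> and <sys/syscall.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Outcome categories for the probe (names are this example's own). */
enum bpf_probe_result {
    BPF_PROBE_ALLOWED = 0,     /* map created: caller may use bpf(2) */
    BPF_PROBE_DENIED = 1,      /* EPERM/EACCES: privileged-only on this system */
    BPF_PROBE_UNAVAILABLE = 2, /* ENOSYS: bpf(2) not provided (or filtered) */
    BPF_PROBE_OTHER = 3        /* any other error (see saved errno) */
};

/* Attempt BPF_MAP_CREATE for a 1-entry array map and classify the result.
 * On success the map fd is closed immediately; the map exists only as a probe.
 * The errno of the attempt is stored in *saved_errno (0 on success). */
enum bpf_probe_result probe_bpf_access(int *saved_errno)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr)); /* kernel requires unused fields be zero */
    attr.map_type = BPF_MAP_TYPE_ARRAY;
    attr.key_size = sizeof(__u32);
    attr.value_size = sizeof(__u32);
    attr.max_entries = 1;

    long fd = syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
    if (fd >= 0) {
        close((int)fd);
        if (saved_errno) *saved_errno = 0;
        return BPF_PROBE_ALLOWED;
    }
    int err = errno;
    if (saved_errno) *saved_errno = err;
    switch (err) {
    case EPERM:
    case EACCES:
        return BPF_PROBE_DENIED;
    case ENOSYS:
        return BPF_PROBE_UNAVAILABLE;
    default:
        return BPF_PROBE_OTHER;
    }
}

/* Human-readable description of a probe result. */
const char *describe_bpf_probe(enum bpf_probe_result r)
{
    switch (r) {
    case BPF_PROBE_ALLOWED:     return "bpf(2) allowed for this process";
    case BPF_PROBE_DENIED:      return "bpf(2) denied (privileged-only on this system)";
    case BPF_PROBE_UNAVAILABLE: return "bpf(2) unavailable (ENOSYS)";
    default:                    return "bpf(2) failed for another reason";
    }
}

int main(void)
{
    int err = 0;
    enum bpf_probe_result r = probe_bpf_access(&err);
    printf("%s", describe_bpf_probe(r));
    if (err != 0)
        printf(" [errno %d: %s]", err, strerror(err));
    printf("\n");
    return 0;
}
```

Build with `cc probe.c -o probe` and run it once as an ordinary user and once with root (or CAP_SYS_ADMIN): on a distribution that restricts bpf(2), the unprivileged run reports the denial with EPERM while the privileged run reports "allowed". A hardened host should show the unprivileged run denied.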