Comment 6 for bug 2034448

For Juju something like /sys/fs/bpf probably falls into a trust category. It is plausible that you would want to deploy something into a container that still needs *some* amount of elevated privileges to operate, but you don't want to give it full root on the host. Juju doesn't yet model finer grained privileges, but we have absolutely been discussing it. (Equivalent to the slots/plugs model of snaps where they are contained, but still given enough permissions to do what they need to get the job done, with that vetted by a Canonical assertion that this snap is safe to automatically connect its plugs.)

That is probably at least a year off. It also is something that we should discuss whether it actually does make sense to run in a container, given that you can mess up the host machine with bad rules here.