diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml
index 5b7f22c87c..1ea16372fc 100644
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -1261,6 +1261,9 @@ NR NAME SHA256
CapabilityBoundingSet_CAP_SYS_TTY_CONFIG
+
+ CapabilityBoundingSet_CAP_BPF
+
UMask
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 730f07092e..2745100f5d 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -1249,6 +1249,17 @@ static const struct security_assessor security_assessor_table[] = {
.assess = assess_capability_bounding_set,
.parameter = (UINT64_C(1) << CAP_SYS_PACCT),
},
+ {
+ .id = "CapabilityBoundingSet=~CAP_BPF",
+ .json_field = "CapabilityBoundingSet_CAP_BPF",
+ .description_good = "Service may load BPF programs",
+ .description_bad = "Service may not load BPF programs",
+ .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
+ .weight = 25,
+ .range = 1,
+ .assess = assess_capability_bounding_set,
+ .parameter = (UINT64_C(1) << CAP_BPF),
+ },
{
.id = "UMask=",
.json_field = "UMask",
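Review bot: The `.description_good` / `.description_bad` strings on the new CAP_BPF entry look swapped: the assessor id `CapabilityBoundingSet=~CAP_BPF` treats the capability being dropped from the bounding set as the good outcome, so the "good" text should describe the service being unable to load BPF programs. If the sibling capability entries follow that convention (only their trailing fields are visible in this hunk), the fix is a two-line swap: `.description_good = "Service may not load BPF programs",` and `.description_bad = "Service may load BPF programs",`. The same pair of strings is replicated in the expected-JSON fixture added in the test/units/testsuite-65.sh hunk and would need the identical swap there, otherwise the test would pin the inverted wording. Separately, `CAP_BPF` is a relatively recent kernel capability constant and the hunk does not show whether the build has a fallback definition for older headers — worth confirming before relying on `UINT64_C(1) << CAP_BPF` unconditionally. The `security_assessor_table[]` initializer starts and ends outside this hunk.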
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index d76eb1a2eb..ae8cd98a4e 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -563,6 +563,12 @@ cat </tmp/testfile.json
"weight": 25,
"range": 1
},
+"CapabilityBoundingSet_CAP_BPF":
+ {"description_good": "Service may load BPF programs",
+ "description_bad": "Service may not load BPF programs",
+ "weight": 25,
+ "range": 1
+ },
"UMask":
{"weight": 100,
"range": 10