sys: automatically use BPF tokens available to the process

This commit adds support for BPF tokens. When first attempting to create
a map, program or BTF blob, automatically discover all bpffs mounts available
to the process and attempt to create tokens until successful. This has the
benefit of not hardcoding any paths or passing them via environment variables.

Since token info was only added as of 6.17, allow obj_info to fail and always
treat EPERM as ErrTokenCapabilities if tokens are in use and info is missing.
This avoids having to add corner cases and token plumbing to all existing
feature probes and tests.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
Co-authored-by: Timo Beckers <timo@isovalent.com>

Author: dylandreimerink

btf/handle.go

@@ -99,6 +99,10 @@ func NewHandleFromRawBTF(btf []byte) (*Handle, error) {
 		attr.BtfLogLevel = 1
 	}
 
+	if errors.Is(err, sys.ErrTokenCapabilities) {
+		return nil, fmt.Errorf("load btf: %w", err)
+	}
+
 	if err := haveBTF(); err != nil {
 		return nil, err
 	}

btf/handle_test.go

@@ -4,8 +4,12 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/go-quicktest/qt"
+
 	"github.com/cilium/ebpf/btf"
+	"github.com/cilium/ebpf/internal/sys"
 	"github.com/cilium/ebpf/internal/testutils"
+	"github.com/cilium/ebpf/internal/unix"
 )
 
 func TestHandleIterator(t *testing.T) {
@@ -83,6 +87,35 @@ func TestParseModuleSplitSpec(t *testing.T) {
 	}
 }
 
+func TestNewHandleFromBTFWithToken(t *testing.T) {
+	b, err := btf.NewBuilder([]btf.Type{&btf.Int{"example", 4, btf.Unsigned}}, nil)
+	qt.Assert(t, qt.IsNil(err))
+
+	buf, err := b.Marshal(nil, nil)
+	qt.Assert(t, qt.IsNil(err))
+
+	testutils.RunWithToken(t, "no-cmd", testutils.Delegated{
+		// Random map type we don't use in this test since we need to delegate at
+		// least one permission.
+		Cmds: []sys.Cmd{},
+		Maps: []sys.MapType{sys.BPF_MAP_TYPE_ARRAY},
+	}, func(t *testing.T) {
+		h, err := btf.NewHandleFromRawBTF(buf)
+		testutils.SkipIfNotSupported(t, err)
+		qt.Assert(t, qt.ErrorIs(err, unix.EPERM))
+		h.Close()
+	})
+
+	testutils.RunWithToken(t, "success", testutils.Delegated{
+		Cmds: []sys.Cmd{sys.BPF_BTF_LOAD},
+	}, func(t *testing.T) {
+		h, err := btf.NewHandleFromRawBTF(buf)
+		testutils.SkipIfNotSupported(t, err)
+		qt.Assert(t, qt.IsNil(err))
+		h.Close()
+	})
+}
+
 func ExampleHandleIterator() {
 	it := new(btf.HandleIterator)
 	defer it.Handle.Close()

internal/sys/syscall_other.go

@@ -3,6 +3,7 @@
 package sys
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -24,6 +25,11 @@ func BPF(cmd Cmd, attr unsafe.Pointer, size uintptr) (uintptr, error) {
 		defer unmaskProfilerSignal()
 	}
 
+	tok, err := tokenAttr(cmd, attr)
+	if err != nil {
+		return 0, fmt.Errorf("apply token attributes: %w", err)
+	}
+
 	for {
 		r1, _, errNo := unix.Syscall(unix.SYS_BPF, uintptr(cmd), uintptr(attr), size)
 		runtime.KeepAlive(attr)
@@ -39,6 +45,24 @@ func BPF(cmd Cmd, attr unsafe.Pointer, size uintptr) (uintptr, error) {
 			err = wrappedErrno{errNo}
 		}
 
+		// Tokens are in use, attempt to enrich EPERM with capability information.
+		if tok != nil && errors.Is(err, unix.EPERM) {
+			// Kernels before 6.17 don't have token info, so we can't return accurate
+			// errors. Make the token error a hint by adding a question mark.
+			//
+			// Returning ErrTokenCapabilities here isn't ideal since it's not
+			// conclusive, but since this behaviour is limited to one LTS release
+			// (6.12), and only when tokens are enabled, it's better than having to
+			// account for it in all existing feature probes and tests.
+			if tok.info == nil {
+				return r1, fmt.Errorf("%w (%w?)", err, ErrTokenCapabilities)
+			}
+
+			if terr := tok.Capable(cmd, attr); terr != nil {
+				return r1, fmt.Errorf("%w: %w", terr, err)
+			}
+		}
+
 		return r1, err
 	}
 }