Add ambient token support for BTF

This commit adds token support for BTF. It uses the "ambient" token
approach, which means that the token is not explicitly passed by a user
but instead we always attempt to create a token when loading BTF and
fall back to loading without a token if token creation fails.

This commit also adds rich errors for token related failure. If loading
a BTF fails with EPERM we check if the token is missing the BPF command
permission which would explain the failure. If we find an issue, we
enrich the error to assist users in debugging token related issues.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

Author: dylandreimerink

btf/feature.go

@@ -2,10 +2,13 @@ package btf
 
 import (
 	"errors"
+	"fmt"
 	"math"
 
 	"github.com/cilium/ebpf/internal"
+	"github.com/cilium/ebpf/internal/platform"
 	"github.com/cilium/ebpf/internal/sys"
+	"github.com/cilium/ebpf/internal/token"
 	"github.com/cilium/ebpf/internal/unix"
 )
 
@@ -145,10 +148,25 @@ func probeBTF(typ Type) error {
 		return err
 	}
 
-	fd, err := sys.BtfLoad(&sys.BtfLoadAttr{
+	attr := &sys.BtfLoadAttr{
 		Btf:     sys.SlicePointer(buf),
 		BtfSize: uint32(len(buf)),
-	})
+	}
+
+	if platform.IsLinux {
+		tok, err := token.Create()
+		if err != nil && !errors.Is(err, token.ErrTokenNotAvailable) {
+			return fmt.Errorf("get BPF token: %w", err)
+		}
+
+		if tok != nil {
+			defer tok.Close()
+			attr.BtfTokenFd = int32(tok.Int())
+			attr.BtfFlags |= sys.BPF_F_TOKEN_FD
+		}
+	}
+
+	fd, err := sys.BtfLoad(attr)
 
 	if err == nil {
 		fd.Close()

btf/handle.go

@@ -5,10 +5,12 @@ import (
 	"fmt"
 	"math"
 	"os"
+	"slices"
 
 	"github.com/cilium/ebpf/internal"
 	"github.com/cilium/ebpf/internal/platform"
 	"github.com/cilium/ebpf/internal/sys"
+	"github.com/cilium/ebpf/internal/token"
 	"github.com/cilium/ebpf/internal/unix"
 )
 
@@ -56,6 +58,21 @@ func NewHandleFromRawBTF(btf []byte) (*Handle, error) {
 		BtfSize: uint32(len(btf)),
 	}
 
+	var tok *token.Token
+	if platform.IsLinux {
+		var err error
+		tok, err = token.Create()
+		if err != nil && !errors.Is(err, token.ErrTokenNotAvailable) {
+			return nil, fmt.Errorf("get BPF token: %w", err)
+		}
+
+		if tok != nil {
+			defer tok.Close()
+			attr.BtfTokenFd = int32(tok.Int())
+			attr.BtfFlags |= sys.BPF_F_TOKEN_FD
+		}
+	}
+
 	var (
 		logBuf []byte
 		err    error
@@ -99,6 +116,12 @@ func NewHandleFromRawBTF(btf []byte) (*Handle, error) {
 		attr.BtfLogLevel = 1
 	}
 
+	if errors.Is(err, unix.EPERM) {
+		if tok != nil && !slices.Contains(tok.Mount.Cmds, sys.BPF_BTF_LOAD) {
+			return nil, fmt.Errorf("%w (BPF token does not allow BPF command BPF_BTF_LOAD)", err)
+		}
+	}
+
 	if err := haveBTF(); err != nil {
 		return nil, err
 	}

btf/handle_test.go

@@ -4,8 +4,12 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/go-quicktest/qt"
+
 	"github.com/cilium/ebpf/btf"
+	"github.com/cilium/ebpf/internal/sys"
 	"github.com/cilium/ebpf/internal/testutils"
+	"github.com/cilium/ebpf/internal/unix"
 )
 
 func TestHandleIterator(t *testing.T) {
@@ -83,6 +87,44 @@ func TestParseModuleSplitSpec(t *testing.T) {
 	}
 }
 
+func TestNewHandleFromBTFWithToken(t *testing.T) {
+	b, err := btf.NewBuilder([]btf.Type{
+		&btf.Int{Name: "example", Size: 4, Encoding: btf.Unsigned},
+	})
+	qt.Assert(t, qt.IsNil(err))
+	buf, err := b.Marshal(nil, nil)
+	qt.Assert(t, qt.IsNil(err))
+
+	t.Run("no-cmd", func(t *testing.T) {
+		if testutils.RunWithToken(t, testutils.Delegated{
+			Cmds: []sys.Cmd{},
+			// We need to delegate at least one permission, so picking a random map type that we don't use in this test.
+			Maps: []sys.MapType{sys.BPF_MAP_TYPE_ARRAY},
+		}) {
+			return
+		}
+
+		h, err := btf.NewHandleFromRawBTF(buf)
+		testutils.SkipIfNotSupported(t, err)
+		qt.Assert(t, qt.ErrorIs(err, unix.EPERM))
+		h.Close()
+	})
+
+	t.Run("success", func(t *testing.T) {
+		if testutils.RunWithToken(t, testutils.Delegated{
+			Cmds: []sys.Cmd{sys.BPF_BTF_LOAD},
+			Maps: []sys.MapType{},
+		}) {
+			return
+		}
+
+		h, err := btf.NewHandleFromRawBTF(buf)
+		testutils.SkipIfNotSupported(t, err)
+		qt.Assert(t, qt.IsNil(err))
+		h.Close()
+	})
+}
+
 func ExampleHandleIterator() {
 	it := new(btf.HandleIterator)
 	defer it.Handle.Close()