lsm: cgroup attachment type support

Author: Altug Bozkurt

Cargo.toml

@@ -92,6 +92,7 @@ rbpf = { version = "0.3.0", default-features = false }
 rustdoc-json = { version = "0.9.0", default-features = false }
 rustup-toolchain = { version = "0.1.5", default-features = false }
 rustversion = { version = "1.0.0", default-features = false }
+scopeguard = { version = "1.2.0" }
 syn = { version = "2", default-features = false }
 tempfile = { version = "3", default-features = false }
 test-case = { version = "3.1.0", default-features = false }

aya-ebpf-macros/src/lib.rs

@@ -10,6 +10,7 @@ mod fentry;
 mod fexit;
 mod kprobe;
 mod lsm;
+mod lsm_cgroup;
 mod map;
 mod perf_event;
 mod raw_tracepoint;
@@ -34,6 +35,7 @@ use fentry::FEntry;
 use fexit::FExit;
 use kprobe::{KProbe, KProbeKind};
 use lsm::Lsm;
+use lsm_cgroup::LsmCgroup;
 use map::Map;
 use perf_event::PerfEvent;
 use proc_macro::TokenStream;
@@ -326,6 +328,49 @@ pub fn lsm(attrs: TokenStream, item: TokenStream) -> TokenStream {
     .into()
 }
 
+/// Marks a function as an LSM program that can be attached to cgroups.
+/// This program will only trigger for workloads in the attached cgroups.
+/// Used to implement security policy and audit logging.
+///
+/// The hook name is the first and only argument to the macro.
+///
+/// LSM probes can be attached to the kernel's security hooks to implement mandatory
+/// access control policy and security auditing.
+///
+/// LSM probes require a kernel compiled with `CONFIG_BPF_LSM=y` and `CONFIG_DEBUG_INFO_BTF=y`.
+/// In order for the probes to fire, you also need the BPF LSM to be enabled through your
+/// kernel's boot paramters (like `lsm=lockdown,yama,bpf`).
+///
+/// # Minimum kernel version
+///
+/// The minimum kernel version required to use this feature is 6.0.
+///
+/// # Examples
+///
+/// ```no_run
+/// use aya_ebpf::{macros::lsm_cgroup, programs::LsmContext};
+///
+/// #[lsm_cgroup(hook = "file_open")]
+/// pub fn file_open(ctx: LsmContext) -> i32 {
+///     match unsafe { try_file_open(ctx) } {
+///         Ok(ret) => ret,
+///         Err(ret) => ret,
+///     }
+/// }
+///
+/// unsafe fn try_file_open(_ctx: LsmContext) -> Result<i32, i32> {
+///     Err(0)
+/// }
+/// ```
+#[proc_macro_attribute]
+pub fn lsm_cgroup(attrs: TokenStream, item: TokenStream) -> TokenStream {
+    match LsmCgroup::parse(attrs.into(), item.into()) {
+        Ok(prog) => prog.expand(),
+        Err(err) => err.into_compile_error(),
+    }
+    .into()
+}
+
 /// Marks a function as a [BTF-enabled raw tracepoint][1] eBPF program that can be attached at
 /// a pre-defined kernel trace point.
 ///

aya-ebpf-macros/src/lsm.rs

@@ -44,10 +44,10 @@ impl Lsm {
         } else {
             section_prefix.into()
         };
+        let fn_name = &sig.ident;
         // LSM probes need to return an integer corresponding to the correct
         // policy decision. Therefore we do not simply default to a return value
         // of 0 as in other program types.
-        let fn_name = &sig.ident;
         quote! {
             #[no_mangle]
             #[link_section = #section_name]

aya-ebpf-macros/src/lsm_cgroup.rs

@@ -0,0 +1,87 @@
+use std::borrow::Cow;
+
+use proc_macro2::TokenStream;
+use quote::quote;
+use syn::{ItemFn, Result};
+
+use crate::args::{err_on_unknown_args, pop_string_arg};
+
+pub(crate) struct LsmCgroup {
+    item: ItemFn,
+    hook: Option<String>,
+}
+
+impl LsmCgroup {
+    pub(crate) fn parse(attrs: TokenStream, item: TokenStream) -> Result<Self> {
+        let item = syn::parse2(item)?;
+        let mut args = syn::parse2(attrs)?;
+        let hook = pop_string_arg(&mut args, "hook");
+        err_on_unknown_args(&args)?;
+
+        Ok(Self { item, hook })
+    }
+
+    pub(crate) fn expand(&self) -> TokenStream {
+        let Self { item, hook } = self;
+        let ItemFn {
+            attrs: _,
+            vis,
+            sig,
+            block: _,
+        } = item;
+        let section_prefix = "lsm_cgroup";
+        let section_name: Cow<'_, _> = if let Some(name) = hook {
+            format!("{}/{}", section_prefix, name).into()
+        } else {
+            section_prefix.into()
+        };
+        let fn_name = &sig.ident;
+        // LSM probes need to return an integer corresponding to the correct
+        // policy decision. Therefore we do not simply default to a return value
+        // of 0 as in other program types.
+        quote! {
+            #[no_mangle]
+            #[link_section = #section_name]
+            #vis fn #fn_name(ctx: *mut ::core::ffi::c_void) -> i32 {
+                return #fn_name(::aya_ebpf::programs::LsmContext::new(ctx));
+
+                #item
+            }
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use syn::parse_quote;
+
+    use super::*;
+
+    #[test]
+    fn test_lsm_cgroup() {
+        let prog = LsmCgroup::parse(
+            parse_quote! {
+                hook = "bprm_committed_creds",
+            },
+            parse_quote! {
+                fn bprm_committed_creds(ctx: &mut ::aya_ebpf::programs::LsmContext) -> i32 {
+                    0
+                }
+            },
+        )
+        .unwrap();
+        let expanded = prog.expand();
+        let expected = quote! {
+            #[no_mangle]
+            #[link_section = "lsm_cgroup/bprm_committed_creds"]
+            fn bprm_committed_creds(ctx: *mut ::core::ffi::c_void) -> i32 {
+                return bprm_committed_creds(::aya_ebpf::programs::LsmContext::new(ctx));
+
+                fn bprm_committed_creds(ctx: &mut ::aya_ebpf::programs::LsmContext) -> i32 {
+                    0
+                }
+            }
+        };
+        assert_eq!(expected.to_string(), expanded.to_string());
+    }
+}

aya-obj/src/obj.rs

@@ -275,6 +275,7 @@ pub enum ProgramSection {
     Lsm {
         sleepable: bool,
     },
+    LsmCgroup,
     BtfTracePoint,
     FEntry {
         sleepable: bool,
@@ -436,6 +437,7 @@ impl FromStr for ProgramSection {
             "raw_tp" | "raw_tracepoint" => RawTracePoint,
             "lsm" => Lsm { sleepable: false },
             "lsm.s" => Lsm { sleepable: true },
+            "lsm_cgroup" => LsmCgroup,
             "fentry" => FEntry { sleepable: false },
             "fentry.s" => FEntry { sleepable: true },
             "fexit" => FExit { sleepable: false },
@@ -2186,10 +2188,7 @@ mod tests {
         assert_matches!(
             obj.programs.get("foo"),
             Some(Program {
-                section: ProgramSection::Lsm {
-                    sleepable: false,
-                    ..
-                },
+                section: ProgramSection::Lsm { sleepable: false },
                 ..
             })
         );
@@ -2221,6 +2220,29 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_parse_section_lsm_cgroup() {
+        let mut obj = fake_obj();
+        fake_sym(&mut obj, 0, 0, "foo", FAKE_INS_LEN);
+
+        assert_matches!(
+            obj.parse_section(fake_section(
+                EbpfSectionKind::Program,
+                "lsm_cgroup/foo",
+                bytes_of(&fake_ins()),
+                None
+            )),
+            Ok(())
+        );
+        assert_matches!(
+            obj.programs.get("foo"),
+            Some(Program {
+                section: ProgramSection::LsmCgroup,
+                ..
+            })
+        );
+    }
+
     #[test]
     fn test_parse_section_btf_tracepoint() {
         let mut obj = fake_obj();

aya/src/bpf.rs

@@ -24,8 +24,9 @@ use crate::{
     programs::{
         BtfTracePoint, CgroupDevice, CgroupSkb, CgroupSkbAttachType, CgroupSock, CgroupSockAddr,
         CgroupSockopt, CgroupSysctl, Extension, FEntry, FExit, Iter, KProbe, LircMode2, Lsm,
-        PerfEvent, ProbeKind, Program, ProgramData, ProgramError, RawTracePoint, SchedClassifier,
-        SkLookup, SkMsg, SkSkb, SkSkbKind, SockOps, SocketFilter, TracePoint, UProbe, Xdp,
+        LsmCgroup, PerfEvent, ProbeKind, Program, ProgramData, ProgramError, RawTracePoint,
+        SchedClassifier, SkLookup, SkMsg, SkSkb, SkSkbKind, SockOps, SocketFilter, TracePoint,
+        UProbe, Xdp,
     },
     sys::{
         bpf_load_btf, is_bpf_cookie_supported, is_bpf_global_data_supported,
@@ -400,6 +401,7 @@ impl<'a> EbpfLoader<'a> {
                                 | ProgramSection::FEntry { sleepable: _ }
                                 | ProgramSection::FExit { sleepable: _ }
                                 | ProgramSection::Lsm { sleepable: _ }
+                                | ProgramSection::LsmCgroup
                                 | ProgramSection::BtfTracePoint
                                 | ProgramSection::Iter { sleepable: _ } => {
                                     return Err(EbpfError::BtfError(err))
@@ -645,6 +647,9 @@ impl<'a> EbpfLoader<'a> {
                             }
                             Program::Lsm(Lsm { data })
                         }
+                        ProgramSection::LsmCgroup => Program::LsmCgroup(LsmCgroup {
+                            data: ProgramData::new(prog_name, obj, btf_fd, *verifier_log_level),
+                        }),
                         ProgramSection::BtfTracePoint => Program::BtfTracePoint(BtfTracePoint {
                             data: ProgramData::new(prog_name, obj, btf_fd, *verifier_log_level),
                         }),

aya/src/programs/lsm_cgroup.rs

@@ -0,0 +1,108 @@
+//! LSM probes.
+
+use std::os::fd::AsFd;
+
+use aya_obj::{
+    btf::{Btf, BtfKind},
+    generated::{bpf_attach_type::BPF_LSM_CGROUP, bpf_prog_type::BPF_PROG_TYPE_LSM},
+};
+
+use crate::{
+    programs::{define_link_wrapper, load_program, FdLink, FdLinkId, ProgramData, ProgramError},
+    sys::{bpf_link_create, BpfLinkCreateArgs, LinkTarget, SyscallError},
+};
+
+/// A program that attaches to Linux LSM hooks with per-cgroup attachment type. Used to implement security policy and
+/// audit logging.
+///
+/// LSM probes can be attached to the kernel's [security hooks][1] to implement mandatory
+/// access control policy and security auditing.
+///
+/// LSM probes require a kernel compiled with `CONFIG_BPF_LSM=y` and `CONFIG_DEBUG_INFO_BTF=y`.
+/// In order for the probes to fire, you also need the BPF LSM to be enabled through your
+/// kernel's boot paramters (like `lsm=lockdown,yama,bpf`).
+///
+/// # Minimum kernel version
+///
+/// The minimum kernel version required to use this feature is 6.0.
+///
+/// # Examples
+///
+/// ```no_run
+/// # #[derive(thiserror::Error, Debug)]
+/// # enum LsmError {
+/// #     #[error(transparent)]
+/// #     BtfError(#[from] aya::BtfError),
+/// #     #[error(transparent)]
+/// #     Program(#[from] aya::programs::ProgramError),
+/// #     #[error(transparent)]
+/// #     Ebpf(#[from] aya::EbpfError),
+/// # }
+/// # let mut bpf = Ebpf::load_file("ebpf_programs.o")?;
+/// use aya::{Ebpf, programs::LsmCgroup, BtfError, Btf};
+/// use std::fs::File;
+///
+/// let btf = Btf::from_sys_fs()?;
+/// let file = File::open("/sys/fs/cgroup/unified").unwrap();
+/// let program: &mut LsmCgroup = bpf.program_mut("lsm_prog").unwrap().try_into()?;
+/// program.load("security_bprm_exec", &btf)?;
+/// program.attach(file)?;
+/// # Ok::<(), LsmError>(())
+/// ```
+///
+/// [1]: https://elixir.bootlin.com/linux/latest/source/include/linux/lsm_hook_defs.h
+#[derive(Debug)]
+#[doc(alias = "BPF_PROG_TYPE_LSM")]
+pub struct LsmCgroup {
+    pub(crate) data: ProgramData<LsmLink>,
+}
+
+impl LsmCgroup {
+    /// Loads the program inside the kernel.
+    ///
+    /// # Arguments
+    ///
+    /// * `lsm_hook_name` - full name of the LSM hook that the program should
+    ///   be attached to
+    pub fn load(&mut self, lsm_hook_name: &str, btf: &Btf) -> Result<(), ProgramError> {
+        self.data.expected_attach_type = Some(BPF_LSM_CGROUP);
+        let type_name = format!("bpf_lsm_{lsm_hook_name}");
+        self.data.attach_btf_id =
+            Some(btf.id_by_type_name_kind(type_name.as_str(), BtfKind::Func)?);
+        load_program(BPF_PROG_TYPE_LSM, &mut self.data)
+    }
+
+    /// Attaches the program.
+    ///
+    /// The returned value can be used to detach, see [LsmCgroup::detach].
+    pub fn attach<T: AsFd>(&mut self, cgroup: T) -> Result<LsmLinkId, ProgramError> {
+        let prog_fd = self.fd()?;
+        let prog_fd = prog_fd.as_fd();
+        let cgroup_fd = cgroup.as_fd();
+        let attach_type = self.data.expected_attach_type.unwrap();
+        let btf_id = self.data.attach_btf_id.ok_or(ProgramError::NotLoaded)?;
+        let link_fd = bpf_link_create(
+            prog_fd,
+            LinkTarget::Fd(cgroup_fd),
+            attach_type,
+            0,
+            Some(BpfLinkCreateArgs::TargetBtfId(btf_id)),
+        )
+        .map_err(|(_, io_error)| SyscallError {
+            call: "bpf_link_create",
+            io_error,
+        })?;
+
+        self.data.links.insert(LsmLink::new(FdLink::new(link_fd)))
+    }
+}
+
+define_link_wrapper!(
+    /// The link used by [LsmCgroup] programs.
+    LsmLink,
+    /// The type returned by [LsmCgroup::attach]. Can be passed to [LsmCgroup::detach].
+    LsmLinkId,
+    FdLink,
+    FdLinkId,
+    LsmCgroup,
+);

aya/src/programs/mod.rs

@@ -56,6 +56,7 @@ pub mod kprobe;
 pub mod links;
 pub mod lirc_mode2;
 pub mod lsm;
+pub mod lsm_cgroup;
 pub mod perf_attach;
 pub mod perf_event;
 pub mod raw_trace_point;
@@ -105,6 +106,7 @@ pub use crate::programs::{
     links::{CgroupAttachMode, Link, LinkOrder},
     lirc_mode2::LircMode2,
     lsm::Lsm,
+    lsm_cgroup::LsmCgroup,
     perf_event::{PerfEvent, PerfEventScope, PerfTypeId, SamplePolicy},
     probe::ProbeKind,
     raw_trace_point::RawTracePoint,
@@ -303,6 +305,8 @@ pub enum Program {
     RawTracePoint(RawTracePoint),
     /// A [`Lsm`] program
     Lsm(Lsm),
+    /// A [`LsmCgroup`] program
+    LsmCgroup(LsmCgroup),
     /// A [`BtfTracePoint`] program
     BtfTracePoint(BtfTracePoint),
     /// A [`FEntry`] program
@@ -340,6 +344,7 @@ impl Program {
             Self::PerfEvent(_) => ProgramType::PerfEvent,
             Self::RawTracePoint(_) => ProgramType::RawTracePoint,
             Self::Lsm(_) => ProgramType::Lsm,
+            Self::LsmCgroup(_) => ProgramType::Lsm,
             // The following program types are a subset of `TRACING` programs:
             //
             // - `BPF_TRACE_RAW_TP` (`BtfTracePoint`)
@@ -379,6 +384,7 @@ impl Program {
             Self::PerfEvent(p) => p.pin(path),
             Self::RawTracePoint(p) => p.pin(path),
             Self::Lsm(p) => p.pin(path),
+            Self::LsmCgroup(p) => p.pin(path),
             Self::BtfTracePoint(p) => p.pin(path),
             Self::FEntry(p) => p.pin(path),
             Self::FExit(p) => p.pin(path),
@@ -410,6 +416,7 @@ impl Program {
             Self::PerfEvent(mut p) => p.unload(),
             Self::RawTracePoint(mut p) => p.unload(),
             Self::Lsm(mut p) => p.unload(),
+            Self::LsmCgroup(mut p) => p.unload(),
             Self::BtfTracePoint(mut p) => p.unload(),
             Self::FEntry(mut p) => p.unload(),
             Self::FExit(mut p) => p.unload(),
@@ -443,6 +450,7 @@ impl Program {
             Self::PerfEvent(p) => p.fd(),
             Self::RawTracePoint(p) => p.fd(),
             Self::Lsm(p) => p.fd(),
+            Self::LsmCgroup(p) => p.fd(),
             Self::BtfTracePoint(p) => p.fd(),
             Self::FEntry(p) => p.fd(),
             Self::FExit(p) => p.fd(),
@@ -477,6 +485,7 @@ impl Program {
             Self::PerfEvent(p) => p.info(),
             Self::RawTracePoint(p) => p.info(),
             Self::Lsm(p) => p.info(),
+            Self::LsmCgroup(p) => p.info(),
             Self::BtfTracePoint(p) => p.info(),
             Self::FEntry(p) => p.info(),
             Self::FExit(p) => p.info(),
@@ -788,6 +797,7 @@ impl_program_unload!(
     LircMode2,
     PerfEvent,
     Lsm,
+    LsmCgroup,
     RawTracePoint,
     BtfTracePoint,
     FEntry,
@@ -829,6 +839,7 @@ impl_fd!(
     LircMode2,
     PerfEvent,
     Lsm,
+    LsmCgroup,
     RawTracePoint,
     BtfTracePoint,
     FEntry,
@@ -935,6 +946,7 @@ impl_program_pin!(
     LircMode2,
     PerfEvent,
     Lsm,
+    LsmCgroup,
     RawTracePoint,
     BtfTracePoint,
     FEntry,
@@ -974,8 +986,9 @@ impl_from_pin!(
     SkMsg,
     CgroupSysctl,
     LircMode2,
-    PerfEvent,
     Lsm,
+    LsmCgroup,
+    PerfEvent,
     RawTracePoint,
     BtfTracePoint,
     FEntry,
@@ -1031,6 +1044,7 @@ impl_try_from_program!(
     LircMode2,
     PerfEvent,
     Lsm,
+    LsmCgroup,
     RawTracePoint,
     BtfTracePoint,
     FEntry,
@@ -1058,6 +1072,7 @@ impl_info!(
     LircMode2,
     PerfEvent,
     Lsm,
+    LsmCgroup,
     RawTracePoint,
     BtfTracePoint,
     FEntry,

init/src/main.rs

@@ -81,6 +81,14 @@ fn run() -> anyhow::Result<()> {
             data: None,
             target_mode: None,
         },
+        Mount {
+            source: "cgroup2",
+            target: "/sys/fs/cgroup",
+            fstype: "cgroup2",
+            flags: nix::mount::MsFlags::empty(),
+            data: None,
+            target_mode: None,
+        },
     ] {
         match target_mode {
             None => {

test/integration-ebpf/src/test.rs

@@ -3,8 +3,8 @@
 
 use aya_ebpf::{
     bindings::xdp_action,
-    macros::{kprobe, kretprobe, tracepoint, uprobe, uretprobe, xdp},
-    programs::{ProbeContext, RetProbeContext, TracePointContext, XdpContext},
+    macros::{kprobe, kretprobe, lsm, lsm_cgroup, tracepoint, uprobe, uretprobe, xdp},
+    programs::{LsmContext, ProbeContext, RetProbeContext, TracePointContext, XdpContext},
 };
 
 #[xdp]
@@ -44,6 +44,16 @@ pub fn test_uretprobe(_ctx: RetProbeContext) -> u32 {
     0
 }
 
+#[lsm_cgroup(hook = "socket_bind")]
+pub fn test_lsmcgroup(_ctx: LsmContext) -> i32 {
+    0
+}
+
+#[lsm(hook = "socket_bind")]
+pub fn test_lsm(_ctx: LsmContext) -> i32 {
+    -1
+}
+
 #[cfg(not(test))]
 #[panic_handler]
 fn panic(_info: &core::panic::PanicInfo) -> ! {

test/integration-test/Cargo.toml

@@ -24,11 +24,13 @@ netns-rs = { workspace = true }
 object = { workspace = true, features = ["elf", "read_core", "std"] }
 rand = { workspace = true, features = ["thread_rng"] }
 rbpf = { workspace = true }
+scopeguard = { workspace = true }
 test-case = { workspace = true }
 test-log = { workspace = true, features = ["log"] }
 tokio = { workspace = true, features = ["macros", "rt-multi-thread", "time"] }
 xdpilone = { workspace = true }
 
+
 [build-dependencies]
 anyhow = { workspace = true }
 aya-build = { path = "../../aya-build" }

test/integration-test/src/tests.rs

@@ -5,6 +5,7 @@ mod info;
 mod iter;
 mod load;
 mod log;
+mod lsm;
 mod raw_tracepoint;
 mod rbpf;
 mod relocations;

test/integration-test/src/tests/lsm.rs

@@ -0,0 +1,83 @@
+use std::{
+    fs::{write, File},
+    io::ErrorKind,
+    net::TcpListener,
+    path::Path,
+};
+
+use aya::{
+    programs::{lsm_cgroup::LsmCgroup, Lsm},
+    util::KernelVersion,
+    Btf, Ebpf,
+};
+#[test]
+#[ignore = "LSM programs need a special kernel config, which is not supported by GitHub runners[waiting on PR: 1063]."]
+fn lsm_cgroup() {
+    const CGROUP_PATH: &str = "/sys/fs/cgroup/lsm_cgroup_test";
+
+    let kernel_version = KernelVersion::current().unwrap();
+    if kernel_version < KernelVersion::new(6, 0, 0) {
+        eprintln!("skipping lsm_cgroup test on kernel {kernel_version:?}");
+        return;
+    }
+
+    let mut bpf: Ebpf = Ebpf::load(crate::TEST).unwrap();
+    let prog: &mut LsmCgroup = bpf
+        .program_mut("test_lsmcgroup")
+        .unwrap()
+        .try_into()
+        .unwrap();
+    let btf = Btf::from_sys_fs().expect("could not get btf from sys");
+    prog.load("socket_bind", &btf).unwrap();
+
+    assert_matches::assert_matches!(TcpListener::bind("127.0.0.1:12345"), Ok(_));
+
+    let cgroup_dir = Path::new(CGROUP_PATH);
+    std::fs::create_dir_all(CGROUP_PATH).expect("could not create cgroup dir");
+
+    let proc_path = cgroup_dir.join("cgroup.procs");
+
+    let _guard = scopeguard::guard((), |()| {
+        std::fs::remove_file(&proc_path).unwrap();
+        std::fs::remove_dir_all(cgroup_dir).unwrap();
+    });
+
+    let link_id = prog.attach(File::open(cgroup_dir).unwrap()).unwrap();
+
+    let _guard = scopeguard::guard((), |()| {
+        prog.detach(link_id).unwrap();
+    });
+    
+    assert_matches::assert_matches!(TcpListener::bind("127.0.0.1:12345"), Ok(_));
+
+    let pid = std::process::id();
+    write(&proc_path, format!("{}\n", pid)).expect("could not write into procs file");
+
+    assert_matches::assert_matches!(TcpListener::bind("127.0.0.1:12345"), Err(e) => assert_eq!(
+        e.kind(), ErrorKind::PermissionDenied));
+
+    
+}
+
+#[test]
+#[ignore = "LSM programs need a special kernel config, which is not supported by GitHub runners[waiting on PR: 1063]."]
+fn lsm() {
+    let kernel_version = KernelVersion::current().unwrap();
+    if kernel_version < KernelVersion::new(5, 7, 0) {
+        eprintln!("skipping lsm test on kernel {kernel_version:?}");
+        return;
+    }
+
+    let mut bpf: Ebpf = Ebpf::load(crate::TEST).unwrap();
+    let prog: &mut Lsm = bpf.program_mut("test_lsm").unwrap().try_into().unwrap();
+    let btf = Btf::from_sys_fs().expect("could not get btf from sys");
+    prog.load("socket_bind", &btf).unwrap();
+
+    assert_matches::assert_matches!(TcpListener::bind("127.0.0.1:12345"), Ok(_));
+
+    prog.attach().unwrap();
+
+    assert_matches::assert_matches!(TcpListener::bind("127.0.0.1:12345"), Err(e) => assert_eq!(
+        e.kind(), ErrorKind::PermissionDenied)
+    );
+}

xtask/public-api/aya-ebpf-macros.txt

@@ -12,6 +12,7 @@ pub proc macro aya_ebpf_macros::#[fexit]
 pub proc macro aya_ebpf_macros::#[kprobe]
 pub proc macro aya_ebpf_macros::#[kretprobe]
 pub proc macro aya_ebpf_macros::#[lsm]
+pub proc macro aya_ebpf_macros::#[lsm_cgroup]
 pub proc macro aya_ebpf_macros::#[map]
 pub proc macro aya_ebpf_macros::#[perf_event]
 pub proc macro aya_ebpf_macros::#[raw_tracepoint]

xtask/public-api/aya-obj.txt

@@ -7658,6 +7658,7 @@ pub aya_obj::obj::ProgramSection::KRetProbe
 pub aya_obj::obj::ProgramSection::LircMode2
 pub aya_obj::obj::ProgramSection::Lsm
 pub aya_obj::obj::ProgramSection::Lsm::sleepable: bool
+pub aya_obj::obj::ProgramSection::LsmCgroup
 pub aya_obj::obj::ProgramSection::PerfEvent
 pub aya_obj::obj::ProgramSection::RawTracePoint
 pub aya_obj::obj::ProgramSection::SchedClassifier
@@ -8520,6 +8521,7 @@ pub aya_obj::ProgramSection::KRetProbe
 pub aya_obj::ProgramSection::LircMode2
 pub aya_obj::ProgramSection::Lsm
 pub aya_obj::ProgramSection::Lsm::sleepable: bool
+pub aya_obj::ProgramSection::LsmCgroup
 pub aya_obj::ProgramSection::PerfEvent
 pub aya_obj::ProgramSection::RawTracePoint
 pub aya_obj::ProgramSection::SchedClassifier

xtask/public-api/aya.txt

@@ -413,6 +413,8 @@ pub fn run(opts: Options) -> Result<()> {
                 //
                 // Heed the advice and boot with noapic. We don't know why this happens.
                 kernel_args.push(" noapic");
+                // We need to enable LSM bpf to be able to run LSM integration tests.
+                kernel_args.push(" lsm=lockdown,capability,bpf");
                 qemu.args(["-no-reboot", "-nographic", "-m", "512M", "-smp", "2"])
                     .arg("-append")
                     .arg(kernel_args)