feat : add BPF token support

[MaximeWewer]

Summary

Implements BPF token delegation for unprivileged BPF operations, based on the PR #990 of @dave-tucker, rebased and adapted to current main.

BPF tokens (Linux 6.9+) allow unprivileged userspace programs to perform BPF operations by obtaining a token from a specially-configured BPF filesystem mounted with delegate_* options. This follows the kernel's token implementation : https://docs.kernel.org/bpf/bpf_token.html

What changed

aya crate:

• New aya::token module with BpfToken, FilesystemPermissions, FilesystemPermissionsBuilder, and create_bpf_filesystem
• EbpfLoader::token() builder method to pass a token for loading
• Token-aware feature detection via detect_features_with_token()
• token_fd threaded through bpf_create_map, bpf_load_program, bpf_load_btf syscalls
• Features stored in MapData and ProgramData for correct post-load behavior (cpu_map, dev_map, perf_attach)
• All from_pin / from_pinned_path methods updated to accept token + features

aya-obj crate:

• Clone derive on Features and BtfFeatures
• New type enums: BpfAttachType, BpfCommand, BpfMapType, BpfProgType, BpfLinkType (used by FilesystemPermissionsBuilder)
• New modules: attach, cmd

aya-tool:

• New create-fs subcommand to create a BPFFS with token delegation options

Tests:

• 11 integration tests mirroring the kernel selftests (tools/testing/selftests/bpf/prog_tests/token.c)
• Tests gracefully skip with EOPNOTSUPP when blocked by kernel lockdown (Secure Boot)

API example

  use aya::{EbpfLoader, token::BpfToken};

  // Create token from a BPFFS mounted with delegation options
  let token = BpfToken::create("/sys/fs/bpf")?;

  // Load programs using the token
  let mut bpf = EbpfLoader::new()
      .token(&token)
      .load_file("program.o")?;

Breaking changes

• MapData::create now takes token_fd: Option<BorrowedFd<'_>> and features: Features parameters
• value_size_override is now const fn and takes &Features

Refs: #990

Added/updated tests?

• Yes

Checklist

• Rust code has been formatted with cargo +nightly fmt.
• All clippy lints have been fixed.
• Unit tests are passing locally with cargo test.
• The https://github.com/aya-rs/aya/blob/main/test/README.md are passing locally.
• I have blessed any API changes with cargo xtask public-api --bless.

Note on testing

BPF token creation (BPF_TOKEN_CREATE syscall) is blocked by kernel lockdown in integrity mode, which is enforced by Secure Boot on Ubuntu/Fedora. Integration tests gracefully skip in that case. Full token tests require either:

• A system without Secure Boot (typical CI VMs)
• Kernel booted with lockdown=none

---

This change is 

[netlify]

✅ Deploy Preview for aya-rs-docs ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	feb6e77
🔍 Latest deploy log	https://app.netlify.com/projects/aya-rs-docs/deploys/69d608ce81e12f0008270cba
😎 Deploy Preview	https://deploy-preview-1515--aya-rs-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[tamird]

This breaks the build because xtask depends on aya-tool (perhaps it shouldn't) and xtask needs to run on macOS -- aya does not build on macOS.

[MaximeWewer]

Thanks for the hint !

[tamird]

This needs a rebase

[MaximeWewer]

Hi @tamird,

It's done :)

[tamird]

I don't have the bandwidth to review 2kloc of LLM-generated code. Perhaps @alessandrod can help you.