feat: Add cgroup eBPF policy guard with TCP, device, and sysctl controls

- Implemented cgroup-based access control using eBPF with three main functionalities:
  1. Block TCP connections to specified ports.
  2. Deny access to specified devices.
  3. Control sysctl read/write operations.
- Added necessary Makefile and documentation for building and running the policy guard.

Author: github-actions[bot]

src/cgroup/.gitignore

@@ -0,0 +1,20 @@
+# Build artifacts
+*.o
+*.skel.h
+*.skel.json
+.output/
+cgroup_guard
+
+# Test artifacts
+*.tmp
+*.err
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db

src/cgroup/Makefile

@@ -0,0 +1,112 @@
+# SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+OUTPUT := .output
+CLANG ?= clang
+LIBBPF_SRC := $(abspath ../third_party/libbpf/src)
+BPFTOOL_SRC := $(abspath ../third_party/bpftool/src)
+LIBBPF_OBJ := $(abspath $(OUTPUT)/libbpf.a)
+BPFTOOL_OUTPUT ?= $(abspath $(OUTPUT)/bpftool)
+BPFTOOL ?= $(BPFTOOL_OUTPUT)/bootstrap/bpftool
+ARCH ?= $(shell uname -m | sed 's/x86_64/x86/' \
+			 | sed 's/arm.*/arm/' \
+			 | sed 's/aarch64/arm64/' \
+			 | sed 's/ppc64le/powerpc/' \
+			 | sed 's/mips.*/mips/' \
+			 | sed 's/riscv64/riscv/' \
+			 | sed 's/loongarch64/loongarch/')
+VMLINUX := ../third_party/vmlinux/$(ARCH)/vmlinux.h
+# Use our own libbpf API headers and Linux UAPI headers distributed with
+# libbpf to avoid dependency on system-wide headers, which could be missing or
+# outdated
+INCLUDES := -I$(OUTPUT) -I../third_party/libbpf/include/uapi -I$(dir $(VMLINUX))
+CFLAGS := -g -Wall
+ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
+
+APPS = cgroup_guard
+
+# Get Clang's default includes on this system. We'll explicitly add these dirs
+# to the includes list when compiling with `-target bpf` because otherwise some
+# architecture-specific dirs will be "missing" on some architectures/distros -
+# headers such as asm/types.h, asm/byteorder.h, asm/socket.h, asm/sockios.h,
+# sys/cdefs.h etc. might be missing.
+#
+# Use '-idirafter': Don't interfere with include mechanics except where the
+# build would have failed anyways.
+CLANG_BPF_SYS_INCLUDES ?= $(shell $(CLANG) -v -E - </dev/null 2>&1 \
+	| sed -n '/<...> search starts here:/,/End of search list./{ s| \(/.*\)|-idirafter \1|p }')
+
+ifeq ($(V),1)
+	Q =
+	msg =
+else
+	Q = @
+	msg = @printf '  %-8s %s%s\n'					\
+		      "$(1)"						\
+		      "$(patsubst $(abspath $(OUTPUT))/%,%,$(2))"	\
+		      "$(if $(3), $(3))";
+	MAKEFLAGS += --no-print-directory
+endif
+
+define allow-override
+  $(if $(or $(findstring environment,$(origin $(1))),\
+            $(findstring command line,$(origin $(1)))),,\
+    $(eval $(1) = $(2)))
+endef
+
+$(call allow-override,CC,$(CROSS_COMPILE)cc)
+$(call allow-override,LD,$(CROSS_COMPILE)ld)
+
+.PHONY: all
+all: $(APPS)
+
+.PHONY: clean
+clean:
+	$(call msg,CLEAN)
+	$(Q)rm -rf $(OUTPUT) $(APPS)
+
+$(OUTPUT) $(OUTPUT)/libbpf $(BPFTOOL_OUTPUT):
+	$(call msg,MKDIR,$@)
+	$(Q)mkdir -p $@
+
+# Build libbpf
+$(LIBBPF_OBJ): $(wildcard $(LIBBPF_SRC)/*.[ch] $(LIBBPF_SRC)/Makefile) | $(OUTPUT)/libbpf
+	$(call msg,LIB,$@)
+	$(Q)$(MAKE) -C $(LIBBPF_SRC) BUILD_STATIC_ONLY=1		      \
+		    OBJDIR=$(dir $@)/libbpf DESTDIR=$(dir $@)		      \
+		    INCLUDEDIR= LIBDIR= UAPIDIR=			      \
+		    install
+
+# Build bpftool
+$(BPFTOOL): | $(BPFTOOL_OUTPUT)
+	$(call msg,BPFTOOL,$@)
+	$(Q)$(MAKE) ARCH= CROSS_COMPILE= OUTPUT=$(BPFTOOL_OUTPUT)/ -C $(BPFTOOL_SRC) bootstrap
+
+# Build BPF code
+$(OUTPUT)/%.bpf.o: %.bpf.c $(LIBBPF_OBJ) $(wildcard %.h) $(VMLINUX) | $(OUTPUT) $(BPFTOOL)
+	$(call msg,BPF,$@)
+	$(Q)$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH)		      \
+		     $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES)		      \
+		     -c $(filter %.c,$^) -o $(patsubst %.bpf.o,%.tmp.bpf.o,$@)
+	$(Q)$(BPFTOOL) gen object $@ $(patsubst %.bpf.o,%.tmp.bpf.o,$@)
+
+# Generate BPF skeletons
+$(OUTPUT)/%.skel.h: $(OUTPUT)/%.bpf.o | $(OUTPUT) $(BPFTOOL)
+	$(call msg,GEN-SKEL,$@)
+	$(Q)$(BPFTOOL) gen skeleton $< > $@
+
+# Build user-space code
+$(patsubst %,$(OUTPUT)/%.o,$(APPS)): %.o: %.skel.h
+
+$(OUTPUT)/%.o: %.c $(wildcard %.h) | $(OUTPUT)
+	$(call msg,CC,$@)
+	$(Q)$(CC) $(CFLAGS) $(INCLUDES) -c $(filter %.c,$^) -o $@
+
+# Build application binary
+$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) | $(OUTPUT)
+	$(call msg,BINARY,$@)
+	$(Q)$(CC) $(CFLAGS) $^ $(ALL_LDFLAGS) -lelf -lz -o $@
+
+# delete failed targets
+.DELETE_ON_ERROR:
+
+# keep intermediate (.skel.h, .bpf.o, etc) targets
+.SECONDARY:

src/cgroup/README.md

@@ -0,0 +1,193 @@
+# eBPF Tutorial: cgroup-based Policy Control
+
+This tutorial demonstrates how to use cgroup eBPF programs to implement per-cgroup policy controls for networking, device access, and sysctl operations.
+
+## What is cgroup eBPF?
+
+**cgroup eBPF** allows you to attach eBPF programs to cgroups (control groups) to enforce policies based on process/container membership. Unlike XDP/tc which work on network interfaces, cgroup eBPF works at the process level:
+
+- Policies only affect processes in the target cgroup
+- Perfect for container/multi-tenant/sandbox isolation
+- Covers: network access control, socket options, sysctl access, device access
+
+When a cgroup eBPF program denies an operation, userspace typically sees `EPERM` (Operation not permitted).
+
+## cgroup eBPF Hook Points
+
+### 1. `BPF_PROG_TYPE_CGROUP_SOCK_ADDR` - Socket Address Hooks
+
+Triggered on socket address syscalls (bind/connect/sendmsg/recvmsg):
+
+| Hook | Section Name | Description |
+|------|--------------|-------------|
+| IPv4 bind | `cgroup/bind4` | Filter bind() calls |
+| IPv6 bind | `cgroup/bind6` | Filter bind() calls |
+| IPv4 connect | `cgroup/connect4` | Filter connect() calls |
+| IPv6 connect | `cgroup/connect6` | Filter connect() calls |
+| UDP sendmsg | `cgroup/sendmsg4`, `cgroup/sendmsg6` | Filter UDP sends |
+| UDP recvmsg | `cgroup/recvmsg4`, `cgroup/recvmsg6` | Filter UDP receives |
+| Unix connect | `cgroup/connect_unix` | Filter Unix socket connect |
+
+**Context**: `struct bpf_sock_addr` - contains `user_ip4`, `user_port` (network byte order)
+
+**Return semantics**: `return 1` = allow, `return 0` = deny (EPERM)
+
+### 2. `BPF_PROG_TYPE_CGROUP_DEVICE` - Device Access Control
+
+| Hook | Section Name | Description |
+|------|--------------|-------------|
+| Device access | `cgroup/dev` | Filter device open/read/write/mknod |
+
+**Context**: `struct bpf_cgroup_dev_ctx` - contains `major`, `minor`, `access_type`
+
+**Return semantics**: `return 0` = deny (EPERM), non-zero = allow
+
+### 3. `BPF_PROG_TYPE_CGROUP_SYSCTL` - Sysctl Access Control
+
+| Hook | Section Name | Description |
+|------|--------------|-------------|
+| Sysctl access | `cgroup/sysctl` | Filter /proc/sys reads/writes |
+
+**Context**: `struct bpf_sysctl` - use `bpf_sysctl_get_name()` to get sysctl name
+
+**Return semantics**: `return 0` = reject (EPERM), `return 1` = proceed
+
+### 4. Other cgroup Hooks
+
+- `cgroup_skb/ingress`, `cgroup_skb/egress` - Packet-level filtering
+- `cgroup/getsockopt`, `cgroup/setsockopt` - Socket option filtering
+- `cgroup/sock_create`, `cgroup/sock_release` - Socket lifecycle
+- `sockops` - TCP-level optimization (attached via `BPF_CGROUP_SOCK_OPS`)
+
+## This Tutorial: cgroup Policy Guard
+
+We implement a single eBPF object with three programs:
+
+1. **Network (TCP)**: Block `connect()` to a specified destination port
+2. **Device**: Block access to a specified `major:minor` device
+3. **Sysctl**: Block reading a specified sysctl (read-only, safer for testing)
+
+Events are sent to userspace via ringbuf for observability.
+
+## Building
+
+```bash
+cd src/49-cgroup
+make
+```
+
+## Running
+
+### Terminal A: Start the loader
+
+```bash
+# Block: TCP port 9090, /dev/null (1:3), reading kernel/hostname
+sudo ./cgroup_guard \
+  --cgroup /sys/fs/cgroup/ebpf_demo \
+  --block-port 9090 \
+  --deny-device 1:3 \
+  --deny-sysctl kernel/hostname
+```
+
+You should see:
+```
+Attached to cgroup: /sys/fs/cgroup/ebpf_demo
+Config: block_port=9090, deny_device=1:3, deny_sysctl_read=kernel/hostname
+Press Ctrl-C to stop.
+```
+
+### Terminal B: Start test servers (outside cgroup)
+
+```bash
+# Start two HTTP servers
+python3 -m http.server 8080 --bind 127.0.0.1 &
+python3 -m http.server 9090 --bind 127.0.0.1 &
+```
+
+### Terminal C: Test from within the cgroup
+
+```bash
+sudo bash -c '
+echo $$ > /sys/fs/cgroup/ebpf_demo/cgroup.procs
+
+echo "== TCP test =="
+curl -s http://127.0.0.1:8080 >/dev/null && echo "8080 OK"
+curl -s http://127.0.0.1:9090 >/dev/null && echo "9090 OK (unexpected)" || echo "9090 BLOCKED (expected)"
+
+echo
+echo "== Device test =="
+cat /dev/null && echo "/dev/null OK (unexpected)" || echo "/dev/null BLOCKED (expected)"
+
+echo
+echo "== Sysctl test =="
+cat /proc/sys/kernel/hostname && echo "sysctl read OK (unexpected)" || echo "sysctl read BLOCKED (expected)"
+'
+```
+
+Expected output:
+- `8080 OK` - Port 8080 is allowed
+- `9090 BLOCKED (expected)` - Port 9090 is blocked
+- `/dev/null BLOCKED (expected)` - Device 1:3 is blocked
+- `sysctl read BLOCKED (expected)` - Reading kernel/hostname is blocked
+
+### Terminal A output (events)
+
+```
+[DENY connect4] pid=12345 comm=curl daddr=127.0.0.1 dport=9090 proto=6
+[DENY device]   pid=12346 comm=cat major=1 minor=3 access_type=0x...
+[DENY sysctl]   pid=12347 comm=cat write=0 name=kernel/hostname
+```
+
+## Verifying with bpftool
+
+```bash
+sudo bpftool cgroup tree /sys/fs/cgroup/ebpf_demo
+```
+
+## Key Implementation Details
+
+### 1. Network byte order for sock_addr
+
+```c
+// user_port is network byte order, must convert
+__u16 dport = bpf_ntohs((__u16)ctx->user_port);
+```
+
+### 2. Return value semantics
+
+```c
+// For sock_addr (connect4/bind4/etc):
+return 1;  // allow
+return 0;  // deny -> EPERM
+
+// For device:
+return 0;  // deny -> EPERM
+return 1;  // allow
+
+// For sysctl:
+return 0;  // reject -> EPERM
+return 1;  // proceed
+```
+
+### 3. Configuration via .rodata
+
+```c
+// BPF side - const volatile for CO-RE
+const volatile __u16 blocked_tcp_dport = 0;
+
+// Userspace - set before load
+skel->rodata->blocked_tcp_dport = (__u16)port;
+```
+
+## Files
+
+- `cgroup_guard.h` - Shared data structures
+- `cgroup_guard.bpf.c` - eBPF programs (connect4, device, sysctl hooks)
+- `cgroup_guard.c` - Userspace loader
+- `Makefile` - Build system
+
+## References
+
+- [Kernel docs: libbpf program types](https://docs.kernel.org/bpf/libbpf/program_types.html)
+- [eBPF docs: CGROUP_SOCK_ADDR](https://docs.ebpf.io/linux/program-type/BPF_PROG_TYPE_CGROUP_SOCK_ADDR/)
+- [eBPF docs: CGROUP_DEVICE](https://docs.ebpf.io/linux/program-type/BPF_PROG_TYPE_CGROUP_DEVICE/)