aya-rs · heeen · Jan 20, 2026 · Jan 20, 2026 · Jan 5, 2026 · Jan 5, 2026
diff --git a/aya-ebpf-macros/src/hid_bpf.rs b/aya-ebpf-macros/src/hid_bpf.rs
@@ -0,0 +1,131 @@
+use std::borrow::Cow;
+
+use proc_macro2::TokenStream;
+use quote::quote;
+use syn::{ItemFn, Result};
+
+use crate::args::err_on_unknown_args;
+
+/// The type of HID-BPF callback.
+#[derive(Debug, Clone, Copy)]
+pub(crate) enum HidBpfKind {
+    /// Called for each HID input report.
+    DeviceEvent,
+    /// Called to fix report descriptor at probe time.
+    RdescFixup,
+    /// Called for hardware requests (feature reports, etc).
+    HwRequest,
+    /// Called for output reports.
+    HwOutputReport,
+}
+
+impl HidBpfKind {
+    fn section_name(&self) -> &'static str {
+        match self {
+            Self::DeviceEvent => "struct_ops/hid_device_event",
+            Self::RdescFixup => "struct_ops/hid_rdesc_fixup",
+            Self::HwRequest => "struct_ops/hid_hw_request",
+            Self::HwOutputReport => "struct_ops/hid_hw_output_report",
+        }
+    }
+}
+
+pub(crate) struct HidBpf {
+    kind: HidBpfKind,
+    item: ItemFn,
+}
+
+impl HidBpf {
+    pub(crate) fn parse(kind: HidBpfKind, attrs: TokenStream, item: TokenStream) -> Result<Self> {
+        let item = syn::parse2(item)?;
+        let args = syn::parse2(attrs)?;
+        err_on_unknown_args(&args)?;
+        Ok(Self { kind, item })
+    }
+
+    pub(crate) fn expand(&self) -> TokenStream {
+        let Self { kind, item } = self;
+        let ItemFn {
+            attrs: _,
+            vis,
+            sig,
+            block: _,
+        } = item;
+        let fn_name = &sig.ident;
+        let section_name: Cow<'_, _> = kind.section_name().into();
+
+        // IMPORTANT: The entry point MUST use *mut hid_bpf_ctx (not c_void)
+        // to generate correct BTF for kfuncs like hid_bpf_get_data.
+        // The kernel verifier checks that kfunc args match BTF struct types.
+        quote! {
+            #[unsafe(no_mangle)]
+            #[unsafe(link_section = #section_name)]
+            #vis fn #fn_name(ctx: *mut ::aya_ebpf::programs::hid_bpf::hid_bpf_ctx) -> i32 {
+                return #fn_name(unsafe { ::aya_ebpf::programs::HidBpfContext::new(ctx) });
+
+                #item
+            }
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use syn::parse_quote;
+
+    use super::*;
+
+    #[test]
+    fn test_hid_device_event() {
+        let prog = HidBpf::parse(
+            HidBpfKind::DeviceEvent,
+            parse_quote! {},
+            parse_quote! {
+                fn device_event(ctx: HidBpfContext) -> i32 {
+                    0
+                }
+            },
+        )
+        .unwrap();
+        let expanded = prog.expand();
+        let expected = quote! {
+            #[unsafe(no_mangle)]
+            #[unsafe(link_section = "struct_ops/hid_device_event")]
+            fn device_event(ctx: *mut ::aya_ebpf::programs::hid_bpf::hid_bpf_ctx) -> i32 {
+                return device_event(unsafe { ::aya_ebpf::programs::HidBpfContext::new(ctx) });
+
+                fn device_event(ctx: HidBpfContext) -> i32 {
+                    0
+                }
+            }
+        };
+        assert_eq!(expected.to_string(), expanded.to_string());
+    }
+
+    #[test]
+    fn test_hid_rdesc_fixup() {
+        let prog = HidBpf::parse(
+            HidBpfKind::RdescFixup,
+            parse_quote! {},
+            parse_quote! {
+                fn rdesc_fixup(ctx: HidBpfContext) -> i32 {
+                    0
+                }
+            },
+        )
+        .unwrap();
+        let expanded = prog.expand();
+        let expected = quote! {
+            #[unsafe(no_mangle)]
+            #[unsafe(link_section = "struct_ops/hid_rdesc_fixup")]
+            fn rdesc_fixup(ctx: *mut ::aya_ebpf::programs::hid_bpf::hid_bpf_ctx) -> i32 {
+                return rdesc_fixup(unsafe { ::aya_ebpf::programs::HidBpfContext::new(ctx) });
+
+                fn rdesc_fixup(ctx: HidBpfContext) -> i32 {
+                    0
+                }
+            }
+        };
+        assert_eq!(expected.to_string(), expanded.to_string());
+    }
+}
diff --git a/aya-ebpf-macros/src/lib.rs b/aya-ebpf-macros/src/lib.rs
@@ -12,6 +12,7 @@ mod cgroup_sysctl;
 mod fentry;
 mod fexit;
 mod flow_dissector;
+mod hid_bpf;
 mod kprobe;
 mod lsm;
 mod lsm_cgroup;
@@ -23,6 +24,7 @@ mod sk_msg;
 mod sk_skb;
 mod sock_ops;
 mod socket_filter;
+mod struct_ops;
 mod tc;
 mod tracepoint;
 mod uprobe;
@@ -39,6 +41,7 @@ use cgroup_sysctl::CgroupSysctl;
 use fentry::FEntry;
 use fexit::FExit;
 use flow_dissector::FlowDissector;
+use hid_bpf::{HidBpf, HidBpfKind};
 use kprobe::{KProbe, KProbeKind};
 use lsm::Lsm;
 use lsm_cgroup::LsmCgroup;
@@ -51,6 +54,7 @@ use sk_msg::SkMsg;
 use sk_skb::{SkSkb, SkSkbKind};
 use sock_ops::SockOps;
 use socket_filter::SocketFilter;
+use struct_ops::StructOps;
 use tc::SchedClassifier;
 use tracepoint::TracePoint;
 use uprobe::{UProbe, UProbeKind};
@@ -601,6 +605,154 @@ pub fn fexit(attrs: TokenStream, item: TokenStream) -> TokenStream {
     .into()
 }
 
+/// Marks a function as an eBPF struct_ops program.
+///
+/// Struct ops programs implement kernel interfaces like `hid_bpf_ops` for
+/// HID device handling or `sched_ext_ops` for custom schedulers.
+///
+/// # Arguments
+///
+/// * `name` - Optional name for the struct_ops callback. If not specified,
+///   the function name is used.
+/// * `sleepable` - Mark the program as sleepable.
+///
+/// # Minimum kernel version
+///
+/// The minimum kernel version required to use this feature is 5.6.
+///
+/// # Example
+///
+/// ```no_run
+/// use aya_ebpf::{macros::struct_ops, programs::StructOpsContext};
+///
+/// #[struct_ops]
+/// fn my_callback(ctx: StructOpsContext) -> i32 {
+///     0
+/// }
+/// ```
+#[proc_macro_attribute]
+pub fn struct_ops(attrs: TokenStream, item: TokenStream) -> TokenStream {
+    match StructOps::parse(attrs.into(), item.into()) {
+        Ok(prog) => prog.expand(),
+        Err(err) => err.into_compile_error(),
+    }
+    .into()
+}
+
+/// Marks a function as an HID-BPF device event handler.
+///
+/// This callback is invoked for each HID input report received from the device.
+/// The function should return 0 to pass the event through, or modify the report
+/// data and return a new size.
+///
+/// # Minimum kernel version
+///
+/// The minimum kernel version required to use this feature is 6.3.
+///
+/// # Example
+///
+/// ```no_run
+/// use aya_ebpf::{macros::hid_device_event, programs::HidBpfContext};
+///
+/// #[hid_device_event]
+/// fn device_event(ctx: HidBpfContext) -> i32 {
+///     0
+/// }
+/// ```
+#[proc_macro_attribute]
+pub fn hid_device_event(attrs: TokenStream, item: TokenStream) -> TokenStream {
+    match HidBpf::parse(HidBpfKind::DeviceEvent, attrs.into(), item.into()) {
+        Ok(prog) => prog.expand(),
+        Err(err) => err.into_compile_error(),
+    }
+    .into()
+}
+
+/// Marks a function as an HID-BPF report descriptor fixup handler.
+///
+/// This callback is invoked once at device probe time to allow modifying the
+/// HID report descriptor. The function should return 0 to keep the original
+/// descriptor, or return a positive value indicating the new descriptor size.
+///
+/// # Minimum kernel version
+///
+/// The minimum kernel version required to use this feature is 6.3.
+///
+/// # Example
+///
+/// ```no_run
+/// use aya_ebpf::{macros::hid_rdesc_fixup, programs::HidBpfContext};
+///
+/// #[hid_rdesc_fixup]
+/// fn rdesc_fixup(ctx: HidBpfContext) -> i32 {
+///     0
+/// }
+/// ```
+#[proc_macro_attribute]
+pub fn hid_rdesc_fixup(attrs: TokenStream, item: TokenStream) -> TokenStream {
+    match HidBpf::parse(HidBpfKind::RdescFixup, attrs.into(), item.into()) {
+        Ok(prog) => prog.expand(),
+        Err(err) => err.into_compile_error(),
+    }
+    .into()
+}
+
+/// Marks a function as an HID-BPF hardware request handler.
+///
+/// This callback is invoked when the kernel sends hardware requests like
+/// GET_REPORT or SET_REPORT. Useful for intercepting and modifying feature
+/// reports.
+///
+/// # Minimum kernel version
+///
+/// The minimum kernel version required to use this feature is 6.3.
+///
+/// # Example
+///
+/// ```no_run
+/// use aya_ebpf::{macros::hid_hw_request, programs::HidBpfContext};
+///
+/// #[hid_hw_request]
+/// fn hw_request(ctx: HidBpfContext) -> i32 {
+///     0
+/// }
+/// ```
+#[proc_macro_attribute]
+pub fn hid_hw_request(attrs: TokenStream, item: TokenStream) -> TokenStream {
+    match HidBpf::parse(HidBpfKind::HwRequest, attrs.into(), item.into()) {
+        Ok(prog) => prog.expand(),
+        Err(err) => err.into_compile_error(),
+    }
+    .into()
+}
+
+/// Marks a function as an HID-BPF output report handler.
+///
+/// This callback is invoked when an output report is sent to the device.
+///
+/// # Minimum kernel version
+///
+/// The minimum kernel version required to use this feature is 6.3.
+///
+/// # Example
+///
+/// ```no_run
+/// use aya_ebpf::{macros::hid_hw_output_report, programs::HidBpfContext};
+///
+/// #[hid_hw_output_report]
+/// fn hw_output_report(ctx: HidBpfContext) -> i32 {
+///     0
+/// }
+/// ```
+#[proc_macro_attribute]
+pub fn hid_hw_output_report(attrs: TokenStream, item: TokenStream) -> TokenStream {
+    match HidBpf::parse(HidBpfKind::HwOutputReport, attrs.into(), item.into()) {
+        Ok(prog) => prog.expand(),
+        Err(err) => err.into_compile_error(),
+    }
+    .into()
+}
+
 /// Marks a function as an eBPF Flow Dissector program.
 ///
 /// Flow dissector is a program type that parses metadata out of the packets.