Re: [PATCH] perf: enable unprivileged syscall tracing with perf trace

[sashiko-bot@kernel.org]

Sashiko AI review found 2 potential issue(s):
- [Critical] Bypassing `perf_allow_kernel()` for task-attached tracepoints allows unprivileged users to leak kernel registers, instruction pointers, and callchains, completely defeating KASLR.
- [Medium] The change to make the tracefs 'id' and 'format' files world-readable is functionally ineffective for unprivileged users due to restrictive parent directory permissions.
--

commit 45a1b7ae91ab57b705592c98cc8fb3677392ba0a
Author: Anubhav Shelat <ashelat@redhat.com>

perf: enable unprivileged syscall tracing with perf trace

This commit allows unprivileged users to trace their own processes' syscalls
using perf trace by loosening the perf_allow_kernel() condition in
perf_event_open() for task-attached tracepoint events. It also makes the format
and id tracefs files world-readable for tracepoints marked safe for
unprivileged access.

> diff --git a/kernel/events/core.c b/kernel/events/core.c
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
[ ... ]
> @@ -13832,7 +13832,7 @@ SYSCALL_DEFINE5(perf_event_open,
>  	if (err)
>  		return err;
>  
> -	if (!attr.exclude_kernel) {
> +	if (!attr.exclude_kernel && !(attr.type == PERF_TYPE_TRACEPOINT && pid != -1)) {
>  		err = perf_allow_kernel();

If we bypass the perf_allow_kernel() check here, does this allow unprivileged
users to request PERF_SAMPLE_IP, PERF_SAMPLE_CALLCHAIN, and
PERF_SAMPLE_REGS_INTR for kernel tracepoints?

Since perf_trace_event_perm() skips permission checks when PERF_SAMPLE_RAW is
not requested, an unprivileged user could attach to a tracepoint like
sched:sched_switch, set exclude_kernel=0, and omit PERF_SAMPLE_RAW.

When the tracepoint fires, would the perf core capture the actual kernel
instruction pointer, callchain, and registers into the unprivileged user's
ring buffer, potentially defeating KASLR?

> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
> --- a/kernel/trace/trace_events.c
> +++ b/kernel/trace/trace_events.c
[ ... ]
> @@ -3050,7 +3050,9 @@ static int event_callback(const char *name, umode_t *mode, void **data,
>  	struct trace_event_call *call = file->event_call;
>  
>  	if (strcmp(name, "format") == 0) {
> -		*mode = TRACE_MODE_READ;
> +		*mode = (call->flags & TRACE_EVENT_FL_CAP_ANY) ?
> +			(TRACE_MODE_READ | 0004) :
> +			TRACE_MODE_READ;
>  		*fops = &ftrace_event_format_fops;
>  		return 1;
>  	}

Is making these files world-readable effective for unprivileged users given
the permissions of the parent directories?

The root tracefs directory (e.g., /sys/kernel/tracing/) and its
subdirectories typically have restrictive permissions like 0750 without
world-execute access.

Would an unprivileged user attempting to read the id or format file receive
-EACCES during path resolution at the parent directory level, requiring an
administrator to manually relax permissions?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260408123947.23779-2-ashelat@redhat.com?part=1