[PATCH] perf: enable unprivileged syscall tracing with perf trace

[PATCH] perf: enable unprivileged syscall tracing with perf trace

[Anubhav Shelat]

Allow unprivileged users to trace their own processes' syscalls using
perf trace, similar to strace without the intrusive overhead of ptrace().

Currently, perf trace requires CAP_PERFMON or paranoid level ≤ 1 even
though the kernel has existing infrastructure (TRACE_EVENT_FL_CAP_ANY)
specifically designed to mark syscall tracepoints as safe for
unprivileged access. To fix this:

1. Loosen the condition in perf_event_open() which requires priviliges
for all events with exclude_kernel=0. This allows perf_event_open() to
bypass the paranoid check for task-attached tracepoint events.

2. Make the format and id tracefs files world-readable only for tracepoints
   with TRACE_EVENT_FL_CAP_ANY, allowing unprivileged users to see
syscall tracepoint ids without exposing sensitive information.

Example usage after this change:
  $ perf trace ls          # works as unprivileged user
  $ perf trace             # system-wide, still requires privileges
  $ perf trace -p 1234     # requires ptrace permission on pid 1234

Assisted-by: Claude:claude-sonnet-4.5
Signed-off-by: Anubhav Shelat <ashelat@redhat.com>
---
 kernel/events/core.c        | 2 +-
 kernel/trace/trace_events.c | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 89b40e439717..71d99ea4bea4 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -13833,7 +13833,7 @@ SYSCALL_DEFINE5(perf_event_open,
 	if (err)
 		return err;
 
-	if (!attr.exclude_kernel) {
+	if (!attr.exclude_kernel && !(attr.type == PERF_TYPE_TRACEPOINT && pid != -1)) {
 		err = perf_allow_kernel();
 		if (err)
 			return err;
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 249d1cba72c0..6250b2529376 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -3051,7 +3051,9 @@ static int event_callback(const char *name, umode_t *mode, void **data,
 	struct trace_event_call *call = file->event_call;
 
 	if (strcmp(name, "format") == 0) {
-		*mode = TRACE_MODE_READ;
+		*mode = (call->flags & TRACE_EVENT_FL_CAP_ANY) ?
+			(TRACE_MODE_READ | 0004) :
+			TRACE_MODE_READ;
 		*fops = &ftrace_event_format_fops;
 		return 1;
 	}
@@ -3087,7 +3089,9 @@ static int event_callback(const char *name, umode_t *mode, void **data,
 #ifdef CONFIG_PERF_EVENTS
 	if (call->event.type && call->class->reg &&
 	    strcmp(name, "id") == 0) {
-		*mode = TRACE_MODE_READ;
+		*mode = (call->flags & TRACE_EVENT_FL_CAP_ANY) ?
+		(TRACE_MODE_READ | 0004) :
+		TRACE_MODE_READ;
 		*data = (void *)(long)call->event.type;
 		*fops = &ftrace_event_id_fops;
 		return 1;
-- 
2.53.0

Re: [PATCH] perf: enable unprivileged syscall tracing with perf trace

[sashiko-bot]

Sashiko AI review found 2 potential issue(s):
- [Critical] Bypassing `perf_allow_kernel()` for task-attached tracepoints allows unprivileged users to leak kernel registers, instruction pointers, and callchains, completely defeating KASLR.
- [Medium] The change to make the tracefs 'id' and 'format' files world-readable is functionally ineffective for unprivileged users due to restrictive parent directory permissions.
--

commit 45a1b7ae91ab57b705592c98cc8fb3677392ba0a
Author: Anubhav Shelat <ashelat@redhat.com>

perf: enable unprivileged syscall tracing with perf trace

This commit allows unprivileged users to trace their own processes' syscalls
using perf trace by loosening the perf_allow_kernel() condition in
perf_event_open() for task-attached tracepoint events. It also makes the format
and id tracefs files world-readable for tracepoints marked safe for
unprivileged access.

> diff --git a/kernel/events/core.c b/kernel/events/core.c
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
[ ... ]
> @@ -13832,7 +13832,7 @@ SYSCALL_DEFINE5(perf_event_open,
>  	if (err)
>  		return err;
>  
> -	if (!attr.exclude_kernel) {
> +	if (!attr.exclude_kernel && !(attr.type == PERF_TYPE_TRACEPOINT && pid != -1)) {
>  		err = perf_allow_kernel();

If we bypass the perf_allow_kernel() check here, does this allow unprivileged
users to request PERF_SAMPLE_IP, PERF_SAMPLE_CALLCHAIN, and
PERF_SAMPLE_REGS_INTR for kernel tracepoints?

Since perf_trace_event_perm() skips permission checks when PERF_SAMPLE_RAW is
not requested, an unprivileged user could attach to a tracepoint like
sched:sched_switch, set exclude_kernel=0, and omit PERF_SAMPLE_RAW.

When the tracepoint fires, would the perf core capture the actual kernel
instruction pointer, callchain, and registers into the unprivileged user's
ring buffer, potentially defeating KASLR?

> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
> --- a/kernel/trace/trace_events.c
> +++ b/kernel/trace/trace_events.c
[ ... ]
> @@ -3050,7 +3050,9 @@ static int event_callback(const char *name, umode_t *mode, void **data,
>  	struct trace_event_call *call = file->event_call;
>  
>  	if (strcmp(name, "format") == 0) {
> -		*mode = TRACE_MODE_READ;
> +		*mode = (call->flags & TRACE_EVENT_FL_CAP_ANY) ?
> +			(TRACE_MODE_READ | 0004) :
> +			TRACE_MODE_READ;
>  		*fops = &ftrace_event_format_fops;
>  		return 1;
>  	}

Is making these files world-readable effective for unprivileged users given
the permissions of the parent directories?

The root tracefs directory (e.g., /sys/kernel/tracing/) and its
subdirectories typically have restrictive permissions like 0750 without
world-execute access.

Would an unprivileged user attempting to read the id or format file receive
-EACCES during path resolution at the parent directory level, requiring an
administrator to manually relax permissions?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260408123947.23779-2-ashelat@redhat.com?part=1