Re: [PATCH v3 2/3] perf: enable unprivileged syscall tracing with perf trace

[sashiko-bot@kernel.org]

Sashiko AI review found 1 potential issue(s):
- [High] Unconditional rejection of unprivileged tracepoint counting breaks perf_event_paranoid functionality and creates an inverted security policy.
--

commit 741720c90ed77115c5603e05c7d2cdfc3f218082
Author: Anubhav Shelat <ashelat@redhat.com>

perf: enable unprivileged syscall tracing with perf trace

This commit allows unprivileged users to trace their own processes' syscalls
using perf trace without requiring CAP_PERFMON. It loosens the condition in
perf_event_open() for task-attached events that do not expose kernel addresses
and makes format and id files readable for TRACE_EVENT_FL_CAP_ANY tracepoints.

> diff --git a/kernel/trace/trace_event_perf.c b/kernel/trace/trace_event_perf.c
> index a6bb7577e8c596..e8347df7ede5c2 100644
> --- a/kernel/trace/trace_event_perf.c
> +++ b/kernel/trace/trace_event_perf.c
> @@ -73,8 +73,18 @@ static int perf_trace_event_perm(struct trace_event_call *tp_event,
>  	}
>  
>  	/* No tracing, just counting, so no obvious leak */
> -	if (!(p_event->attr.sample_type & PERF_SAMPLE_RAW))
> +	if (!(p_event->attr.sample_type & PERF_SAMPLE_RAW)) {
> +		/*
> +		 * Only allow CAP_ANY tracepoints for unprivileged
> +		 * task-attached events in case kernel context is exposed.
> +		 */
> +		if (!p_event->attr.exclude_kernel && !perfmon_capable()) {
> +			if (!(p_event->attach_state == PERF_ATTACH_TASK &&
> +			      (tp_event->flags & TRACE_EVENT_FL_CAP_ANY)))
> +				return -EACCES;
> +		}
>  		return 0;
> +	}

Does this new check unconditionally block unprivileged tracepoint counting
even when sysctl_perf_event_paranoid is set to allow it?

Before this patch, if sysctl_perf_event_paranoid <= 1, unprivileged users
could count any tracepoint. It appears this check now returns -EACCES for
counting events without exclude_kernel, breaking tools like perf stat for
unprivileged users.

Additionally, if sysctl_perf_event_paranoid == -1, doesn't this create an
inverted security policy?

An unprivileged user requesting simple counting would be rejected here,
but if they request full raw event data via PERF_SAMPLE_RAW, execution
bypasses this block entirely and reaches perf_allow_tracepoint(), which
would succeed.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260423151746.16258-1-ashelat@redhat.com?part=2