From: Ian Rogers <irogers@google.com>
To: namhyung@kernel.org, acme@kernel.org
Cc: abyssmystery@gmail.com, adrian.hunter@intel.com,
irogers@google.com, james.clark@linaro.org, jolsa@kernel.org,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
mingo@redhat.com, peterz@infradead.org
Subject: [PATCH v2] perf cap: Remove used_root parameter and simplify capability checks
Date: Thu, 16 Jul 2026 00:40:28 -0700 [thread overview]
Message-ID: <20260716074028.568999-1-irogers@google.com> (raw)
In-Reply-To: <alFxHPCouXNWkLie@google.com>
Refactor perf_cap__capable() to completely remove the used_root out-parameter
as requested by the maintainer. Relying on an explicit used_root boolean
poisoned sequential capability checks (e.g. failing CAP_SYS_ADMIN checks
poisoning the flag for subsequent CAP_PERFMON evaluations for unprivileged
users) and created redundant complexity across check_ftrace_capable(),
symbol__read_kptr_restrict(), and perf_event_paranoid_check().
Streamline the capability API to perform a pure true/false boolean
evaluation. The function checks the Effective set using SYS_capget; if
the syscall is missing or fails on legacy kernels, it cleanly falls back
to checking EUID == 0. This perfectly preserves modern capability-aware host
sessions, guarantees transparent fallback for older kernels, and correctly
rejects privileged operations for containerized root processes that have
explicitly dropped their capability bounding and permitted sets.
Fixes: e25ebda78e23 ("perf cap: Tidy up and improve capability testing")
Suggested-by: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Ian Rogers <irogers@google.com>
---
tools/perf/builtin-ftrace.c | 13 +++----------
tools/perf/util/bpf-filter.c | 22 +++++++++-------------
tools/perf/util/cap.c | 4 +---
tools/perf/util/cap.h | 3 +--
tools/perf/util/symbol.c | 3 +--
tools/perf/util/util.c | 12 +++---------
6 files changed, 18 insertions(+), 39 deletions(-)
diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c
index 9e4c5220d43c..f7126196b092 100644
--- a/tools/perf/builtin-ftrace.c
+++ b/tools/perf/builtin-ftrace.c
@@ -72,18 +72,11 @@ static void ftrace__workload_exec_failed_signal(int signo __maybe_unused,
static bool check_ftrace_capable(void)
{
- bool used_root;
-
- if (perf_cap__capable(CAP_PERFMON, &used_root))
- return true;
-
- if (!used_root && perf_cap__capable(CAP_SYS_ADMIN, &used_root))
+ if (perf_cap__capable(CAP_PERFMON) ||
+ perf_cap__capable(CAP_SYS_ADMIN))
return true;
- pr_err("ftrace only works for %s!\n",
- used_root ? "root"
- : "users with the CAP_PERFMON or CAP_SYS_ADMIN capability"
- );
+ pr_err("ftrace only works for users with the CAP_PERFMON or CAP_SYS_ADMIN capability!\n");
return false;
}
diff --git a/tools/perf/util/bpf-filter.c b/tools/perf/util/bpf-filter.c
index 1a2e7b388d57..bcd81084e342 100644
--- a/tools/perf/util/bpf-filter.c
+++ b/tools/perf/util/bpf-filter.c
@@ -629,24 +629,20 @@ struct perf_bpf_filter_expr *perf_bpf_filter_expr__new(enum perf_bpf_filter_term
static bool check_bpf_filter_capable(void)
{
- bool used_root;
+ int fd;
- if (perf_cap__capable(CAP_BPF, &used_root))
+ if (perf_cap__capable(CAP_BPF))
return true;
- if (!used_root) {
- /* Check if root already pinned the filter programs and maps */
- int fd = get_pinned_fd("filters");
-
- if (fd >= 0) {
- close(fd);
- return true;
- }
+ /* Check if root already pinned the filter programs and maps */
+ fd = get_pinned_fd("filters");
+ if (fd >= 0) {
+ close(fd);
+ return true;
}
- pr_err("Error: BPF filter only works for %s!\n"
- "\tPlease run 'perf record --setup-filter pin' as root first.\n",
- used_root ? "root" : "users with the CAP_BPF capability");
+ pr_err("Error: BPF filter only works for users with the CAP_BPF capability!\n"
+ "\tPlease run 'perf record --setup-filter pin' as root first.\n");
return false;
}
diff --git a/tools/perf/util/cap.c b/tools/perf/util/cap.c
index ac6d1d9a523d..272bd8255ff1 100644
--- a/tools/perf/util/cap.c
+++ b/tools/perf/util/cap.c
@@ -12,7 +12,7 @@
#define MAX_LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
-bool perf_cap__capable(int cap, bool *used_root)
+bool perf_cap__capable(int cap)
{
struct __user_cap_header_struct header = {
.version = _LINUX_CAPABILITY_VERSION_3,
@@ -21,7 +21,6 @@ bool perf_cap__capable(int cap, bool *used_root)
struct __user_cap_data_struct data[MAX_LINUX_CAPABILITY_U32S] = {};
__u32 cap_val;
- *used_root = false;
while (syscall(SYS_capget, &header, &data[0]) == -1) {
/* Retry, first attempt has set the header.version correctly. */
if (errno == EINVAL && header.version != _LINUX_CAPABILITY_VERSION_3 &&
@@ -29,7 +28,6 @@ bool perf_cap__capable(int cap, bool *used_root)
continue;
pr_debug2("capget syscall failed (%m) fall back on root check\n");
- *used_root = true;
return geteuid() == 0;
}
diff --git a/tools/perf/util/cap.h b/tools/perf/util/cap.h
index c1b8ac033ccc..bf09fb20c779 100644
--- a/tools/perf/util/cap.h
+++ b/tools/perf/util/cap.h
@@ -18,7 +18,6 @@
#define CAP_BPF 39
#endif
-/* Query if a capability is supported, used_root is set if the fallback root check was used. */
-bool perf_cap__capable(int cap, bool *used_root);
+bool perf_cap__capable(int cap);
#endif /* __PERF_CAP_H */
diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c
index a562702b4841..94f9c8faedda 100644
--- a/tools/perf/util/symbol.c
+++ b/tools/perf/util/symbol.c
@@ -2452,8 +2452,7 @@ static bool symbol__read_kptr_restrict(void)
{
bool value = false;
FILE *fp = fopen("/proc/sys/kernel/kptr_restrict", "r");
- bool used_root;
- bool cap_syslog = perf_cap__capable(CAP_SYSLOG, &used_root);
+ bool cap_syslog = perf_cap__capable(CAP_SYSLOG);
if (fp != NULL) {
char line[8];
diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
index 2c2a5c449ffd..8f7cd32f524d 100644
--- a/tools/perf/util/util.c
+++ b/tools/perf/util/util.c
@@ -378,15 +378,9 @@ int perf_event_paranoid(void)
bool perf_event_paranoid_check(int max_level)
{
- bool used_root;
-
- if (perf_cap__capable(CAP_SYS_ADMIN, &used_root))
- return true;
-
- if (!used_root && perf_cap__capable(CAP_PERFMON, &used_root))
- return true;
-
- return perf_event_paranoid() <= max_level;
+ return perf_cap__capable(CAP_SYS_ADMIN) ||
+ perf_cap__capable(CAP_PERFMON) ||
+ perf_event_paranoid() <= max_level;
}
int perf_tip(char **strp, const char *dirpath)
--
2.55.0.141.g00534a21ce-goog
next prev parent reply other threads:[~2026-07-16 7:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-10 5:39 [PATCH v1 1/2] perf record: Fix teardown hang on system-wide multi-threaded sessions Ian Rogers
2026-07-10 5:39 ` [PATCH v1 2/2] perf cap: If capability is missing still perform root test Ian Rogers
2026-07-10 5:47 ` sashiko-bot
2026-07-10 22:24 ` Namhyung Kim
2026-07-16 7:40 ` Ian Rogers [this message]
2026-07-10 5:56 ` [PATCH v1 1/2] perf record: Fix teardown hang on system-wide multi-threaded sessions sashiko-bot
2026-07-10 22:02 ` Namhyung Kim
2026-07-12 6:56 ` (subset) " Namhyung Kim
2026-07-16 7:37 ` [PATCH v2] perf record: Fix destructor invocation and event counting in fdarray__filter Ian Rogers
2026-07-16 8:00 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260716074028.568999-1-irogers@google.com \
--to=irogers@google.com \
--cc=abyssmystery@gmail.com \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=james.clark@linaro.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox