feat: run memtrack memory profiling without sudo via file capabilities

[not-matthias]

No description provided.

[codspeed-hq]

Merging this PR will not alter performance

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

✅ 7 untouched benchmarks

---

_{Comparing feat/memtrack-sudoless (e2da80a) with main (66037be)}

[greptile-apps]

Greptile Summary

This PR replaces the previous sudo-wrapped memtrack launch with Linux file capabilities (setcap), allowing codspeed-memtrack to load its eBPF programs without requiring the calling process to run as root. A one-time setcap grant happens during codspeed setup --mode memory (or lazily on the first run), verified via a hand-rolled security.capability xattr decoder.

• Core capability flow: ensure_memtrack_capabilities() derives the setcap grammar string directly from MEMTRACK_REQUIRED_CAPS at runtime, eliminating the manual-sync hazard that the previous static string constant introduced. binary_has_capabilities() cross-checks the granted set via the xattr before any run, and the whole approach degrades gracefully (with warnings) on filesystems that don't support file capabilities.
• Memtrack changes: bump_memlock_rlimit now logs-and-continues instead of failing hard, correctly reflecting that kernels ≥ 5.11 account BPF memory via cgroups; the no-IPC code path enables tracking upfront since no signal would otherwise toggle it.
• Platform hygiene: memtrack, ipc-channel, and caps are moved to [target.'cfg(target_os = \"linux\")'.dependencies]; RunnerMode::Memory and related match arms are all #[cfg(target_os = \"linux\")]-gated.

Confidence Score: 5/5

Safe to merge. The capability grant is idempotent, best-effort, and falls back to root-mode if setcap or the filesystem don't cooperate; all changed code paths are well-tested.

The xattr decoder correctly handles all three VFS capability revisions, the setcap spec is now derived from the same constant that drives verification (eliminating drift), and the run-time ensure_privileges() guard provides a hard stop before any eBPF load attempt. The only observations are style nits.

No files require special attention. The Cargo.toml has a minor dependency-placement inconsistency (xattr in the wrong section), but it has no effect on correctness or macOS builds.

Important Files Changed

Filename	Overview
src/executor/helpers/capabilities.rs	New file: custom xattr-based capability check with correct v1/v2/v3 layout parsing and solid unit tests.
src/executor/memory/setup.rs	Replaces static MEMTRACK_SETCAP_SPEC constant with a derived memtrack_setcap_spec() function, eliminating the caps-string / caps-array sync hazard; also introduces has/ensure capability helpers.
src/executor/memory/executor.rs	Drops wrap_with_sudo in favour of file-capability check; adds ensure_privileges() safety guard, privilege_status(), and grant_privileges() Executor trait implementations.
src/executor/mod.rs	Adds PrivilegeStatus enum and privilege_status/grant_privileges default-noop trait methods; calls grant_privileges() in the normal run path after setup.
Cargo.toml	Moves memtrack/ipc-channel to Linux-specific deps correctly; adds caps to Linux deps, but adds xattr to the unconditional [dependencies] block even though it is only used in Linux-gated code.
crates/memtrack/src/ebpf/tracker.rs	bump_memlock_rlimit now degrades gracefully instead of bailing, with a doc comment explaining the kernel-5.11 boundary.
.github/workflows/ci.yml	Adds Grant memtrack file capabilities step before the test run; capabilities are idempotently re-granted by the test itself anyway.
src/cli/setup.rs	Calls grant_privileges() after executor.setup() and adds privilege_status display in setup status output.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant User
    participant run_executor
    participant MemoryExecutor
    participant ensure_caps as ensure_memtrack_capabilities
    participant setcap as sudo setcap
    participant xattr as binary_has_capabilities (xattr)

    User->>run_executor: codspeed exec --mode memory
    run_executor->>MemoryExecutor: setup() → install_memtrack()
    run_executor->>MemoryExecutor: grant_privileges()
    MemoryExecutor->>ensure_caps: ensure_memtrack_capabilities()
    ensure_caps->>xattr: check security.capability xattr
    alt caps already present
        xattr-->>ensure_caps: satisfied
        ensure_caps-->>MemoryExecutor: Ok(())
    else caps missing
        ensure_caps->>setcap: sudo setcap cap_bpf,cap_perfmon,...+ep /path/to/codspeed-memtrack
        setcap-->>ensure_caps: success / failure (warn-only)
        ensure_caps->>xattr: re-verify
        xattr-->>ensure_caps: pass / fail (warn if fail)
        ensure_caps-->>MemoryExecutor: Ok(())
    end
    run_executor->>MemoryExecutor: run(execution_context)
    MemoryExecutor->>MemoryExecutor: ensure_privileges() last-resort check
    alt root OR caps present
        MemoryExecutor-->>MemoryExecutor: proceed
    else neither
        MemoryExecutor-->>User: bail capabilities could not be granted
    end
    MemoryExecutor->>MemoryExecutor: build_memtrack_command() no sudo wrap
    MemoryExecutor-->>User: benchmark results

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant User
    participant run_executor
    participant MemoryExecutor
    participant ensure_caps as ensure_memtrack_capabilities
    participant setcap as sudo setcap
    participant xattr as binary_has_capabilities (xattr)

    User->>run_executor: codspeed exec --mode memory
    run_executor->>MemoryExecutor: setup() → install_memtrack()
    run_executor->>MemoryExecutor: grant_privileges()
    MemoryExecutor->>ensure_caps: ensure_memtrack_capabilities()
    ensure_caps->>xattr: check security.capability xattr
    alt caps already present
        xattr-->>ensure_caps: satisfied
        ensure_caps-->>MemoryExecutor: Ok(())
    else caps missing
        ensure_caps->>setcap: sudo setcap cap_bpf,cap_perfmon,...+ep /path/to/codspeed-memtrack
        setcap-->>ensure_caps: success / failure (warn-only)
        ensure_caps->>xattr: re-verify
        xattr-->>ensure_caps: pass / fail (warn if fail)
        ensure_caps-->>MemoryExecutor: Ok(())
    end
    run_executor->>MemoryExecutor: run(execution_context)
    MemoryExecutor->>MemoryExecutor: ensure_privileges() last-resort check
    alt root OR caps present
        MemoryExecutor-->>MemoryExecutor: proceed
    else neither
        MemoryExecutor-->>User: bail capabilities could not be granted
    end
    MemoryExecutor->>MemoryExecutor: build_memtrack_command() no sudo wrap
    MemoryExecutor-->>User: benchmark results

Loading

_{Reviews (10): Last reviewed commit: "ci: grant memtrack file capabilities bef..." | Re-trigger Greptile}

[GuillaumeLagrange]

olgtm

[GuillaumeLagrange]

olgtm