btop: Security wrapper add cap perfmon+ep

[mytagssma]

Summary

This PR adds a small NixOS module that provides an optional security.wrappers setup for btop, granting it the cap_perfmon capability when explicitly enabled.

btop can display CPU and GPU performance counters via Linux perf events, but on NixOS this functionality is unavailable by default because the binary lacks the required capability. Users currently have to either run btop as root or manually apply setcap, which is impermanent and non-declarative.

This module offers a declarative, opt-in solution that aligns with NixOS security practices by:

• avoiding full root privileges,
• limiting escalation to the minimal required capability,
• and making the configuration reproducible.

The module does not change default behavior; it only takes effect when programs.btop.enable = true is set.

---

Things done

• Built on platform:

  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin

• Tested, as applicable:

  • NixOS tests in nixos/tests (not applicable for a simple wrapper module)
  • Package tests at passthru.tests
  • Tests in lib/tests or pkgs/test

• Ran nixpkgs-review on this PR

• Tested basic functionality of the wrapped binary (btop):

  • Verified GPU and perf counters are visible without running as root

• Nixpkgs Release Notes

  • Package update

• NixOS Release Notes

  • Module addition

• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md, and related guidelines

---

Notes for reviewers

• The module is intentionally minimal and opt-in.
• cap_perfmon is required for access to perf events used by btop for detailed CPU and GPU metrics.
• This follows existing patterns for performance tools that rely on Linux capabilities rather than SUID.

[Aleksanaa]

You also need a mkPackageOption as variants like btop-cuda and btop-rocm exist

[mytagssma]

@Aleksanaa can you check now , minor change .
I also thought it would be better if it auto selected the package based on GPU , but i don't know how . I could use cudaSupport and rocmSupport variables and decide based on them , it requires multiple if conditions . Or i could filter out lspci outputs and then decide on btop variant, but that like a over complicated hack. And i didn't find anyone using such methods.

[Aleksanaa]

I think you still need to mention that it applies in some cases and not in others, e.g. enabling this on amd cpu is of no use and btop-rocm should be used. You can probably refer to the source code to see exactly which cases are useful.

[mytagssma]

I think you still need to mention that it applies in some cases and not in others, e.g. enabling this on amd cpu is of no use and btop-rocm should be used. You can probably refer to the source code to see exactly which cases are useful.

It's useless then , since it only fixes for intel GPU . Having it under programs is also of no use , these options generally remove that extra step in setting them up.
What do you suggest :

1. Should there be another package for intel only , something like btop-intel.
2. Should this enable all options ( set wrapper + cudaSupport + rcomSupport ) so , it work anyway.
3. Or Maybe there can be a package like btop-full with all options.
4. Smart way that somehow select appropriate package and options for their config.
5. Or just have separate options like programs.btop.{ intel / amd / nvidia }.

??

[Aleksanaa]

1. It requires SUID bit on Intel which cannot exist in Nix store thus you cannot achieve this by adding a package.
2. I don't know what other situations would require it, this is where I say you should do your research.
3. This does not apply to AMD users. AMD users only need to install btop-rocm and then, it works, no other settings are required. And your method doesn't work for them either. In accordance with the principle of least privilege and to avoid confusing users, you should remind users of its scope.

[Aleksanaa]

btop can display CPU and GPU performance counters via Linux perf events

Could you elaborate more on that? Is it only for CPU wattage and Intel GPU wattage?

I'm using an AMD CPU with integrated GPU and GPU wattage does show up but CPU doesn't.

[mytagssma]

btop can display CPU and GPU performance counters via Linux perf events

Could you elaborate more on that? Is it only for CPU wattage and Intel GPU wattage?

I'm using an AMD CPU with integrated GPU and GPU wattage does show up but CPU doesn't.

i only have a intel cpu with iGPU , so i can't tell weather it will work , it does fix not showing gpu usage.
you can try add this security.wrapper snippet from this or maybe you have tried

i found this issues
#424986
#297487 ( i think this is what you mean )

[mytagssma]

@Aleksanaa do you have pkg.rocm-smi installed

[Aleksanaa]

I've installed your wrapper locally. The left is btop with the wrapper and the right is without. Both are normal variant, not -rocm one. I don't see any difference, and also haven't found any settings controlling extra functionalities.

This is the rocm variant that I use daily, without security wrapper.

@Aleksanaa do you have pkg.rocm-smi installed

I don't, but we have it linked in rocm variant: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/bt/btop/package.nix#L52

[mytagssma]

@Aleksanaa are you using these overrides :
nixpkgs.config.cudaSupport = false; nixpkgs.config.rocmSupport = true;
or
pkgs.btop.override { cudaSupport = false; rocmSupport = true; }

[Aleksanaa]

pkgs.btop.override { cudaSupport = false; rocmSupport = true; }

Yes although it's called btop-rocm. But I have also tested the normal variant, and they are the same as what I said above, and I don’t see any difference.