Reputation: 479
How to setup perf permission for specific user?
(kernel.perf_event_paranoid is not an option because it is global)
Kernel documentation is unclear or incomplete:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#privileged-perf-users-groups
- Assign the required capabilities to the Perf tool executable file and enable members of perf_users group with monitoring and observability privileges [6]:
Upvotes: 0
Views: 1706
Reputation: 1068
To quote from this web page. You create a group, perf_users, with this command (run as root, say via sudo -s):
# groupadd perf_users
Then cause a specific program file, perf, to be runnable only by members of that group:
# chgrp perf_users perf
# chmod o-rwx perf
Finally, it shows how to give that file capabilities:
# setcap "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" perf
The document also includes some commands to verify the file is configured as intended: ls -alhF and getcap perf. (There is some discussion of including cap_ipc_lock or equivalently 38 in the capability list.)
At this point anyone that can successfully execute this perf program will observe it run with the needed capabilities.
Perhaps you are missing the command to add a user, username, to this newly created group? Try sudo usermod -G perf_users -a username. That user will then need to log out and log in again for that added group membership to take effect.
As to the section on creating a shell wrapper, it says that a file with this content:
exec /usr/sbin/capsh --user=$SUDO_USER --iab=^cap_perfmon --secbits=239 -- -l
should be created at /usr/local/bin/perf.shell. You can create such content with sudo vi /usr/local/bin/perf.shell, or swap in whatever your favorite editor is in place of vi. The file needs to be made executable. To be explicit: sudo chmod +x /usr/local/bin/perf.shell.
The instructions for enabling this executable script to be invoked, as root, via sudo by members of the perf_users group indicate the state of things when this is done. That is, you have this line in the /etc/sudoers file:
%perf_users ALL=/usr/local/bin/perf.shell
You will need to sudo vi /etc/sudoers (or use your favorite editor) to insert that line.
Given that edit, that section ends with an example of how to enter this shell environment:
$ sudo perf.shell
From here, every binary executed in this shell context will have the specified capabilities raised.
Upvotes: 2
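The steps in the answer above are easy to get half-done (group membership not refreshed, the "other" execute bit still set, caps lost after a package upgrade replaced the binary). The script below is an added example, not part of the answer or the kernel documentation: it audits the resulting state with plain stat/getcap/grep checks. The default binary path /usr/bin/perf is an assumption (the answer uses a bare perf in the current directory); the group name, capability list, sudoers path and wrapper path are the answer's own values and can all be overridden as arguments. Reading /etc/sudoers normally requires root.

```shell
#!/bin/sh
# Added example (not from the answer or the kernel docs): audit the perf
# lock-down described above. Every check is a function returning 0/1 so it
# can be reused from other scripts; audit_perf_setup ties them together.

# check_other_bits FILE -> 0 when "other" has no r/w/x bits (o-rwx applied).
check_other_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    other=${mode#"${mode%?}"}       # last octal digit = permissions for "other"
    [ "$other" -eq 0 ]
}

# check_group FILE GROUP -> 0 when FILE is group-owned by GROUP (chgrp done).
check_group() {
    owner=$(stat -c '%G' "$1") || return 1
    [ "$owner" = "$2" ]
}

# check_caps FILE CAP[,CAP...] -> 0 when getcap lists every named capability,
# 1 when one is missing (or the file has none), 2 when getcap is not installed.
check_caps() {
    command -v getcap >/dev/null 2>&1 || return 2
    have=$(getcap "$1" 2>/dev/null) || return 1
    for cap in $(printf '%s' "$2" | tr ',' ' '); do
        case "$have" in
            *"$cap"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_sudoers_rule SUDOERS GROUP COMMAND -> 0 when a line of the form
# "%GROUP ALL=COMMAND" exists (whitespace around "=" tolerated; COMMAND is
# used as a regex, so "." in the path matches itself and any other char).
check_sudoers_rule() {
    grep -Eq "^[[:space:]]*%$2[[:space:]]+ALL[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# audit_perf_setup [BIN] [GROUP] [CAPS] [SUDOERS] [WRAPPER]
# Prints one line per check; returns 0 only when every hard check passes
# (a missing getcap is reported as a warning, not a failure).
audit_perf_setup() {
    bin=${1:-/usr/bin/perf}                   # assumed install path
    grp=${2:-perf_users}
    caps=${3:-cap_perfmon,cap_sys_ptrace,cap_syslog}
    sudoers=${4:-/etc/sudoers}
    wrapper=${5:-/usr/local/bin/perf.shell}
    rc=0
    if check_group "$bin" "$grp"; then echo "ok   $bin is group-owned by $grp"
    else echo "FAIL $bin is not group-owned by $grp"; rc=1; fi
    if check_other_bits "$bin"; then echo "ok   $bin has no access bits for other"
    else echo "FAIL $bin is still accessible by other (run chmod o-rwx)"; rc=1; fi
    if check_caps "$bin" "$caps"; then echo "ok   $bin carries $caps"
    else
        case $? in
            2) echo "warn getcap not installed, capability check skipped" ;;
            *) echo "FAIL $bin is missing one of $caps (re-run setcap)"; rc=1 ;;
        esac
    fi
    if check_sudoers_rule "$sudoers" "$grp" "$wrapper"; then echo "ok   sudoers rule for %$grp -> $wrapper"
    else echo "FAIL no sudoers rule %$grp ALL=$wrapper in $sudoers"; rc=1; fi
    return $rc
}

# Run the audit only when this file is executed as audit_perf.sh; when it is
# sourced, the functions are simply made available.
case "$0" in *audit_perf.sh) audit_perf_setup "$@" ;; esac
```

Run it as sudo ./audit_perf.sh after following the answer; each FAIL line names the step to repeat. Note that check_caps only looks for the capability names, so a file whose getcap output shows them with a flag set other than =ep still passes; compare the full string if that distinction matters to you.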