Re: [lmi] perf


From: Greg Chicares
Subject: Re: [lmi] perf
Date: Sat, 3 Oct 2020 10:14:48 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0

On 2020-09-28 12:02, Greg Chicares wrote:
[...]
> For the record...I tried the latest official advice:
>   https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html

TL;DR: that advice doesn't work here, so /proc/sys/kernel/perf_event_paranoid
must be tweaked.

Revisiting after an ill-advised reboot and this "Severity: grave" issue:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966575
fixed by:
  #dpkg-reconfigure grub-pc
kernel release is now:
  #uname -r
  4.19.0-11-amd64

> # cd /usr/bin 
> # groupadd perf_users
> # chgrp perf_users perf
> # chmod o-rwx perf
> # ls -l perf
> -rwxr-x--- 1 root perf_users 528 Jul 20  2018 perf

That's still as intended:

  #ls -alhF /usr/bin/perf
  -rwxr-x--- 1 root perf_users 528 Jul 20  2018 /usr/bin/perf*

> # setcap "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" perf
> fatal error: Invalid argument
> # setcap "38,cap_ipc_lock,cap_sys_ptrace,cap_syslog=ep" perf
> # setcap -v "38,cap_ipc_lock,cap_sys_ptrace,cap_syslog=ep" perf
> perf: OK
> # getcap perf
> perf = cap_ipc_lock,cap_sys_ptrace,cap_syslog,38+ep
> # usermod -aG perf_users greg

The 'setcap' settings persisted, as expected:
  #getcap /usr/bin/perf
  /usr/bin/perf = cap_ipc_lock,cap_sys_ptrace,cap_syslog,38+ep

> My normal user was already logged in, and 'groups' didn't show
> my newly-added membership in 'perf_users', so I tried...
> 
> $ newgrp perf_users

'groups' shows that I'm a member of 'perf_users', so 'newgrp'
is unnecessary now.

> but 'perf' still gave
>   error 13 (Permission denied) ...
>   Consider tweaking /proc/sys/kernel/perf_event_paranoid

Rebooting restored this default, as expected:

  #cat /proc/sys/kernel/perf_event_paranoid
  3

but still...

  $perf record ls xyzzy
  perf_event_open(..., PERF_FLAG_FD_CLOEXEC) failed with unexpected error 13 (Permission denied)
  perf_event_open(..., 0) failed unexpectedly with error 13 (Permission denied)
  Error:
  You may not have permission to collect stats.

  Consider tweaking /proc/sys/kernel/perf_event_paranoid

> so I fell back on...
> 
> # echo 1 >/proc/sys/kernel/perf_event_paranoid
> 
> and was able to use 'perf'.
> 
> Maybe kernel.org's advice will work when I eventually log out
> and back in again.

Conclusion: the official advice for a privileged group doesn't work,
and /proc/sys/kernel/perf_event_paranoid must still be changed.
I could set it in /etc/sysctl.d/local.conf to make it persist
across reboots, but I don't wish to reboot again anytime soon,
and I hope that someday the official advice will work.
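
A read-only check of three things that bear on the result above, added here as an example and not part of the original message: whether the running kernel defines capability 38 at all, whether the perf path is a `#!` script rather than a binary, and the current perf_event_paranoid level. The function names and finding strings are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and the
# finding strings are hypothetical; file arguments exist so the checks can
# be run against sample files as well as the live /proc entries.
CAP_PERFMON_NR=38   # the number the message's setcap call used for cap_perfmon

# kernel_knows_cap NR [FILE]: 0 if the kernel defines capability NR,
# 1 if it does not, 2 if FILE (default: cap_last_cap) cannot be read.
kernel_knows_cap() {
    last=$(cat "${2:-/proc/sys/kernel/cap_last_cap}" 2>/dev/null) || return 2
    [ "$last" -ge "$1" ]
}

# is_script FILE: 0 if FILE starts with "#!". File capabilities set on a
# script are not applied; the kernel takes them from the interpreter it execs.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]
}

# diagnose PERF_PATH [CAP_LAST_CAP_FILE] [PARANOID_FILE]: one finding per line.
diagnose() {
    rc=0
    kernel_knows_cap "$CAP_PERFMON_NR" "${2:-}" || rc=$?
    case $rc in
        0) ;;
        1) echo "kernel-lacks-cap-$CAP_PERFMON_NR" ;;  # CAP_PERFMON arrived in Linux 5.8
        *) echo "cap-last-cap-unreadable" ;;
    esac
    if is_script "$1"; then
        echo "perf-is-script"
    fi
    level=$(cat "${3:-/proc/sys/kernel/perf_event_paranoid}" 2>/dev/null) || level=unknown
    echo "paranoid=$level"
}

# Usage: sh this-file /usr/bin/perf
if [ $# -gt 0 ]; then
    diagnose "$@"
fi
```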

