fsquillace/junest

Granting `perf` permission

andryandrew opened this issue · 1 comment

Whatever I do, it doesn't seem I can grant perf capabilities that work, i.e.:

$ junest -f -b "--cap-add ALL"
  (junest)# which perf
/usr/bin/perf
  (junest)# cd /usr/bin
  (junest) .../bin# getcap ./perf

  (junest) .../bin# setcap 'cap_perfmon,cap_sys_ptrace,cap_sys_admin,cap_syslog=ep' ./perf
  (junest) .../bin# getcap ./perf
./perf cap_sys_ptrace,cap_sys_admin,cap_syslog,cap_perfmon=ep
  (junest) .../bin# ll ./perf
-rwxr-xr-x 2 root root 26M Dec 22 21:16 perf*
  (junest) .../bin# whoami
root
  (junest) .../bin# ./perf stat
Error:
Access to performance monitoring and observability operations is limited.
Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
access to performance monitoring and observability operations for processes
without CAP_PERFMON, CAP_SYS_PTRACE or CAP_SYS_ADMIN Linux capability.
More information can be found at 'Perf events and tool security' document:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
perf_event_paranoid setting is 4:
  -1: Allow use of (almost) all events by all users
      Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow raw and ftrace function tracepoint access
>= 1: Disallow CPU event access
>= 2: Disallow kernel profiling
To make the adjusted perf_event_paranoid setting permanent preserve it
in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)

(I don't have admin access on the host machine, so I cannot change perf_event_paranoid).

Is this a fundamental limitation of fakeroot? I can get a debugger to work correctly, so ptrace has sufficient permissions.

These are kernel params, and changing them requires root permission. Junest uses the host machine's kernel to work.
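To make that reply concrete, here is an added diagnostic script (not part of junest or of this thread) that reconstructs the kernel's decision from three inputs: the host's perf_event_paranoid sysctl, the process's CapEff mask from /proc/self/status, and its /proc/self/uid_map line. The assumption it encodes is that the perf check asks for CAP_PERFMON or CAP_SYS_ADMIN in the initial user namespace, so capabilities set with setcap inside junest's fakeroot namespace never count; the sample values are constructed to match the session above.

```shell
#!/bin/sh
# Added diagnostic (assumption: the perfmon check is evaluated against the
# initial user namespace, so namespace-scoped caps from a fakeroot session
# do not satisfy it and the host sysctl alone decides).
CAP_SYS_ADMIN=21
CAP_PERFMON=38

# has_cap HEXMASK BIT: test one bit of a CapEff value from /proc/self/status
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# in_init_userns "UID_MAP_LINE": only the initial namespace maps the full range
in_init_userns() {
    set -- $1
    [ "$1" = "0" ] && [ "$2" = "0" ] && [ "$3" = "4294967295" ]
}

# perf_verdict PARANOID CAPEFF_HEX "UID_MAP_LINE": prints what unprivileged
# perf_event_open may do, mirroring the level table perf printed above.
perf_verdict() {
    paranoid=$1; caps=$2; map=$3
    if in_init_userns "$map" && { has_cap "$caps" $CAP_PERFMON || has_cap "$caps" $CAP_SYS_ADMIN; }; then
        echo full; return 0
    fi
    if   [ "$paranoid" -le -1 ]; then echo full
    elif [ "$paranoid" -eq 0 ];  then echo "no raw tracepoints"
    elif [ "$paranoid" -eq 1 ];  then echo "no CPU events"
    elif [ "$paranoid" -eq 2 ];  then echo "no kernel profiling"
    else echo denied   # 3+: distro hardening (level 4 in the session above), no unprivileged access
    fi
}

# diagnose: read the live values of the current process and explain the result
diagnose() {
    paranoid=$(cat /proc/sys/kernel/perf_event_paranoid)
    caps=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    map=$(head -n1 /proc/self/uid_map)
    echo "perf_event_paranoid=$paranoid CapEff=$caps uid_map='$map'"
    in_init_userns "$map" || echo "note: in a user namespace; setcap here grants namespace-scoped caps only"
    echo "verdict: $(perf_verdict "$paranoid" "$caps" "$map")"
}

if [ "${1:-}" = "live" ]; then
    diagnose
else
    # Constructed inputs matching the session above: host at level 4, all caps
    # effective inside junest's namespace (uid 0 mapped from host uid 1000).
    echo "constructed junest case: $(perf_verdict 4 000001ffffffffff '0 1000 1')"   # denied
fi
```

Run it with the argument `live` inside and outside junest to compare the uid_map line and the verdict.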