I am following admin-guide/perf-security.html from the kernel documentation to learn how to set up perf for use from a user account. In short, I set capabilities on the binary and changed its group ownership to perf_users. But my user still does not seem to be able to use perf.
On Debian bookworm, running perf stat $(which ls) gives this error:
Error:
Access to performance monitoring and observability operations is limited.
Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
access to performance monitoring and observability operations for processes
without CAP_PERFMON, CAP_SYS_PTRACE or CAP_SYS_ADMIN Linux capability.
More information can be found at 'Perf events and tool security' document:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
perf_event_paranoid setting is 3:
-1: Allow use of (almost) all events by all users
Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow raw and ftrace function tracepoint access
>= 1: Disallow CPU event access
>= 2: Disallow kernel profiling
To make the adjusted perf_event_paranoid setting permanent preserve it
in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
I have tried researching this online, but every answer mentions modifying perf_event_paranoid, which according to perf-security.html applies to unprivileged users, whereas the perf_users group is supposed to be privileged. A question on unix.stackexchange about perf user accounts, identical to mine, has gone unanswered.
Steps to reproduce:
From a root shell, create the perf_users group and change the group ownership of the perf binary, removing access for others:
PERFBIN=$(which perf)          # path of the perf executable
groupadd perf_users            # privileged group from the perf-security guide
chgrp perf_users $PERFBIN      # binary owned by that group
chmod o-rxw $PERFBIN           # no access for users outside the group
Now enable the capabilities on the binary and verify them:
setcap "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" $PERFBIN     # set file capabilities
setcap -v "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" $PERFBIN  # verify they were applied
getcap $PERFBIN                                                 # show the resulting capabilities
Finally, either add the user to the perf_users group:
usermod -a -G perf_users $USER
or create the file /etc/sudoers.d/perf containing the line
$USER ALL = (: perf_users) $PERFBIN
and run
sudo -g perf_users perf stat $(which ls)
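As an added example, not part of the question above or of the kernel guide it cites (the function names and the constructed test files are my own): a POSIX sh checklist that inspects the three things a capability-based perf setup depends on. It relies on facts about Linux rather than on anything specific to this machine: the kernel ignores file capabilities on #! scripts and honours only those set on the ELF binary that is actually executed, the capability perf_event_open checks for is CAP_PERFMON (with CAP_SYS_ADMIN accepted as a fallback), and a supplementary group added with usermod only appears in sessions started after the change.

```shell
#!/bin/sh
# Added diagnostic for the capability-based perf setup described in the question.
# Not from the original post or the kernel guide; function names are my own.
# Each check takes its input as an argument so it can be exercised offline.

# Classify the file at $1: "elf" (file capabilities apply), "script"
# (the kernel executes the interpreter and ignores file capabilities on the
# script itself), or "other" (unreadable or neither).
file_kind() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # \x7f E L F
        2321*)    echo script ;;   # "#!"
        *)        echo other ;;
    esac
}

# Return 0 if the getcap output in $1 grants cap_perfmon or cap_sys_admin
# with the effective flag set (both "name=ep" and older "name+ep" spellings).
caps_allow_perf() {
    echo "$1" | grep -Eq 'cap_(perfmon|sys_admin)[^ ]*[=+][a-z]*e'
}

# Return 0 if group $1 appears in the space-separated list $2 (the format
# printed by `id -nG`), 1 otherwise.
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Run every check against a real perf path and print one finding per line.
diagnose() {
    bin=$1
    kind=$(file_kind "$bin")
    echo "$bin is: $kind"
    if [ "$kind" = script ]; then
        echo "  file capabilities on a script are ignored; set them on the ELF binary it execs"
    fi
    if caps_allow_perf "$(getcap "$bin" 2>/dev/null)"; then
        echo "  effective cap_perfmon/cap_sys_admin present on $bin"
    else
        echo "  no effective cap_perfmon/cap_sys_admin on $bin"
    fi
    if in_group perf_users "$(id -nG)"; then
        echo "  $(id -un) is in perf_users"
    else
        echo "  $(id -un) is not in perf_users in this session (log in again after usermod)"
    fi
    echo "  kernel.perf_event_paranoid = $(cat /proc/sys/kernel/perf_event_paranoid)"
}

# Usage: sh perf-check.sh "$(command -v perf)"
if [ $# -gt 0 ]; then
    diagnose "$1"
fi
```

Run it with the same path you passed to setcap. If the first line reports "script", the capabilities were applied to a wrapper rather than to the binary the wrapper execs, and the getcap and group checks should be repeated against that real binary.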