Em Tue, Jul 21, 2020 at 04:06:34PM +0300, Alexey Budankov escreveu: > > On 13.07.2020 21:51, Arnaldo Carvalho de Melo wrote: > > Em Mon, Jul 13, 2020 at 03:37:51PM +0300, Alexey Budankov escreveu: > >> > >> On 13.07.2020 15:17, Arnaldo Carvalho de Melo wrote: > >>> Em Mon, Jul 13, 2020 at 12:48:25PM +0300, Alexey Budankov escreveu: > >> If it had that patch below then message change would not be required. > > Sure, but the tool should continue to work and provide useful messages > > when running on kernels without that change. Pointing to the document is > > valid and should be done, that is an agreed point. But the tool can do > > some checks, narrow down the possible causes for the error message and > > provide something that in most cases will make the user make progress. > >> However this two sentences in the end of whole message would still add up: > >> "Please read the 'Perf events and tool security' document: > >> https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html"; > > We're in violent agreement here. :-) > Here is the message draft mentioning a) CAP_SYS_PTRACE, for kernels prior > v5.8, and b) Perf security document link. The plan is to send a patch extending > perf_events with CAP_PERFMON check [1] for ptrace_may_access() and extending > the tool with this message. > "Access to performance monitoring and observability operations is limited. > Enforced MAC policy settings (SELinux) can limit access to performance > monitoring and observability operations. Inspect system audit records for > more perf_event access control information and adjusting the policy. > Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open > access to performance monitoring and observability operations for processes > without CAP_PERFMON, CAP_SYS_PTRACE or CAP_SYS_ADMIN Linux capability. > More information can be found at 'Perf events and tool security' document: > https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html > perf_event_paranoid setting is -1: > -1: Allow use of (almost) all events by all users > Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK > >= 0: Disallow raw and ftrace function tracepoint access > >= 1: Disallow CPU event access > >= 2: Disallow kernel profiling > To make the adjusted perf_event_paranoid setting permanent preserve it > in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)" Looks ok! Lots of knobs to control access as one needs. - Arnaldo > Alexei > > [1] https://lore.kernel.org/lkml/20200713121746.GA7029@xxxxxxxxxx/ _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx
