On Tue, Aug 27, 2019 at 07:21:44PM -0400, Steven Rostedt wrote: > > At least for CAP_TRACING (if it were to allow read/write access > to /sys/kernel/tracing), that would be very useful. It would be useful > to those that basically own their machines, and want to trace their > applications all the way into the kernel without having to run as full > root. +1 The proposal is to have CAP_TRACING to control perf and ftrace. perf and trace-cmd binaries could be installed with CAP_TRACING and that's all they need to do full tracing. I can craft a patch for perf_event_open side and demo CAP_TRACING. Once that cap bit is ready you can use it on ftrace side? > Should we allow CAP_TRACING access to /proc/kallsyms? as it is helpful > to convert perf and trace-cmd's function pointers into names. Once you > allow tracing of the kernel, hiding /proc/kallsyms is pretty useless. yep.
