Debian uses a downstream patch[1] to allow further restriction of perf_event_open, which requires CAP_SYS_ADMIN for all perf_event_open(2) operations. Set the parameter to a value of 2 during the tests and reset afterwards.

[1]: https://salsa.debian.org/kernel-team/linux/-/blob/debian/5.17.3-1/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
v2: set parameter to 2 instead of granting CAP_SYS_ADMIN
---
 tests/perf_event/test | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/tests/perf_event/test b/tests/perf_event/test
index c336477..cc1247b 100755
--- a/tests/perf_event/test
+++ b/tests/perf_event/test
@@ -32,12 +32,18 @@ BEGIN {
         print "\tNot paranoid\n";
     }
     elsif ( $level eq 0 ) {
-        print "\tDisallow raw tracepoint/ftrace without CAP_SYS_ADMIN\n";
+        print
+"\tDisallow raw tracepoint/ftrace without CAP_PERFMON or CAP_SYS_ADMIN\n";
     }
     elsif ( $level eq 1 ) {
-        print "\tDisallow CPU event access without CAP_SYS_ADMIN\n";
+        print
+"\tDisallow CPU event access without CAP_PERFMON or CAP_SYS_ADMIN\n";
     }
     elsif ( $level eq 2 ) {
+        print
+"\tDisallow kernel profiling without CAP_PERFMON or CAP_SYS_ADMIN\n";
+    }
+    elsif ( $level eq 3 ) {
         print "\tDisallow kernel profiling without CAP_SYS_ADMIN\n";
     }
     else {
@@ -48,6 +54,11 @@ BEGIN {
     plan tests => $test_count;
 }
 
+# Downgrade to only require CAP_PERFMON for operations
+if ( $level eq 3 ) {
+    system("echo 2 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null");
+}
+
 # find some CPU that is online
 for ( $cpu = 0 ; -e "/sys/devices/system/cpu/cpu$cpu" ; $cpu++ ) {
@@ -114,4 +125,9 @@ $result =
 "runcon -t test_perf_no_write_t $basedir/perf_event $v $cpu $event_id 2>&1";
 ok( $result >> 8 eq 2 );
 
+# Reset if downgraded
+if ( $level eq 3 ) {
+    system("echo 3 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null");
+}
+
 exit;
-- 
2.36.1
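Review bot: The new `elsif ( $level eq 3 )` branch carries no comment saying where level 3 comes from, so a reader of this BEGIN block (which starts before the hunk) will not know it is the Debian downstream patch named in the commit message rather than a mainline level. I would add above the branch: `# Level 3 only exists with Debian's downstream patch: every perf_event_open() then needs CAP_SYS_ADMIN`. On a mainline kernel an administrator can still have written 3 to the sysctl, where as far as I recall any value above 2 behaves like 2; the message printed here would then overstate the restriction, and the later downgrade/restore hunks (keyed on the same `$level eq 3`) would rewrite it to 2 for the run, which is harmless but deserves a sentence in that comment.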
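Review bot: The downgrade done here is not undone if the script dies or is killed anywhere between this hunk and the final `exit;`, because the reset in the last hunk is ordinary straight-line code, so a fatal error in any test leaves perf_event_paranoid at 2 — weaker than the administrator configured with the Debian patch (the same remark applies to the reset hunk). `system("echo 2 > ... 2> /dev/null")` also discards the write's exit status, so a failed write (read-only /proc/sys, or a denial under the policy the suite runs in) silently runs the tests at level 3 and every later ok() fails for an unrelated reason. Writing the value with a three-arg open and checking it, and moving the restore into an END block keyed on a flag that is only set when the downgrade succeeded, fixes both; whether a failed write should die or skip depends on how the suite is normally invoked, I have used die below. The reset hunk then reduces to nothing, since END runs on `exit;` as well.
```perl
# Downgrade to only require CAP_PERFMON for operations; remember the
# original value so END can restore it on every exit path, not only on
# the normal one.
my $restore_level;
if ( $level eq 3 ) {
    open my $fh, '>', '/proc/sys/kernel/perf_event_paranoid'
      or die "cannot lower perf_event_paranoid: $!";
    print {$fh} "2\n";
    close $fh or die "cannot lower perf_event_paranoid: $!";
    $restore_level = $level;
}

END {
    if ( defined $restore_level ) {
        if ( open my $fh, '>', '/proc/sys/kernel/perf_event_paranoid' ) {
            print {$fh} "$restore_level\n";
            close $fh or warn "cannot restore perf_event_paranoid: $!";
        }
        else {
            warn "cannot restore perf_event_paranoid: $!";
        }
    }
}
# … unchanged: find some CPU that is online …
```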