linux perf: how to enable perf permission for specific users?

Question

How to setup perf permission for specific user?
(kernel.perf_event_paranoid is not an option because it is global)

Kernel documentation is unclear or incomplete:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#privileged-perf-users-groups

• Documentation mentions group need config, but does not tell how.

2. Assign the required capabilities to the Perf tool executable file and enable members of perf_users group with monitoring and observability privileges 6 :

• The section about creating privileged shell environment, is even worse. It does not provide any detailed instruction at all.

Answer 1

To quote from this web page. You create a group, perf_users, with this command (run as root, say via sudo -s):

# groupadd perf_users

Then cause a specific program file, perf, to be runnable only by members of that group:

# chgrp perf_users perf
# chmod o-rwx perf

Finally, it shows how to give that file capabilities:

# setcap "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" perf

The document also includes some commands to verify the file is configured as intended: ls -alhF and getcap perf. (There is some discussion of including cap_ipc_lock or equivalently 38 in the capability list.)

At this point anyone, that can successfully execute this perf program, will observe it run with the needed capabilities.

Perhaps you are missing the command to add a user, username, to this newly created group? Try, sudo usermod -G perf_users -a username. That user will need to then log out and log in again for that added group membership to take effect.

As to the section on creating a shell wrapper, it says that a file with this content:

exec /usr/sbin/capsh --iab=^cap_perfmon --secbits=239 --user=$SUDO_USER -- -l

should be created at /usr/local/bin/perf.shell. You can create such content with sudo vi /usr/local/bin/perf.shell, or swap in whatever your favorite editor is in place of vi. The file needs to be made executable. To be explicit: sudo chmod +x /usr/local/bin/perf.shell.

The instructions for enabling this executable script to be invoked, as root, via sudo by members of the perf_users group indicate the state of things when this is done. That is, you have this line is in the /etc/sudoers file:

%perf_users    ALL=/usr/local/bin/perf.shell

You will need to sudo vi /etc/sudoers (or via your favorite editor) to insert that line.

Given that edit, that section ends with an example of how to enter this shell environment:

$ sudo perf.shell

From here, every binary executed in this shell context will have the specified capabilities raised.