Your message dated Thu, 01 May 2025 14:45:07 +0200 (CEST)
with message-id <20250501124507.28d6bbe2...@eldamar.lan>
and subject line Closing this bug (BTS maintenance for src:linux bugs)
has caused the Debian Bug report #994044,
regarding CAP_PERFMON should override kernel.perf_event_paranoid=3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
994044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994044
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: linux
Version: 5.10.46-4

(Probably applies to all versions >=5.9)

Hello,

Debian adds kernel.perf_event_paranoid=3 as an additional restriction level for perf_event_open() (debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch). This can be overridden by the capability CAP_SYS_ADMIN.

Since the introduction of this patch, Linux introduced the new capability CAP_PERFMON [1] to guard access to perf_event_open() in a more granular way than CAP_SYS_ADMIN. Processes with CAP_PERFMON are intended to not be bound by kernel.perf_event_paranoid restrictions, but this does not currently work for kernel.perf_event_paranoid=3.

The code patched with security-perf-allow-further-restriction-of-perf_event_open.patch can be easily adjusted to also respect CAP_PERFMON by using the helper function perfmon_capable() in perf_event_open(). (This helper function is what all the other perf code uses for capability checks):

--- kernel/events/core.c.orig   2021-09-10 13:44:39.926796374 +0200
+++ kernel/events/core.c        2021-09-10 13:44:44.430640895 +0200
@@ -11696,7 +11696,7 @@
        if (flags & ~PERF_FLAG_ALL)
                return -EINVAL;

-       if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
+       if (perf_paranoid_any() && !perfmon_capable())
                return -EACCES;

        /* Do we allow access to perf_event_open(2) ? */
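Review bot: the swap at `-       if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))` is a strict relaxation rather than a replacement of the root override, because mainline defines perfmon_capable() in include/linux/perf_event.h as capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN); CAP_SYS_ADMIN holders keep passing the level-3 gate and CAP_PERFMON holders are added. The description carried in security-perf-allow-further-restriction-of-perf_event_open.patch should be updated in the same change to say that level 3 is overridden by CAP_PERFMON as well as CAP_SYS_ADMIN, since this one-line hunk changes the documented override without touching that text.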


To test if perf_event_open() can be called successfully, a command like this can be used:

sudo capsh --caps="cap_perfmon+eip cap_setpcap,cap_setuid,cap_setgid+ep" \
       --keep=1 --user=nobody --addamb=cap_perfmon -- perf top

This shows an error and exits if access to perf_event_open() is denied.

/Stephan


[1]: https://lwn.net/ml/linux-kernel/c8de937a-0b3a-7147-f5ef-69f467e87...@linux.intel.com/
--- End Message ---
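As an added example (not part of the bug report or of Debian's patch), the following C program checks the same condition the capsh invocation above tests, without needing perf installed: it reads kernel.perf_event_paranoid, checks whether CAP_PERFMON (capability bit 38 since Linux 5.8) is in the process's effective set, and attempts perf_event_open(2) on a software counter, reporting the errno. It also models the perf_paranoid_any() gate before and after the proposed one-line change; the model assumes Debian's perf_paranoid_any() means `paranoid > 2` and that mainline's perfmon_capable() is capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN). Function names are the example's own.

```c
/* Added example, not from the bug report or the Debian patch. Linux only;
 * needs <linux/perf_event.h> from linux-libc-dev. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/perf_event.h>

#define CAP_PERFMON_BIT 38   /* CAP_PERFMON capability number (Linux >= 5.8) */

/* Assumption: Debian's perf_paranoid_any() is sysctl_perf_event_paranoid > 2. */
static bool perf_paranoid_any_level(int paranoid) { return paranoid > 2; }

/* Gate before the proposed change: only CAP_SYS_ADMIN overrides level 3. */
int model_gate_before(int paranoid, bool has_perfmon, bool has_sys_admin)
{
    (void)has_perfmon;
    return (perf_paranoid_any_level(paranoid) && !has_sys_admin) ? EACCES : 0;
}

/* Gate after the change: perfmon_capable() is CAP_PERFMON || CAP_SYS_ADMIN. */
int model_gate_after(int paranoid, bool has_perfmon, bool has_sys_admin)
{
    bool perfmon_capable = has_perfmon || has_sys_admin;
    return (perf_paranoid_any_level(paranoid) && !perfmon_capable) ? EACCES : 0;
}

/* Test one capability bit in a CapEff hex mask as printed in /proc/<pid>/status. */
bool cap_mask_has(const char *hex, int capbit)
{
    uint64_t mask = strtoull(hex, NULL, 16);
    if (capbit < 0 || capbit > 63) return false;
    return (mask >> capbit) & 1u;
}

/* Copy the calling process's CapEff mask into out; false if not found. */
bool read_cap_eff(char *out, size_t outlen)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    bool found = false;
    if (!f) return false;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t') p++;
            snprintf(out, outlen, "%s", p);
            out[strcspn(out, "\n")] = '\0';
            found = true;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Read kernel.perf_event_paranoid; INT_MIN if it cannot be read. */
int read_paranoid_level(void)
{
    FILE *f = fopen("/proc/sys/kernel/perf_event_paranoid", "r");
    int level = INT_MIN;
    if (!f) return INT_MIN;
    if (fscanf(f, "%d", &level) != 1) level = INT_MIN;
    fclose(f);
    return level;
}

/* Try perf_event_open(2) on a user-only software cpu-clock counter for this
 * process (the least privileged request). Returns 0 on success or the errno. */
int probe_perf_event_open(void)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = sizeof attr;
    attr.config = PERF_COUNT_SW_CPU_CLOCK;
    attr.disabled = 1;
    attr.exclude_kernel = 1;
    attr.exclude_hv = 1;
    long fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);
    if (fd < 0) return errno;
    close((int)fd);
    return 0;
}

int main(void)
{
    char capeff[64] = "0";
    int level = read_paranoid_level();
    bool perfmon = read_cap_eff(capeff, sizeof capeff) && cap_mask_has(capeff, CAP_PERFMON_BIT);
    int rc = probe_perf_event_open();
    printf("kernel.perf_event_paranoid = %d\n", level);
    printf("CapEff = %s (CAP_PERFMON %s)\n", capeff, perfmon ? "present" : "absent");
    printf("perf_event_open(2): %s\n", rc == 0 ? "allowed" : strerror(rc));
    /* With the unpatched gate, level 3 + CAP_PERFMON (no CAP_SYS_ADMIN) gives EACCES here. */
    return rc == 0 ? 0 : 1;
}
```

Run it as-is and then under the capsh invocation from the report; a process showing CAP_PERFMON present at level 3 but EACCES from perf_event_open(2) exhibits exactly the mismatch the report describes, while at levels 2 and below the remaining per-level checks in the kernel still apply and can deny a request for other reasons.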
--- Begin Message ---
Hi

This bug was filed for a (very) old kernel or the bug is old itself
without resolution. Maybe it was for a feature enablement which nobody
acted on. We are sorry we were not able to timely deal with this issue.
There are many open bugs for the src:linux package and thus we are
closing older bugs where it's unclear if they still occur in newer
versions and are still relevant to the reporter. For an overview see:
https://bugs.debian.org/src:linux .

If you can reproduce your issue with

- the current version in unstable/testing
- the latest kernel from backports

or, if it was a feature addition/wishlist and you still consider it
relevant, then:

Please reopen the bug, see https://www.debian.org/Bugs/server-control
for details.

Please try to provide as many fresh details as possible, including kernel
logs where relevant. In particular, where an issue is coupled with specific
hardware we might ask you to do additional debugging on your side as the
owner of the hardware.

Regards,
Salvatore

--- End Message ---