3

I'd like to use the perf utility. I was following instructions to set up a privileged group of users who are permitted to execute performance monitoring and observability without limits (as instructed here: https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html). I added the group and limited access to users not in the group. I started having problems when assigning capabilities to the perf tool:

setcap cap_sys_admin,cap_sys_ptrace,cap_syslog=ep perf

I get an invalid arguments error saying

fatal error: Invalid argument
usage: setcap [-q] [-v] [-n <rootid>] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

Note <filename> must be a regular (non-symlink) file.

But running stat perf gives me this:

  File: ./perf
  Size: 1622        Blocks: 8          IO Block: 4096   regular file
Device: 10307h/66311d   Inode: 35260925    Links: 1
Access: (0750/-rwxr-x---)  Uid: (    0/    root)   Gid: ( 1001/perf_users)
Access: 2021-12-03 13:08:48.923220351 +0100
Modify: 2021-11-05 17:02:56.000000000 +0100
Change: 2021-12-03 12:31:49.451991980 +0100
 Birth: -

which says the file is a regular file. What could be the problem? How can I set the capabilities for the Perf tool?

Linux distribution: Ubuntu 20.04

EDIT: Last 20 output lines of strace setcap cap_sys_admin,cap_sys_ptrace,cap_syslog=ep perf:

munmap(0x7f825054c000, 90581)           = 0
prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x28 /* CAP_??? */) = 1
prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument)
brk(NULL)                               = 0x55de3e858000
brk(0x55de3e879000)                     = 0x55de3e879000
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=0, inheritable=0}) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_SETFCAP, permitted=0, inheritable=0}) = -1 EPERM (Operation not permitted)
dup(2)                                  = 3
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fstat(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x1), ...}) = 0
write(3, "unable to set CAP_SETFCAP effect"..., 72unable to set CAP_SETFCAP effective capability: Operation not permitted
) = 72
close(3)                                = 0
exit_group(1)                           = ?
+++ exited with 1 +++

1 Answer

3

I was experiencing this too, and was able to get it working by building and installing the latest version of libcap from source. This may not be the best solution, but it worked for me.

libcap-2.53

$ git clone https://kernel.googlesource.com/pub/scm/linux/kernel/git/morgan/libcap
$ cd libcap
$ git checkout libcap-2.53
$ make
$ make test
$ make sudotest
$ sudo make install

I ran the tests to confirm everything was working before install.

Once it had been installed I was able to run the commands listed in the perf-security doc as expected.

Tom Clarke
  • 46
  • 1
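
A preflight for the two conditions visible in this thread, added here as an example (it is not code from the question, the answer, or the perf-security document): setcap's note that the target must be a regular, non-symlink file, and the strace line where capset() for CAP_SETFCAP fails with EPERM. The function names, the verdict strings and the extra ELF check are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run before `setcap <caps> <file>`.
CAP_SETFCAP=31   # bit number of CAP_SETFCAP in <linux/capability.h>

# cap_bit_set HEXMASK BIT: status 0 if BIT is set in the hex capability mask.
cap_bit_set() {
    [ -n "$1" ] && [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_caps [STATUS_FILE]: print the CapEff mask of the calling process.
# STATUS_FILE defaults to /proc/self/status; the override exists for testing.
effective_caps() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}"
}

# is_elf FILE: status 0 if FILE starts with the ELF magic (0x7f 'E' 'L' 'F').
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# setcap_preflight FILE [STATUS_FILE]: print a verdict; status 0 only for "ok".
setcap_preflight() {
    if [ -L "$1" ]; then echo "symlink"; return 1; fi
    if [ ! -f "$1" ]; then echo "not-regular"; return 1; fi
    # Assumption of this example: capabilities are wanted on a compiled binary,
    # because file capabilities on a wrapper script have no effect at exec time.
    if ! is_elf "$1"; then echo "not-elf"; return 1; fi
    if ! cap_bit_set "$(effective_caps "$2")" "$CAP_SETFCAP"; then
        echo "no-cap_setfcap"; return 1
    fi
    echo "ok"
}
```

Call `setcap_preflight ./perf` from the same context as the setcap call (for example under sudo), since CapEff is read from the calling process.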