perf-security.rst - OpenGrok cross reference for /linux/Documentation/admin-guide/perf-security.rst

Lines Matching +full:- +full:_
7 --------
9 Usage of Performance Counters for Linux (perf_events) [1]_ , [2]_ , [3]_
12 direct usage of perf_events system call API [2]_ and over data files
13 generated by Perf tool user mode utility (Perf) [3]_ , [4]_ . The risk
15 units (PMU) [2]_ and Perf collect and expose for performance analysis.
31    (PMC) [8]_ and machine specific registers (MSR) [9]_ that provide
47 the subject for security access control management [5]_ .
50 -------------------------------
53 into two categories [6]_ : a) privileged processes (whose effective user
61 based on the process's credentials [5]_ (usually: effective UID,
65 into distinct units, known as capabilities [6]_ , which can be
66 independently enabled and disabled on per-thread basis for processes and
73 privilege [13]_ (POSIX 1003.1e: 2.2.2.39) for performance monitoring and
81 If system audit records [14]_ for a process using perf_events system call
89 [7]_ , whose outcome determines whether monitoring is permitted.
103 ---------------------------------
105 Mechanisms of capabilities, privileged capability-dumb files [6]_,
106 file system ACLs [10]_ and sudo [15]_ utility can be used to create
118    # ls -alhF
119    -rwxr-xr-x  2 root root  11M Oct 19 15:12 perf
121    # ls -alhF
122    -rwxr-xr-x  2 root perf_users  11M Oct 19 15:12 perf
123    # chmod o-rwx perf
124    # ls -alhF
125    -rwxr-x---  2 root perf_users  11M Oct 19 15:12 perf
129    privileges [6]_ :
134    # setcap -v "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" perf
139 If the libcap [16]_ installed doesn't yet support "cap_perfmon", use "38" instead,
147 'perf top', alternatively use 'perf top -m N', to reduce the memory that
156   # perf top -e cycles
175 1. Create shell script that uses capsh utility [16]_ to assign CAP_PERFMON
184    # ls -alh /usr/local/bin/perf.shell
185    -rwxr-xr-x. 1 root root 83 Oct 13 23:57 /usr/local/bin/perf.shell
187    exec /usr/sbin/capsh --iab=^cap_perfmon --secbits=239 --user=$SUDO_USER -- -l
203 …ups=1004(capsh_test),1000(perf_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
212   $ capsh --decode=0000004000000000
220 or root running processes with CAP_SETPCAP, CAP_SETFCAP [6]_
224 -----------------------------------
227 is governed by perf_event_paranoid [2]_ setting:
229 -1:
231      performance monitoring. Per-user per-cpu perf_event_mlock_kb [2]_
238      *scope* includes per-process and system wide performance monitoring
242      analysis. Per-user per-cpu perf_event_mlock_kb locking limit is
244      [6]_ capability.
247      *scope* includes per-process performance monitoring only and
250      monitored and captured for later analysis. Per-user per-cpu
255      *scope* includes per-process performance monitoring only. CPU and
257      monitored and captured for later analysis. Per-user per-cpu
262 ---------------------------------
267 The perf_events system call API [2]_ allocates file descriptors for
268 every configured PMU event. Open file descriptors are a per-process
269 accountable resource governed by the RLIMIT_NOFILE [11]_ limit
270 (ulimit -n), which is usually derived from the login shell process. When
273 configuration. RLIMIT_NOFILE limit can be increased on per-user basis
274 modifying content of the limits.conf file [12]_ . Ordinarily, a Perf
283 performance monitoring data is governed by the perf_event_mlock_kb [2]_
285 per-cpu limits of memory allowed for mapping by the user processes to
287 RLIMIT_MEMLOCK [11]_ limit, but only for memory regions mapped
292 4128 KiB of memory above the RLIMIT_MEMLOCK limit (ulimit -l) for
296 monitoring processes, for example, using the --mmap-pages Perf record
308 ------------
310 .. [1] `<https://lwn.net/Articles/337493/>`_
311 .. [2] `<http://man7.org/linux/man-pages/man2/perf_event_open.2.html>`_
312 .. [3] `<http://web.eece.maine.edu/~vweaver/projects/perf_events/>`_
313 .. [4] `<https://perf.wiki.kernel.org/index.php/Main_Page>`_
314 .. [5] `<https://www.kernel.org/doc/html/latest/security/credentials.html>`_
315 .. [6] `<http://man7.org/linux/man-pages/man7/capabilities.7.html>`_
316 .. [7] `<http://man7.org/linux/man-pages/man2/ptrace.2.html>`_
317 .. [8] `<https://en.wikipedia.org/wiki/Hardware_performance_counter>`_
318 .. [9] `<https://en.wikipedia.org/wiki/Model-specific_register>`_
319 .. [10] `<http://man7.org/linux/man-pages/man5/acl.5.html>`_
320 .. [11] `<http://man7.org/linux/man-pages/man2/getrlimit.2.html>`_
321 .. [12] `<http://man7.org/linux/man-pages/man5/limits.conf.5.html>`_
322 .. [13] `<https://sites.google.com/site/fullycapable>`_
323 .. [14] `<http://man7.org/linux/man-pages/man8/auditd.8.html>`_
324 .. [15] `<https://man7.org/linux/man-pages/man8/sudo.8.html>`_
325 .. [16] `<https://git.kernel.org/pub/scm/libs/libcap/libcap.git/>`_