What does perf paranoia level four do?
On my installation of Ubuntu Focal, kernel.perf_event_paranoid is set to 4 by default:
$ sysctl kernel.perf_event_paranoid
kernel.perf_event_paranoid = 4
(I've checked /etc/sysctl.conf and the associated config dir; I haven't set this.)
This seems weird to me, because the kernel documentation does not describe any additional effect for values higher than 2:
perf_event_paranoid:
Controls use of the performance events system by unprivileged users (without CAP_SYS_ADMIN). The default value is 2.
-1:  Allow use of (almost) all events by all users
     Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>=0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
     Disallow raw tracepoint access by users without CAP_SYS_ADMIN
>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
(Source.)
I did a quick search of the mainline kernel source code, and I couldn't find any place where perf_event_paranoid was compared to a number higher than 2.
However, setting it to 4 does have an effect. I ran the following perf command, with perf_event_paranoid set to 4, as a non-root user:
perf stat -e context-switches,cpu-migrations -r 1 -- sleep 1
It shows the following error:
Error:
Access to performance monitoring and observability operations is limited.
Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
access to performance monitoring and observability operations for processes
without CAP_PERFMON, CAP_SYS_PTRACE or CAP_SYS_ADMIN Linux capability.
More information can be found at 'Perf events and tool security' document:
perf_event_paranoid setting is 4:
  -1: Allow use of (almost) all events by all users
      Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow raw and ftrace function tracepoint access
>= 1: Disallow CPU event access
>= 2: Disallow kernel profiling
To make the adjusted perf_event_paranoid setting permanent preserve it
in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
If I change kernel.perf_event_paranoid to 3, and run the same command, I get the following result, again as a non-root user:
 Performance counter stats for 'sleep 1':

                 0      context-switches:u
                 0      cpu-migrations:u

       1.000502603 seconds time elapsed

       0.000460000 seconds user
       0.000000000 seconds sys
So changing the perf_event_paranoid setting from the default of 4 to 3 has some effect, even if the Linux kernel documentation doesn't say what.
What gives? Does Ubuntu ship with a custom patch that adds a new, more paranoid perf level?
Other distributions
Debian seems to carry a non-standard patch creating a perf_event_paranoid level of 3:
Jeff Vander Stoep posted the patch on July 27. It adds another value that can be set for the sysctl parameter (i.e. kernel.perf_event_paranoid=3) that restricts perf_event_open() to processes with the CAP_SYS_ADMIN capability. Currently, perf_event_paranoid is set to 2 by default, which disallows access to some perf features (raw tracepoint access, CPU event access, and kernel profiling) to processes without the proper capabilities; the patch does not change the default. He also submitted another patch that would allow configuring the kernel to make 3 be the default perf_event_paranoid value.
(Source.)
But it would seem Ubuntu is even more paranoid than that.
1 Answer
Level 4 does exactly the same thing as the Debian patch: it prevents unprivileged processes from using perf_event_open(). However, the restriction kicks in at paranoia level 4, instead of paranoia level 3.
The current paranoia levels are documented in a comment in the kernel source, in file kernel/events/core.c.
/*
 * perf event paranoia level:
 *  -1 - not paranoid at all
 *   0 - disallow raw tracepoint access for unpriv
 *   1 - disallow cpu events for unpriv
 *   2 - disallow kernel profiling for unpriv
 *   4 - disallow all unpriv perf event use
 */
The commit making this change can be found here. (Note that the commit message and the kernel comments contradict each other. The kernel comments seem correct to me.)
To summarize:
- Levels -1 through 2: Same as mainline kernel.
- Level 3: Same as level 2? Could not 100% confirm this. There is a constant PERF_SECURITY_TRACEPOINT set to 3 which is still used in some places.
- Level 4: Disable perf_event_open entirely for unprivileged users.
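As an added example (not part of the question or answer above), this small C probe calls perf_event_open() directly for the three classes of event the documented levels gate, so you can check a host's effective policy without perf installed: an unprivileged user should see the user-only software event (what `perf stat -e context-switches` needs) succeed at level 3 and fail with EACCES at level 4. The constants come from <linux/perf_event.h>; the names parse_paranoid and try_open are chosen here.

```c
#include <errno.h>
#include <linux/perf_event.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Parse the text of /proc/sys/kernel/perf_event_paranoid ("4\n" -> 4). */
long parse_paranoid(const char *text) { return strtol(text, NULL, 10); }

/* Ask the kernel for one event on the calling thread (pid 0, any CPU) and
 * return 0 if it is allowed, otherwise -errno. The paranoid gates surface as
 * EACCES; a "level 4" policy rejects even the user-only software event. */
long try_open(unsigned type, unsigned long long config, int exclude_kernel)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = type;
    attr.size = sizeof attr;
    attr.config = config;
    attr.disabled = 1;               /* we want the verdict, not a measurement */
    attr.exclude_kernel = exclude_kernel;
    long fd = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

int main(void)
{
    char buf[32] = "?";
    FILE *f = fopen("/proc/sys/kernel/perf_event_paranoid", "r");
    if (f && fgets(buf, sizeof buf, f))
        printf("perf_event_paranoid = %ld, euid = %u\n", parse_paranoid(buf), (unsigned)geteuid());
    if (f) fclose(f);
    /* Probes in the order of the documented gates: >=1 blocks CPU events, >=2 blocks kernel profiling. */
    struct { const char *name; unsigned type; unsigned long long cfg; int excl_k; } probes[] = {
        { "software event, user only", PERF_TYPE_SOFTWARE, PERF_COUNT_SW_CONTEXT_SWITCHES, 1 },
        { "hardware event, user only", PERF_TYPE_HARDWARE, PERF_COUNT_HW_CPU_CYCLES, 1 },
        { "software event incl. kernel", PERF_TYPE_SOFTWARE, PERF_COUNT_SW_CONTEXT_SWITCHES, 0 },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        long rc = try_open(probes[i].type, probes[i].cfg, probes[i].excl_k);
        printf("%-28s: %s\n", probes[i].name, rc == 0 ? "allowed" : strerror((int)-rc));
    }
    return 0;
}
```

Run it once as a regular user and once as root (or with CAP_PERFMON) to see which of the three probes the current level blocks; a hardware probe may also report ENOENT on a VM with no PMU exposed, which is a different condition from the EACCES of the paranoid gate.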