Question: needed linux capabilities instead of sudo

[mathisloge]

As the documentation states, it is needed to start the application to be analyzed with elevated permissions. However since this changes the user under linux (exec with sudo) and I need the current user, I've tried to set the possible needed permissions to the application: sudo setcap 'CAP_PERFMON=eip CAP_SYS_PTRACE=eip CAP_SYS_ADMIN=eip CAP_SYS_RAWIO=eip CAP_SYSLOG=eip CAP_SYS_NICE=eip' myapp (just set a whole range of caps, to try to get the same behavior as with sudo). But unfortunately I'm not getting the advanced traces as with sudo.

Does anyone has ever tried it and could help me, which capabilities I need to set to get the same behavior as with sudo?

[wolfpld]

sudo -E might solve some problems.

[mathisloge]

Have tried it before, but I unfortunately really need the current user as the executer (The program uses IPC communication with other programs and those need to be started with the current user, too)

But thanks for the fast response!

[wolfpld]

On Linux you can just run the application with no extra privileges and you will get the performance data for the process (but not for any other process on the system). The android section of the manual specifies some commands that take down the security measures to allow non-privileged users to capture system-wide performance data, such as context switches. It almost works, as you need access to /sys/kernel/debug/tracing/events/*/id (well, any tracefs mount point actually, but see #853), so you can setup perf_event_open correctly with the identifiers of the events to capture. These identifiers do vary between distros / kernels. But if you know the values for your machine, you can just enter it them the relevant perf_event_open calls and it should work, as the permissions there are controlled by the perf_event_paranoid value.

[mathisloge]

ah, thanks for the tip.
I had to explicitly allow the user access to /sys/kernel/debug/tracing as (at least for ubuntu) it is only allowed for root users. So had to do this in a super user shell.

But the program needs still the capabilities CAP_PERFMON=ep CAP_SYS_PTRACE=ep CAP_SYSLOG=ep CAP_SYS_NICE=ep then everything works as expected. Thanks!

[farnoy]

For future reference if anyone finds this issue:

$ sudo chmod o+rx -R /sys/kernel/debug
$ sudo echo -1 | tee /proc/sys/kernel/perf_event_paranoid
$ sudo echo 0 | tee /proc/sys/kernel/kptr_restrict
$ sudo -E capsh --caps="cap_perfmon,cap_sys_ptrace,cap_syslog,cap_setuid,cap_setgid,cap_sys_nice+eip" --keep=1 --user=$(whoami) --addamb=cap_perfmon -- -c $SHELL

you can then run your program in this elevated shell, but as your user and with all your environment preserved