
perf_event_paranoid

Overview

perf_event_paranoid is a kernel tunable that controls access permissions to performance monitoring events. It determines what level of privilege is required to use various perf_event features.

This setting is crucial for security, as unrestricted access to performance counters can potentially leak sensitive information about system behavior and other processes.

Permission Levels

The /proc/sys/kernel/perf_event_paranoid file accepts integer values that define access restrictions:

| Level | Description | Access restrictions |
|-------|-------------|---------------------|
| -1 | No restrictions | All users can access all events, including kernel profiling and CPU-specific events. Not recommended. |
| 0 | Relaxed (default on some systems) | Unprivileged users can perform per-process profiling but cannot profile kernel space or other users' processes. |
| 1 | Moderate | Unprivileged users can only access CPU events (cycles, instructions). No access to kernel profiling or tracepoints. |
| 2 | Restricted (common default) | Unprivileged users cannot use perf_event_open at all. Only processes with the CAP_PERFMON or CAP_SYS_ADMIN capability are allowed. |
| 3 | Fully restricted | Denies all access to perf events, even for privileged processes (rarely used). |
| 4 | Maximum restriction | Complete lockdown of the perf subsystem. |

Note

The default value varies by distribution, but most distributions ship with it set to 2.

Checking Current Setting

# View current paranoid level
cat /proc/sys/kernel/perf_event_paranoid

Configuring perf_event_paranoid

# Set to level 1 (moderate restrictions)
sudo sysctl kernel.perf_event_paranoid=1

# Or directly write to proc
echo 1 | sudo tee /proc/sys/kernel/perf_event_paranoid

Security Implications

Performance counters can expose sensitive information about other processes. An attacker could mount a side-channel attack, measuring execution time to infer cryptographic keys or other secrets, or observing cache behaviour to extract data.

Safe Practices

  1. Use capabilities instead of lowering the paranoid level system-wide:

    # Grant CAP_PERFMON to specific binaries
    sudo setcap cap_perfmon=ep /path/to/joule-profiler

  2. Limit access to specific users:

    # Add user to perf_users group (if your distro supports it)
    sudo usermod -aG perf_users $USER

  3. Run with sudo when needed:

    sudo perf stat -e cycles ./my_program

Troubleshooting

“Permission denied” errors

Error: perf_event_paranoid level is 1, try setting it to 0 or launch Joule Profiler with root rights

Solution: Either lower the perf_event_paranoid level, grant Joule Profiler the CAP_PERFMON capability, or launch it with root privileges (sudo).

Note

To access RAPL counters using perf_event, you need to set perf_event_paranoid level to 0, or launch the profiler with root privileges.
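A preflight check that applies the level table and the RAPL note above before launching a profiler, so the "Permission denied" case is diagnosed up front. This is an added example, not part of Joule Profiler; it assumes CAP_SYS_ADMIN is capability bit 21 and CAP_PERFMON is bit 38 in the CapEff mask of /proc/self/status, and the PARANOID_FILE override is a hypothetical testing hook.

```shell
#!/bin/sh
# Preflight check for perf_event access (added example, not Joule Profiler code).
# Combines kernel.perf_event_paranoid with the process's effective capabilities,
# following the level table and the RAPL note on this page.
# Assumed: CAP_SYS_ADMIN is capability bit 21 and CAP_PERFMON is bit 38 in the
# CapEff hex mask reported by /proc/self/status.

# perf_verdict LEVEL CAPEFF_HEX WANT
#   WANT is "user" (user-space CPU events), "kernel" (kernel profiling) or
#   "rapl" (RAPL energy counters). Prints "ok" or "denied" on stdout, the
#   remedy on stderr, and returns 0 (ok), 1 (denied) or 2 (bad request).
perf_verdict() {
    level=$1
    caps=$2
    want=$3
    privileged=$(( ((0x$caps >> 38) & 1) | ((0x$caps >> 21) & 1) ))
    # CAP_PERFMON or CAP_SYS_ADMIN bypasses the paranoid level entirely.
    if [ "$privileged" -eq 1 ]; then echo ok; return 0; fi
    # Highest level at which an unprivileged user still gets this access,
    # per the table above: 1 for user-space CPU events, 0 for RAPL, -1 for kernel.
    case $want in
        user)   need=1 ;;
        kernel) need=-1 ;;
        rapl)   need=0 ;;
        *) echo "perf_verdict: unknown request '$want'" >&2; return 2 ;;
    esac
    if [ "$level" -le "$need" ]; then echo ok; return 0; fi
    echo denied
    echo "perf_event_paranoid is $level; $want access needs $need or lower." >&2
    echo "Lower it (sudo sysctl kernel.perf_event_paranoid=$need)," \
         "grant CAP_PERFMON (setcap cap_perfmon=ep <binary>), or run as root." >&2
    return 1
}

# perf_preflight WANT: read the live level and CapEff, then call perf_verdict.
# PARANOID_FILE (hypothetical hook) lets you point at a saved copy of the file.
perf_preflight() {
    level=$(cat "${PARANOID_FILE:-/proc/sys/kernel/perf_event_paranoid}") || return 2
    caps=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null)
    perf_verdict "$level" "${caps:-0}" "$1"
}
```

Run `perf_preflight rapl` before starting an energy profile; a `denied` verdict means the remedy printed on stderr (one of the three listed under Troubleshooting) is required.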
