kernel.perf_event_paranoid

This sysctl key controls the use of the performance events system. It restricts which actions an unprivileged user can perform with the perf tools. The setting is useful for limiting access to potentially sensitive information that can be gathered from the kernel and from processes.

The current upper limit is 2, which is also the default value. Debian-based systems may have higher values available.

Values

  • -1 - Allow use of (almost) all events by all users. Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK.
  • >=0 - Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN. Disallow raw tracepoint access by users without CAP_SYS_ADMIN.
  • >=1 - Disallow CPU event access by users without CAP_SYS_ADMIN.
  • >=2 - Disallow kernel profiling by users without CAP_SYS_ADMIN.

Show current value

The value of kernel.perf_event_paranoid can be retrieved using the sysctl command.

sysctl kernel.perf_event_paranoid

or by reading it from the proc file system:

cat /proc/sys/kernel/perf_event_paranoid

Configure new value

To apply a new value, use the option --write, followed by the key and value.

sysctl --write kernel.perf_event_paranoid=NEWVALUE

To ensure that these changes are also applied during the next boot, add them to a configuration file, typically something like /etc/sysctl.d/99-custom.conf.
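
The script below is an added example, not part of the original article: it maps a value to the restrictions listed under Values and checks that a hardened runtime value is also set in a configuration file, so it survives the next boot. The function names, the single-directory scan of /etc/sysctl.d and the default minimum of 2 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit kernel.perf_event_paranoid.

# Print what users without CAP_SYS_ADMIN are denied at value $1, following
# the levels listed on this page. One restriction per line.
perf_paranoid_restrictions() {
    [ "$1" -eq "$1" ] 2>/dev/null || { echo "not an integer: $1" >&2; return 2; }
    [ "$1" -ge 0 ] || echo "none: (almost) all events allowed for all users"
    [ "$1" -lt 0 ] || echo "ftrace function tracepoint and raw tracepoint access"
    [ "$1" -lt 1 ] || echo "CPU event access"
    [ "$1" -lt 2 ] || echo "kernel profiling"
}

# Print the last value assigned to the key in DIR/*.conf (lexical order, a
# later assignment wins). Assumption: only this one directory is scanned,
# not every location that sysctl --system reads.
persisted_value() {
    result=""
    for f in "${1:-/etc/sysctl.d}"/*.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*kernel\.perf_event_paranoid[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then result=$v; fi
    done
    printf '%s\n' "$result"
}

# audit_perf_paranoid RUNTIME [DIR] [MINIMUM]; MINIMUM defaults to 2
# (assumption: the default value named on this page is the required level).
# Returns 0 = ok, 1 = runtime invalid or too permissive, 2 = not persisted.
audit_perf_paranoid() {
    perf_paranoid_restrictions "$1" >/dev/null || return 1
    runtime=$1; minimum=${3:-2}
    persisted=$(persisted_value "${2:-/etc/sysctl.d}")
    if [ "$runtime" -lt "$minimum" ]; then
        echo "FAIL: runtime value $runtime is below $minimum"; return 1
    fi
    if [ -z "$persisted" ] || [ "$persisted" -lt "$minimum" ]; then
        echo "WARN: runtime $runtime, but no persisted value >= $minimum"; return 2
    fi
    echo "OK: runtime $runtime, persisted $persisted"
}

# Report on the live system when the proc file is readable.
if [ -r /proc/sys/kernel/perf_event_paranoid ]; then
    current=$(cat /proc/sys/kernel/perf_event_paranoid)
    echo "Denied without CAP_SYS_ADMIN at value $current:"
    perf_paranoid_restrictions "$current" | sed 's/^/  - /'
    audit_perf_paranoid "$current" /etc/sysctl.d || true
fi
```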


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
