Making it easier to run Adaptyst without sacrificing security

Published: 24 March 2025 (updated to make the post clearer about the effects of the changes)

Until now, Adaptyst could only run if the kernel.perf_event_paranoid kernel setting was set to -1 and /sys/kernel/debug was mounted. Making a machine meet these requirements is a serious security intervention and can therefore be a real obstacle when trying to adopt the tool in more security-aware environments.

Having investigated how profiling-related permissions work in Linux, we could safely replace the two prerequisites with just one easier-to-implement requirement of adding the CAP_IPC_LOCK capability to the patched “perf” executable. If there’s a need for kernel symbols in stack traces, the CAP_SYSLOG capability should be added as well.

The documentation has been updated accordingly (see here) and Adaptyst no longer performs checks for /sys/kernel/debug or kernel.perf_event_paranoid.
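
As an added example (not code from Adaptyst or its documentation), the shell helpers below audit a host for the setup described above: the patched "perf" carries CAP_IPC_LOCK and at most CAP_SYSLOG, kernel.perf_event_paranoid is no longer at -1, and /sys/kernel/debug is not mounted. The perf path and the PERF_BIN variable are placeholders, and the "+ep" flag set in the setcap comment is an assumption.

```shell
#!/bin/sh
# Added example: audit helpers for the capability-based setup.
# Granting is typically done with setcap; the path is a placeholder and the
# "+ep" flag set is an assumption (follow the Adaptyst documentation):
#   sudo setcap cap_ipc_lock,cap_syslog+ep /path/to/patched/perf

# Succeeds if a getcap output line grants cap_ipc_lock and nothing beyond
# cap_ipc_lock/cap_syslog. Handles "path = caps+ep" (older libcap) and
# "path caps=ep" (newer libcap); assumes the path contains no spaces.
perf_caps_ok() {
    caps=${1#* }           # drop the path
    caps=${caps#= }        # drop the "= " separator of older libcap
    caps=${caps%%[+=]*}    # drop the flag suffix ("+ep" or "=ep")
    has_ipc_lock=1
    old_ifs=$IFS; IFS=,
    for c in $caps; do
        case $c in
            cap_ipc_lock) has_ipc_lock=0 ;;
            cap_syslog) ;;
            *) IFS=$old_ifs; return 1 ;;   # capability the post does not call for
        esac
    done
    IFS=$old_ifs
    return "$has_ipc_lock"
}

# Succeeds if kernel.perf_event_paranoid is 0 or higher, i.e. no longer at
# the -1 value that Adaptyst used to require.
paranoid_ok() { [ "$1" -ge 0 ]; }

# Succeeds if the given /proc/mounts text has nothing mounted on
# /sys/kernel/debug.
debugfs_unmounted() {
    case " $1" in
        *" /sys/kernel/debug "*) return 1 ;;
    esac
    return 0
}

# Live check: PERF_BIN=/path/to/patched/perf sh audit.sh
if [ -n "${PERF_BIN:-}" ]; then
    perf_caps_ok "$(getcap "$PERF_BIN")" || echo "WARN: capabilities on $PERF_BIN do not match the expected set"
    paranoid_ok "$(cat /proc/sys/kernel/perf_event_paranoid)" || echo "WARN: perf_event_paranoid is below 0"
    debugfs_unmounted "$(cat /proc/mounts)" || echo "NOTE: /sys/kernel/debug is mounted; Adaptyst no longer needs it"
fi
```

Many distributions mount /sys/kernel/debug by default, so the last check is reported as a note rather than a warning.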