0bef253ec5
cgroups.7: Add more detail on v2 'cpu' controller and realtime threads
...
Explicitly note the scheduling policies that are relevant for the
v2 'cpu' controller.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-09 11:45:43 +02:00
4644794c1e
cgroups.7: Minor wording fix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-05 08:49:15 +02:00
6c9aa5ad5f
cgroups.7: Rework discussion of writing to cgroup.type file
...
In particular, it is possible to write "threaded" to a
cgroup.type file if the current type is "domain threaded".
Previously, the text had implied that this was not possible.
Verified by experiment on Linux 4.15 and 4.19-rc.
Reported-by: Leah Hanson <lhanson@pivotal.io>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-05 08:22:10 +02:00
df0a41dfe3
pid_namespaces.7: Note a detail of /proc/PID/ns/pid_for_children behavior
...
After clone(CLONE_NEWPID), /proc/PID/ns/pid_for_children is empty
until the first child is created. Verified by experiment.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-01 14:49:08 +02:00
e5cd406d8e
pid_namespaces.7: Note that a process can do unshare(CLONE_NEWPID) only once
...
(See the recent commit to the unshare(2) manual page.)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-01 14:42:07 +02:00
3acd70581d
capabilities.7: Update URL for location of POSIX.1e draft standard
...
Reported-by: Allison Randal <allison@lohutok.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-29 00:02:44 +02:00
37894e514e
sched.7: SEE ALSO: add chcpu(1), lscpu(1)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-28 18:38:48 +02:00
396761eee3
cgroups.7: Minor clarification to remove possible ambiguity
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-20 12:25:00 +02:00
5367a9aba9
capabilities.7: Ambient capabilities do not trigger secure-execution mode
...
Reported-by: Pierre Chifflier <pollux@debian.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-13 11:41:08 +02:00
96123f413d
signal.7: SEE ALSO: add clone(2)
...
Because of the discussion of trheads and signals in clone(2)/
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-10 11:18:06 +02:00
c2df769494
cgroups.7: tfix
...
Reported-by: Mike Weilgart <mike.weilgart@verticalsysadmin.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-06 23:19:36 +02:00
8bd6881ea9
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-18 09:45:06 +02:00
68bd4ad98c
namespaces.7: tfix
...
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-12 14:08:19 +02:00
5a2ed9eebe
namespaces.7: tfix
...
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-06 21:42:42 +02:00
0d59d0c8bf
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-03 16:07:59 +02:00
50c7074665
posixoptions.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-03 15:53:03 +02:00
3426f62cea
namespaces.7: Mention ioctl(2) in discussion of namespaces APIs
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-03 07:36:48 +02:00
9a6d888cb6
namespaces.7: List factors that may pin a namespace into existence
...
Various factors may pin a namespace into existence, even when it
has no member processes.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-03 07:30:17 +02:00
7df0e773c7
unix.7: wfix: s/foreign process/peer process/
...
The more common parlance these days is, I think, "peer".
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
94950b9a68
socket.7, unix.7: Move text describing SO_PEERCRED from socket(7) to unix(7)
...
This is, AFAIK, an option specific to UNIX domain sockets, so
place it in unix(7).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
ffab8460c6
unix.7: Refer reader to socket(7) for information about SO_PEEK_OFF
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
2fc7c74cc5
socket.7: Refer reader to unix(7) for information on SO_PASSSEC
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
48c2b7065d
tcp.7, udp.7: Add a reference to socket(7) noting existence of further socket options
...
Some other socket options that are applicable for TCP and UDP sockets
are documented in socket(7), so help the reader by pointing them at
that page.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
670387c122
udp.7: srcfix: add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
1221abb60e
unix.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
ffad6a017f
unix.7: Document SCM_SECURITY ancillary data
...
And fix a wording error in the description of SO_PASSSEC.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
366a9bffc8
unix.7: Document SO_PASSSEC
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 11:50:11 +02:00
5af0f223d1
unix.7: Ancillary data forms a barrier when receiving on a stream socket
...
Thanks to a tip from Keith Packard:
https://keithp.com/blogs/fd-passing/
(Also verified by experiment.)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-17 09:39:56 +02:00
5219daec26
unix.7: One must send at least one byte of real data with ancillary data
...
When sending ancillary data, at least one byte of real data should
also be sent. This is strictly necessary for stream sockets
(verified by experiment). It is not required for datagram sockets
on Linux (verified by experiment), but portable applications
should do so.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 10:33:42 +02:00
c0e56ed687
unix.7: Clarify treatment of incoming ancillary data if 'msg_control' is NULL
...
If no buffer is supplied for incoming ancillary data, then
the data is lost.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 10:33:32 +02:00
4564dd1fee
unix.7: If the buffer to receive SCM_RIGHTS FDs is too small, FDs are closed
...
If the ancillary data buffer for receiving SCM_RIGHTS file
descriptors is too small, then the excess file descriptors are
automatically closed in the receiving process. Verified by
experiment.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 10:16:49 +02:00
b65f4c691d
unix.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 10:16:49 +02:00
879962006f
unix.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 09:50:30 +02:00
93f5b0f8f4
mount_namespaces.7: SEE ALSO: add findmnt(8)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-13 07:08:28 +02:00
5b5cb19580
unix.7: When sending ancillary data, only one item of each type may be sent
...
Verified by experiment and reading the source code (although
the SCM_RIGHTS case is not so clear to me in the source code).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-10 07:14:50 +02:00
52900faab3
unix.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-10 07:14:50 +02:00
311bf2f694
unix.7: Minor wording fixes
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-10 07:14:50 +02:00
05bf3361a6
unix.7: grfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-10 07:14:50 +02:00
c87721467e
unix.7: Note behavior if buffer to receive ancillary data is too small
...
If the buffer supplied to recvmsg() to receive ancillary data is
too small, then the data is truncated and the MSG_CTRUNC flag is
set.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 21:13:08 +02:00
13600496d3
unix.7: Enhance the description of SCM_RIGHTS
...
The existing description is rather thin. More can be said.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:57:27 +02:00
8bdcf4bf81
unix.7: There is a limit on the size of the file descriptor array for SCM_RIGHTS
...
The limit is defined in the kernel as SCM_MAX_FD (253).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:38:44 +02:00
f1081bdc42
unix.7: Fix a minor imprecision in description of SCM_CREDENTIALS
...
To spoof credentials requires privilege (i.e., capabilities),
not UID 0.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:21:43 +02:00
b66d5714b1
unix.7: grfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:20:52 +02:00
bdef802116
unix.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:20:32 +02:00
2c77e8de08
capabilities.7: Note that v3 security.attributes are transparently created/retrieved
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-02 09:59:21 +02:00
00ae99b028
capabilities.7: Fix some imprecisions in discussion of namespaced file capabilities
...
The file UID does not come into play when creating a v3
security.capability extended attribute.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
9b2c207a33
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
c281d0505d
capabilities.7: wfix
...
Fix some confusion between "mask" and "extended attribute"
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
54254ef33a
capabilities.7: srcfix: Removed FIXME
...
No credential match of file UID and namespace creator UID
is needed to create a v3 security extended attribute.
Verified by experiment using my userns_child_exec.c and
show_creds.c programs (available on http://man7.org/tlpi/code ):
$ sudo setcap cap_setuid,cap_dac_override=pe \
./userns_child_exec
$ ./userns_child_exec -U -r setcap cap_kill=pe show_creds
$ ./userns_child_exec -U -M '0 1000 10' -G '0 1000 1' \
-s 1 ./show_creds
eUID = 1; eGID = 0; capabilities: = cap_kill+ep
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:07 +02:00
ffea2c14f2
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-24 08:54:17 +02:00
Michael Kerrisk