Michael Kerrisk
0bef253ec5
cgroups.7: Add more detail on v2 'cpu' controller and realtime threads
...
Explicitly note the scheduling policies that are relevant for the
v2 'cpu' controller.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-09 11:45:43 +02:00
Michael Kerrisk
4644794c1e
cgroups.7: Minor wording fix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-05 08:49:15 +02:00
Michael Kerrisk
6c9aa5ad5f
cgroups.7: Rework discussion of writing to cgroup.type file
...
In particular, it is possible to write "threaded" to a
cgroup.type file if the current type is "domain threaded".
Previously, the text had implied that this was not possible.
Verified by experiment on Linux 4.15 and 4.19-rc.
Reported-by: Leah Hanson <lhanson@pivotal.io>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-05 08:22:10 +02:00
Michael Kerrisk
df0a41dfe3
pid_namespaces.7: Note a detail of /proc/PID/ns/pid_for_children behavior
...
After clone(CLONE_NEWPID), /proc/PID/ns/pid_for_children is empty
until the first child is created. Verified by experiment.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-01 14:49:08 +02:00
Michael Kerrisk
e5cd406d8e
pid_namespaces.7: Note that a process can do unshare(CLONE_NEWPID) only once
...
(See the recent commit to the unshare(2) manual page.)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-10-01 14:42:07 +02:00
Michael Kerrisk
3acd70581d
capabilities.7: Update URL for location of POSIX.1e draft standard
...
Reported-by: Allison Randal <allison@lohutok.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-29 00:02:44 +02:00
Michael Kerrisk
37894e514e
sched.7: SEE ALSO: add chcpu(1), lscpu(1)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-28 18:38:48 +02:00
Michael Kerrisk
396761eee3
cgroups.7: Minor clarification to remove possible ambiguity
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-20 12:25:00 +02:00
Michael Kerrisk
5367a9aba9
capabilities.7: Ambient capabilities do not trigger secure-execution mode
...
Reported-by: Pierre Chifflier <pollux@debian.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-13 11:41:08 +02:00
Michael Kerrisk
96123f413d
signal.7: SEE ALSO: add clone(2)
...
Because of the discussion of threads and signals in clone(2).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-10 11:18:06 +02:00
Michael Kerrisk
c2df769494
cgroups.7: tfix
...
Reported-by: Mike Weilgart <mike.weilgart@verticalsysadmin.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-06 23:19:36 +02:00
Lucas Werkmeister
8bd6881ea9
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-18 09:45:06 +02:00
Jakub Wilk
68bd4ad98c
namespaces.7: tfix
...
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-12 14:08:19 +02:00
Tobias Klauser
5a2ed9eebe
namespaces.7: tfix
...
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-06 21:42:42 +02:00
Michael Kerrisk
0d59d0c8bf
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-03 16:07:59 +02:00
Michael Kerrisk
50c7074665
posixoptions.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-03 15:53:03 +02:00
Michael Kerrisk
3426f62cea
namespaces.7: Mention ioctl(2) in discussion of namespaces APIs
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-03 07:36:48 +02:00
Michael Kerrisk
9a6d888cb6
namespaces.7: List factors that may pin a namespace into existence
...
Various factors may pin a namespace into existence, even when it
has no member processes.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-03 07:30:17 +02:00
Michael Kerrisk
7df0e773c7
unix.7: wfix: s/foreign process/peer process/
...
The more common parlance these days is, I think, "peer".
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
Michael Kerrisk
94950b9a68
socket.7, unix.7: Move text describing SO_PEERCRED from socket(7) to unix(7)
...
This is, AFAIK, an option specific to UNIX domain sockets, so
place it in unix(7).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
Michael Kerrisk
ffab8460c6
unix.7: Refer reader to socket(7) for information about SO_PEEK_OFF
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
Michael Kerrisk
2fc7c74cc5
socket.7: Refer reader to unix(7) for information on SO_PASSSEC
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
Michael Kerrisk
48c2b7065d
tcp.7, udp.7: Add a reference to socket(7) noting existence of further socket options
...
Some other socket options that are applicable for TCP and UDP sockets
are documented in socket(7), so help the reader by pointing them at
that page.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
Michael Kerrisk
670387c122
udp.7: srcfix: add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
Michael Kerrisk
1221abb60e
unix.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
Michael Kerrisk
ffad6a017f
unix.7: Document SCM_SECURITY ancillary data
...
And fix a wording error in the description of SO_PASSSEC.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 12:30:44 +02:00
Michael Kerrisk
366a9bffc8
unix.7: Document SO_PASSSEC
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-28 11:50:11 +02:00
Michael Kerrisk
5af0f223d1
unix.7: Ancillary data forms a barrier when receiving on a stream socket
...
Thanks to a tip from Keith Packard:
https://keithp.com/blogs/fd-passing/
(Also verified by experiment.)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-17 09:39:56 +02:00
Michael Kerrisk
5219daec26
unix.7: One must send at least one byte of real data with ancillary data
...
When sending ancillary data, at least one byte of real data should
also be sent. This is strictly necessary for stream sockets
(verified by experiment). It is not required for datagram sockets
on Linux (verified by experiment), but portable applications
should do so.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 10:33:42 +02:00
Michael Kerrisk
c0e56ed687
unix.7: Clarify treatment of incoming ancillary data if 'msg_control' is NULL
...
If no buffer is supplied for incoming ancillary data, then
the data is lost.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 10:33:32 +02:00
Michael Kerrisk
4564dd1fee
unix.7: If the buffer to receive SCM_RIGHTS FDs is too small, FDs are closed
...
If the ancillary data buffer for receiving SCM_RIGHTS file
descriptors is too small, then the excess file descriptors are
automatically closed in the receiving process. Verified by
experiment.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 10:16:49 +02:00
Michael Kerrisk
b65f4c691d
unix.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 10:16:49 +02:00
Michael Kerrisk
879962006f
unix.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-15 09:50:30 +02:00
Michael Kerrisk
93f5b0f8f4
mount_namespaces.7: SEE ALSO: add findmnt(8)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-13 07:08:28 +02:00
Michael Kerrisk
5b5cb19580
unix.7: When sending ancillary data, only one item of each type may be sent
...
Verified by experiment and reading the source code (although
the SCM_RIGHTS case is not so clear to me in the source code).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-10 07:14:50 +02:00
Michael Kerrisk
52900faab3
unix.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-10 07:14:50 +02:00
Michael Kerrisk
311bf2f694
unix.7: Minor wording fixes
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-10 07:14:50 +02:00
Michael Kerrisk
05bf3361a6
unix.7: grfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-10 07:14:50 +02:00
Michael Kerrisk
c87721467e
unix.7: Note behavior if buffer to receive ancillary data is too small
...
If the buffer supplied to recvmsg() to receive ancillary data is
too small, then the data is truncated and the MSG_CTRUNC flag is
set.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 21:13:08 +02:00
Michael Kerrisk
13600496d3
unix.7: Enhance the description of SCM_RIGHTS
...
The existing description is rather thin. More can be said.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:57:27 +02:00
Michael Kerrisk
8bdcf4bf81
unix.7: There is a limit on the size of the file descriptor array for SCM_RIGHTS
...
The limit is defined in the kernel as SCM_MAX_FD (253).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:38:44 +02:00
Michael Kerrisk
f1081bdc42
unix.7: Fix a minor imprecision in description of SCM_CREDENTIALS
...
To spoof credentials requires privilege (i.e., capabilities),
not UID 0.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:21:43 +02:00
Michael Kerrisk
b66d5714b1
unix.7: grfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:20:52 +02:00
Michael Kerrisk
bdef802116
unix.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:20:32 +02:00
Michael Kerrisk
2c77e8de08
capabilities.7: Note that v3 security.attributes are transparently created/retrieved
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-02 09:59:21 +02:00
Michael Kerrisk
00ae99b028
capabilities.7: Fix some imprecisions in discussion of namespaced file capabilities
...
The file UID does not come into play when creating a v3
security.capability extended attribute.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
Michael Kerrisk
9b2c207a33
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
Michael Kerrisk
c281d0505d
capabilities.7: wfix
...
Fix some confusion between "mask" and "extended attribute"
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
Michael Kerrisk
54254ef33a
capabilities.7: srcfix: Removed FIXME
...
No credential match of file UID and namespace creator UID
is needed to create a v3 security extended attribute.
Verified by experiment using my userns_child_exec.c and
show_creds.c programs (available on http://man7.org/tlpi/code ):
    $ sudo setcap cap_setuid,cap_dac_override=pe \
            ./userns_child_exec
    $ ./userns_child_exec -U -r setcap cap_kill=pe show_creds
    $ ./userns_child_exec -U -M '0 1000 10' -G '0 1000 1' \
            -s 1 ./show_creds
    eUID = 1; eGID = 0; capabilities: = cap_kill+ep
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:07 +02:00
Michael Kerrisk
ffea2c14f2
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-24 08:54:17 +02:00