8bdcf4bf81
unix.7: There is a limit on the size of the file descriptor array for SCM_RIGHTS
...
The limit is defined in the kernel as SCM_MAX_FD (253).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:38:44 +02:00
f1081bdc42
unix.7: Fix a minor imprecision in description of SCM_CREDENTIALS
...
To spoof credentials requires privilege (i.e., capabilities),
not UID 0.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:21:43 +02:00
b66d5714b1
unix.7: grfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:20:52 +02:00
bdef802116
unix.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:20:32 +02:00
2c77e8de08
capabilities.7: Note that v3 security.attributes are transparently created/retrieved
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-02 09:59:21 +02:00
00ae99b028
capabilities.7: Fix some imprecisions in discussion of namespaced file capabilities
...
The file UID does not come into play when creating a v3
security.capability extended attribute.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
9b2c207a33
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
c281d0505d
capabilities.7: wfix
...
Fix some confusion between "mask" and "extended attribute"
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
54254ef33a
capabilities.7: srcfix: Removed FIXME
...
No credential match of file UID and namespace creator UID
is needed to create a v3 security extended attribute.
Verified by experiment using my userns_child_exec.c and
show_creds.c programs (available on http://man7.org/tlpi/code ):
$ sudo setcap cap_setuid,cap_dac_override=pe \
./userns_child_exec
$ ./userns_child_exec -U -r setcap cap_kill=pe show_creds
$ ./userns_child_exec -U -M '0 1000 10' -G '0 1000 1' \
-s 1 ./show_creds
eUID = 1; eGID = 0; capabilities: = cap_kill+ep
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:07 +02:00
ffea2c14f2
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-24 08:54:17 +02:00
a607673bb8
epoll.7: Consistently use the term "interest list" rather than "epoll set"
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 12:21:56 +02:00
d1d90ea54d
epoll.7: Expand the discussion of the implications of file descriptor duplication
...
In particular, note that it may be difficult for an application
to know about the existence of duplicate file descriptors.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 12:20:25 +02:00
a3961b2fd5
epoll.7: Note that edge-triggered notification wakes up only one waiter
...
Note a useful performance benefit of EPOLLET: ensuring that
only one of multiple waiters (in epoll_wait()) is woken
up when a file descriptor becomes ready.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 12:20:25 +02:00
0409116028
epoll.7: Introduce the terms "interest list" and "ready list"
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 12:20:25 +02:00
4524285a71
epoll.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 09:41:16 +02:00
1e79ad8cd8
epoll.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 09:30:02 +02:00
b4ebb4ee79
epoll.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 09:27:46 +02:00
6832efaf3c
epoll.7: Reformat Q&A list
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 09:27:24 +02:00
0201f48246
vdso.7: Fix parisc gateway page description
...
The parisc gateway page currently only exports 3 functions:
The lws_entry for CAS operations (at 0xb0), the set_thread_pointer
function for usage in glibc (at 0xe0) and the Linux syscall entry
(at 0x100).
All other symbols in the manpage are internal labels and
shouldn't be used directly by userspace or glibc, so drop them
from the man page documentation.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-28 11:04:33 +02:00
0cec24722b
signal.7: Clarify that sigsuspend() and pause() suspend the calling *thread*
...
Reported-by: Robin Kuzmin <kuzmin.robin@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-18 10:04:37 +02:00
390795d76a
inotify.7: Note ENOTDIR error that can occur for IN_ONLYDIR
...
Note ENOTDIR error that occurs when requesting a watch on a
nondirectory with IN_ONLYDIR.
Reported-by: Paul Millar <paul.millar@desy.de>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-06 10:22:13 +02:00
0a719e9411
capabilities.7: tfix
...
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-02 21:16:20 +02:00
c87cbea10f
capabilities.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-02 11:37:29 +02:00
c2b279afb7
capabilities.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
ddc1ad3079
capabilities.7: Add background details on capability transformations during execve(2)
...
Add background details on ambient and bounding set when
discussing capability transformations during execve(2).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
7c957134f1
capabilities.7: Minor rewording
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
bb1f24fab8
capabilities.7: Reorder text on capability bounding set
...
Reverse order of text blocks describing pre- and
post-2.6.25 bounding set. No content changes.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
2e87ced3b5
capabilities.7: Rework bounding set as per-thread set in transformation rules
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
36de80b984
capabilities.7: Add text introducing bounding set along with other thread capability sets
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
daf8312704
capabilities.7: Clarify which capability sets capset(2) and capget(2) apply to
...
capset(2) and capget(2) apply operate only on the permitted,
effective, and inheritable process capability sets.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 12:46:48 +02:00
1db1d36d82
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 12:40:14 +02:00
09b8afdc04
execve.2, fallocate.2, getrlimit.2, io_submit.2, membarrier.2, mmap.2, msgget.2, open.2, ptrace.2, readv.2, semget.2, shmget.2, shutdown.2, syscall.2, wait.2, wait4.2, crypt.3, encrypt.3, fseek.3, getcwd.3, makedev.3, pthread_create.3, puts.3, tsearch.3, elf.5, filesystems.5, group.5, passwd.5, sysfs.5, mount_namespaces.7, posixoptions.7, time.7, unix.7, vdso.7, xattr.7, ld.so.8: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-30 17:41:31 +02:00
29c0586f51
bpf.2, sched_setattr.2, crypt.3, elf.5, proc.5, fanotify.7, feature_test_macros.7, sched.7: spfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-27 14:48:33 +02:00
075f5e6592
namespaces.7: Mention that device ID should also be checked when comparing NS symlinks
...
When comparing two namespaces symlinks to see if they refer to
the same namespace, both the inode number and the device ID
should be compared. This point was already made clear in
ioctl_ns(2), but was missing from this page.
Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-27 14:10:32 +02:00
3eb078c52f
unix.7: tfix
...
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-27 14:01:50 +02:00
90ef0f7bf8
capabilities.7: tfix
...
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-27 14:01:43 +02:00
314d88f611
vdso.7: VDSO symbols (system calls) are not visible to seccomp(2) filters
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-24 18:25:44 +02:00
115c1eb46c
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-19 11:18:31 +02:00
690e62da71
capabilities.7: srcfix: FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
bcaa30c985
capabilities.7: Rework file capability versioning and namespaced file caps text
...
There was some confused missing of concepts between the
two subsections, and some other details that needed fixing up.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
6442c03b68
capabilities.7: Explain when VFS_CAP_REVISION_3 file capabilities have effect
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
7b45f4b2ad
capabilities.7: Explain rules that determine version of security.capability xattr
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
7da0c87a78
capabilities.7: Explain term "namespace root user ID"
...
Confirmed with Serge Hallyn that: "nsroot" means the UID 0
in the namespace as it would be mapped into the initial userns.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
12dce73121
capabilities.7: Document namespaced-file capabilities
...
Cowritten-by: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
b684870410
capabilities.7: Describe file capability versioning
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
873727f44a
posixoptions.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 17:02:28 +02:00
11e9d8f890
posixoptions.7: Use a more consistent, less cluttered layout for option lists
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 17:02:18 +02:00
17282a589f
posixoptions.7: Make function lists more consistent and less cluttered
...
Use more consistent layout for lists of functions, and
remove punctuation from the lists to make them less cluttered.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 10:44:01 +02:00
5a9ef49145
posixoptions.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 10:25:11 +02:00
6f131a899a
posixoptions.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 10:25:11 +02:00
Michael Kerrisk