Michael Kerrisk
8bdcf4bf81
unix.7: There is a limit on the size of the file descriptor array for SCM_RIGHTS
...
The limit is defined in the kernel as SCM_MAX_FD (253).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:38:44 +02:00
Michael Kerrisk
f1081bdc42
unix.7: Fix a minor imprecision in description of SCM_CREDENTIALS
...
To spoof credentials requires privilege (i.e., capabilities),
not UID 0.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:21:43 +02:00
Michael Kerrisk
b66d5714b1
unix.7: grfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:20:52 +02:00
Michael Kerrisk
bdef802116
unix.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-08 10:20:32 +02:00
Michael Kerrisk
2c77e8de08
capabilities.7: Note that v3 security.attributes are transparently created/retrieved
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-02 09:59:21 +02:00
Michael Kerrisk
00ae99b028
capabilities.7: Fix some imprecisions in discussion of namespaced file capabilities
...
The file UID does not come into play when creating a v3
security.capability extended attribute.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
Michael Kerrisk
9b2c207a33
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
Michael Kerrisk
c281d0505d
capabilities.7: wfix
...
Fix some confusion between "mask" and "extended attribute"
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
Michael Kerrisk
54254ef33a
capabilities.7: srcfix: Removed FIXME
...
No credential match of file UID and namespace creator UID
is needed to create a v3 security extended attribute.
Verified by experiment using my userns_child_exec.c and
show_creds.c programs (available on http://man7.org/tlpi/code ):
    $ sudo setcap cap_setuid,cap_dac_override=pe \
            ./userns_child_exec
    $ ./userns_child_exec -U -r setcap cap_kill=pe show_creds
    $ ./userns_child_exec -U -M '0 1000 10' -G '0 1000 1' \
            -s 1 ./show_creds
    eUID = 1; eGID = 0; capabilities: = cap_kill+ep
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:07 +02:00
Michael Kerrisk
ffea2c14f2
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-24 08:54:17 +02:00
Michael Kerrisk
a607673bb8
epoll.7: Consistently use the term "interest list" rather than "epoll set"
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 12:21:56 +02:00
Michael Kerrisk
d1d90ea54d
epoll.7: Expand the discussion of the implications of file descriptor duplication
...
In particular, note that it may be difficult for an application
to know about the existence of duplicate file descriptors.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 12:20:25 +02:00
Michael Kerrisk
a3961b2fd5
epoll.7: Note that edge-triggered notification wakes up only one waiter
...
Note a useful performance benefit of EPOLLET: ensuring that
only one of multiple waiters (in epoll_wait()) is woken
up when a file descriptor becomes ready.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 12:20:25 +02:00
Michael Kerrisk
0409116028
epoll.7: Introduce the terms "interest list" and "ready list"
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 12:20:25 +02:00
Michael Kerrisk
4524285a71
epoll.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 09:41:16 +02:00
Michael Kerrisk
1e79ad8cd8
epoll.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 09:30:02 +02:00
Michael Kerrisk
b4ebb4ee79
epoll.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 09:27:46 +02:00
Michael Kerrisk
6832efaf3c
epoll.7: Reformat Q&A list
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-06-22 09:27:24 +02:00
Helge Deller
0201f48246
vdso.7: Fix parisc gateway page description
...
The parisc gateway page currently only exports 3 functions:
The lws_entry for CAS operations (at 0xb0), the set_thread_pointer
function for usage in glibc (at 0xe0) and the Linux syscall entry
(at 0x100).
All other symbols in the manpage are internal labels and
shouldn't be used directly by userspace or glibc, so drop them
from the man page documentation.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-28 11:04:33 +02:00
Michael Kerrisk
0cec24722b
signal.7: Clarify that sigsuspend() and pause() suspend the calling *thread*
...
Reported-by: Robin Kuzmin <kuzmin.robin@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-18 10:04:37 +02:00
Michael Kerrisk
390795d76a
inotify.7: Note ENOTDIR error that can occur for IN_ONLYDIR
...
Note ENOTDIR error that occurs when requesting a watch on a
nondirectory with IN_ONLYDIR.
Reported-by: Paul Millar <paul.millar@desy.de>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-06 10:22:13 +02:00
Michael Kerrisk
0a719e9411
capabilities.7: tfix
...
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-02 21:16:20 +02:00
Michael Kerrisk
c87cbea10f
capabilities.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-02 11:37:29 +02:00
Michael Kerrisk
c2b279afb7
capabilities.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
Michael Kerrisk
ddc1ad3079
capabilities.7: Add background details on capability transformations during execve(2)
...
Add background details on ambient and bounding set when
discussing capability transformations during execve(2).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
Michael Kerrisk
7c957134f1
capabilities.7: Minor rewording
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
Michael Kerrisk
bb1f24fab8
capabilities.7: Reorder text on capability bounding set
...
Reverse order of text blocks describing pre- and
post-2.6.25 bounding set. No content changes.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
Michael Kerrisk
2e87ced3b5
capabilities.7: Rework bounding set as per-thread set in transformation rules
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
Michael Kerrisk
36de80b984
capabilities.7: Add text introducing bounding set along with other thread capability sets
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 13:55:37 +02:00
Michael Kerrisk
daf8312704
capabilities.7: Clarify which capability sets capset(2) and capget(2) apply to
...
capset(2) and capget(2) operate only on the permitted,
effective, and inheritable process capability sets.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 12:46:48 +02:00
Michael Kerrisk
1db1d36d82
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-05-01 12:40:14 +02:00
Michael Kerrisk
09b8afdc04
execve.2, fallocate.2, getrlimit.2, io_submit.2, membarrier.2, mmap.2, msgget.2, open.2, ptrace.2, readv.2, semget.2, shmget.2, shutdown.2, syscall.2, wait.2, wait4.2, crypt.3, encrypt.3, fseek.3, getcwd.3, makedev.3, pthread_create.3, puts.3, tsearch.3, elf.5, filesystems.5, group.5, passwd.5, sysfs.5, mount_namespaces.7, posixoptions.7, time.7, unix.7, vdso.7, xattr.7, ld.so.8: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-30 17:41:31 +02:00
Michael Kerrisk
29c0586f51
bpf.2, sched_setattr.2, crypt.3, elf.5, proc.5, fanotify.7, feature_test_macros.7, sched.7: spfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-27 14:48:33 +02:00
Michael Kerrisk
075f5e6592
namespaces.7: Mention that device ID should also be checked when comparing NS symlinks
...
When comparing two namespace symlinks to see if they refer to
the same namespace, both the inode number and the device ID
should be compared. This point was already made clear in
ioctl_ns(2), but was missing from this page.
Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-27 14:10:32 +02:00
Jakub Wilk
3eb078c52f
unix.7: tfix
...
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-27 14:01:50 +02:00
Jakub Wilk
90ef0f7bf8
capabilities.7: tfix
...
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-27 14:01:43 +02:00
Michael Kerrisk
314d88f611
vdso.7: VDSO symbols (system calls) are not visible to seccomp(2) filters
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-24 18:25:44 +02:00
Michael Kerrisk
115c1eb46c
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-19 11:18:31 +02:00
Michael Kerrisk
690e62da71
capabilities.7: srcfix: FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
Michael Kerrisk
bcaa30c985
capabilities.7: Rework file capability versioning and namespaced file caps text
...
There was some confused mixing of concepts between the
two subsections, and some other details that needed fixing up.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
Michael Kerrisk
6442c03b68
capabilities.7: Explain when VFS_CAP_REVISION_3 file capabilities have effect
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
Michael Kerrisk
7b45f4b2ad
capabilities.7: Explain rules that determine version of security.capability xattr
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
Michael Kerrisk
7da0c87a78
capabilities.7: Explain term "namespace root user ID"
...
Confirmed with Serge Hallyn that: "nsroot" means the UID 0
in the namespace as it would be mapped into the initial userns.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
Michael Kerrisk
12dce73121
capabilities.7: Document namespaced-file capabilities
...
Cowritten-by: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
Michael Kerrisk
b684870410
capabilities.7: Describe file capability versioning
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 21:23:28 +02:00
Michael Kerrisk
873727f44a
posixoptions.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 17:02:28 +02:00
Michael Kerrisk
11e9d8f890
posixoptions.7: Use a more consistent, less cluttered layout for option lists
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 17:02:18 +02:00
Michael Kerrisk
17282a589f
posixoptions.7: Make function lists more consistent and less cluttered
...
Use more consistent layout for lists of functions, and
remove punctuation from the lists to make them less cluttered.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 10:44:01 +02:00
Michael Kerrisk
5a9ef49145
posixoptions.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 10:25:11 +02:00
Michael Kerrisk
6f131a899a
posixoptions.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-04-13 10:25:11 +02:00