[PATCH 1/3] prctl.2: document new seccomp options

[PATCH 1/3] prctl.2: document new seccomp options

[Shawn Landden]

the seccomp stuff requires
 #include <linux/seccomp.h>
But I am not sure where/how to specify that.
---
 man2/prctl.2 |  133 +++++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 108 insertions(+), 25 deletions(-)

diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..8fb7f58 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -41,11 +41,14 @@
 .\" 2012-04 Cyrill Gorcunov, Document PR_SET_MM
 .\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and
 .\"				PR_TASK_PERF_EVENTS_ENABLE
+.\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
+.\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
+.\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
 .\"
 .\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
 .\"		commit 6976675d94042fbd446231d1bd8b7de71a980ada
 .\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
 .SH NAME
 prctl \- operations on a process
 .SH SYNOPSIS
@@ -231,16 +234,53 @@ Return the current value of the parent process death signal,
 in the location pointed to by
 .IR "(int\ *) arg2" .
 .TP
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+Takes a boolean argument as
+.IR arg2 .
+After being set, the process and all its children can never gain new privleges.
+Operations that grant new privileges (i.e. execve)
+will either fail or not grant them.  This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (
+.BR setresuid (2) ,
+.BR capset (2) ,
+etc.) will still work.  Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege.  So, for example,
+asking selinux for a specific new context (e.g. with
+.BR runcon (1))
+will result
+in execve returning
+.BR EPERM .
+See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
 .BR PR_SET_SECCOMP " (since Linux 2.6.23)"
 .\" See http://thread.gmane.org/gmane.linux.kernel/542632
 .\" [PATCH 0 of 2] seccomp updates
 .\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR CONFIG_SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT
+The only system calls that the thread is permitted to make are
 .BR read (2),
 .BR write (2),
 .BR _exit (2),
@@ -249,24 +289,37 @@ and
 Other system calls result in the delivery of a
 .BR SIGKILL
 signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.\" See https://lwn.net/Articles/475043/
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program in the format of
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+without the
+.BR CAP_SYS_ADMIN
+capability, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1.
+.RE
 .TP
 .BR PR_GET_SECCOMP " (since Linux 2.6.23)"
-Return the secure computing mode of the calling thread.
-Not very useful for the current implementation (mode equals 1),
-but may be useful for other possible future modes:
-if the caller is not in secure computing mode, this operation returns 0;
-if the caller is in secure computing mode, then the
+Return the secure computing mode of the calling thread. Returns
+.BR SECCOMP_MODE_DISABLED ,
+.BR SECCOMP_MODE_STRICT ,
+or
+.BR SECCOMP_MODE_FILTER .
+If the caller is in secure computing mode, then the
 .BR prctl ()
 call will cause a
 .B SIGKILL
 signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+This operation is only available if the kernel is configured with
+.BR CONFIG_SECCOMP
+enabled.
 .TP
 .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
 Set the "securebits" flags of the calling thread to the value supplied in
@@ -551,6 +604,7 @@ On success,
 .BR PR_GET_TIMING ,
 .BR PR_GET_SECUREBITS ,
 .BR PR_MCE_KILL_GET ,
+.BR PR_GET_NO_NEW_PRIVS ,
 and (if it returns)
 .BR PR_GET_SECCOMP
 return the nonnegative values described above.
@@ -562,6 +616,19 @@ On error, \-1 is returned, and
 is set appropriately.
 .SH ERRORS
 .TP
+.B EACCES
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+the caller does not have the
+.BR CAP_SYS_ADMIN
+capability, and
+.BR PR_SET_NO_NEW_PRIVS
+has not been set as documented above.
+.TP
 .B EFAULT
 .I arg2
 is an invalid address.
@@ -579,6 +646,10 @@ or
 .BR PR_MCE_KILL_GET
 or
 .BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
 and unused
 .BR prctl ()
 arguments were not specified as zero.
@@ -593,9 +664,15 @@ is not valid value for this
 is
 .BR PR_SET_SECCOMP
 or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
 and the kernel was not configured with
 .BR CONFIG_SECCOMP .
+(or
+.BR CONFIG_SECCOMP_FILTER
+if
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER )
 .TP
 .B EINVAL
 .I option
@@ -603,11 +680,6 @@ is
 .BR PR_SET_MM ,
 and one of the following is true
 .RS
-.IP * 3
-.I arg4
-or
-.I arg5
-is nonzero;
 .IP *
 .I arg3
 is greater than
@@ -637,6 +709,17 @@ or specifies a value that would cause the
 resource limit to be exceeded.
 .RE
 .TP
+.B EINVAL
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+and
+.I arg3
+is not a valid filter program.
+.TP
 .B EPERM
 .I option
 is
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 2/3] prctl.2: document PR_GET_TIMESLACK and PR_SET_TIMESLACK

[Shawn Landden]

---
 man2/prctl.2 |   22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/man2/prctl.2 b/man2/prctl.2
index 8fb7f58..f4db191 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -44,9 +44,7 @@
 .\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
 .\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
 .\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
-.\"
-.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
-.\"		commit 6976675d94042fbd446231d1bd8b7de71a980ada
+.\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK
 .\"
 .TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
 .SH NAME
@@ -417,6 +415,24 @@ for information on versions and architectures)
 Return unaligned access control bits, in the location pointed to by
 .IR "(int\ *) arg2" .
 .TP
+.BR PR_SET_TIMERSLACK " (since Linux 2.6.27)"
+.\" see commit 6976675d94042fbd446231d1bd8b7de71a980ada
+Controls the "rounding" that is used by
+.BR select (2)
+and
+.BR poll (2)
+and friends.
+If
+.I arg2
+is a positive integer, set timer slack to
+.IR arg2 .
+Otherwise reset to timer stack to its value when the process was created.
+(default 50 usec) This setting inherits on
+.BR fork (2) .
+.TP
+.BR PR_GET_TIMESLACK " (since Linux 2.6.27)"
+Returns the current timer slack.
+.TP
 .BR PR_MCE_KILL " (since Linux 2.6.32)"
 Set the machine check memory corruption kill policy for the current thread.
 If
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 3/3] prctl.2, proc.5: document arm alignment trap via /proc/apu/alignment

[Shawn Landden]

---
 man2/prctl.2 |    7 +++++--
 man5/proc.5  |   21 ++++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/man2/prctl.2 b/man2/prctl.2
index f4db191..b68bea2 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -44,7 +44,7 @@
 .\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
 .\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
 .\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
-.\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK
+.\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK, ARM alignment trap handler
 .\"
 .TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
 .SH NAME
@@ -406,7 +406,10 @@ Pass
 \fBPR_UNALIGN_NOPRINT\fP to silently fix up unaligned user accesses,
 or \fBPR_UNALIGN_SIGBUS\fP to generate
 .B SIGBUS
-on unaligned user access.
+on unaligned user access. ARM is set system-wide via /proc/cpu/alignment (see
+.IR Documentation/arm/mem_alignment
+or
+.BR proc (5)).
 .TP
 .B PR_GET_UNALIGN
 (see
diff --git a/man5/proc.5 b/man5/proc.5
index 2ba1daa..e7ca611 100644
--- a/man5/proc.5
+++ b/man5/proc.5
@@ -58,7 +58,7 @@
 .\" to see what information could be imported from that file
 .\" into this file.
 .\"
-.TH PROC 5 2012-05-03 "Linux" "Linux Programmer's Manual"
+.TH PROC 5 2012-08-04 "Linux" "Linux Programmer's Manual"
 .SH NAME
 proc \- process information pseudo-file system
 .SH DESCRIPTION
@@ -1229,6 +1229,25 @@ cat /lib/modules/$(uname \-r)/build/.config
 is only provided if the kernel is configured with
 .BR CONFIG_IKCONFIG_PROC .
 .TP
+.IR /proc/cpu/alignment " (ARM only)"
+Set the behavior of the user-mode alignment trap handler. When writing, takes a
+number that is the sum of the fallowing: 1, print message to syslog; (signal) 2,
+fix up the user process performing the unaligned access; (fixup) 4, send a
+.BR SIGBUS
+signal (
+.BR SIGILL
+before 2.6.35) to the user process performing the unaligned access. (signal)
+Signal and fixup cannot be used together. On armv6+ either fixup or signal must
+be used, to prevent possible deadlock.
+
+Reading will provide statistics on fixups performed since boot in user and
+system mode, as well as the current user-mode trap behavior.
+
+Other architectures set this behavior on a per-process level, via
+.B prctl(PR_SET_UNALIGN).
+See
+.BR prctl (2).
+.TP
 .I /proc/cpuinfo
 This is a collection of CPU and system architecture dependent items,
 for each supported architecture a different list.
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 3/3] prctl.2, proc.5: document arm alignment trap via /proc/apu/alignment

[shawn]

this interface has been like this from the pre-git days, and I did not
track down the specific version it was added to its present location (it
was once in sysfs)
On Sat, 2012-08-04 at 13:46 -0700, Shawn Landden wrote: 
> ---
>  man2/prctl.2 |    7 +++++--
>  man5/proc.5  |   21 ++++++++++++++++++++-
>  2 files changed, 25 insertions(+), 3 deletions(-)
> 
> diff --git a/man2/prctl.2 b/man2/prctl.2
> index f4db191..b68bea2 100644
> --- a/man2/prctl.2
> +++ b/man2/prctl.2
> @@ -44,7 +44,7 @@
>  .\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
>  .\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
>  .\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
> -.\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK
> +.\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK, ARM alignment trap handler
>  .\"
>  .TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
>  .SH NAME
> @@ -406,7 +406,10 @@ Pass
>  \fBPR_UNALIGN_NOPRINT\fP to silently fix up unaligned user accesses,
>  or \fBPR_UNALIGN_SIGBUS\fP to generate
>  .B SIGBUS
> -on unaligned user access.
> +on unaligned user access. ARM is set system-wide via /proc/cpu/alignment (see
> +.IR Documentation/arm/mem_alignment
> +or
> +.BR proc (5)).
>  .TP
>  .B PR_GET_UNALIGN
>  (see
> diff --git a/man5/proc.5 b/man5/proc.5
> index 2ba1daa..e7ca611 100644
> --- a/man5/proc.5
> +++ b/man5/proc.5
> @@ -58,7 +58,7 @@
>  .\" to see what information could be imported from that file
>  .\" into this file.
>  .\"
> -.TH PROC 5 2012-05-03 "Linux" "Linux Programmer's Manual"
> +.TH PROC 5 2012-08-04 "Linux" "Linux Programmer's Manual"
>  .SH NAME
>  proc \- process information pseudo-file system
>  .SH DESCRIPTION
> @@ -1229,6 +1229,25 @@ cat /lib/modules/$(uname \-r)/build/.config
>  is only provided if the kernel is configured with
>  .BR CONFIG_IKCONFIG_PROC .
>  .TP
> +.IR /proc/cpu/alignment " (ARM only)"
> +Set the behavior of the user-mode alignment trap handler. When writing, takes a
> +number that is the sum of the fallowing: 1, print message to syslog; (signal) 2,
> +fix up the user process performing the unaligned access; (fixup) 4, send a
> +.BR SIGBUS
> +signal (
> +.BR SIGILL
> +before 2.6.35) to the user process performing the unaligned access. (signal)
> +Signal and fixup cannot be used together. On armv6+ either fixup or signal must
> +be used, to prevent possible deadlock.
> +
> +Reading will provide statistics on fixups performed since boot in user and
> +system mode, as well as the current user-mode trap behavior.
> +
> +Other architectures set this behavior on a per-process level, via
> +.B prctl(PR_SET_UNALIGN).
> +See
> +.BR prctl (2).
> +.TP
>  .I /proc/cpuinfo
>  This is a collection of CPU and system architecture dependent items,
>  for each supported architecture a different list.


-- 
-Shawn Landden

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 3/3] prctl.2, proc.5: document arm alignment trap via /proc/apu/alignment

[shawn]

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: 0001-prctl.2-note-about-filter-stacking.patch --]
[-- Type: text/x-patch, Size: 687 bytes --]

>From 21c133d764dd8047ad48f79a5adc9d23abdb98db Mon Sep 17 00:00:00 2001
From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Date: Sat, 4 Aug 2012 14:39:02 -0700
Subject: [PATCH] prctl.2: note about filter stacking

---
 man2/prctl.2 |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/man2/prctl.2 b/man2/prctl.2
index b68bea2..6761a11 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -301,7 +301,9 @@ without the
 capability, you must
 first set
 .BR PR_SET_NO_NEW_PRIVS
-to 1.
+to 1. If
+.BR prctl (2)
+is allowed by the attached filter, additional filters may be attached.
 .RE
 .TP
 .BR PR_GET_SECCOMP " (since Linux 2.6.23)"
-- 
1.7.9.5

[PATCH 1/4] prctl.2: document new seccomp options

[Shawn Landden]

the seccomp stuff requires
 #include <linux/seccomp.h>
But I am not sure where/how to specify that.
---
 man2/prctl.2 |  135 +++++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 110 insertions(+), 25 deletions(-)

diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..5c829e7 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -41,11 +41,14 @@
 .\" 2012-04 Cyrill Gorcunov, Document PR_SET_MM
 .\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and
 .\"				PR_TASK_PERF_EVENTS_ENABLE
+.\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
+.\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
+.\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
 .\"
 .\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
 .\"		commit 6976675d94042fbd446231d1bd8b7de71a980ada
 .\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
 .SH NAME
 prctl \- operations on a process
 .SH SYNOPSIS
@@ -231,16 +234,53 @@ Return the current value of the parent process death signal,
 in the location pointed to by
 .IR "(int\ *) arg2" .
 .TP
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+Takes a boolean argument as
+.IR arg2 .
+After being set, the process and all its children can never gain new privleges.
+Operations that grant new privileges (i.e. execve)
+will either fail or not grant them.  This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (
+.BR setresuid (2) ,
+.BR capset (2) ,
+etc.) will still work.  Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege.  So, for example,
+asking selinux for a specific new context (e.g. with
+.BR runcon (1))
+will result
+in execve returning
+.BR EPERM .
+See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
 .BR PR_SET_SECCOMP " (since Linux 2.6.23)"
 .\" See http://thread.gmane.org/gmane.linux.kernel/542632
 .\" [PATCH 0 of 2] seccomp updates
 .\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR CONFIG_SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT
+The only system calls that the thread is permitted to make are
 .BR read (2),
 .BR write (2),
 .BR _exit (2),
@@ -249,24 +289,39 @@ and
 Other system calls result in the delivery of a
 .BR SIGKILL
 signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.\" See https://lwn.net/Articles/475043/
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program in the format of
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+without the
+.BR CAP_SYS_ADMIN
+capability, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1. If
+.BR prctl (2)
+is allowed by the attached filter, additional filters may be attached.
+.RE
 .TP
 .BR PR_GET_SECCOMP " (since Linux 2.6.23)"
-Return the secure computing mode of the calling thread.
-Not very useful for the current implementation (mode equals 1),
-but may be useful for other possible future modes:
-if the caller is not in secure computing mode, this operation returns 0;
-if the caller is in secure computing mode, then the
+Return the secure computing mode of the calling thread. Returns
+.BR SECCOMP_MODE_DISABLED ,
+.BR SECCOMP_MODE_STRICT ,
+or
+.BR SECCOMP_MODE_FILTER .
+If the caller is in secure computing mode, then the
 .BR prctl ()
 call will cause a
 .B SIGKILL
 signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+This operation is only available if the kernel is configured with
+.BR CONFIG_SECCOMP
+enabled.
 .TP
 .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
 Set the "securebits" flags of the calling thread to the value supplied in
@@ -551,6 +606,7 @@ On success,
 .BR PR_GET_TIMING ,
 .BR PR_GET_SECUREBITS ,
 .BR PR_MCE_KILL_GET ,
+.BR PR_GET_NO_NEW_PRIVS ,
 and (if it returns)
 .BR PR_GET_SECCOMP
 return the nonnegative values described above.
@@ -562,6 +618,19 @@ On error, \-1 is returned, and
 is set appropriately.
 .SH ERRORS
 .TP
+.B EACCES
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+the caller does not have the
+.BR CAP_SYS_ADMIN
+capability, and
+.BR PR_SET_NO_NEW_PRIVS
+has not been set as documented above.
+.TP
 .B EFAULT
 .I arg2
 is an invalid address.
@@ -579,6 +648,10 @@ or
 .BR PR_MCE_KILL_GET
 or
 .BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
 and unused
 .BR prctl ()
 arguments were not specified as zero.
@@ -593,9 +666,15 @@ is not valid value for this
 is
 .BR PR_SET_SECCOMP
 or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
 and the kernel was not configured with
 .BR CONFIG_SECCOMP .
+(or
+.BR CONFIG_SECCOMP_FILTER
+if
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER )
 .TP
 .B EINVAL
 .I option
@@ -603,11 +682,6 @@ is
 .BR PR_SET_MM ,
 and one of the following is true
 .RS
-.IP * 3
-.I arg4
-or
-.I arg5
-is nonzero;
 .IP *
 .I arg3
 is greater than
@@ -637,6 +711,17 @@ or specifies a value that would cause the
 resource limit to be exceeded.
 .RE
 .TP
+.B EINVAL
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+and
+.I arg3
+is not a valid filter program.
+.TP
 .B EPERM
 .I option
 is
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 2/4] prctl.2: document PR_GET_TIMESLACK and PR_SET_TIMESLACK

[Shawn Landden]

---
 man2/prctl.2 |   23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/man2/prctl.2 b/man2/prctl.2
index 5c829e7..e3b701e 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -44,9 +44,7 @@
 .\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
 .\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
 .\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
-.\"
-.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
-.\"		commit 6976675d94042fbd446231d1bd8b7de71a980ada
+.\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK
 .\"
 .TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
 .SH NAME
@@ -419,6 +417,25 @@ for information on versions and architectures)
 Return unaligned access control bits, in the location pointed to by
 .IR "(int\ *) arg2" .
 .TP
+.BR PR_SET_TIMERSLACK " (since Linux 2.6.27)"
+.\" see commit 6976675d94042fbd446231d1bd8b7de71a980ada
+Controls the "rounding" that is used by
+.BR select (2)
+and
+.BR poll (2)
+and friends.
+If
+.I arg2
+is a positive integer, set timer slack to
+.IR arg2 .
+(in nanoseconds) Otherwise reset to timer stack to its value when the process
+was created. (default 50 usec) This setting inherits on
+.BR fork (2) .
+Setting this higher may reduce power consumption.
+.TP
+.BR PR_GET_TIMESLACK " (since Linux 2.6.27)"
+Returns the current timer slack.
+.TP
 .BR PR_MCE_KILL " (since Linux 2.6.32)"
 Set the machine check memory corruption kill policy for the current thread.
 If
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 3/4] prctl.2, proc.5: document arm alignment trap via /proc/apu/alignment

[Shawn Landden]

---
 man2/prctl.2 |    7 +++++--
 man5/proc.5  |   21 ++++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/man2/prctl.2 b/man2/prctl.2
index e3b701e..7f0ac46 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -44,7 +44,7 @@
 .\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
 .\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
 .\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
-.\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK
+.\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK, ARM alignment trap handler
 .\"
 .TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
 .SH NAME
@@ -408,7 +408,10 @@ Pass
 \fBPR_UNALIGN_NOPRINT\fP to silently fix up unaligned user accesses,
 or \fBPR_UNALIGN_SIGBUS\fP to generate
 .B SIGBUS
-on unaligned user access.
+on unaligned user access. ARM is set system-wide via /proc/cpu/alignment (see
+.IR Documentation/arm/mem_alignment
+or
+.BR proc (5)).
 .TP
 .B PR_GET_UNALIGN
 (see
diff --git a/man5/proc.5 b/man5/proc.5
index 2ba1daa..e7ca611 100644
--- a/man5/proc.5
+++ b/man5/proc.5
@@ -58,7 +58,7 @@
 .\" to see what information could be imported from that file
 .\" into this file.
 .\"
-.TH PROC 5 2012-05-03 "Linux" "Linux Programmer's Manual"
+.TH PROC 5 2012-08-04 "Linux" "Linux Programmer's Manual"
 .SH NAME
 proc \- process information pseudo-file system
 .SH DESCRIPTION
@@ -1229,6 +1229,25 @@ cat /lib/modules/$(uname \-r)/build/.config
 is only provided if the kernel is configured with
 .BR CONFIG_IKCONFIG_PROC .
 .TP
+.IR /proc/cpu/alignment " (ARM only)"
+Set the behavior of the user-mode alignment trap handler. When writing, takes a
+number that is the sum of the fallowing: 1, print message to syslog; (signal) 2,
+fix up the user process performing the unaligned access; (fixup) 4, send a
+.BR SIGBUS
+signal (
+.BR SIGILL
+before 2.6.35) to the user process performing the unaligned access. (signal)
+Signal and fixup cannot be used together. On armv6+ either fixup or signal must
+be used, to prevent possible deadlock.
+
+Reading will provide statistics on fixups performed since boot in user and
+system mode, as well as the current user-mode trap behavior.
+
+Other architectures set this behavior on a per-process level, via
+.B prctl(PR_SET_UNALIGN).
+See
+.BR prctl (2).
+.TP
 .I /proc/cpuinfo
 This is a collection of CPU and system architecture dependent items,
 for each supported architecture a different list.
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 4/4] prctl.2: document PR_SET_PTRACER

[Shawn Landden]

---
 man2/prctl.2 |   29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/man2/prctl.2 b/man2/prctl.2
index 7f0ac46..f866f04 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -45,6 +45,7 @@
 .\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
 .\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
 .\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK, ARM alignment trap handler
+.\"       PR_SET_PTRACER
 .\"
 .TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
 .SH NAME
@@ -321,6 +322,18 @@ This operation is only available if the kernel is configured with
 .BR CONFIG_SECCOMP
 enabled.
 .TP
+.BR PR_SET_PTRACER " (since Linux 3.3)"
+When using restricted ptrace, permit process of pid
+.I arg2
+to ptrace the current task. A value of 0 means "no process", and the special
+value
+.B PR_SET_PTRACER_ANY
+disables restricted ptrace for this process. Restricted ptrace is set via
+.IR /proc/sys/kernel/yama/ptrace_scope
+when the kernel has been configured with
+.B CONFIG_SECURITY_YAMA
+and the yama LSM is active.
+.TP
 .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
 Set the "securebits" flags of the calling thread to the value supplied in
 .IR arg2 .
@@ -699,6 +712,16 @@ is
 .B EINVAL
 .I option
 is
+.BR PR_SET_PTRACER
+and
+.I arg2
+is not 0,
+.BR PR_SET_PTRACER_ANY ,
+or the pid of an active process.
+.TP
+.B EINVAL
+.I option
+is
 .BR PR_SET_MM ,
 and one of the following is true
 .RS
@@ -742,6 +765,12 @@ and
 .I arg3
 is not a valid filter program.
 .TP
+.B ENOMEM
+.I option
+is
+.BR PR_SET_PTRACER
+and insufficient memory to set up ptrace relation with given pid.
+.TP
 .B EPERM
 .I option
 is
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] prctl.2: PR_{SET,GET}_CHILD_SUBREAPER

[shawnlandden-Re5JQEeQqe8AvxtiuMwx3w]

From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

---
 man2/prctl.2 |   26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/man2/prctl.2 b/man2/prctl.2
index f866f04..b1a005e 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -42,10 +42,12 @@
 .\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and
 .\"				PR_TASK_PERF_EVENTS_ENABLE
 .\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
-.\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
 .\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
+.\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER,
 .\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK, ARM alignment trap handler
 .\"       PR_SET_PTRACER
+.\"       PR_SET_CHILD_SUBREAPER, PR_GET_CHILD_SUBREAPER
+.\"       (thx Lennart Poettering <lennart-mdGvqq1h2p+GdvJs77BJ7Q@public.gmane.org> ebec18a6)
 .\"
 .TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
 .SH NAME
@@ -323,6 +325,7 @@ This operation is only available if the kernel is configured with
 enabled.
 .TP
 .BR PR_SET_PTRACER " (since Linux 3.3)"
+.\" see commit ebec18a6d3aa1e7d84aab16225e87fd25170ec2b
 When using restricted ptrace, permit process of pid
 .I arg2
 to ptrace the current task. A value of 0 means "no process", and the special
@@ -334,6 +337,27 @@ when the kernel has been configured with
 .B CONFIG_SECURITY_YAMA
 and the yama LSM is active.
 .TP
+.BR PR_SET_CHILD_SUBREAPER " (since Linux 3.3)"
+Sets a process, such as a service manager, such that orphan (double-forking)
+child processes re-parent to this process instead of
+.BR init (8).
+The service manager
+is able to receive
+.B SIGCHLD
+signals and is able to investigate the process until
+it calls
+.BR wait (2).
+All children of this process will inherit a flag if they should
+look for a child_subreaper process at exit. Set
+.I arg2
+to 1 or 0 to enable or disable, respectively.
+.TP
+.BR PR_GET_CHILD_SUBREAPER " (since Linux 3.3)"
+Returns whether calling process is a child subreaper (see
+.BR PR_SET_CHILD_SUBREAPER ),
+in the location pointed to by
+.IR "(int\ *) arg2" .
+.TP
 .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
 Set the "securebits" flags of the calling thread to the value supplied in
 .IR arg2 .
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] prctl.2: PR_{SET,GET}_CHILD_SUBREAPER

[Michael Kerrisk (man-pages)]

[CC=+Lennart et al.]

Lennart,

Could you please review Shawn's patch or provide an alternative?

Thanks,

Michael


On Thu, Aug 9, 2012 at 9:09 PM,  <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>
> ---
>  man2/prctl.2 |   26 +++++++++++++++++++++++++-
>  1 file changed, 25 insertions(+), 1 deletion(-)
>
> diff --git a/man2/prctl.2 b/man2/prctl.2
> index f866f04..b1a005e 100644
> --- a/man2/prctl.2
> +++ b/man2/prctl.2
> @@ -42,10 +42,12 @@
>  .\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and
>  .\"                            PR_TASK_PERF_EVENTS_ENABLE
>  .\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
> -.\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
>  .\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
> +.\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER,
>  .\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK, ARM alignment trap handler
>  .\"       PR_SET_PTRACER
> +.\"       PR_SET_CHILD_SUBREAPER, PR_GET_CHILD_SUBREAPER
> +.\"       (thx Lennart Poettering <lennart-mdGvqq1h2p+GdvJs77BJ7Q@public.gmane.org> ebec18a6)
>  .\"
>  .TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
>  .SH NAME
> @@ -323,6 +325,7 @@ This operation is only available if the kernel is configured with
>  enabled.
>  .TP
>  .BR PR_SET_PTRACER " (since Linux 3.3)"
> +.\" see commit ebec18a6d3aa1e7d84aab16225e87fd25170ec2b
>  When using restricted ptrace, permit process of pid
>  .I arg2
>  to ptrace the current task. A value of 0 means "no process", and the special
> @@ -334,6 +337,27 @@ when the kernel has been configured with
>  .B CONFIG_SECURITY_YAMA
>  and the yama LSM is active.
>  .TP
> +.BR PR_SET_CHILD_SUBREAPER " (since Linux 3.3)"
> +Sets a process, such as a service manager, such that orphan (double-forking)
> +child processes re-parent to this process instead of
> +.BR init (8).
> +The service manager
> +is able to receive
> +.B SIGCHLD
> +signals and is able to investigate the process until
> +it calls
> +.BR wait (2).
> +All children of this process will inherit a flag if they should
> +look for a child_subreaper process at exit. Set
> +.I arg2
> +to 1 or 0 to enable or disable, respectively.
> +.TP
> +.BR PR_GET_CHILD_SUBREAPER " (since Linux 3.3)"
> +Returns whether calling process is a child subreaper (see
> +.BR PR_SET_CHILD_SUBREAPER ),
> +in the location pointed to by
> +.IR "(int\ *) arg2" .
> +.TP
>  .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
>  Set the "securebits" flags of the calling thread to the value supplied in
>  .IR arg2 .
> --
> 1.7.9.5
>



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] prctl.2: PR_{SET,GET}_CHILD_SUBREAPER

[Kay Sievers]

On Thu, Jan 10, 2013 at 11:51 PM, Michael Kerrisk (man-pages)
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

>> +All children of this process will inherit a flag if they should
>> +look for a child_subreaper process at exit. Set
>> +.I arg2

This is a non-interesting kernel implementation detail, a simple
optimization in the kernel code flow, which should not be documented
here.

It actually is a bit misguiding, I think, because it might give the
impression to the reader, that this can be influenced with the prctl.
Children processes cannot escape the sub-reaper parent, they can only
become a new sub-reaper themselves.

I'll check with Lennart later today for a reworded sentence.

Thanks,
Kay
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] prctl.2: PR_{SET,GET}_CHILD_SUBREAPER

[Lennart Poettering]

On Thu, 10.01.13 23:51, Michael Kerrisk (man-pages) (mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org) wrote:


Hey, 

sorry for never doing the doc work! Here are my comments:

> > +.BR PR_SET_CHILD_SUBREAPER " (since Linux 3.3)"
> > +Sets a process, such as a service manager, such that orphan (double-forking)
> > +child processes re-parent to this process instead of
> > +.BR init (8).

I don't like this reference to "double-forking" here. After all, this
also applies to triple-forking, quadruple-forking and even
quintuple-forking... ;-)

Expressing this is difficult, but here's my try:

"Enables that the process becomes a 'subreaper' for all its (immediate
or indirect) offspring processes. Any process whose immediate parent
dies and whose ancestry includes a process where this flag is set will
be reparented to the closest process with this flag set, instead of PID
1. A 'subreaper' hence receives SIGHCLD signals for any orphaned
offspring processes, that otherwise would be received by the init
process."

> > +The service manager
> > +is able to receive
> > +.B SIGCHLD
> > +signals and is able to investigate the process until
> > +it calls
> > +.BR wait (2).

Drop this.

> > +All children of this process will inherit a flag if they should
> > +look for a child_subreaper process at exit. Set

This bit should go, it's an inplementation detail, als Kay already
pointed out.

> > +.I arg2
> > +to 1 or 0 to enable or disable, respectively.
> > +.TP
> > +.BR PR_GET_CHILD_SUBREAPER " (since Linux 3.3)"
> > +Returns whether calling process is a child subreaper (see
> > +.BR PR_SET_CHILD_SUBREAPER ),
> > +in the location pointed to by
> > +.IR "(int\ *) arg2" .
> > +.TP
> >  .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
> >  Set the "securebits" flags of the calling thread to the value supplied in
> >  .IR arg2 .
> >

Otherwise sounds good.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] prctl.2: PR_{SET,GET}_CHILD_SUBREAPER

[Shawn Landden]

Signed-off-by: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 man2/prctl.2 |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/man2/prctl.2 b/man2/prctl.2
index e4a1030..fd78f48 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -379,6 +379,23 @@ if the kernel is configured with
 .B CONFIG_SECCOMP
 enabled.
 .TP
+.BR PR_SET_CHILD_SUBREAPER " (since Linux 3.3)"
+Designates this process as a service manager for its' (immediate and
+indirect) offspring processes. Any process whose immediate parent
+dies and whose ancestry includes a process where this flag is set will
+be reparented to the closest process with this flag set, instead of PID
+1. A 'subreaper' hence receives
+.B SIGHCLD
+signals for any orphaned
+offspring processes, that otherwise would be received by
+.BR init (8).
+.TP
+.BR PR_GET_CHILD_SUBREAPER " (since Linux 3.3)"
+Returns whether calling process is a child subreaper (see
+.BR PR_SET_CHILD_SUBREAPER ),
+in the location pointed to by
+.IR "(int\ *) arg2" .
+.TP
 .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
 Set the "securebits" flags of the calling thread to the value supplied in
 .IR arg2 .
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] prctl.2: PR_{SET,GET}_CHILD_SUBREAPER

[Michael Kerrisk (man-pages)]

Shawn, Lennart, Kay,

On Wed, Feb 6, 2013 at 7:33 PM, Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Signed-off-by: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
>  man2/prctl.2 |   17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>
> diff --git a/man2/prctl.2 b/man2/prctl.2
> index e4a1030..fd78f48 100644
> --- a/man2/prctl.2
> +++ b/man2/prctl.2
> @@ -379,6 +379,23 @@ if the kernel is configured with
>  .B CONFIG_SECCOMP
>  enabled.
>  .TP
> +.BR PR_SET_CHILD_SUBREAPER " (since Linux 3.3)"
> +Designates this process as a service manager for its' (immediate and
> +indirect) offspring processes. Any process whose immediate parent
> +dies and whose ancestry includes a process where this flag is set will
> +be reparented to the closest process with this flag set, instead of PID
> +1. A 'subreaper' hence receives
> +.B SIGHCLD
> +signals for any orphaned
> +offspring processes, that otherwise would be received by
> +.BR init (8).
> +.TP
> +.BR PR_GET_CHILD_SUBREAPER " (since Linux 3.3)"
> +Returns whether calling process is a child subreaper (see
> +.BR PR_SET_CHILD_SUBREAPER ),
> +in the location pointed to by
> +.IR "(int\ *) arg2" .
> +.TP
>  .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
>  Set the "securebits" flags of the calling thread to the value supplied in
>  .IR arg2 .

Shawn, there was some imprecision in your patch. I've instead come up
with an alternative.

Kay, Lennart, is the following correct?

       PR_SET_CHILD_SUBREAPER (since Linux 3.4)
              If  arg2 is nonzero, set the "child subreaper" attribute
              of the calling process;  if  arg2  is  zero,  unset  the
              attribute.   When  a  process  is marked as a child sub‐
              reaper, all of the children that it creates,  and  their
              descendants,  will  be marked as having a subreaper.  in
              effect, a subreaper fulfills the role of init(1) for its
              descendant  processes.   Upon  termination  of a process
              that is orphaned (i.e., its immediate parent has already
              terminated)  and marked as having a subreaper, the near‐
              est still  living  ancestor  subreaper  will  receive  a
              SIGCHLD  signal and be able to wait(2) on the process to
              diiscover its termination status.

       PR_GET_CHILD_SUBREAPER (since Linux 3.4)
              Return the "child subreaper" setting of the  caller,  in
              the location pointed to by (int *) arg2.

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] prctl.2: PR_{SET,GET}_CHILD_SUBREAPER

[Lennart Poettering]

On Fri, 08.02.13 10:35, Michael Kerrisk (man-pages) (mtk.manpages@gmail.com) wrote:

> 
> Shawn, Lennart, Kay,
> 
> On Wed, Feb 6, 2013 at 7:33 PM, Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Signed-off-by: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> > ---
> >  man2/prctl.2 |   17 +++++++++++++++++
> >  1 file changed, 17 insertions(+)
> >
> > diff --git a/man2/prctl.2 b/man2/prctl.2
> > index e4a1030..fd78f48 100644
> > --- a/man2/prctl.2
> > +++ b/man2/prctl.2
> > @@ -379,6 +379,23 @@ if the kernel is configured with
> >  .B CONFIG_SECCOMP
> >  enabled.
> >  .TP
> > +.BR PR_SET_CHILD_SUBREAPER " (since Linux 3.3)"
> > +Designates this process as a service manager for its' (immediate and
> > +indirect) offspring processes. Any process whose immediate parent
> > +dies and whose ancestry includes a process where this flag is set will
> > +be reparented to the closest process with this flag set, instead of PID
> > +1. A 'subreaper' hence receives
> > +.B SIGHCLD
> > +signals for any orphaned
> > +offspring processes, that otherwise would be received by
> > +.BR init (8).
> > +.TP
> > +.BR PR_GET_CHILD_SUBREAPER " (since Linux 3.3)"
> > +Returns whether calling process is a child subreaper (see
> > +.BR PR_SET_CHILD_SUBREAPER ),
> > +in the location pointed to by
> > +.IR "(int\ *) arg2" .
> > +.TP
> >  .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
> >  Set the "securebits" flags of the calling thread to the value supplied in
> >  .IR arg2 .
> 
> Shawn, there was some imprecision in your patch. I've instead come up
> with an alternative.
> 
> Kay, Lennart, is the following correct?
> 
>        PR_SET_CHILD_SUBREAPER (since Linux 3.4)
>               If  arg2 is nonzero, set the "child subreaper" attribute
>               of the calling process;  if  arg2  is  zero,  unset  the
>               attribute.   When  a  process  is marked as a child sub‐
>               reaper, all of the children that it creates,  and  their
>               descendants,  will  be marked as having a subreaper.  in
>               effect, a subreaper fulfills the role of init(1) for its
>               descendant  processes.   Upon  termination  of a process
>               that is orphaned (i.e., its immediate parent has already
>               terminated)  and marked as having a subreaper, the near‐
>               est still  living  ancestor  subreaper  will  receive  a
>               SIGCHLD  signal and be able to wait(2) on the process to
>               diiscover its termination status.
> 
>        PR_GET_CHILD_SUBREAPER (since Linux 3.4)
>               Return the "child subreaper" setting of the  caller,  in
>               the location pointed to by (int *) arg2.
> 

Sounds good to me! Though s/in/In/ once in there.

Thanks for putting this together, sorry for never having done this
myself.

Oh, yeah, and I still need to do that book review for you, too!

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] prctl.2: PR_{SET,GET}_CHILD_SUBREAPER

[Michael Kerrisk (man-pages)]

On Fri, Feb 8, 2013 at 5:05 PM, Lennart Poettering
<lennart-mdGvqq1h2p+GdvJs77BJ7Q@public.gmane.org> wrote:
> On Fri, 08.02.13 10:35, Michael Kerrisk (man-pages) (mtk.manpages@gmail.com) wrote:
>
>>
>> Shawn, Lennart, Kay,
>>
>> On Wed, Feb 6, 2013 at 7:33 PM, Shawn Landden <shawnlandden-Re5JQEeQqe8@public.gmane.orgm> wrote:
>> > Signed-off-by: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>> > ---
>> >  man2/prctl.2 |   17 +++++++++++++++++
>> >  1 file changed, 17 insertions(+)
>> >
>> > diff --git a/man2/prctl.2 b/man2/prctl.2
>> > index e4a1030..fd78f48 100644
>> > --- a/man2/prctl.2
>> > +++ b/man2/prctl.2
>> > @@ -379,6 +379,23 @@ if the kernel is configured with
>> >  .B CONFIG_SECCOMP
>> >  enabled.
>> >  .TP
>> > +.BR PR_SET_CHILD_SUBREAPER " (since Linux 3.3)"
>> > +Designates this process as a service manager for its' (immediate and
>> > +indirect) offspring processes. Any process whose immediate parent
>> > +dies and whose ancestry includes a process where this flag is set will
>> > +be reparented to the closest process with this flag set, instead of PID
>> > +1. A 'subreaper' hence receives
>> > +.B SIGHCLD
>> > +signals for any orphaned
>> > +offspring processes, that otherwise would be received by
>> > +.BR init (8).
>> > +.TP
>> > +.BR PR_GET_CHILD_SUBREAPER " (since Linux 3.3)"
>> > +Returns whether calling process is a child subreaper (see
>> > +.BR PR_SET_CHILD_SUBREAPER ),
>> > +in the location pointed to by
>> > +.IR "(int\ *) arg2" .
>> > +.TP
>> >  .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
>> >  Set the "securebits" flags of the calling thread to the value supplied in
>> >  .IR arg2 .
>>
>> Shawn, there was some imprecision in your patch. I've instead come up
>> with an alternative.
>>
>> Kay, Lennart, is the following correct?
>>
>>        PR_SET_CHILD_SUBREAPER (since Linux 3.4)
>>               If  arg2 is nonzero, set the "child subreaper" attribute
>>               of the calling process;  if  arg2  is  zero,  unset  the
>>               attribute.   When  a  process  is marked as a child sub‐
>>               reaper, all of the children that it creates,  and  their
>>               descendants,  will  be marked as having a subreaper.  in
>>               effect, a subreaper fulfills the role of init(1) for its
>>               descendant  processes.   Upon  termination  of a process
>>               that is orphaned (i.e., its immediate parent has already
>>               terminated)  and marked as having a subreaper, the near‐
>>               est still  living  ancestor  subreaper  will  receive  a
>>               SIGCHLD  signal and be able to wait(2) on the process to
>>               diiscover its termination status.
>>
>>        PR_GET_CHILD_SUBREAPER (since Linux 3.4)
>>               Return the "child subreaper" setting of the  caller,  in
>>               the location pointed to by (int *) arg2.
>>
>
> Sounds good to me! Though s/in/In/ once in there.

Thanks. Fixed.

> Thanks for putting this together, sorry for never having done this
> myself.

You'll do better next time, right ;-)

Cheers,

Michael
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 4/4] prctl.2: document PR_SET_PTRACER

[Michael Kerrisk (man-pages)]

Shawn,

Following up after a log time having this sit in my queue... Kees Cook
(developer of the PR_SET_PTRACER code) eventually sent me a patch for
this which I've taken instead of yours, but Kees missed documenting
the EINVAL error, and I've taken that piece from you. Thanks!

Michael


On Mon, Aug 6, 2012 at 8:19 AM, Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> ---
>  man2/prctl.2 |   29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
>
> diff --git a/man2/prctl.2 b/man2/prctl.2
> index 7f0ac46..f866f04 100644
> --- a/man2/prctl.2
> +++ b/man2/prctl.2
> @@ -45,6 +45,7 @@
>  .\"       SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
>  .\"       (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
>  .\"       PR_SET_TIMERSLACK, PR_GET_TIMESLACK, ARM alignment trap handler
> +.\"       PR_SET_PTRACER
>  .\"
>  .TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
>  .SH NAME
> @@ -321,6 +322,18 @@ This operation is only available if the kernel is configured with
>  .BR CONFIG_SECCOMP
>  enabled.
>  .TP
> +.BR PR_SET_PTRACER " (since Linux 3.3)"
> +When using restricted ptrace, permit process of pid
> +.I arg2
> +to ptrace the current task. A value of 0 means "no process", and the special
> +value
> +.B PR_SET_PTRACER_ANY
> +disables restricted ptrace for this process. Restricted ptrace is set via
> +.IR /proc/sys/kernel/yama/ptrace_scope
> +when the kernel has been configured with
> +.B CONFIG_SECURITY_YAMA
> +and the yama LSM is active.
> +.TP
>  .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
>  Set the "securebits" flags of the calling thread to the value supplied in
>  .IR arg2 .
> @@ -699,6 +712,16 @@ is
>  .B EINVAL
>  .I option
>  is
> +.BR PR_SET_PTRACER
> +and
> +.I arg2
> +is not 0,
> +.BR PR_SET_PTRACER_ANY ,
> +or the pid of an active process.
> +.TP
> +.B EINVAL
> +.I option
> +is
>  .BR PR_SET_MM ,
>  and one of the following is true
>  .RS
> @@ -742,6 +765,12 @@ and
>  .I arg3
>  is not a valid filter program.
>  .TP
> +.B ENOMEM
> +.I option
> +is
> +.BR PR_SET_PTRACER
> +and insufficient memory to set up ptrace relation with given pid.
> +.TP
>  .B EPERM
>  .I option
>  is
> --
> 1.7.9.5
>



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html