From: "Michael Kerrisk (man-pages)"
To: lkml
Cc: mtk.manpages@gmail.com
Subject: man-pages-4.07 is released
Date: Mon, 18 Jul 2016 08:47:02 +0200

Gidday,

The Linux man-pages maintainer proudly announces:

    man-pages-4.07 - man pages for Linux

This release includes input and contributions from around 50 people.
Over 140 pages saw changes, ranging from typo fixes through to page
rewrites and 4 newly created pages.

Tarball download:
    http://www.kernel.org/doc/man-pages/download.html
Git repository:
    https://git.kernel.org/cgit/docs/man-pages/man-pages.git/
Online changelog:
    http://man7.org/linux/man-pages/changelog.html#release_4.07

A short summary of the release is blogged at:
    http://linux-man-pages.blogspot.com/2016/07/man-pages-407-is-released.html

The current version of the pages is browsable at:
    http://man7.org/linux/man-pages/

A selection of changes in this release that may be of interest to
readers on LKML is shown below.

Cheers,

Michael

==================== Changes in man-pages-4.07 ====================

Released: 2016-07-17, Ulm

New and rewritten pages
-----------------------

ioctl_fideduperange.2
    Darrick J. Wong  [Christoph Hellwig, Michael Kerrisk]
        New page documenting the FIDEDUPERANGE ioctl
            Document the FIDEDUPERANGE ioctl, formerly known as
            BTRFS_IOC_EXTENT_SAME.
ioctl_ficlonerange.2
    Darrick J. Wong  [Christoph Hellwig, Michael Kerrisk]
        New page documenting FICLONE and FICLONERANGE ioctls
            Document the FICLONE and FICLONERANGE ioctls, formerly
            known as the BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE
            ioctls.

mount_namespaces.7
    Michael Kerrisk  [Michael Kerrisk]
        New page describing mount namespaces

Newly documented interfaces in existing pages
---------------------------------------------

mount.2
    Michael Kerrisk
        Document flags used to set propagation type
            Document MS_SHARED, MS_PRIVATE, MS_SLAVE, and MS_UNBINDABLE.
    Michael Kerrisk
        Document the MS_REC flag

ptrace.2
    Michael Kerrisk  [Kees Cook, Jann Horn, Eric W. Biederman, Stephen Smalley]
        Document ptrace access modes

proc.5
    Michael Kerrisk
        Document /proc/[pid]/timerslack_ns
    Michael Kerrisk
        Document /proc/PID/status 'Ngid' field
    Michael Kerrisk
        Document /proc/PID/status fields: 'NStgid', 'NSpid', 'NSpgid', 'NSsid'
    Michael Kerrisk
        Document /proc/PID/status 'Umask' field

Changes to individual pages
---------------------------

ldd.1
    Michael Kerrisk
        Add a little more detail on why ldd is unsafe with untrusted executables

futex.2
    Michael Kerrisk
        Correct an ENOSYS error description
            Since Linux 4.5, FUTEX_CLOCK_REALTIME is allowed with FUTEX_WAIT.
    Michael Kerrisk  [Darren Hart]
        Remove crufty text about FUTEX_WAIT_BITSET interpretation of timeout
            Since Linux 4.5, FUTEX_WAIT also understands FUTEX_CLOCK_REALTIME.
    Michael Kerrisk  [Thomas Gleixner]
        Explain how to get equivalent of FUTEX_WAIT with an absolute timeout
    Michael Kerrisk
        Describe FUTEX_BITSET_MATCH_ANY
            Describe FUTEX_BITSET_MATCH_ANY and FUTEX_WAIT and FUTEX_WAKE
            equivalences.
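The two futex.2 entries just above (the absolute-timeout equivalent of FUTEX_WAIT, and FUTEX_BITSET_MATCH_ANY) in working code. This is an added example, not code from the man-pages project; it assumes a Linux kernel that supports FUTEX_WAIT_BITSET, and the helper name futex_wait_abs, the sample futex word and the timeouts are all constructed here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/futex.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* Block while *uaddr still equals `expected`, giving up at the absolute
 * CLOCK_REALTIME time `deadline`.  FUTEX_WAIT only takes a relative
 * timeout; FUTEX_WAIT_BITSET with val3 = FUTEX_BITSET_MATCH_ANY waits
 * on exactly the same set of wakers but takes an absolute one.
 * Returns 0 when woken, otherwise the errno from the syscall.
 * (futex_wait_abs is a name chosen for this example.) */
static int futex_wait_abs(uint32_t *uaddr, uint32_t expected,
                          const struct timespec *deadline)
{
    long rc = syscall(SYS_futex, uaddr,
                      FUTEX_WAIT_BITSET | FUTEX_CLOCK_REALTIME,
                      expected, deadline, NULL, FUTEX_BITSET_MATCH_ANY);
    return rc == 0 ? 0 : errno;
}

/* Demo driver: wait up to `ms` milliseconds on a word that nobody will
 * ever wake.  Returns ETIMEDOUT when the word matched `expected` (the
 * wait really happened and the deadline expired) and EAGAIN when it did
 * not match (the kernel refuses to sleep on a stale value). */
int wait_unwoken_word(uint32_t expected, int ms)
{
    uint32_t word = 1;                  /* constructed sample futex word */
    struct timespec deadline;

    if (clock_gettime(CLOCK_REALTIME, &deadline) != 0)
        return errno;
    deadline.tv_nsec += (long)ms * 1000000L;
    while (deadline.tv_nsec >= 1000000000L) {   /* carry into tv_sec */
        deadline.tv_nsec -= 1000000000L;
        deadline.tv_sec += 1;
    }
    return futex_wait_abs(&word, expected, &deadline);
}

int main(void)
{
    /* Expected: ETIMEDOUT after roughly 50 ms, since nobody calls FUTEX_WAKE. */
    return wait_unwoken_word(1, 50) == ETIMEDOUT ? 0 : 1;
}
```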
    Michael Kerrisk  [Thomas Gleixner, Darren Hart]
        Fix descriptions of various timeouts
    Michael Kerrisk
        Clarify clock default and choices for FUTEX_WAIT

kcmp.2
    Michael Kerrisk
        kcmp() is governed by PTRACE_MODE_READ_REALCREDS

mount.2
    Michael Kerrisk
        Restructure discussion of 'mountflags' into functional groups
            The existing text makes no differentiation between different
            "classes" of mount flags. However, certain flags such as
            MS_REMOUNT, MS_BIND, MS_MOVE, etc. determine the general type
            of operation that mount() performs. Furthermore, the choice of
            which class of operation to perform is made in a certain
            order, and that order is significant if multiple flags are
            specified. Restructure and extend the text to reflect these
            details.
    Michael Kerrisk
        Since Linux 2.6.26, bind mounts can be made read-only

process_vm_readv.2
    Michael Kerrisk
        Rephrase permission rules in terms of a ptrace access mode check

ptrace.2
    Michael Kerrisk  [Jann Horn]
        Update Yama ptrace_scope documentation
            Reframe the discussion in terms of PTRACE_MODE_ATTACH checks,
            and make a few other minor tweaks and additions.
    Michael Kerrisk, Jann Horn
        Note that user namespaces can be used to bypass Yama protections
    Michael Kerrisk
        Note that PTRACE_SEIZE is subject to a ptrace access mode check
    Michael Kerrisk
        Rephrase PTRACE_ATTACH permissions in terms of ptrace access mode check

wait.2
    Michael Kerrisk
        Since Linux 4.7, __WALL is implied if child being ptraced
    Michael Kerrisk
        waitid() now (since Linux 4.7) also supports __WNOTHREAD/__WCLONE/__WALL

proc.5
    Michael Kerrisk
        /proc/PID/fd/* are governed by PTRACE_MODE_READ_FSCREDS
            Permission to dereference/readlink /proc/PID/fd/* symlinks is
            governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.
    Michael Kerrisk
        /proc/PID/timerslack_ns is governed by PTRACE_MODE_ATTACH_FSCREDS
            Permission to access /proc/PID/timerslack_ns is governed by a
            PTRACE_MODE_ATTACH_FSCREDS ptrace access mode check.
    Michael Kerrisk
        Document /proc/PID/{maps,mem,pagemap} access mode checks
            Permission to access /proc/PID/{maps,pagemap} is governed by a
            PTRACE_MODE_READ_FSCREDS ptrace access mode check. Permission
            to access /proc/PID/mem is governed by a
            PTRACE_MODE_ATTACH_FSCREDS ptrace access mode check.
    Michael Kerrisk
        Note /proc/PID/stat fields that are governed by PTRACE_MODE_READ_FSCREDS
    Michael Kerrisk
        /proc/PID/{cwd,exe,root} are governed by PTRACE_MODE_READ_FSCREDS
            Permission to dereference/readlink /proc/PID/{cwd,exe,root} is
            governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.
    Michael Kerrisk
        /proc/PID/io is governed by PTRACE_MODE_READ_FSCREDS
            Permission to access /proc/PID/io is governed by a
            PTRACE_MODE_READ_FSCREDS ptrace access mode check.
    Michael Kerrisk
        /proc/PID/{personality,stack,syscall} are governed by PTRACE_MODE_ATTACH_FSCREDS
            Permission to access /proc/PID/{personality,stack,syscall} is
            governed by a PTRACE_MODE_ATTACH_FSCREDS ptrace access mode check.
    Michael Kerrisk
        /proc/PID/{auxv,environ,wchan} are governed by PTRACE_MODE_READ_FSCREDS
            Permission to access /proc/PID/{auxv,environ,wchan} is governed
            by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.
    Michael Kerrisk
        Move shared subtree /proc/PID/mountinfo fields to mount_namespaces(7)
            Move information on shared subtree fields in /proc/PID/mountinfo
            to mount_namespaces(7).
    Michael Kerrisk  ["Yuming Ma(马玉明)"]
        Note that /proc/net is now virtualized per network namespace

namespaces.7
    Michael Kerrisk
        /proc/PID/ns/* are governed by PTRACE_MODE_READ_FSCREDS
            Permission to dereference/readlink /proc/PID/ns/* symlinks is
            governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.
    Michael Kerrisk
        Nowadays, file changes in /proc/PID/mounts are notified differently
            Exceptional condition for select(), (E)POLLPRI for (e)poll

netlink.7
    Andrey Vagin
        Describe netlink socket options

unix.7
    Michael Kerrisk
        Move discussion on pathname socket permissions to DESCRIPTION
    Michael Kerrisk
        Expand discussion of socket permissions
    Michael Kerrisk
        Fix statement about permissions needed to connect to a UNIX domain socket
            Read permission is not required (verified by experiment).
    Michael Kerrisk
        Clarify ownership and permissions assigned during socket creation
    Michael Kerrisk  [Carsten Grohmann]
        Update text on socket permissions on other systems
            At least some of the modern BSDs seem to check for write
            permission on a socket. (I tested OpenBSD 5.9.) On Solaris 10,
            some light testing suggested that write permission is still not
            checked on that system.
    Michael Kerrisk
        Note that umask / permissions have no effect for abstract sockets
    Michael Kerrisk
        Note that abstract sockets automatically disappear when FDs are closed

user_namespaces.7
    Michael Kerrisk  [Michał Zegan]
        Clarify meaning of privilege in a user namespace
            Having privilege in a user NS only allows privileged operations
            on resources governed by that user NS. Many privileged
            operations relate to resources that have no association with
            any namespace type, and only processes with privilege in the
            initial user NS can perform those operations.
            See https://bugzilla.kernel.org/show_bug.cgi?id=120671
    Michael Kerrisk  [Michał Zegan]
        List the mount operations permitted by CAP_SYS_ADMIN
            List the mount operations permitted by CAP_SYS_ADMIN in a
            noninitial userns.
            See https://bugzilla.kernel.org/show_bug.cgi?id=120671
    Michael Kerrisk
        Clarify details of CAP_SYS_ADMIN and cgroup v1 mounts
            With respect to cgroups version 1, CAP_SYS_ADMIN in the user
            namespace allows only *named* hierarchies to be mounted (and
            not hierarchies that have a controller).
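The connect() permission rule from the unix.7 entries above (write permission on the socket file is what counts, read permission is not required) reproduced as a runnable experiment. This is an added example, not code from the man-pages project; the socket path is supplied by the caller, and a caller with CAP_DAC_OVERRIDE (root) bypasses the file permission check, so the effect is only visible unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind a listening pathname socket at `path`, set the socket file's mode,
 * then connect() to it from a second socket in the same process.
 * Returns 0 if the kernel let the connection through, otherwise the errno
 * of the failing call.  The socket file is removed again before return.
 * (connect_with_socket_mode is a name chosen for this example.) */
int connect_with_socket_mode(const char *path, mode_t mode)
{
    struct sockaddr_un addr;
    int srv, cli, err = 0;

    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);                       /* start from a clean slate */

    srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0)
        return errno;
    /* bind() creates the socket file as 0777 & ~umask; chmod then forces
     * the mode under test (0200 = write-only, 0400 = read-only). */
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(srv, 1) < 0 || chmod(path, mode) < 0) {
        err = errno;
        close(srv);
        unlink(path);
        return err;
    }

    cli = socket(AF_UNIX, SOCK_STREAM, 0);
    if (cli < 0 || connect(cli, (struct sockaddr *)&addr, sizeof addr) < 0)
        err = errno;                    /* EACCES when the write bit is absent */

    if (cli >= 0)
        close(cli);
    close(srv);
    unlink(path);
    return err;
}
```

A write-only (0200) socket file accepts the connection while a read-only (0400) one is refused with EACCES for an unprivileged caller; an abstract socket (leading NUL byte in sun_path) has no file at all, which is why, as the entry above notes, umask and permissions have no effect on it.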
    Michael Kerrisk
        Clarify CAP_SYS_ADMIN details for mounting FS_USERNS_MOUNT filesystems
    Michael Kerrisk
        Correct user namespace rules for mounting /proc
    Michael Kerrisk
        Describe a concrete example of capability checking
            Add a concrete example of how the kernel checks capabilities in
            an associated user namespace when a process attempts a
            privileged operation.

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/