Commit | Line | Data |
---|---|---|
fea681da | 1 | .\" Copyright (C) 1998 Andries Brouwer (aeb@cwi.nl) |
73d3ac53 | 2 | .\" and Copyright (C) 2002, 2006, 2008, 2012, 2013 Michael Kerrisk <mtk.manpages@gmail.com> |
af5f9508 | 3 | .\" and Copyright Guillem Jover <guillem@hadrons.org> |
3cd5e983 | 4 | .\" and Copyright (C) 2014 Dave Hansen / Intel |
fea681da | 5 | .\" |
93015253 | 6 | .\" %%%LICENSE_START(VERBATIM) |
fea681da MK |
7 | .\" Permission is granted to make and distribute verbatim copies of this |
8 | .\" manual provided the copyright notice and this permission notice are | |
9 | .\" preserved on all copies. | |
10 | .\" | |
11 | .\" Permission is granted to copy and distribute modified versions of this | |
12 | .\" manual under the conditions for verbatim copying, provided that the | |
13 | .\" entire resulting derived work is distributed under the terms of a | |
14 | .\" permission notice identical to this one. | |
c13182ef | 15 | .\" |
fea681da MK |
16 | .\" Since the Linux kernel and libraries are constantly changing, this |
17 | .\" manual page may be incorrect or out-of-date. The author(s) assume no | |
18 | .\" responsibility for errors or omissions, or for damages resulting from | |
19 | .\" the use of the information contained herein. The author(s) may not | |
20 | .\" have taken the same level of care in the production of this manual, | |
21 | .\" which is licensed free of charge, as they might when working | |
22 | .\" professionally. | |
c13182ef | 23 | .\" |
fea681da MK |
24 | .\" Formatted or processed versions of this manual, if unaccompanied by |
25 | .\" the source, must acknowledge the copyright and authors of this work. | |
4b72fb64 | 26 | .\" %%%LICENSE_END |
fea681da MK |
27 | .\" |
28 | .\" Modified Thu Nov 11 04:19:42 MET 1999, aeb: added PR_GET_PDEATHSIG | |
29 | .\" Modified 27 Jun 02, Michael Kerrisk | |
c13182ef | 30 | .\" Added PR_SET_DUMPABLE, PR_GET_DUMPABLE, |
fea681da | 31 | .\" PR_SET_KEEPCAPS, PR_GET_KEEPCAPS |
e87fdd92 MK |
32 | .\" Modified 2006-08-30 Guillem Jover <guillem@hadrons.org> |
33 | .\" Updated Linux versions where the options were introduced. | |
34 | .\" Added PR_SET_TIMING, PR_GET_TIMING, PR_SET_NAME, PR_GET_NAME, | |
35 | .\" PR_SET_UNALIGN, PR_GET_UNALIGN, PR_SET_FPEMU, PR_GET_FPEMU, | |
36 | .\" PR_SET_FPEXC, PR_GET_FPEXC | |
8ab8b43f MK |
37 | .\" 2008-04-29 Serge Hallyn, Document PR_CAPBSET_READ and PR_CAPBSET_DROP |
38 | .\" 2008-06-13 Erik Bosman, <ejbosman@cs.vu.nl> | |
39 | .\" Document PR_GET_TSC and PR_SET_TSC. | |
40 | .\" 2008-06-15 mtk, Document PR_SET_SECCOMP, PR_GET_SECCOMP | |
bc02b3ea | 41 | .\" 2009-10-03 Andi Kleen, document PR_MCE_KILL |
06afe673 | 42 | .\" 2012-04 Cyrill Gorcunov, Document PR_SET_MM |
bc02b3ea MK |
43 | .\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and |
44 | .\" PR_TASK_PERF_EVENTS_ENABLE | |
34447828 | 45 | .\" 2012-09-20 Kees Cook, update PR_SET_SECCOMP for mode 2 |
f83fe154 | 46 | .\" 2012-09-20 Kees Cook, document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS |
934487a0 MK |
47 | .\" 2012-10-25 Michael Kerrisk, Document PR_SET_TIMERSLACK and |
48 | .\" PR_GET_TIMERSLACK | |
491b2e75 | 49 | .\" 2013-01-10 Kees Cook, document PR_SET_PTRACER |
73d3ac53 | 50 | .\" 2012-02-04 Michael Kerrisk, document PR_{SET,GET}_CHILD_SUBREAPER |
03979794 | 51 | .\" 2014-11-10 Dave Hansen, document PR_MPX_{EN,DIS}ABLE_MANAGEMENT |
fea681da | 52 | .\" |
e14baeeb | 53 | .\" |
9dc53e71 | 54 | .TH PRCTL 2 2015-02-01 "Linux" "Linux Programmer's Manual" |
fea681da MK |
55 | .SH NAME |
56 | prctl \- operations on a process | |
57 | .SH SYNOPSIS | |
521bf584 | 58 | .nf |
fea681da MK |
59 | .B #include <sys/prctl.h> |
60 | .sp | |
521bf584 MK |
61 | .BI "int prctl(int " option ", unsigned long " arg2 ", unsigned long " arg3 , |
62 | .BI " unsigned long " arg4 ", unsigned long " arg5 ); | |
63 | .fi | |
fea681da | 64 | .SH DESCRIPTION |
e511ffb6 | 65 | .BR prctl () |
fea681da | 66 | is called with a first argument describing what to do |
1a329b56 | 67 | (with values defined in \fI<linux/prctl.h>\fP), and further |
c4bb193f | 68 | arguments with a significance depending on the first one. |
fea681da MK |
69 | The first argument can be: |
70 | .TP | |
2e781e20 | 71 | .BR PR_CAPBSET_READ " (since Linux 2.6.25)" |
8ab8b43f MK |
72 | Return (as the function result) 1 if the capability specified in |
73 | .I arg2 | |
74 | is in the calling thread's capability bounding set, | |
75 | or 0 if it is not. | |
76 | (The capability constants are defined in | |
77 | .IR <linux/capability.h> .) | |
78 | The capability bounding set dictates | |
79 | whether the process can receive the capability through a | |
2914a14d | 80 | file's permitted capability set on a subsequent call to |
8ab8b43f MK |
81 | .BR execve (2). |
82 | ||
83 | If the capability specified in | |
84 | .I arg2 | |
85 | is not valid, then the call fails with the error | |
86 | .BR EINVAL . | |
87 | .TP | |
88 | .BR PR_CAPBSET_DROP " (since Linux 2.6.25)" | |
89 | If the calling thread has the | |
90 | .B CAP_SETPCAP | |
91 | capability, then drop the capability specified by | |
92 | .I arg2 | |
93 | from the calling thread's capability bounding set. | |
94 | Any children of the calling thread will inherit the newly | |
95 | reduced bounding set. | |
96 | ||
97 | The call fails with the error: | |
98 | .B EPERM | |
2914a14d | 99 | if the calling thread does not have the |
8ab8b43f MK |
100 | .BR CAP_SETPCAP ; |
101 | .BR EINVAL | |
102 | if | |
103 | .I arg2 | |
104 | does not represent a valid capability; or | |
105 | .BR EINVAL | |
106 | if file capabilities are not enabled in the kernel, | |
107 | in which case bounding sets are not supported. | |
73d3ac53 MK |
108 | .TP |
109 | .BR PR_SET_CHILD_SUBREAPER " (since Linux 3.4)" | |
110 | .\" commit ebec18a6d3aa1e7d84aab16225e87fd25170ec2b | |
111 | If | |
112 | .I arg2 | |
113 | is nonzero, | |
114 | set the "child subreaper" attribute of the calling process; | |
115 | if | |
116 | .I arg2 | |
117 | is zero, unset the attribute. | |
36127c0e | 118 | When a process is marked as a child subreaper, |
73d3ac53 MK |
119 | all of the children that it creates, and their descendants, |
120 | will be marked as having a subreaper. | |
121 | In effect, a subreaper fulfills the role of | |
122 | .BR init (1) | |
123 | for its descendant processes. | |
124 | Upon termination of a process | |
125 | that is orphaned (i.e., its immediate parent has already terminated) | |
126 | and marked as having a subreaper, | |
127 | the nearest still living ancestor subreaper | |
128 | will receive a | |
129 | .BR SIGCHLD | |
130 | signal and be able to | |
131 | .BR wait (2) | |
132 | on the process to discover its termination status. | |
73d3ac53 MK |
133 | .TP |
134 | .BR PR_GET_CHILD_SUBREAPER " (since Linux 3.4)" | |
135 | Return the "child subreaper" setting of the caller, | |
136 | in the location pointed to by | |
137 | .IR "(int\ *) arg2" . | |
8ab8b43f | 138 | .TP |
88989295 MK |
139 | .BR PR_SET_DUMPABLE " (since Linux 2.3.20)" |
140 | Set the state of the flag determining whether core dumps are produced | |
6f620318 | 141 | for the calling process upon delivery of a signal whose default behavior is |
88989295 | 142 | to produce a core dump. |
4a3713a4 MK |
143 | |
144 | Normally, this flag is set for a process by default, but it is cleared | |
13f296bc MK |
145 | when a set-user-ID or set-group-ID program, |
146 | or a program that has file capabilities associated with it (see | |
147 | .BR capabilities (7)), | |
4a3713a4 MK |
148 | is executed. |
149 | It is also set by various system calls that manipulate process UIDs and GIDs. | |
150 | ||
88989295 | 151 | In kernels up to and including 2.6.12, |
8ab8b43f | 152 | .I arg2 |
88989295 MK |
153 | must be either 0 (process is not dumpable) or 1 (process is dumpable). |
154 | Between kernels 2.6.13 and 2.6.17, the value 2 was also permitted, | |
155 | which caused any binary which normally would not be dumped | |
156 | to be dumped readable by root only; | |
157 | for security reasons, this feature has been removed. | |
158 | .\" See http://marc.theaimsgroup.com/?l=linux-kernel&m=115270289030630&w=2 | |
159 | .\" Subject: Fix prctl privilege escalation (CVE-2006-2451) | |
160 | .\" From: Marcel Holtmann <marcel () holtmann ! org> | |
161 | .\" Date: 2006-07-12 11:12:00 | |
162 | (See also the description of | |
163 | .I /proc/sys/fs/suid_dumpable | |
164 | in | |
165 | .BR proc (5).) | |
4a3713a4 | 166 | |
cadcf1b1 | 167 | Processes that are not dumpable cannot be attached via |
6fdbc779 | 168 | .BR ptrace (2) |
cadcf1b1 | 169 | .BR PTRACE_ATTACH . |
64536a1b | 170 | .TP |
88989295 MK |
171 | .BR PR_GET_DUMPABLE " (since Linux 2.3.20)" |
172 | Return (as the function result) the current state of the calling | |
173 | process's dumpable flag. | |
174 | .\" Since Linux 2.6.13, the dumpable flag can have the value 2, | |
175 | .\" but in 2.6.13 PR_GET_DUMPABLE simply returns 1 if the dumpable | |
c7094399 | 176 | .\" flag has a nonzero value. This was fixed in 2.6.14. |
64536a1b | 177 | .TP |
8ab8b43f | 178 | .BR PR_SET_ENDIAN " (since Linux 2.6.18, PowerPC only)" |
c13182ef | 179 | Set the endian-ness of the calling process to the value given |
64536a1b | 180 | in \fIarg2\fP, which should be one of the following: |
8ab8b43f | 181 | .\" Respectively 0, 1, 2 |
64536a1b MK |
182 | .BR PR_ENDIAN_BIG , |
183 | .BR PR_ENDIAN_LITTLE , | |
184 | or | |
0daa9e92 | 185 | .B PR_ENDIAN_PPC_LITTLE |
64536a1b | 186 | (PowerPC pseudo little endian). |
e87fdd92 | 187 | .TP |
8ab8b43f MK |
188 | .BR PR_GET_ENDIAN " (since Linux 2.6.18, PowerPC only)" |
189 | Return the endian-ness of the calling process, | |
190 | in the location pointed to by | |
191 | .IR "(int\ *) arg2" . | |
192 | .TP | |
8ab8b43f | 193 | .BR PR_SET_FPEMU " (since Linux 2.4.18, 2.5.9, only on ia64)" |
e87fdd92 MK |
194 | Set floating-point emulation control bits to \fIarg2\fP. |
195 | Pass \fBPR_FPEMU_NOPRINT\fP to silently emulate fp operation accesses, or | |
8bd58774 MK |
196 | \fBPR_FPEMU_SIGFPE\fP to not emulate fp operations and send |
197 | .B SIGFPE | |
198 | instead. | |
e87fdd92 | 199 | .TP |
8ab8b43f MK |
200 | .BR PR_GET_FPEMU " (since Linux 2.4.18, 2.5.9, only on ia64)" |
201 | Return floating-point emulation control bits, | |
202 | in the location pointed to by | |
203 | .IR "(int\ *) arg2" . | |
e87fdd92 | 204 | .TP |
8ab8b43f | 205 | .BR PR_SET_FPEXC " (since Linux 2.4.21, 2.5.32, only on PowerPC)" |
1c44bd5b MK |
206 | Set floating-point exception mode to \fIarg2\fP. |
207 | Pass \fBPR_FP_EXC_SW_ENABLE\fP to use FPEXC for FP exception enables, | |
c45bd688 MK |
208 | \fBPR_FP_EXC_DIV\fP for floating-point divide by zero, |
209 | \fBPR_FP_EXC_OVF\fP for floating-point overflow, | |
210 | \fBPR_FP_EXC_UND\fP for floating-point underflow, | |
211 | \fBPR_FP_EXC_RES\fP for floating-point inexact result, | |
212 | \fBPR_FP_EXC_INV\fP for floating-point invalid operation, | |
e87fdd92 | 213 | \fBPR_FP_EXC_DISABLED\fP for FP exceptions disabled, |
b28f6e56 | 214 | \fBPR_FP_EXC_NONRECOV\fP for async nonrecoverable exception mode, |
e87fdd92 MK |
215 | \fBPR_FP_EXC_ASYNC\fP for async recoverable exception mode, |
216 | \fBPR_FP_EXC_PRECISE\fP for precise exception mode. | |
217 | .TP | |
8ab8b43f MK |
218 | .BR PR_GET_FPEXC " (since Linux 2.4.21, 2.5.32, only on PowerPC)" |
219 | Return floating-point exception mode, | |
220 | in the location pointed to by | |
221 | .IR "(int\ *) arg2" . | |
222 | .TP | |
88989295 MK |
223 | .BR PR_SET_KEEPCAPS " (since Linux 2.2.18)" |
224 | Set the state of the thread's "keep capabilities" flag, | |
028cb080 MK |
225 | which determines whether the thread's permitted |
226 | capability set is cleared when a change is made to the thread's user IDs | |
88989295 | 227 | such that the thread's real UID, effective UID, and saved set-user-ID |
c7094399 | 228 | all become nonzero when at least one of them previously had the value 0. |
028cb080 MK |
229 | By default, the permitted capability set is cleared when such a change is made; |
230 | setting the "keep capabilities" flag prevents it from being cleared. | |
88989295 | 231 | .I arg2 |
028cb080 MK |
232 | must be either 0 (permitted capabilities are cleared) |
233 | or 1 (permitted capabilities are kept). | |
234 | (A thread's | |
235 | .I effective | |
236 | capability set is always cleared when such a credential change is made, | |
237 | regardless of the setting of the "keep capabilities" flag.) | |
238 | The "keep capabilities" value will be reset to 0 on subsequent calls to | |
88989295 MK |
239 | .BR execve (2). |
240 | .TP | |
241 | .BR PR_GET_KEEPCAPS " (since Linux 2.2.18)" | |
242 | Return (as the function result) the current state of the calling thread's | |
243 | "keep capabilities" flag. | |
244 | .TP | |
245 | .BR PR_SET_NAME " (since Linux 2.6.9)" | |
c420fde2 | 246 | Set the name of the calling thread, |
88989295 MK |
247 | using the value in the location pointed to by |
248 | .IR "(char\ *) arg2" . | |
249 | The name can be up to 16 bytes long, | |
250 | .\" TASK_COMM_LEN in include/linux/sched.h | |
db6d60b3 | 251 | including the terminating null byte. |
ea55bc7b MK |
252 | (If the length of the string, including the terminating null byte, |
253 | exceeds 16 bytes, the string is silently truncated.) | |
7b6de6f6 MK |
254 | This is the same attribute that can be set via |
255 | .BR pthread_setname_np (3) | |
256 | and retrieved using | |
257 | .BR pthread_getname_np (3). | |
258 | The attribute is likewise accessible via | |
259 | .IR /proc/self/task/[tid]/comm , | |
260 | where | |
261 | .I tid | |
262 | is the thread ID of the calling thread. | |
88989295 MK |
263 | .TP |
264 | .BR PR_GET_NAME " (since Linux 2.6.11)" | |
c420fde2 | 265 | Return the name of the calling thread, |
88989295 MK |
266 | in the buffer pointed to by |
267 | .IR "(char\ *) arg2" . | |
268 | The buffer should allow space for up to 16 bytes; | |
db6d60b3 | 269 | the returned string will be null-terminated. |
88989295 | 270 | .TP |
f83fe154 | 271 | .BR PR_SET_NO_NEW_PRIVS " (since Linux 3.5)" |
0fcc276f MK |
272 | Set the calling process's |
273 | .I no_new_privs | |
274 | bit to the value in | |
275 | .IR arg2 . | |
276 | With | |
b1df3071 | 277 | .I no_new_privs |
0fcc276f MK |
278 | set to 1, |
279 | .BR execve (2) | |
b1df3071 MK |
280 | promises not to grant privileges to do anything |
281 | that could not have been done without the | |
0fcc276f | 282 | .BR execve (2) |
b1df3071 MK |
283 | call (for example, |
284 | rendering the set-user-ID and set-group-ID permission bits, | |
285 | and file capabilities non-functional). | |
286 | Once set, this bit cannot be unset. | |
287 | The setting of this bit is inherited by children created by | |
288 | .BR fork (2) | |
0fcc276f | 289 | and |
b1df3071 MK |
290 | .BR clone (2), |
291 | and preserved across | |
292 | .BR execve (2). | |
19593937 MK |
293 | |
294 | For more information, see the kernel source file | |
295 | .IR Documentation/prctl/no_new_privs.txt . | |
f83fe154 KC |
296 | .TP |
297 | .BR PR_GET_NO_NEW_PRIVS " (since Linux 3.5)" | |
adea52c7 | 298 | Return (as the function result) the value of the |
0fcc276f MK |
299 | .I no_new_privs |
300 | bit for the current process. | |
301 | A value of 0 indicates the regular | |
302 | .BR execve (2) | |
303 | behavior. | |
304 | A value of 1 indicates | |
305 | .BR execve (2) | |
b1df3071 | 306 | will operate in the privilege-restricting mode described above. |
f83fe154 | 307 | .TP |
88989295 MK |
308 | .BR PR_SET_PDEATHSIG " (since Linux 2.1.57)" |
309 | Set the parent process death signal | |
310 | of the calling process to \fIarg2\fP (either a signal value | |
311 | in the range 1..maxsig, or 0 to clear). | |
312 | This is the signal that the calling process will get when its | |
313 | parent dies. | |
314 | This value is cleared for the child of a | |
c7c7235c | 315 | .BR fork (2) |
46b7f60e | 316 | and (since Linux 2.4.36 / 2.6.23) |
840a2b86 MK |
317 | when executing a set-user-ID or set-group-ID binary, |
318 | or a binary that has associated capabilities (see | |
319 | .BR capabilities (7)). | |
92cfcaf7 MK |
320 | This value is preserved across |
321 | .BR execve (2). | |
88989295 MK |
322 | .TP |
323 | .BR PR_GET_PDEATHSIG " (since Linux 2.3.15)" | |
324 | Return the current value of the parent process death signal, | |
325 | in the location pointed to by | |
326 | .IR "(int\ *) arg2" . | |
327 | .TP | |
491b2e75 | 328 | .BR PR_SET_PTRACER " (since Linux 3.4)" |
ff03be9a MK |
329 | .\" commit 2d514487faf188938a4ee4fb3464eeecfbdcf8eb |
330 | .\" commit bf06189e4d14641c0148bea16e9dd24943862215 | |
33a0ccb2 | 331 | This is meaningful only when the Yama LSM is enabled and in mode 1 |
491b2e75 KC |
332 | ("restricted ptrace", visible via |
333 | .IR /proc/sys/kernel/yama/ptrace_scope ). | |
2c7d476b MK |
334 | When a "ptracer process ID" is passed in \fIarg2\fP, |
335 | the caller is declaring that the ptracer process can | |
336 | .BR ptrace (2) | |
337 | the calling process as if it were a direct process ancestor. | |
9f4cec52 MK |
338 | Each |
339 | .B PR_SET_PTRACER | |
340 | operation replaces the previous "ptracer process ID". | |
2c7d476b MK |
341 | Employing |
342 | .B PR_SET_PTRACER | |
343 | with | |
344 | .I arg2 | |
345 | set to 0 clears the caller's "ptracer process ID". | |
346 | If | |
347 | .I arg2 | |
348 | is | |
c367cd59 | 349 | .BR PR_SET_PTRACER_ANY , |
491b2e75 | 350 | the ptrace restrictions introduced by Yama are effectively disabled for the |
2c7d476b | 351 | calling process. |
491b2e75 KC |
352 | |
353 | For further information, see the kernel source file | |
354 | .IR Documentation/security/Yama.txt . | |
355 | .TP | |
8ab8b43f MK |
356 | .BR PR_SET_SECCOMP " (since Linux 2.6.23)" |
357 | .\" See http://thread.gmane.org/gmane.linux.kernel/542632 | |
358 | .\" [PATCH 0 of 2] seccomp updates | |
359 | .\" andrea@cpushare.com | |
d6ef3d57 MK |
360 | Set the secure computing (seccomp) mode for the calling thread, to limit |
361 | the available system calls. | |
25813394 MK |
362 | The more recent |
363 | .BR seccomp (2) | |
364 | system call provides a superset of the functionality of | |
365 | .BR PR_SET_SECCOMP . | |
366 | ||
34447828 KC |
367 | The seccomp mode is selected via |
368 | .IR arg2 . | |
369 | (The seccomp constants are defined in | |
370 | .IR <linux/seccomp.h> .) | |
371 | ||
372 | With | |
8ab8b43f | 373 | .IR arg2 |
34447828 | 374 | set to |
b1248a9d | 375 | .BR SECCOMP_MODE_STRICT , |
8ab8b43f MK |
376 | the only system calls that the thread is permitted to make are |
377 | .BR read (2), | |
378 | .BR write (2), | |