.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
-.TH CORE 5 2014-08-19 "Linux" "Linux Programmer's Manual"
+.TH CORE 5 2016-10-08 "Linux" "Linux Programmer's Manual"
.SH NAME
core \- core dump file
.SH DESCRIPTION
The default value in this file is "core".
For backward compatibility, if
.I /proc/sys/kernel/core_pattern
-does not include "%p" and
+does not include
+.I %p
+and
.I /proc/sys/kernel/core_uses_pid
(see below)
is nonzero, then .PID will be appended to the core filename.
+Paths are interpreted according to the settings that are active for the
+crashing process.
+That means the crashing process's mount namespace (see
+.BR mount_namespaces (7)),
+its current working directory (found via
+.BR getcwd (2)),
+and its root directory (see
+.BR chroot (2)).
+
Since version 2.4, Linux has also provided
a more primitive method of controlling
the name of the core dump file.
.I /proc/sys/kernel/core_pattern
file.
If the first character of this file is a pipe symbol (\fB|\fP),
-then the remainder of the line is interpreted as a program to be
+then the remainder of the line is interpreted as a user-space program to be
executed.
Instead of being written to a disk file, the core dump is given as
standard input to the program.
pathname relative to the root directory, \fI/\fP),
and must immediately follow the '|' character.
.IP *
+The program pathname is interpreted with respect to the initial mount namespace
+as it is always executed there.
+It is not affected by the settings
+(e.g., root directory, mount namespace, current working directory)
+of the crashing process.
+.IP *
The process created to run the program runs as user and group
.IR root .
.IP *
+Running as
+.I root
+does not confer any exceptional security bypasses.
+Namely, LSMs (e.g., SELinux) are still active and may prevent the handler
+from accessing details about the crashed process via
+.IR /proc/[pid] .
+.IP *
+The process created runs in the initial namespaces (pid, mount, user, etc...)
+and not in the namespaces of the crashing process.
+One can utilize specifiers such as
+.I %P
+to find the right
+.I /proc/[pid]
+directory and probe/enter the crashing process's namespaces if needed.
+.IP *
Command-line arguments can be supplied to the
program (since Linux 2.6.24),
delimited by white space (up to a total line length of 128 bytes).
For example, to pass the PID of the process that is being dumped, specify
.I %p
in an argument.
+.\"
+.SS /proc/sys/kernel/core_pipe_limit
+When collecting core dumps via a pipe to a user-space program,
+it can be useful for the collecting program to gather data about
+the crashing process from that process's
+.IR /proc/[pid]
+directory.
+In order to do this safely,
+the kernel must wait for the program collecting the core dump to exit,
+so as not to remove the crashing process's
+.IR /proc/[pid]
+files prematurely.
+This in turn creates the
+possibility that a misbehaving collecting program can block
+the reaping of a crashed process by simply never exiting.
+
+Since Linux 2.6.32,
+.\" commit a293980c2e261bd5b0d2a77340dd04f684caff58
+the
+.I /proc/sys/kernel/core_pipe_limit
+can be used to defend against this possibility.
+The value in this file defines how many concurrent crashing
+processes may be piped to user-space programs in parallel.
+If this value is exceeded, then those crashing processes above this value
+are noted in the kernel log and their core dumps are skipped.
+
+A value of 0 in this file is special.
+It indicates that unlimited processes may be captured in parallel,
+but that no waiting will take place (i.e., the collecting
+program is not guaranteed access to
+.IR /proc/<crashing-PID> ).
+The default value for this file is 0.
+.\"
.SS Controlling which mappings are written to the core dump
Since kernel 2.6.23, the Linux-specific
-.IR /proc/PID/coredump_filter
+.IR /proc/[pid]/coredump_filter
file can be used to control which memory segments are written to the
core dump file in the event that a core dump is performed for the
process with the corresponding process ID.
.TP
bit 6 (since Linux 2.6.28)
Dump shared huge pages.
+.TP
+bit 7 (since Linux 4.4)
+.\" commit ab27a8d04b32b6ee8c30c14c4afd1058e8addc82
+Dump private DAX pages.
+.TP
+bit 8 (since Linux 4.4)
+.\" commit ab27a8d04b32b6ee8c30c14c4afd1058e8addc82
+Dump shared DAX pages.
.RE
.PD
.PP
By default, the following bits are set: 0, 1, 4 (if the
.B CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS
kernel configuration option is enabled), and 5.
+This default can be modified at boot time using the
+.I coredump_filter
+boot option.
+
The value of this file is displayed in hexadecimal.
(The default value is thus displayed as 33.)
.BR clone (2))
dumps core, then the process ID is always appended to the core filename,
unless the process ID was already included elsewhere in the
-filename via a %p specification in
+filename via a
+.I %p
+specification in
.IR /proc/sys/kernel/core_pattern .
(This is primarily useful when employing the obsolete
LinuxThreads implementation,