.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
-.TH CORE 5 2015-12-05 "Linux" "Linux Programmer's Manual"
+.TH CORE 5 2016-10-08 "Linux" "Linux Programmer's Manual"
.SH NAME
core \- core dump file
.SH DESCRIPTION
(see below)
is nonzero, then .PID will be appended to the core filename.
+Paths are interpreted according to the settings that are active for the
+crashing process.
+That means the crashing process's mount namespace (see
+.BR mount_namespaces (7)),
+its current working directory (found via
+.BR getcwd (2)),
+and its root directory (see
+.BR chroot (2)).
+
Since version 2.4, Linux has also provided
a more primitive method of controlling
the name of the core dump file.
pathname relative to the root directory, \fI/\fP),
and must immediately follow the '|' character.
.IP *
+The program pathname is interpreted with respect to the initial mount namespace
+as it is always executed there.
+It is not affected by the settings
+(e.g., root directory, mount namespace, current working directory)
+of the crashing process.
+.IP *
The process created to run the program runs as user and group
.IR root .
.IP *
+Running as
+.I root
+does not confer any exceptional security bypasses.
+Namely, LSMs (e.g., SELinux) are still active and may prevent the handler
+from accessing details about the crashed process via
+.IR /proc/[pid] .
+.IP *
+The process created runs in the initial namespaces (pid, mount, user, etc...)
+and not in the namespaces of the crashing process.
+One can utilize specifiers such as
+.I %P
+to find the right
+.I /proc/[pid]
+directory and probe/enter the crashing process's namespaces if needed.
+.IP *
Command-line arguments can be supplied to the
program (since Linux 2.6.24),
delimited by white space (up to a total line length of 128 bytes).
When collecting core dumps via a pipe to a user-space program,
it can be useful for the collecting program to gather data about
the crashing process from that process's
-.IR /proc/PID
+.IR /proc/[pid]
directory.
In order to do this safely,
the kernel must wait for the program collecting the core dump to exit,
so as not to remove the crashing process's
-.IR /proc/PID
+.IR /proc/[pid]
files prematurely.
This in turn creates the
possibility that a misbehaving collecting program can block
.\"
.SS Controlling which mappings are written to the core dump
Since kernel 2.6.23, the Linux-specific
-.IR /proc/PID/coredump_filter
+.IR /proc/[pid]/coredump_filter
file can be used to control which memory segments are written to the
core dump file in the event that a core dump is performed for the
process with the corresponding process ID.