mount.2: SEE ALSO: s/namespaces(7)/mount_namespaces(7)/

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

namespaces.7: Refer to new mount_namespaces(7) for information on mount namespaces

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

mount_namespaces.7: Minor tweaks

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

mount_namespaces.7: New page describing mount namespaces

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: /proc/PID/mountinfo 'propagate_from' always appears with 'master' tag

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: Rework /proc/PID/mountinfo text on dominant peer groups

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: ffix + wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: Correct kernel version where XFS added support for user namespaces

Linux 3.12, not 3.11.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Minor fixes after review by Kees Cook

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: tfix

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Note that user namespaces can be used to bypass Yama protections

Cowrittten-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: SEE ALSO: add ptrace(2)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Update Yama ptrace_scope documentation

Reframe the discussion in terms of PTRACE_MODE_ATTACH checks,
and make a few other minor tweaks and additions.

Reviewed-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: srcfix: add 2015 copyright notice for mtk

(Yama ptrace_scope text added in 2015.)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Add an introductory paragraph to the Ptrace access mode checks" section

Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: tfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Relocate text noting that PTRACE_MODE_* constants are kernel-internal

(No content changes.)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: srcfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Describe PTRACE_MODE_NOAUDIT in more detail

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Further fixes after review from Jann Horn

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Minor improvements to ptrace access mode text

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Various fixes after review by Jann Horn

Among other things, Jann pointed out that the commoncap LSM
is always invoked, and Kees Cook pointed out the relevant
kernel code:

===
> BTW, can you point me at the piece(s) of kernel code that show that
> "commoncap" is always invoked in addition to any other LSM that has
> been installed?

It's not entirely obvious, but the bottom of security/commoncap.c shows:

struct security_hook_list capability_hooks[] = {
        LSM_HOOK_INIT(capable, cap_capable),
...
};

void __init capability_add_hooks(void)
{
        security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
}

And security/security.c shows the initialization order of the LSMs:

int __init security_init(void)
{
        pr_info("Security Framework initialized\n");

        /*
         * Load minor LSMs, with the capability module always first.
         */
        capability_add_hooks();
        yama_add_hooks();
        loadpin_add_hooks();

        /*
         * Load all the remaining security modules.
         */
        do_security_initcalls();

        return 0;
}
===

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

kcmp.2, ptrace.2: tfix

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Clarify the purpose of mentioning the kernel PTRACE_MODE_* constants

The "ptrace access mode" text is about user-space-visible
behavior, but in order to explain that behavior at what I
believe is a sufficient level of detail (e.g., to differentiate
the various types of checks that are performed for various
system calls and pseudofile accesses), one needs (1) to discuss
the MODE flag details as implemented in the kernel, and (2) to
have a shorthand way to refer to the various cases from other
pages. It's not absolutely necessary to name the flags for (1),
but using the flag names is certainly a handy shorthand for (2).

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: ffix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

kcmp.2: kcmp() is governed by PTRACE_MODE_READ_REALCREDS

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

get_robust_list.2: get_robust_list() is governed by PTRACE_MODE_READ_REALCREDS

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

perf_event_open.2: If pid > 0, the operation is governed by PTRACE_MODE_READ_REALCREDS

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Note that PTRACE_SEIZE is subject to a ptrace access mode check

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Rephrase PTRACE_ATTACH permissions in terms of ptrace access mode check

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

process_vm_readv.2: Rephrase permission rules in terms of a ptrace access mode check

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: Note /proc/PID/stat fields that are governed by PTRACE_MODE_READ_FSCREDS

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: /proc/PID/fd/* are governed by PTRACE_MODE_READ_FSCREDS

Permission to dereference/readlink /proc/PID/fd/* symlinks is
governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

namespaces.7: /proc/PID/ns/* are governed by PTRACE_MODE_READ_FSCREDS

Permission to dereference/readlink /proc/PID/ns/* symlinks is
governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: /proc/PID/{cwd,exe,root} are governed by PTRACE_MODE_READ_FSCREDS

Permission to dereference/readlink /proc/PID/{cwd,exe,root} is
governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: /proc/PID/{personality,stack,syscall} are governed by PTRACE_MODE_ATTACH_FSCREDS

Permission to access /proc/PID/{personality,stack,syscall} is
governed by a PTRACE_MODE_ATTACH_FSCREDS ptrace access mode check.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: /proc/PID/io is governed by PTRACE_MODE_READ_FSCREDS

Permission to access /proc/PID/io is governed by
a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: /proc/PID/timerslack_ns is governed by PTRACE_MODE_ATTACH_FSCREDS

Permission to access /proc/PID/timerslack_ns is governed by
a PTRACE_MODE_ATTACH_FSCREDS ptrace access mode check.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: /proc/PID/{auxv,environ,wchan} are governed by PTRACE_MODE_READ_FSCREDS

Permission to access /proc/PID/{auxv,environ,wchan} is governed by
a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

proc.5: Document /proc/PID/{maps,mem,pagemap} access mode checks

Permission to access /proc/PID/{maps,pagemap} is governed by a
PTRACE_MODE_READ_FSCREDS ptrace access mode check.

Permission to access /proc/PID/mem is governed by a
PTRACE_MODE_ATTACH_FSCREDS ptrace access mode check.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ptrace.2: Document ptrace access modes

Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

cgroups.7: ERRORS: add mount(2) EBUSY error

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: Correct user namespace rules for mounting /proc

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: CAP_SYS_ADMIN allows mounting cgroup filesystems

See https://bugzilla.kernel.org/show_bug.cgi?id=120671

Reported-by: Michał Zegan <webczat_200@poczta.onet.pl>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: Clarify CAP_SYS_ADMIN details for mounting FS_USERNS_MOUNT filesystems

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

acct.2, chmod.2, fcntl.2, mmap.2, mprotect.2, rmdir.2, times.2: tfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

ctime.3, error.3, getmntent.3, getnetent_r.3, getrpcent_r.3, getservent_r.3, pthread_attr_init.3, pthread_getattr_np.3, pthread_tryjoin_np.3, rpc.3, setaliasent.3, setenv.3, unlocked_stdio.3: srcfix: Eliminate some groff warnings

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: Explain how to get equivalent of FUTEX_WAIT with an absolute timeout

Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: Describe FUTEX_BITSET_MATCH_ANY

Describe FUTEX_BITSET_MATCH_ANY and FUTEX_WAIT and FUTEX_WAKE
equivalences.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: Note that at least one bit must be set in mask for BITSET operations

At least one bit must be set in the 'val3' mask supplied for the
FUTEX_WAIT_BITSET and FUTEX_WAKE_BITSET operations.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: ffix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: ffix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: Clarify clock default and choices for FUTEX_WAIT

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

charmap.5: ffix

futex.2: Fix descriptions of various timeouts

Reported-by: Thomas Gleixner <tglx@linutronix.de>
Reported-by: Darren Hart <dvhart@infradead.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: Correct an ENOSYS error description

Since Linux 4.5, FUTEX_CLOCK_REALTIME is allowed with with FUTEX_WAIT.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

futex.2: Remove crufty text about FUTEX_WAIT_BITSET interpretation of timeout

Since Linux 4.5, FUTEX_WAIT also understands
FUTEX_CLOCK_REALTIME.

Reported-by: Darren Hart <dvhart@infradead.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

termio.7: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

boot.7: Minor SEE ALSO fixes

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

statfs.2: tfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

fmax.3, fmin.3: SEE ALSO: add fdim(3)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

strtoul.3: SEE ALSO: add a64l(3)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

vhangup.2: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

chroot.2: SEE ALSO: add pivot_root(2)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

lookup_dcookie.2: ffix / wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

lookup_dcookie.2: SEE ALSO: add oprofile(1)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

cacheflush.2: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

strcat.3: Add a program that shows the performance characteristics of strcat()

In honor of Joel Spolksy's visit to Munich, let's start educating
Schlemiel The Painter.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: List the mount operations permitted by CAP_SYS_ADMIN

List the mount operations permitted by CAP_SYS_ADMIN in a
noninitial userns.

See https://bugzilla.kernel.org/show_bug.cgi?id=120671

Reported-by: Michał Zegan <webczat_200@poczta.onet.pl>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: Add a subsection heading for effects of capabilities in user NS

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: Clarify meaning of privilege in a user namespace

Having privilege in a user NS only allows privileged
operations on resources governed by that user NS. Many
privileged operations relate to resources that have no
association with any namespace type, and only processes
with privilege in the initial user NS can perform those
operations.

See https://bugzilla.kernel.org/show_bug.cgi?id=120671

Reported-by: Michał Zegan <webczat_200@poczta.onet.pl>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

cgroup_namespaces.7: tfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: SEE ALSO: add cgroup_namespaces(7)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: Describe a concrete example of capability checking

Add a concrete example of how the kernel checks capabilities in
an associated user namespace when a process attempts a privileged
operation.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: Minor wording fix

Avoid listing all namespace types in a couple of places,
since such a list is subject to bit rot as the number
of namespace types grows.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

user_namespaces.7: wfix: reword a long, difficult to understand sentence

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

netlink.7: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

netlink.7: Rework version information

(No changes in technical details.)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

cgroups.7: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

kcmp.2: tfix

Signed-off-by: Jakub Wilk <jwilk@jwilk.net>

unix.7: Update text on socket permissions on other systems

At least some of the modern BSDs seem to check for write
permission on a socket. (I tested OpenBSD 5.9.) On Solaris 10,
some light testing suggested that write permission is still
not checked on that system.

See https://bugzilla.kernel.org/show_bug.cgi?id=120061  (and
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1402)

Reported-by: Carsten Grohmann <carstengrohmann@gmx.de>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Note that umask / permissions have no effect for abstract sockets

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Move some abstract socket details to a separate subsection

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Move discussion on pathname socket permissions to DESCRIPTION

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Minor wording fixes

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Note that abstract sockets automatically disappear when FDs are closed

Added after I ran across this question:
http://unix.stackexchange.com/questions/216784/does-linux-automatically-clean-up-abstract-domain-sockets

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Minor wording fix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Clarify ownership and permissions assigned during socket creation

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Expand discussion of socket permissions

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Enhance statement about changing sockets ownership and permissions

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: Fix statement about permissions needed to connect to a UNIX doain socket

Read permission is not required (verified by experiment).

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

unix.7: grfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

getaddrinfo_a.3: srcfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>