.\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.32) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .if !\nF .nr F 0 .if \nF>0 \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} .\} .\" ======================================================================== .\" .IX Title "Linux::Prctl 3pm" .TH Linux::Prctl 3pm "2016-05-20" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" Linux::Prctl \- Perl extension for controlling process characteristics .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& use Linux::Prctl; .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The linux prctl function allows you to control specific characteristics of a process' behaviour. Usage of the function is fairly messy though, due to limitations in C and linux. This module provides a nice non-messy interface. Most of the text in this documentation is based on text from the linux manpages \&\fIprctl\fR\|(2) and \fIcapabilities\fR\|(7) .PP Besides prctl, this library also wraps libcap for complete capability handling. .SS "\s-1EXPORTS\s0" .IX Subsection "EXPORTS" There are 2 export tags: :constants and :functions. These export what you think they will. .PP \fIset_dumpable(flag)\fR .IX Subsection "set_dumpable(flag)" .PP Set the state of the flag determining whether core dumps are produced for this process upon delivery of a signal whose default behavior is to produce a core dump. (Normally this flag is set for a process by default, but it is cleared when a set-user-ID or set-group-ID program is executed and also by various system calls that manipulate process UIDs and GIDs). .PP \fI\fIget_dumpable()\fI\fR .IX Subsection "get_dumpable()" .PP Return the state of the dumpable flag. .PP \fIset_endian(endiannes)\fR .IX Subsection "set_endian(endiannes)" .PP Set the endian-ness of the calling process. Valid values are \s-1ENDIAN_BIG, ENDIAN_LITTLE\s0 and \s-1ENDIAN_PPC_LITTLE \s0(PowerPC pseudo little endian). .PP This function only works on PowerPC systems. .PP \fI\fIget_endian()\fI\fR .IX Subsection "get_endian()" .PP Return the endian-ness of the calling process, see set_endian .PP \fIset_fpemu(flag)\fR .IX Subsection "set_fpemu(flag)" .PP Set floating-point emulation control flag. Pass \s-1FPEMU_NOPRINT\s0 to silently emulate fp operations accesses, or \s-1FPEMU_SIGFPE\s0 to not emulate fp operations and send \s-1SIGFPE\s0 instead. .PP This function only works on ia64 systems. .PP \fI\fIget_fpemu()\fI\fR .IX Subsection "get_fpemu()" .PP Get floating-point emulation control flag. See set_fpemu. .PP \fIset_fpexc(mode)\fR .IX Subsection "set_fpexc(mode)" .PP Set floating-point exception mode. Pass \s-1FP_EXC_SW_ENABLE\s0 to use \s-1FPEXC\s0 for \s-1FP\s0 exception, \s-1FP_EXC_DIV\s0 for floating-point divide by zero, \s-1FP_EXC_OVF\s0 for floating-point overflow, \s-1FP_EXC_UND\s0 for floating-point underflow, \s-1FP_EXC_RES\s0 for floating-point inexact result, \s-1FP_EXC_INV\s0 for floating-point invalid operation, \s-1FP_EXC_DISABLED\s0 for \s-1FP\s0 exceptions disabled, \s-1FP_EXC_NONRECOV\s0 for async non-recoverable exception mode, \s-1FP_EXC_ASYNC\s0 for async recoverable exception mode, \s-1FP_EXC_PRECISE\s0 for precise exception mode. Modes can be combined with the | operator. .PP This function only works on PowerPC systems. .PP \fI\fIget_fpexc()\fI\fR .IX Subsection "get_fpexc()" .PP Return the floating-point exception mode as a bitmap of enabled modes. See set_fpexc. .PP \fIset_keepcaps(flag)\fR .IX Subsection "set_keepcaps(flag)" .PP Set the state of the thread's \*(L"keep capabilities\*(R" flag, which determines whether the threads's effective and permitted capability sets are cleared when a change is made to the threads's user IDs such that the threads's real \s-1UID,\s0 effective \s-1UID,\s0 and saved set-user-ID all become non-zero when at least one of them previously had the value 0. (By default, these credential sets are cleared). This value will be reset to False on subsequent calls to execve. .PP \fI\fIget_keepcaps()\fI\fR .IX Subsection "get_keepcaps()" .PP Return the current state of the calling threads's \*(L"keep capabilities\*(R" flag. .PP \fIset_mce_kill(policy)\fR .IX Subsection "set_mce_kill(policy)" .PP Set the machine check memory corruption kill policy for the current thread. The policy can be early kill (\s-1MCE_KILL_EARLY\s0), late kill (\s-1MCE_KILL_LATE\s0), or the system-wide default (\s-1MCE_KILL_DEFAULT\s0). Early kill means that the task receives a \s-1SIGBUS\s0 signal as soon as hardware memory corruption is detected inside its address space. In late kill mode, the process is only killed when it accesses a corrupted page. The policy is inherited by children. use the system-wide default. The system-wide default is defined by /proc/sys/vm/memory_failure_early_kill .PP This function is only available for kernel 2.6.32 and newer .PP \fI\fIget_mce_kill()\fI\fR .IX Subsection "get_mce_kill()" .PP Return the current per-process machine check kill policy. .PP This function is only available for kernel 2.6.32 and newer .PP \fIset_name(name)\fR .IX Subsection "set_name(name)" .PP Set the process name for the calling process, the name can be up to 16 bytes long. This name is displayed in the output of ps and top. The initial value is the name of the executable. For perl applications this will likely be perl. As of perl 5.14, assigning to \f(CW$0\fR also sets the process name. .PP \fI\fIget_name()\fI\fR .IX Subsection "get_name()" .PP Return the (first 16 bytes of) the name for the calling process. .PP \fIset_pdeathsig(signal)\fR .IX Subsection "set_pdeathsig(signal)" .PP Set the parent process death signal of the calling process (either a valid signal value from the :mod:signal module, or 0 to clear). This is the signal that the calling process will get when its parent dies. This value is cleared for the child of a fork. .PP \fI\fIget_pdeathsig()\fI\fR .IX Subsection "get_pdeathsig()" .PP Return the current value of the parent process death signal. See set_pdeathsig. .PP \fIset_ptracer(pid)\fR .IX Subsection "set_ptracer(pid)" .PP Sets the top of the process tree that is allowed to use \s-1PTRACE\s0 on the calling process, assuming other requirements are met (matching uid, wasn't setuid, etc). Use pid 0 to disallow all processes. For more details, see /etc/sysctl.d/10\-ptrace.conf. .PP This function is only available for kernel 3.4 and newer, or Ubuntu 10.10 and newer. .PP \fIget_ptracer(pid)\fR .IX Subsection "get_ptracer(pid)" .PP Returns the top of the process tree that is allowed to use \s-1PTRACE\s0 on the calling process. See set_ptracer. .PP This function is only available for kernel 3.4 and newer, or Ubuntu 10.10 and newer. .PP \fIset_seccomp(mode)\fR .IX Subsection "set_seccomp(mode)" .PP Set the secure computing mode for the calling thread. In the current implementation, mode must be True. After the secure computing mode has been set to True, the only system calls that the thread is permitted to make are read, write, _exit, and sigreturn. Other system calls result in the delivery of a \&\s-1SIGKILL\s0 signal. Secure computing mode is useful for number-crunching applications that may need to execute untrusted byte code, perhaps obtained by reading from a pipe or socket. This operation is only available if the kernel is configured with \s-1CONFIG_SECCOMP\s0 enabled. .PP \fI\fIget_seccomp()\fI\fR .IX Subsection "get_seccomp()" .PP Return the secure computing mode of the calling thread. Not very useful for the current implementation, but may be useful for other possible future modes: if the caller is not in secure computing mode, this operation returns False; if the caller is in secure computing mode, then the prctl call will cause a \&\s-1SIGKILL\s0 signal to be sent to the process. This operation is only available if the kernel is configured with \s-1CONFIG_SECCOMP\s0 enabled. .PP \fI\fIset_timerslack()\fI\fR .IX Subsection "set_timerslack()" .PP Control the default \*(L"rounding\*(R" in nanoseconds that is used by select, poll and friends. .PP The default value of the slack is 50 microseconds; this is significantly less than the kernels average timing error but still allows the kernel to group timers somewhat to preserve power behavior. .PP This function is only available for kernel 2.6.28 and newer .PP \fIget_timerslack(value)\fR .IX Subsection "get_timerslack(value)" .PP Return the current timing slack, see get_timing_slack .PP This function is only available for kernel 2.6.28 and newer .PP \fIset_timing(flag)\fR .IX Subsection "set_timing(flag)" .PP Set whether to use (normal, traditional) statistical process timing or accurate timestamp based process timing, by passing \s-1TIMING_STATISTICAL\s0 or \&\s-1PR_TIMING_TIMESTAMP. TIMING_TIMESTAMP\s0 is not currently implemented .PP \fI\fIget_timing()\fI\fR .IX Subsection "get_timing()" .PP Return which process timing method is currently in use. .PP \fIset_tsc(flag)\fR .IX Subsection "set_tsc(flag)" .PP Set the state of the flag determining whether the timestamp counter can be read by the process. Pass \s-1TSC_ENABLE\s0 to allow it to be read, or \s-1TSC_SIGSEGV\s0 to generate a \s-1SIGSEGV\s0 when the process tries to read the timestamp counter. .PP This function only works on x86 systems. .PP \fI\fIget_tsc()\fI\fR .IX Subsection "get_tsc()" .PP Return the state of the flag determining whether the timestamp counter can be read, see set_tsc. .PP \fIset_unalign(flag)\fR .IX Subsection "set_unalign(flag)" .PP Set unaligned access control flag. Pass \s-1UNALIGN_NOPRINT\s0 to silently fix up unaligned user accesses, or \s-1UNALIGN_SIGBUS\s0 to generate \s-1SIGBUS\s0 on unaligned user access. .PP This function only works on ia64, parisc, PowerPC and Alpha systems. .PP \fIget_unalign\fR .IX Subsection "get_unalign" .PP Return unaligned access control bits, see set_unalign. .PP \fIset_securebits(bitmap)\fR .IX Subsection "set_securebits(bitmap)" .PP Set the \*(L"securebits\*(R" flags of the calling thread. .PP It is not recommended to use this function directly, use the \&\f(CW%Linux::Prctl::securebits\fR hash instead. .PP \fI\fIget_securebits()\fI\fR .IX Subsection "get_securebits()" .PP Get the \*(L"securebits\*(R" flags of the calling thread. .PP As with set_securebits, it is not recommended to use this function directly, use the \f(CW%Linux::Prctl::securebits\fR hash instead. .PP \fIcapbset_read(capability)\fR .IX Subsection "capbset_read(capability)" .PP Return whether the specified capability is in the calling thread's capability bounding set. The capability bounding set dictates whether the process can receive the capability through a file's permitted capability set on a subsequent call to execve. .PP It is not recommended to use this function directly, use the \&\f(CW%Linux::Prctl::cap_\fR* hashes instead. .PP \fIcapbset_drop(capability)\fR .IX Subsection "capbset_drop(capability)" .PP If the calling thread has the \s-1CAP_SETPCAP\s0 capability, then drop the specified capability specified by from the calling thread's capability bounding set. Any children of the calling thread will inherit the newly reduced bounding set. .PP As with capbset_read, it is not recommended to use this function directly, use the \f(CW%Linux::Prctl::cap_\fR* hashes instead. .SS "Capabilities and the capability bounding set" .IX Subsection "Capabilities and the capability bounding set" For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of processes: privileged processes (whose effective user \s-1ID\s0 is 0, referred to as superuser or root), and unprivileged processes (whose effective \s-1UID\s0 is non-zero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective \s-1UID,\s0 effective \s-1GID,\s0 and supplementary group list). .PP Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute. .PP Each thread has three capability sets containing zero or more of the capabilities described below .PP \fIPermitted (the \f(CI%Linux::Prctl::cap_permitted\fI hash):\fR .IX Subsection "Permitted (the %Linux::Prctl::cap_permitted hash):" .PP This is a limiting superset for the effective capabilities that the thread may assume. It is also a limiting superset for the capabilities that may be added to the inheritable set by a thread that does not have the setpcap capability in its effective set. .PP If a thread drops a capability from its permitted set, it can never re-acquire that capability (unless it execve s either a set-user-ID-root program, or a program whose associated file capabilities grant that capability). .PP \fIInheritabe (the \f(CI%Linux::Prctl::cap_inheritable\fI hash):\fR .IX Subsection "Inheritabe (the %Linux::Prctl::cap_inheritable hash):" .PP This is a set of capabilities preserved across an execve. It provides a mechanism for a process to assign capabilities to the permitted set of the new program during an execve. .PP \fIEffective (the \f(CI%Linux::Prctl::cap_effective\fI hash):\fR .IX Subsection "Effective (the %Linux::Prctl::cap_effective hash):" .PP This is the set of capabilities used by the kernel to perform permission checks for the thread. .PP A child created via fork inherits copies of its parent's capability sets. See below for a discussion of the treatment of capabilities during :func:`execve`. .PP The \f(CW$Linux::Prctl::capbset\fR hash represents the current capability bounding sets of the process. The capability bounding set dictates whether the process can receive the capability through a file's permitted capability set on a subsequent call to execve. All items of this hash are true by default, unless a parent process already removed them from the bounding set. .PP These four hashes have a number of keys. For the capability bounding set and the effective capabilities, these can only be set to False, this drops them from the corresponding set. .PP All details about capabilities and capability bounding sets can be found in the \&\fIcapabilities\fR\|(7) manpage, on which most text below is based. .PP These are the keys of the hashes: .PP \fIaudit_control\fR .IX Subsection "audit_control" .PP Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. .PP \fIaudit_write\fR .IX Subsection "audit_write" .PP Write records to kernel auditing log. .PP \fIchown\fR .IX Subsection "chown" .PP Make arbitrary changes to file UIDs and GIDs (see \fIchown\fR\|(2)). .PP \fIdac_override\fR .IX Subsection "dac_override" .PP Bypass file read, write, and execute permission checks. (\s-1DAC\s0 is an abbreviation of \*(L"discretionary access control\*(R".) .PP \fIdac_read_search\fR .IX Subsection "dac_read_search" .PP Bypass file read permission checks and directory read and execute permission checks. .PP \fIfowner\fR .IX Subsection "fowner" .IP "Bypass permission checks on operations that normally require the file system \s-1UID\s0 of the process to match the \s-1UID\s0 of the file (e.g., chmod, utime), excluding those operations covered by dac_override and dac_read_search." 1 .IX Item "Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file (e.g., chmod, utime), excluding those operations covered by dac_override and dac_read_search." .PD 0 .IP "Set extended file attributes (see \fIchattr\fR\|(1)) on arbitrary files." 1 .IX Item "Set extended file attributes (see chattr) on arbitrary files." .IP "Set Access Control Lists (ACLs) on arbitrary files." 1 .IX Item "Set Access Control Lists (ACLs) on arbitrary files." .IP "Ignore directory sticky bit on file deletion." 1 .IX Item "Ignore directory sticky bit on file deletion." .IP "Specify O_NOATIME for arbitrary files in open and fcntl." 1 .IX Item "Specify O_NOATIME for arbitrary files in open and fcntl." .PD .PP \fIfsetid\fR .IX Subsection "fsetid" .PP Don't clear set-user-ID and set-group-ID permission bits when a file is modified; set the set-group-ID bit for a file whose \s-1GID \s0 does not match the file system or any of the supplementary GIDs of the calling process. .PP \fIipc_lock\fR .IX Subsection "ipc_lock" .PP Lock memory (mlock, mlockall, mmap, shmctl). .PP \fIipc_owner\fR .IX Subsection "ipc_owner" .PP Bypass permission checks for operations on System V \s-1IPC\s0 objects. .PP \fIkill\fR .IX Subsection "kill" .PP Bypass permission checks for sending signals (see \fIkill\fR\|(2)). This includes use of the ioctl \s-1KDSIGACCEPT\s0 operation. .PP \fIlease\fR .IX Subsection "lease" .PP Establish leases on arbitrary files (see \fIfcntl\fR\|(2)). .PP \fIlinux_immutable\fR .IX Subsection "linux_immutable" .PP Set the \s-1FS_APPEND_FL\s0 and \s-1FS_IMMUTABLE_FL\s0 i\-node flags (see \fIchattr\fR\|(1)). .PP \fImac_admin\fR .IX Subsection "mac_admin" .PP Override Mandatory Access Control (\s-1MAC\s0). Implemented for the Smack Linux Security Module (\s-1LSM\s0). .PP \fImac_override\fR .IX Subsection "mac_override" .PP Allow \s-1MAC\s0 configuration or state changes. Implemented for the Smack \s-1LSM.\s0 .PP \fImknod\fR .IX Subsection "mknod" .PP Create special files using mknod. .PP \fInet_admin\fR .IX Subsection "net_admin" .PP Perform various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables). .PP \fInet_bind_service\fR .IX Subsection "net_bind_service" .PP Bind a socket to Internet domain privileged ports (port numbers less than 1024). .PP \fInet_broadcast\fR .IX Subsection "net_broadcast" .PP (Unused) Make socket broadcasts, and listen to multicasts. .PP \fInet_raw\fR .IX Subsection "net_raw" .PP Use \s-1RAW\s0 and \s-1PACKET\s0 sockets. .PP \fIsetgid\fR .IX Subsection "setgid" .PP Make arbitrary manipulations of process GIDs and supplementary \s-1GID\s0 list; forge \&\s-1GID\s0 when passing socket credentials via Unix domain sockets. .PP \fIsetfcap\fR .IX Subsection "setfcap" .PP Set file capabilities. .PP \fIsetpcap\fR .IX Subsection "setpcap" .PP If file capabilities are not supported: grant or remove any capability in the caller's permitted capability set to or from any other process. (This property of setpcap is not available when the kernel is configured to support file capabilities, since setpcap has entirely different semantics for such kernels.) .PP If file capabilities are supported: add any capability from the calling thread's bounding set to its inheritable set; drop capabilities from the bounding set (via capbset_drop); make changes to the securebits flags. .PP \fIsetuid\fR .IX Subsection "setuid" .PP Make arbitrary manipulations of process UIDs (setuid, setreuid, setresuid, setfsuid); make forged \s-1UID\s0 when passing socket credentials via Unix domain sockets. .PP \fIsyslog\fR .IX Subsection "syslog" .PP Allow configuring the kernel's syslog (printk behaviour). Before linux 2.6.38 the sys_admin capability was needed for this. .PP This is only available in linux 2.6.38 and newer. .PP \fIsys_admin\fR .IX Subsection "sys_admin" .IP "Perform a range of system administration operations including: quotactl, mount, umount, swapon, swapoff, sethostname, and setdomainname." 1 .IX Item "Perform a range of system administration operations including: quotactl, mount, umount, swapon, swapoff, sethostname, and setdomainname." .PD 0 .IP "Perform \s-1IPC_SET\s0 and \s-1IPC_RMID\s0 operations on arbitrary System V \s-1IPC\s0 objects." 1 .IX Item "Perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects." .IP "Perform operations on trusted and security Extended Attributes (see \fIattr\fR\|(5))." 1 .IX Item "Perform operations on trusted and security Extended Attributes (see attr)." .IP "Use lookup_dcookie." 1 .IX Item "Use lookup_dcookie." .IP "Use ioprio_set to assign the \s-1IOPRIO_CLASS_RT\s0 scheduling class." 1 .IX Item "Use ioprio_set to assign the IOPRIO_CLASS_RT scheduling class." .IP "Forge \s-1UID\s0 when passing socket credentials." 1 .IX Item "Forge UID when passing socket credentials." .IP "Exceed /proc/sys/fs/file\-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept, execve, open, pipe)." 1 .IX Item "Exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept, execve, open, pipe)." .IP "Employ \s-1CLONE_NEWNS\s0 flag with clone and unshare." 1 .IX Item "Employ CLONE_NEWNS flag with clone and unshare." .IP "Perform \s-1KEYCTL_CHOWN\s0 and \s-1KEYCTL_SETPERM\s0 keyctl operations." 1 .IX Item "Perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl operations." .PD .PP \fIsys_boot\fR .IX Subsection "sys_boot" .PP Use reboot and kexec_load. .PP \fIsys_chroot\fR .IX Subsection "sys_chroot" .PP Use chroot. .PP \fIsys_module\fR .IX Subsection "sys_module" .PP Load and unload kernel modules (see \fIinit_module\fR\|(2) and \fIdelete_module\fR\|(2)). .PP \fIsys_nice\fR .IX Subsection "sys_nice" .IP "Raise process nice value (nice, setpriority) and change the nice value for arbitrary processes." 1 .IX Item "Raise process nice value (nice, setpriority) and change the nice value for arbitrary processes." .PD 0 .IP "Set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler, sched_setparam)." 1 .IX Item "Set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler, sched_setparam)." .IP "Set \s-1CPU\s0 affinity for arbitrary processes (sched_setaffinity)" 1 .IX Item "Set CPU affinity for arbitrary processes (sched_setaffinity)" .IP "Set I/O scheduling class and priority for arbitrary processes (ioprio_set)." 1 .IX Item "Set I/O scheduling class and priority for arbitrary processes (ioprio_set)." .IP "Apply migrate_pages to arbitrary processes and allow processes to be migrated to arbitrary nodes." 1 .IX Item "Apply migrate_pages to arbitrary processes and allow processes to be migrated to arbitrary nodes." .IP "Apply move_pages to arbitrary processes." 1 .IX Item "Apply move_pages to arbitrary processes." .IP "Use the \s-1MPOL_MF_MOVE_ALL\s0 flag with mbind and move_pages." 1 .IX Item "Use the MPOL_MF_MOVE_ALL flag with mbind and move_pages." .PD .PP \fIsys_pacct\fR .IX Subsection "sys_pacct" .PP Use acct. .PP \fIsys_ptrace\fR .IX Subsection "sys_ptrace" .PP Trace arbitrary processes using ptrace. .PP \fIsys_rawio\fR .IX Subsection "sys_rawio" .PP Perform I/O port operations (iopl and ioperm); access /proc/kcore. .PP \fIsys_resource\fR .IX Subsection "sys_resource" .IP "Use reserved space on ext2 file systems." 1 .IX Item "Use reserved space on ext2 file systems." .PD 0 .IP "Make ioctl calls controlling ext3 journaling." 1 .IX Item "Make ioctl calls controlling ext3 journaling." .IP "Override disk quota limits." 1 .IX Item "Override disk quota limits." .IP "Increase resource limits (see \fIsetrlimit\fR\|(2))." 1 .IX Item "Increase resource limits (see setrlimit)." .IP "Override \s-1RLIMIT_NPROC\s0 resource limit." 1 .IX Item "Override RLIMIT_NPROC resource limit." .IP "Raise msg_qbytes limit for a System V message queue above the limit in /proc/sys/kernel/msgmnb (see \fImsgop\fR\|(2) and \fImsgctl\fR\|(2))." 1 .IX Item "Raise msg_qbytes limit for a System V message queue above the limit in /proc/sys/kernel/msgmnb (see msgop and msgctl)." .PD .PP \fIsys_time\fR .IX Subsection "sys_time" .PP Set system clock (settimeofday, stime, adjtimex); set real-time (hardware) clock. .PP \fIsys_tty_config\fR .IX Subsection "sys_tty_config" .PP Use vhangup. .PP \fIwake_alarm\fR .IX Subsection "wake_alarm" .PP Allow triggering something that will wake the system. .PP This is only available in linux 3.0 and newer .PP The four capabilities hashes also have two additional methods, to make dropping many capabilities at the same time easier: .PP \fIdrop(cap [, ...])\fR .IX Subsection "drop(cap [, ...])" .PP Drop all capabilities given as arguments from the set. .PP \fIlimit(cap [, ...])\fR .IX Subsection "limit(cap [, ...])" .PP Drop all but the given capabilities from the set. .PP These function accept both names of capabilities as given above and the \s-1CAP_\s0 constants as defined in capabilities.h. These constants are available as \&\s-1CAP_SYS_ADMIN\s0 et cetera. .SS "Capabilities and execve" .IX Subsection "Capabilities and execve" During an \fIexecve\fR\|(2), the kernel calculates the new capabilities of the process using the following algorithm: .PP * P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset) * P'(effective) = F(effective) ? P'(permitted) : 0 * P'(inheritable) = P(inheritable) [i.e., unchanged] .PP Where: .PP * P denotes the value of a thread capability set before the execve * P' denotes the value of a capability set after the execve * F denotes a file capability set * cap_bset is the value of the capability bounding set .PP The downside of this is that you need to set file capabilities if you want to make applications capabilities-friendly via wrappers. For instance, to allow an http daemon to listen on port 80 without it needing root privileges, you could do the following: .PP .Vb 3 \& %Linux::Prctl.cap_inheritable{net_bind_service} = 1; \& $< = 1000; \& exec "/usr/sbin/httpd"; .Ve .PP This only works if /usr/sbin/httpd has \s-1CAP_NET_BIND_SOCK\s0 in its inheritable and effective sets. You can do this with the \fIsetcap\fR\|(8) tool shipped with libcap. .PP .Vb 3 \& $ sudo setcap cap_net_bind_service=ie /usr/sbin/httpd \& $ getcap /usr/sbin/httpd \& /usr/sbin/httpd = cap_net_bind_service+ei .Ve .PP Note that it only sets the capability in the inheritable set, so this capability is only granted if the program calling execve has it in its inheritable set too. The effective set of file capabilities does not exist in linux, it is a single bit that specifies whether capabilities in the permitted set are automatically raised in the effective set upon execve. .SS "Establishing a capabilities-only environment with securebits" .IX Subsection "Establishing a capabilities-only environment with securebits" With a kernel in which file capabilities are enabled, Linux implements a set of per-thread securebits flags that can be used to disable special handling of capabilities for \s-1UID 0 \s0(root). The securebits flags are inherited by child processes. During an execve, all of the flags are preserved, except keep_caps which is always cleared. .PP These capabilities are available via get_securebits, but are easier accessed via the \f(CW$Linux::prctl::securebits\fR hash. This hash has keys that tell you whether specific securebits are set, or unset. .PP The following keys are available: .PP \fIkeep_caps\fR .IX Subsection "keep_caps" .PP Setting this flag allows a thread that has one or more 0 UIDs to retain its capabilities when it switches all of its UIDs to a non-zero value. If this flag is not set, then such a \s-1UID\s0 switch causes the thread to lose all capabilities. This flag is always cleared on an execve. .PP \fIno_setuid_fixup\fR .IX Subsection "no_setuid_fixup" .PP Setting this flag stops the kernel from adjusting capability sets when the threads's effective and file system UIDs are switched between zero and non-zero values. (See the subsection Effect of User \s-1ID\s0 Changes on Capabilities in \&\fIcapabilities\fR\|(7)) .PP \fInoroot\fR .IX Subsection "noroot" .PP If this bit is set, then the kernel does not grant capabilities when a set-user-ID-root program is executed, or when a process with an effective or real \s-1UID\s0 of 0 calls execve. (See the subsection Capabilities and execution of programs by root in \fIcapabilities\fR\|(7)) .PP \fIkeep_caps_locked\fR .IX Subsection "keep_caps_locked" .PP Like keep_caps, but irreversible .PP \fIno_setuid_fixup_locked\fR .IX Subsection "no_setuid_fixup_locked" .PP Like no_setuid_fixup, but irreversible .PP \fInoroot_locked\fR .IX Subsection "noroot_locked" .PP Like noroot, but irreversible .SH "TODO" .IX Header "TODO" \&\- None of the capability stuff is actually implemented at the moment .SH "SEE ALSO" .IX Header "SEE ALSO" Manpages: \fIcapabilities\fR\|(7) and \fIprctl\fR\|(2) .PP Github source: .SH "AUTHOR" .IX Header "AUTHOR" Dennis Kaarsemaker, .SH "COPYRIGHT AND LICENSE" .IX Header "COPYRIGHT AND LICENSE" Copyright (C) 2011 by Dennis Kaarsemaker .PP This program is free software: you can redistribute it and/or modify it under the terms of the \s-1GNU\s0 General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.