| .\" Hey Emacs! This file is -*- nroff -*- source. |
| .\" |
| .\" Copyright (C) 1998 Andries Brouwer (aeb@cwi.nl) |
| .\" and Copyright (C) 2002 Michael Kerrisk <mtk.manpages@gmail.com> |
| .\" and Copyright Guillem Jover <guillem@hadrons.org> |
| .\" |
| .\" Permission is granted to make and distribute verbatim copies of this |
| .\" manual provided the copyright notice and this permission notice are |
| .\" preserved on all copies. |
| .\" |
| .\" Permission is granted to copy and distribute modified versions of this |
| .\" manual under the conditions for verbatim copying, provided that the |
| .\" entire resulting derived work is distributed under the terms of a |
| .\" permission notice identical to this one. |
| .\" |
| .\" Since the Linux kernel and libraries are constantly changing, this |
| .\" manual page may be incorrect or out-of-date. The author(s) assume no |
| .\" responsibility for errors or omissions, or for damages resulting from |
| .\" the use of the information contained herein. The author(s) may not |
| .\" have taken the same level of care in the production of this manual, |
| .\" which is licensed free of charge, as they might when working |
| .\" professionally. |
| .\" |
| .\" Formatted or processed versions of this manual, if unaccompanied by |
| .\" the source, must acknowledge the copyright and authors of this work. |
| .\" |
| .\" Modified Thu Nov 11 04:19:42 MET 1999, aeb: added PR_GET_PDEATHSIG |
| .\" Modified 27 Jun 02, Michael Kerrisk |
| .\" Added PR_SET_DUMPABLE, PR_GET_DUMPABLE, |
| .\" PR_SET_KEEPCAPS, PR_GET_KEEPCAPS |
| .\" Modified 2006-08-30 Guillem Jover <guillem@hadrons.org> |
| .\" Updated Linux versions where the options where introduced. |
| .\" Added PR_SET_TIMING, PR_GET_TIMING, PR_SET_NAME, PR_GET_NAME, |
| .\" PR_SET_UNALIGN, PR_GET_UNALIGN, PR_SET_FPEMU, PR_GET_FPEMU, |
| .\" PR_SET_FPEXC, PR_GET_FPEXC |
| .\" 2008-04-29 Serge Hallyn, Document PR_CAPBSET_READ and PR_CAPBSET_DROP |
| .\" 2008-06-13 Erik Bosman, <ejbosman@cs.vu.nl> |
| .\" Document PR_GET_TSC and PR_SET_TSC. |
| .\" 2008-06-15 mtk, Document PR_SET_SECCOMP, PR_GET_SECCOMP |
| .\" 2009-10-03 Andi Kleen, document PR_MCE_KILL |
| .\" 2012-04 Cyrill Gorcunov, Document PR_SET_MM |
| .\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and |
| .\" PR_TASK_PERF_EVENTS_ENABLE |
| .\" 2012-09-20 Kees Cook, update PR_SET_SECCOMP for mode 2 |
| .\" 2012-09-20 Kees Cook, document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS |
| .\" 2012-10-25 Michael Kerrisk, Document PR_SET_TIMERSLACK and |
| .\" PR_GET_TIMERSLACK |
| .\" 2013-01-10 Kees Cook, document PR_SET_PTRACER |
| .\" |
| .\" |
| .TH PRCTL 2 2013-01-10 "Linux" "Linux Programmer's Manual" |
| .SH NAME |
| prctl \- operations on a process |
| .SH SYNOPSIS |
| .nf |
| .B #include <sys/prctl.h> |
| .sp |
| .BI "int prctl(int " option ", unsigned long " arg2 ", unsigned long " arg3 , |
| .BI " unsigned long " arg4 ", unsigned long " arg5 ); |
| .fi |
| .SH DESCRIPTION |
| .BR prctl () |
| is called with a first argument describing what to do |
| (with values defined in \fI<linux/prctl.h>\fP), and further |
| arguments with a significance depending on the first one. |
| The first argument can be: |
| .TP |
| .BR PR_CAPBSET_READ " (since Linux 2.6.25)" |
| Return (as the function result) 1 if the capability specified in |
| .I arg2 |
| is in the calling thread's capability bounding set, |
| or 0 if it is not. |
| (The capability constants are defined in |
| .IR <linux/capability.h> .) |
| The capability bounding set dictates |
| whether the process can receive the capability through a |
| file's permitted capability set on a subsequent call to |
| .BR execve (2). |
| |
| If the capability specified in |
| .I arg2 |
| is not valid, then the call fails with the error |
| .BR EINVAL . |
| .TP |
| .BR PR_CAPBSET_DROP " (since Linux 2.6.25)" |
| If the calling thread has the |
| .B CAP_SETPCAP |
| capability, then drop the capability specified by |
| .I arg2 |
| from the calling thread's capability bounding set. |
| Any children of the calling thread will inherit the newly |
| reduced bounding set. |
| |
| The call fails with the error: |
| .B EPERM |
| if the calling thread does not have the |
| .BR CAP_SETPCAP ; |
| .BR EINVAL |
| if |
| .I arg2 |
| does not represent a valid capability; or |
| .BR EINVAL |
| if file capabilities are not enabled in the kernel, |
| in which case bounding sets are not supported. |
| .TP |
| .BR PR_SET_DUMPABLE " (since Linux 2.3.20)" |
| Set the state of the flag determining whether core dumps are produced |
| for this process upon delivery of a signal whose default behavior is |
| to produce a core dump. |
| (Normally this flag is set for a process by default, but it is cleared |
| when a set-user-ID or set-group-ID program is executed and also by |
| various system calls that manipulate process UIDs and GIDs). |
| In kernels up to and including 2.6.12, |
| .I arg2 |
| must be either 0 (process is not dumpable) or 1 (process is dumpable). |
| Between kernels 2.6.13 and 2.6.17, the value 2 was also permitted, |
| which caused any binary which normally would not be dumped |
| to be dumped readable by root only; |
| for security reasons, this feature has been removed. |
| .\" See http://marc.theaimsgroup.com/?l=linux-kernel&m=115270289030630&w=2 |
| .\" Subject: Fix prctl privilege escalation (CVE-2006-2451) |
| .\" From: Marcel Holtmann <marcel () holtmann ! org> |
| .\" Date: 2006-07-12 11:12:00 |
| (See also the description of |
| .I /proc/sys/fs/suid_dumpable |
| in |
| .BR proc (5).) |
| Processes that are not dumpable can not be attached via |
| .BR ptrace (2) |
| .BR PTRACE_ATTACH . |
| .TP |
| .BR PR_GET_DUMPABLE " (since Linux 2.3.20)" |
| Return (as the function result) the current state of the calling |
| process's dumpable flag. |
| .\" Since Linux 2.6.13, the dumpable flag can have the value 2, |
| .\" but in 2.6.13 PR_GET_DUMPABLE simply returns 1 if the dumpable |
| .\" flags has a nonzero value. This was fixed in 2.6.14. |
| .TP |
| .BR PR_SET_ENDIAN " (since Linux 2.6.18, PowerPC only)" |
| Set the endian-ness of the calling process to the value given |
| in \fIarg2\fP, which should be one of the following: |
| .\" Respectively 0, 1, 2 |
| .BR PR_ENDIAN_BIG , |
| .BR PR_ENDIAN_LITTLE , |
| or |
| .B PR_ENDIAN_PPC_LITTLE |
| (PowerPC pseudo little endian). |
| .TP |
| .BR PR_GET_ENDIAN " (since Linux 2.6.18, PowerPC only)" |
| Return the endian-ness of the calling process, |
| in the location pointed to by |
| .IR "(int\ *) arg2" . |
| .TP |
| .BR PR_SET_FPEMU " (since Linux 2.4.18, 2.5.9, only on ia64)" |
| Set floating-point emulation control bits to \fIarg2\fP. |
| Pass \fBPR_FPEMU_NOPRINT\fP to silently emulate fp operations accesses, or |
| \fBPR_FPEMU_SIGFPE\fP to not emulate fp operations and send |
| .B SIGFPE |
| instead. |
| .TP |
| .BR PR_GET_FPEMU " (since Linux 2.4.18, 2.5.9, only on ia64)" |
| Return floating-point emulation control bits, |
| in the location pointed to by |
| .IR "(int\ *) arg2" . |
| .TP |
| .BR PR_SET_FPEXC " (since Linux 2.4.21, 2.5.32, only on PowerPC)" |
| Set floating-point exception mode to \fIarg2\fP. |
| Pass \fBPR_FP_EXC_SW_ENABLE\fP to use FPEXC for FP exception enables, |
| \fBPR_FP_EXC_DIV\fP for floating-point divide by zero, |
| \fBPR_FP_EXC_OVF\fP for floating-point overflow, |
| \fBPR_FP_EXC_UND\fP for floating-point underflow, |
| \fBPR_FP_EXC_RES\fP for floating-point inexact result, |
| \fBPR_FP_EXC_INV\fP for floating-point invalid operation, |
| \fBPR_FP_EXC_DISABLED\fP for FP exceptions disabled, |
| \fBPR_FP_EXC_NONRECOV\fP for async nonrecoverable exception mode, |
| \fBPR_FP_EXC_ASYNC\fP for async recoverable exception mode, |
| \fBPR_FP_EXC_PRECISE\fP for precise exception mode. |
| .TP |
| .BR PR_GET_FPEXC " (since Linux 2.4.21, 2.5.32, only on PowerPC)" |
| Return floating-point exception mode, |
| in the location pointed to by |
| .IR "(int\ *) arg2" . |
| .TP |
| .BR PR_SET_KEEPCAPS " (since Linux 2.2.18)" |
| Set the state of the thread's "keep capabilities" flag, |
| which determines whether the threads's permitted |
| capability set is cleared when a change is made to the threads's user IDs |
| such that the threads's real UID, effective UID, and saved set-user-ID |
| all become nonzero when at least one of them previously had the value 0. |
| By default, the permitted capability set is cleared when such a change is made; |
| setting the "keep capabilities" flag prevents it from being cleared. |
| .I arg2 |
| must be either 0 (permitted capabilities are cleared) |
| or 1 (permitted capabilities are kept). |
| (A thread's |
| .I effective |
| capability set is always cleared when such a credential change is made, |
| regardless of the setting of the "keep capabilities" flag.) |
| The "keep capabilities" value will be reset to 0 on subsequent calls to |
| .BR execve (2). |
| .TP |
| .BR PR_GET_KEEPCAPS " (since Linux 2.2.18)" |
| Return (as the function result) the current state of the calling threads's |
| "keep capabilities" flag. |
| .TP |
| .BR PR_SET_NAME " (since Linux 2.6.9)" |
| Set the process name for the calling thread, |
| using the value in the location pointed to by |
| .IR "(char\ *) arg2" . |
| The name can be up to 16 bytes long, |
| .\" TASK_COMM_LEN in include/linux/sched.h |
| and should be null-terminated if it contains fewer bytes. |
| .TP |
| .BR PR_GET_NAME " (since Linux 2.6.11)" |
| Return the name for the calling thread, |
| in the buffer pointed to by |
| .IR "(char\ *) arg2" . |
| The buffer should allow space for up to 16 bytes; |
| the returned string will be null-terminated if it is shorter than that. |
| .TP |
| .BR PR_SET_NO_NEW_PRIVS " (since Linux 3.5)" |
| Set the calling process's |
| .I no_new_privs |
| bit to the value in |
| .IR arg2 . |
| With |
| .I no_new_privs |
| set to 1, |
| .BR execve (2) |
| promises not to grant privileges to do anything |
| that could not have been done without the |
| .BR execve (2) |
| call (for example, |
| rendering the set-user-ID and set-group-ID permission bits, |
| and file capabilities non-functional). |
| Once set, this bit cannot be unset. |
| The setting of this bit is inherited by children created by |
| .BR fork (2) |
| and |
| .BR clone (2), |
| and preserved across |
| .BR execve (2). |
| |
| For more information, see the kernel source file |
| .IR Documentation/prctl/no_new_privs.txt . |
| .TP |
| .BR PR_GET_NO_NEW_PRIVS " (since Linux 3.5)" |
| Return the value of the |
| .I no_new_privs |
| bit for the current process. |
| A value of 0 indicates the regular |
| .BR execve (2) |
| behavior. |
| A value of 1 indicates |
| .BR execve (2) |
| will operate in the privilege-restricting mode described above. |
| .TP |
| .BR PR_SET_PDEATHSIG " (since Linux 2.1.57)" |
| Set the parent process death signal |
| of the calling process to \fIarg2\fP (either a signal value |
| in the range 1..maxsig, or 0 to clear). |
| This is the signal that the calling process will get when its |
| parent dies. |
| This value is cleared for the child of a |
| .BR fork (2) |
| and (since Linux 2.4.36 / 2.6.23) |
| when executing a set-user-ID or set-group-ID binary. |
| .TP |
| .BR PR_GET_PDEATHSIG " (since Linux 2.3.15)" |
| Return the current value of the parent process death signal, |
| in the location pointed to by |
| .IR "(int\ *) arg2" . |
| .TP |
| .BR PR_SET_PTRACER " (since Linux 3.4)" |
| .\" commit 2d514487faf188938a4ee4fb3464eeecfbdcf8eb |
| .\" commit bf06189e4d14641c0148bea16e9dd24943862215 |
| This is only meaningful when the Yama LSM is enabled and in mode 1 |
| ("restricted ptrace", visible via |
| .IR /proc/sys/kernel/yama/ptrace_scope ). |
| When a "ptracer process ID" is passed in \fIarg2\fP, |
| the caller is declaring that the ptracer process can |
| .BR ptrace (2) |
| the calling process as if it were a direct process ancestor. |
| Each |
| .B PR_SET_PTRACER |
| operation replaces the previous "ptracer process ID". |
| Employing |
| .B PR_SET_PTRACER |
| with |
| .I arg2 |
| set to 0 clears the caller's "ptracer process ID". |
| If |
| .I arg2 |
| is |
| .BR PR_SET_PTRACER_ANY, |
| the ptrace restrictions introduced by Yama are effectively disabled for the |
| calling process. |
| |
| For further information, see the kernel source file |
| .IR Documentation/security/Yama.txt . |
| .TP |
| .BR PR_SET_SECCOMP " (since Linux 2.6.23)" |
| .\" See http://thread.gmane.org/gmane.linux.kernel/542632 |
| .\" [PATCH 0 of 2] seccomp updates |
| .\" andrea@cpushare.com |
| Set the secure computing (seccomp) mode for the calling thread, to limit |
| the available system calls. |
| The seccomp mode is selected via |
| .IR arg2 . |
| (The seccomp constants are defined in |
| .IR <linux/seccomp.h> .) |
| |
| With |
| .IR arg2 |
| set to |
| .BR SECCOMP_MODE_STRICT |
| the only system calls that the thread is permitted to make are |
| .BR read (2), |
| .BR write (2), |
| .BR _exit (2), |
| and |
| .BR sigreturn (2). |
| Other system calls result in the delivery of a |
| .BR SIGKILL |
| signal. |
| Strict secure computing mode is useful for number-crunching applications |
| that may need to execute untrusted byte code, |
| perhaps obtained by reading from a pipe or socket. |
| This operation is only available |
| if the kernel is configured with |
| .B CONFIG_SECCOMP |
| enabled. |
| |
| With |
| .IR arg2 |
| set to |
| .BR SECCOMP_MODE_FILTER " (since Linux 3.5)" |
| the system calls allowed are defined by a pointer |
| to a Berkeley Packet Filter passed in |
| .IR arg3 . |
| This argument is a pointer to |
| .IR "struct sock_fprog" ; |
| it can be designed to filter |
| arbitrary system calls and system call arguments. |
| This mode is only available if the kernel is configured with |
| .B CONFIG_SECCOMP_FILTER |
| enabled. |
| |
| If |
| .BR SECCOMP_MODE_FILTER |
| filters permit |
| .BR fork (2), |
| then the seccomp mode is inherited by children created by |
| .BR fork (2); |
| if |
| .BR execve (2) |
| is permitted, then the seccomp mode is preserved across |
| .BR execve (2). |
| If the filters permit |
| .BR prctl (0 |
| calls, then additional filters can be added; |
| they are run in order until the first non-allow result is seen. |
| |
| For further information, see the kernel source file |
| .IR Documentation/prctl/seccomp_filter.txt . |
| .TP |
| .BR PR_GET_SECCOMP " (since Linux 2.6.23)" |
| Return the secure computing mode of the calling thread. |
| If the caller is not in secure computing mode, this operation returns 0; |
| if the caller is in strict secure computing mode, then the |
| .BR prctl () |
| call will cause a |
| .B SIGKILL |
| signal to be sent to the process. |
| If the caller is in filter mode, and this system call is allowed by the |
| seccomp filters, it returns 2. |
| This operation is only available |
| if the kernel is configured with |
| .B CONFIG_SECCOMP |
| enabled. |
| .TP |
| .BR PR_SET_SECUREBITS " (since Linux 2.6.26)" |
| Set the "securebits" flags of the calling thread to the value supplied in |
| .IR arg2 . |
| See |
| .BR capabilities (7). |
| .TP |
| .BR PR_GET_SECUREBITS " (since Linux 2.6.26)" |
| Return (as the function result) |
| the "securebits" flags of the calling thread. |
| See |
| .BR capabilities (7). |
| .TP |
| .BR PR_SET_TIMERSLACK " (since Linux 2.6.28)" |
| .\" See https://lwn.net/Articles/369549/ |
| .\" commit 6976675d94042fbd446231d1bd8b7de71a980ada |
| Set the current timer slack for the calling thread to the nanosecond value |
| supplied in |
| .IR arg2 . |
| If |
| .I arg2 |
| is less than or equal to zero, |
| .\" It seems that it's not possible to set the timer slack to zero; |
| .\" The minimum value is 1? Seems a little strange. |
| reset the current timer slack to the thread's default timer slack value. |
| The timer slack is used by the kernel to group timer expirations |
| for the calling thread that are close to one another; |
| as a consequence, timer expirations for the thread may be |
| up to the specified number of nanoseconds late (but will never expire early). |
| Grouping timer expirations can help reduce system power consumption |
| by minimizing CPU wake-ups. |
| |
| The timer expirations affected by timer slack are those set by |
| .BR select (2), |
| .BR pselect (2), |
| .BR poll (2), |
| .BR ppoll (2), |
| .BR epoll_wait (2), |
| .BR epoll_pwait (2), |
| .BR clock_nanosleep (2), |
| .BR nanosleep (2), |
| and |
| .BR futex (2) |
| (and thus the library functions implemented via futexes, including |
| .\" List obtained by grepping for futex usage in glibc source |
| .BR pthread_cond_timedwait (3), |
| .BR pthread_mutex_timedlock (3), |
| .BR pthread_rwlock_timedrdlock (3), |
| .BR pthread_rwlock_timedwrlock (3), |
| and |
| .BR sem_timedwait (3)). |
| |
| Timer slack is not applied to threads that are scheduled under |
| a realtime scheduling policy (see |
| .BR sched_setscheduler (2)). |
| |
| Each thread has two associated timer slack values: |
| a "default" value, and a "current" value. |
| The current value is the one that governs grouping |
| of timer expirations. |
| When a new thread is created, |
| the two timer slack values are made the same as the current value |
| of the creating thread. |
| Thereafter, a thread can adjust its current timer slack value via |
| .BR PR_SET_TIMERSLACK |
| (the default value can't be changed). |
| The timer slack values of |
| .IR init |
| (PID 1), the ancestor of all processes, |
| are 50,000 nanoseconds (50 microseconds). |
| The timer slack values are preserved across |
| .BR execve (2). |
| .TP |
| .BR PR_GET_TIMERSLACK " (since Linux 2.6.28)" |
| Return the current timer slack value of the calling thread. |
| .TP |
| .BR PR_SET_TIMING " (since Linux 2.6.0-test4)" |
| Set whether to use (normal, traditional) statistical process timing or |
| accurate timestamp-based process timing, by passing |
| .B PR_TIMING_STATISTICAL |
| .\" 0 |
| or |
| .B PR_TIMING_TIMESTAMP |
| .\" 1 |
| to \fIarg2\fP. |
| .B PR_TIMING_TIMESTAMP |
| is not currently implemented |
| (attempting to set this mode will yield the error |
| .BR EINVAL ). |
| .\" PR_TIMING_TIMESTAMP doesn't do anything in 2.6.26-rc8, |
| .\" and looking at the patch history, it appears |
| .\" that it never did anything. |
| .TP |
| .BR PR_GET_TIMING " (since Linux 2.6.0-test4)" |
| Return (as the function result) which process timing method is currently |
| in use. |
| .TP |
| .BR PR_TASK_PERF_EVENTS_DISABLE " (since Linux 2.6.31)" |
| Disable all performance counters attached to the calling process, |
| regardless of whether the counters were created by |
| this process or another process. |
| Performance counters created by the calling process for other |
| processes are unaffected. |
| For more information on performance counters, see the Linux kernel source file |
| .IR tools/perf/design.txt . |
| .IP |
| Originally called |
| .BR PR_TASK_PERF_COUNTERS_DISABLE ; |
| .\" commit 1d1c7ddbfab358445a542715551301b7fc363e28 |
| renamed (with same numerical value) |
| in Linux 2.6.32. |
| .TP |
| .BR PR_TASK_PERF_EVENTS_ENABLE " (since Linux 2.6.31)" |
| The converse of |
| .BR PR_TASK_PERF_EVENTS_DISABLE ; |
| enable performance counters attached to the calling process. |
| .IP |
| Originally called |
| .BR PR_TASK_PERF_COUNTERS_ENABLE ; |
| .\" commit 1d1c7ddbfab358445a542715551301b7fc363e28 |
| renamed |
| .\" commit cdd6c482c9ff9c55475ee7392ec8f672eddb7be6 |
| in Linux 2.6.32. |
| .TP |
| .BR PR_SET_TSC " (since Linux 2.6.26, x86 only)" |
| Set the state of the flag determining whether the timestamp counter |
| can be read by the process. |
| Pass |
| .B PR_TSC_ENABLE |
| to |
| .I arg2 |
| to allow it to be read, or |
| .B PR_TSC_SIGSEGV |
| to generate a |
| .B SIGSEGV |
| when the process tries to read the timestamp counter. |
| .TP |
| .BR PR_GET_TSC " (since Linux 2.6.26, x86 only)" |
| Return the state of the flag determining whether the timestamp counter |
| can be read, |
| in the location pointed to by |
| .IR "(int\ *) arg2" . |
| .TP |
| .B PR_SET_UNALIGN |
| (Only on: ia64, since Linux 2.3.48; parisc, since Linux 2.6.15; |
| PowerPC, since Linux 2.6.18; Alpha, since Linux 2.6.22) |
| Set unaligned access control bits to \fIarg2\fP. |
| Pass |
| \fBPR_UNALIGN_NOPRINT\fP to silently fix up unaligned user accesses, |
| or \fBPR_UNALIGN_SIGBUS\fP to generate |
| .B SIGBUS |
| on unaligned user access. |
| .TP |
| .B PR_GET_UNALIGN |
| (see |
| .B PR_SET_UNALIGN |
| for information on versions and architectures) |
| Return unaligned access control bits, in the location pointed to by |
| .IR "(int\ *) arg2" . |
| .TP |
| .BR PR_MCE_KILL " (since Linux 2.6.32)" |
| Set the machine check memory corruption kill policy for the current thread. |
| If |
| .I arg2 |
| is |
| .BR PR_MCE_KILL_CLEAR , |
| clear the thread memory corruption kill policy and use the system-wide default. |
| (The system-wide default is defined by |
| .IR /proc/sys/vm/memory_failure_early_kill ; |
| see |
| .BR proc (5).) |
| If |
| .I arg2 |
| is |
| .BR PR_MCE_KILL_SET , |
| use a thread-specific memory corruption kill policy. |
| In this case, |
| .I arg3 |
| defines whether the policy is |
| .I early kill |
| .RB ( PR_MCE_KILL_EARLY ), |
| .I late kill |
| .RB ( PR_MCE_KILL_LATE ), |
| or the system-wide default |
| .RB ( PR_MCE_KILL_DEFAULT ). |
| Early kill means that the thread receives a |
| .B SIGBUS |
| signal as soon as hardware memory corruption is detected inside |
| its address space. |
| In late kill mode, the process is only killed when it accesses a corrupted page. |
| See |
| .BR sigaction (2) |
| for more information on the |
| .BR SIGBUS |
| signal. |
| The policy is inherited by children. |
| The remaining unused |
| .BR prctl () |
| arguments must be zero for future compatibility. |
| .TP |
| .BR PR_MCE_KILL_GET " (since Linux 2.6.32)" |
| Return the current per-process machine check kill policy. |
| All unused |
| .BR prctl () |
| arguments must be zero. |
| .TP |
| .BR PR_SET_MM " (since Linux 3.3)" |
| Modify certain kernel memory map descriptor fields |
| of the calling process. |
| Usually these fields are set by the kernel and dynamic loader (see |
| .BR ld.so (8) |
| for more information) and a regular application should not use this feature. |
| However, there are cases, such as self-modifying programs, |
| where a program might find it useful to change its own memory map. |
| This feature is available only if the kernel is built with the |
| .BR CONFIG_CHECKPOINT_RESTORE |
| option enabled. |
| The calling process must have the |
| .BR CAP_SYS_RESOURCE |
| capability. |
| The value in |
| .I arg2 |
| is one of the options below, while |
| .I arg3 |
| provides a new value for the option. |
| .RS |
| .TP |
| .BR PR_SET_MM_START_CODE |
| Set the address above which the program text can run. |
| The corresponding memory area must be readable and executable, |
| but not writable or sharable (see |
| .BR mprotect (2) |
| and |
| .BR mmap (2) |
| for more information). |
| .TP |
| .BR PR_SET_MM_END_CODE |
| Set the address below which the program text can run. |
| The corresponding memory area must be readable and executable, |
| but not writable or sharable. |
| .TP |
| .BR PR_SET_MM_START_DATA |
| Set the address above which initialized and |
| uninitialized (bss) data are placed. |
| The corresponding memory area must be readable and writable, |
| but not executable or sharable. |
| .TP |
| .B PR_SET_MM_END_DATA |
| Set the address below which initialized and |
| uninitialized (bss) data are placed. |
| The corresponding memory area must be readable and writable, |
| but not executable or sharable. |
| .TP |
| .BR PR_SET_MM_START_STACK |
| Set the start address of the stack. |
| The corresponding memory area must be readable and writable. |
| .TP |
| .BR PR_SET_MM_START_BRK |
| Set the address above which the program heap can be expanded with |
| .BR brk (2) |
| call. |
| The address must be greater than the ending address of |
| the current program data segment. |
| In addition, the combined size of the resulting heap and |
| the size of the data segment can't exceed the |
| .BR RLIMIT_DATA |
| resource limit (see |
| .BR setrlimit (2)). |
| .TP |
| .BR PR_SET_MM_BRK |
| Set the current |
| .BR brk (2) |
| value. |
| The requirements for the address are the same as for the |
| .BR PR_SET_MM_START_BRK |
| option. |
| .\" FIXME The following (until ========) is not yet in mainline kernel, |
| .\" so commented out for the moment. |
| .\" .TP |
| .\" .BR PR_SET_MM_ARG_START |
| .\" Set the address above which the program command line is placed. |
| .\" .TP |
| .\" .BR PR_SET_MM_ARG_END |
| .\" Set the address below which the program command line is placed. |
| .\" .TP |
| .\" .BR PR_SET_MM_ENV_START |
| .\" Set the address above which the program environment is placed. |
| .\" .TP |
| .\" .BR PR_SET_MM_ENV_END |
| .\" Set the address below which the program environment is placed. |
| .\" .IP |
| .\" The address passed with |
| .\" .BR PR_SET_MM_ARG_START , |
| .\" .BR PR_SET_MM_ARG_END , |
| .\" .BR PR_SET_MM_ENV_START , |
| .\" and |
| .\" .BR PR_SET_MM_ENV_END |
| .\" should belong to a process stack area. |
| .\" Thus, the corresponding memory area must be readable, writable, and |
| .\" (depending on the kernel configuration) have the |
| .\" .BR MAP_GROWSDOWN |
| .\" attribute set (see |
| .\" .BR mmap (2)). |
| .\" .TP |
| .\" .BR PR_SET_MM_AUXV |
| .\" Set a new auxiliary vector. |
| .\" The |
| .\" .I arg3 |
| .\" argument should provide the address of the vector. |
| .\" The |
| .\" .I arg4 |
| .\" is the size of the vector. |
| .\" .TP |
| .\" .BR PR_SET_MM_EXE_FILE |
| .\" Supersede the |
| .\" .IR /proc/pid/exe |
| .\" symbolic link with a new one pointing to a new executable file |
| .\" identified by the file descriptor provided in |
| .\" .I arg3 |
| .\" argument. |
| .\" The file descriptor should be obtained with a regular |
| .\" .BR open (2) |
| .\" call. |
| .\" .IP |
| .\" To change the symbolic link, one needs to unmap all existing |
| .\" executable memory areas, including those created by the kernel itself |
| .\" (for example the kernel usually creates at least one executable |
| .\" memory area for the ELF |
| .\" .IR \.text |
| .\" section). |
| .\" .IP |
| .\" The second limitation is that such transitions can be done only once |
| .\" in a process life time. |
| .\" Any further attempts will be rejected. |
| .\" This should help system administrators to monitor unusual |
| .\" symbolic-link transitions over all process running in a system. |
| .\" ========== END FIXME |
| .RE |
| .\" |
| .SH "RETURN VALUE" |
| On success, |
| .BR PR_GET_DUMPABLE , |
| .BR PR_GET_KEEPCAPS , |
| .BR PR_GET_NO_NEW_PRIVS , |
| .BR PR_CAPBSET_READ , |
| .BR PR_GET_TIMING , |
| .BR PR_GET_SECUREBITS , |
| .BR PR_MCE_KILL_GET , |
| and (if it returns) |
| .BR PR_GET_SECCOMP |
| return the nonnegative values described above. |
| All other |
| .I option |
| values return 0 on success. |
| On error, \-1 is returned, and |
| .I errno |
| is set appropriately. |
| .SH ERRORS |
| .TP |
| .B EFAULT |
| .I arg2 |
| is an invalid address. |
| .TP |
| .B EINVAL |
| The value of |
| .I option |
| is not recognized. |
| .TP |
| .B EINVAL |
| .I option |
| is |
| .BR PR_MCE_KILL |
| or |
| .BR PR_MCE_KILL_GET |
| or |
| .BR PR_SET_MM , |
| and unused |
| .BR prctl () |
| arguments were not specified as zero. |
| .TP |
| .B EINVAL |
| .I arg2 |
| is not valid value for this |
| .IR option . |
| .TP |
| .B EINVAL |
| .I option |
| is |
| .BR PR_SET_SECCOMP |
| or |
| .BR PR_SET_SECCOMP , |
| and the kernel was not configured with |
| .BR CONFIG_SECCOMP . |
| .TP |
| .B EINVAL |
| .I option |
| is |
| .BR PR_SET_MM , |
| and one of the following is true |
| .RS |
| .IP * 3 |
| .I arg4 |
| or |
| .I arg5 |
| is nonzero; |
| .IP * |
| .I arg3 |
| is greater than |
| .B TASK_SIZE |
| (the limit on the size of the user address space for this architecture); |
| .IP * |
| .I arg2 |
| is |
| .BR PR_SET_MM_START_CODE , |
| .BR PR_SET_MM_END_CODE , |
| .BR PR_SET_MM_START_DATA , |
| .BR PR_SET_MM_END_DATA , |
| or |
| .BR PR_SET_MM_START_STACK, |
| and the permissions of the corresponding memory area are not as required; |
| .IP * |
| .I arg2 |
| is |
| .BR PR_SET_MM_START_BRK |
| or |
| .BR PR_SET_MM_BRK , |
| and |
| .I arg3 |
| is less than or equal to the end of the data segment |
| or specifies a value that would cause the |
| .B RLIMIT_DATA |
| resource limit to be exceeded. |
| .RE |
| .TP |
| .B EINVAL |
| .I option |
| is |
| .BR PR_SET_PTRACER |
| and |
| .I arg2 |
| is not 0, |
| .BR PR_SET_PTRACER_ANY , |
| or the PID of an existing process. |
| .TP |
| TP |
| .B EPERM |
| .I option |
| is |
| .BR PR_SET_SECUREBITS , |
| and the caller does not have the |
| .B CAP_SETPCAP |
| capability, |
| or tried to unset a "locked" flag, |
| or tried to set a flag whose corresponding locked flag was set |
| (see |
| .BR capabilities (7)). |
| .TP |
| .B EPERM |
| .I option |
| is |
| .BR PR_SET_KEEPCAPS , |
| and the callers's |
| .B SECURE_KEEP_CAPS_LOCKED |
| flag is set |
| (see |
| .BR capabilities (7)). |
| .TP |
| .B EPERM |
| .I option |
| is |
| .BR PR_CAPBSET_DROP , |
| and the caller does not have the |
| .B CAP_SETPCAP |
| capability. |
| .TP |
| .B EPERM |
| .I option |
| is |
| .BR PR_SET_MM , |
| and the caller does not have the |
| .B CAP_SYS_RESOURCE |
| capability. |
| .\" FIXME The following (until ========) is not yet in mainline kernel, |
| .\" so commented out for the moment. |
| .\" .TP |
| .\" .B EACCES |
| .\" .I option |
| .\" is |
| .\" .BR PR_SET_MM , |
| .\" and |
| .\" .I arg3 |
| .\" is |
| .\" .BR PR_SET_MM_EXE_FILE , |
| .\" the file is not executable. |
| .\" .TP |
| .\" .B EBUSY |
| .\" .I option |
| .\" is |
| .\" .BR PR_SET_MM , |
| .\" .I arg3 |
| .\" is |
| .\" .BR PR_SET_MM_EXE_FILE , |
| .\" and this the second attempt to change the |
| .\" .I /proc/pid/exe |
| .\" symbolic link, which is prohibited. |
| .\" .TP |
| .\" .B EBADF |
| .\" .I option |
| .\" is |
| .\" .BR PR_SET_MM , |
| .\" .I arg3 |
| .\" is |
| .\" .BR PR_SET_MM_EXE_FILE , |
| .\" and the file descriptor passed in |
| .\" .I arg4 |
| .\" is not valid. |
| .\" ========== END FIXME |
| .\" The following can't actually happen, because prctl() in |
| .\" seccomp mode will cause SIGKILL. |
| .\" .TP |
| .\" .B EPERM |
| .\" .I option |
| .\" is |
| .\" .BR PR_SET_SECCOMP , |
| .\" and secure computing mode is already 1. |
| .SH VERSIONS |
| The |
| .BR prctl () |
| system call was introduced in Linux 2.1.57. |
| .\" The library interface was added in glibc 2.0.6 |
| .SH "CONFORMING TO" |
| This call is Linux-specific. |
| IRIX has a |
| .BR prctl () |
| system call (also introduced in Linux 2.1.44 |
| as irix_prctl on the MIPS architecture), |
| with prototype |
| .sp |
| .BI "ptrdiff_t prctl(int " option ", int " arg2 ", int " arg3 ); |
| .sp |
| and options to get the maximum number of processes per user, |
| get the maximum number of processors the calling process can use, |
| find out whether a specified process is currently blocked, |
| get or set the maximum stack size, and so on. |
| .SH "SEE ALSO" |
| .BR signal (2), |
| .BR core (5) |