# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2015-01-23 22:25+0900\n" "PO-Revision-Date: 2015-01-25 07:22+0900\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: TH #: build/C/man2/acct.2:31 build/C/man5/acct.5:25 #, no-wrap msgid "ACCT" msgstr "ACCT" #. type: TH #: build/C/man2/acct.2:31 #, no-wrap msgid "2008-06-16" msgstr "2008-06-16" #. type: TH #: build/C/man2/acct.2:31 build/C/man5/acct.5:25 #: build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 #: build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 #: build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 #: build/C/man2/getpid.2:25 build/C/man2/getpriority.2:45 #: build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 #: build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 #: build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 #: build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 #: build/C/man7/namespaces.7:27 build/C/man7/pid_namespaces.7:27 #: build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 #: build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 #: build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 #: build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 #: build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 #: build/C/man7/user_namespaces.7:27 build/C/man2/seccomp.2:27 #, no-wrap msgid "Linux" msgstr "Linux" #. 
type: TH #: build/C/man2/acct.2:31 build/C/man5/acct.5:25 #: build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 #: build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 #: build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 #: build/C/man2/getpid.2:25 build/C/man2/getpriority.2:45 #: build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 #: build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 #: build/C/man2/getuid.2:26 build/C/man3/group_member.3:25 #: build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 #: build/C/man7/namespaces.7:27 build/C/man7/pid_namespaces.7:27 #: build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 #: build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 #: build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 #: build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 #: build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 #: build/C/man7/user_namespaces.7:27 build/C/man2/seccomp.2:27 #, no-wrap msgid "Linux Programmer's Manual" msgstr "Linux Programmer's Manual" #. 
type: SH #: build/C/man2/acct.2:32 build/C/man5/acct.5:26 #: build/C/man7/capabilities.7:49 build/C/man2/capget.2:16 #: build/C/man7/cpuset.7:26 build/C/man7/credentials.7:28 #: build/C/man2/getgid.2:26 build/C/man2/getgroups.2:32 #: build/C/man2/getpid.2:26 build/C/man2/getpriority.2:46 #: build/C/man2/getresuid.2:29 build/C/man2/getrlimit.2:65 #: build/C/man2/getrusage.2:40 build/C/man2/getsid.2:27 #: build/C/man2/getuid.2:27 build/C/man3/group_member.3:26 #: build/C/man2/iopl.2:34 build/C/man2/ioprio_set.2:25 build/C/man2/ipc.2:26 #: build/C/man7/namespaces.7:28 build/C/man7/pid_namespaces.7:28 #: build/C/man2/seteuid.2:30 build/C/man2/setfsgid.2:32 #: build/C/man2/setfsuid.2:32 build/C/man2/setgid.2:30 #: build/C/man2/setpgid.2:49 build/C/man2/setresuid.2:27 #: build/C/man2/setreuid.2:46 build/C/man2/setsid.2:32 #: build/C/man2/setuid.2:31 build/C/man7/svipc.7:41 build/C/man3/ulimit.3:28 #: build/C/man7/user_namespaces.7:28 build/C/man2/seccomp.2:28 #, no-wrap msgid "NAME" msgstr "名前" #. type: Plain text #: build/C/man2/acct.2:34 msgid "acct - switch process accounting on or off" msgstr "acct - プロセスアカウントのオンとオフを切り換える" #. type: SH #: build/C/man2/acct.2:34 build/C/man5/acct.5:28 build/C/man2/capget.2:18 #: build/C/man2/getgid.2:28 build/C/man2/getgroups.2:34 #: build/C/man2/getpid.2:28 build/C/man2/getpriority.2:48 #: build/C/man2/getresuid.2:31 build/C/man2/getrlimit.2:67 #: build/C/man2/getrusage.2:42 build/C/man2/getsid.2:29 #: build/C/man2/getuid.2:29 build/C/man3/group_member.3:28 #: build/C/man2/iopl.2:36 build/C/man2/ioprio_set.2:27 build/C/man2/ipc.2:28 #: build/C/man2/seteuid.2:32 build/C/man2/setfsgid.2:34 #: build/C/man2/setfsuid.2:34 build/C/man2/setgid.2:32 #: build/C/man2/setpgid.2:51 build/C/man2/setresuid.2:29 #: build/C/man2/setreuid.2:48 build/C/man2/setsid.2:34 #: build/C/man2/setuid.2:33 build/C/man7/svipc.7:43 build/C/man3/ulimit.3:30 #: build/C/man2/seccomp.2:30 #, no-wrap msgid "SYNOPSIS" msgstr "書式" #. 
type: Plain text #: build/C/man2/acct.2:38 #, no-wrap msgid "B<#include Eunistd.hE>\n" msgstr "B<#include Eunistd.hE>\n" #. type: Plain text #: build/C/man2/acct.2:40 #, no-wrap msgid "BIB<);>\n" msgstr "BIB<);>\n" #. type: Plain text #: build/C/man2/acct.2:46 build/C/man2/getgroups.2:48 #: build/C/man2/getrlimit.2:84 build/C/man2/getsid.2:37 #: build/C/man3/group_member.3:36 build/C/man2/seteuid.2:44 #: build/C/man2/setpgid.2:71 build/C/man2/setreuid.2:60 msgid "Feature Test Macro Requirements for glibc (see B(7)):" msgstr "glibc 向けの機能検査マクロの要件 (B(7) 参照):" #. type: Plain text #: build/C/man2/acct.2:50 msgid "B(): _BSD_SOURCE || (_XOPEN_SOURCE && _XOPEN_SOURCE\\ E\\ 500)" msgstr "B(): _BSD_SOURCE || (_XOPEN_SOURCE && _XOPEN_SOURCE\\ E\\ 500)" #. type: SH #: build/C/man2/acct.2:50 build/C/man5/acct.5:30 #: build/C/man7/capabilities.7:51 build/C/man2/capget.2:24 #: build/C/man7/cpuset.7:28 build/C/man7/credentials.7:30 #: build/C/man2/getgid.2:36 build/C/man2/getgroups.2:52 #: build/C/man2/getpid.2:36 build/C/man2/getpriority.2:56 #: build/C/man2/getresuid.2:39 build/C/man2/getrlimit.2:88 #: build/C/man2/getrusage.2:48 build/C/man2/getsid.2:50 #: build/C/man2/getuid.2:37 build/C/man3/group_member.3:40 #: build/C/man2/iopl.2:40 build/C/man2/ioprio_set.2:35 build/C/man2/ipc.2:34 #: build/C/man7/namespaces.7:30 build/C/man7/pid_namespaces.7:30 #: build/C/man2/seteuid.2:53 build/C/man2/setfsgid.2:38 #: build/C/man2/setfsuid.2:38 build/C/man2/setgid.2:38 #: build/C/man2/setpgid.2:100 build/C/man2/setresuid.2:37 #: build/C/man2/setreuid.2:70 build/C/man2/setsid.2:41 #: build/C/man2/setuid.2:39 build/C/man7/svipc.7:49 build/C/man3/ulimit.3:34 #: build/C/man7/user_namespaces.7:30 build/C/man2/seccomp.2:43 #, no-wrap msgid "DESCRIPTION" msgstr "説明" #. type: Plain text #: build/C/man2/acct.2:60 msgid "The B() system call enables or disables process accounting. 
If called with the name of an existing file as its argument, accounting is turned on, and records for each terminating process are appended to I as it terminates. An argument of NULL causes accounting to be turned off." msgstr "B() システムコールは、プロセスアカウントの有効・無効を切り替える。 既存のファイルの名前を引き数に指定して呼び出されたら、 アカウント (account) が有効になり、 終了したプロセスの記録が I に追記される。 NULL を引き数として呼び出されたらアカウントをオフにする。" #. type: SH #: build/C/man2/acct.2:60 build/C/man2/capget.2:160 #: build/C/man2/getgroups.2:92 build/C/man2/getpriority.2:104 #: build/C/man2/getresuid.2:50 build/C/man2/getrlimit.2:461 #: build/C/man2/getrusage.2:188 build/C/man2/getsid.2:58 #: build/C/man3/group_member.3:48 build/C/man2/iopl.2:66 #: build/C/man2/ioprio_set.2:149 build/C/man2/seteuid.2:67 #: build/C/man2/setfsgid.2:68 build/C/man2/setfsuid.2:68 #: build/C/man2/setgid.2:53 build/C/man2/setpgid.2:195 #: build/C/man2/setresuid.2:64 build/C/man2/setreuid.2:93 #: build/C/man2/setsid.2:54 build/C/man2/setuid.2:70 build/C/man3/ulimit.3:67 #: build/C/man2/seccomp.2:342 #, no-wrap msgid "RETURN VALUE" msgstr "返り値" #. type: Plain text #: build/C/man2/acct.2:65 build/C/man2/capget.2:165 #: build/C/man2/getresuid.2:55 build/C/man2/getrusage.2:193 #: build/C/man2/iopl.2:71 build/C/man2/seteuid.2:72 build/C/man2/setgid.2:58 #: build/C/man2/setresuid.2:69 build/C/man2/setreuid.2:98 #: build/C/man2/setuid.2:75 msgid "On success, zero is returned. On error, -1 is returned, and I is set appropriately." msgstr "成功した場合は 0 が返される。エラーの場合は -1 が返され、 I が適切に設定される。" #. 
type: SH #: build/C/man2/acct.2:65 build/C/man2/capget.2:179 build/C/man7/cpuset.7:1100 #: build/C/man2/getgid.2:42 build/C/man2/getgroups.2:106 #: build/C/man2/getpid.2:44 build/C/man2/getpriority.2:117 #: build/C/man2/getresuid.2:55 build/C/man2/getrlimit.2:466 #: build/C/man2/getrusage.2:193 build/C/man2/getsid.2:63 #: build/C/man2/getuid.2:43 build/C/man2/iopl.2:71 #: build/C/man2/ioprio_set.2:169 build/C/man2/seteuid.2:79 #: build/C/man2/setgid.2:58 build/C/man2/setpgid.2:216 #: build/C/man2/setresuid.2:76 build/C/man2/setreuid.2:105 #: build/C/man2/setsid.2:61 build/C/man2/setuid.2:82 build/C/man3/ulimit.3:74 #: build/C/man2/seccomp.2:358 #, no-wrap msgid "ERRORS" msgstr "エラー" #. type: TP #: build/C/man2/acct.2:66 build/C/man7/cpuset.7:1116 #: build/C/man7/cpuset.7:1123 build/C/man7/cpuset.7:1129 #: build/C/man7/cpuset.7:1137 build/C/man7/cpuset.7:1144 #: build/C/man2/getpriority.2:137 build/C/man2/setpgid.2:217 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:77 msgid "Write permission is denied for the specified file, or search permission is denied for one of the directories in the path prefix of I (see also B(7)), or I is not a regular file." msgstr "指定したファイルへの書き込み許可がなく、書き込みが拒否された。 または I のディレクトリ部分の何れかのディレクトリに検索許可がなく拒否された (B(7) も参照すること)。 または I が通常 (regular) のファイルでない。" #. type: TP #: build/C/man2/acct.2:77 build/C/man2/capget.2:180 build/C/man7/cpuset.7:1172 #: build/C/man2/getgroups.2:107 build/C/man2/getresuid.2:56 #: build/C/man2/getrlimit.2:467 build/C/man2/getrusage.2:194 #: build/C/man2/seccomp.2:369 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:81 msgid "I points outside your accessible address space." msgstr "アクセスできるアドレス空間の外を I が指している。" #. type: TP #: build/C/man2/acct.2:81 build/C/man7/cpuset.7:1238 #: build/C/man7/cpuset.7:1246 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:85 msgid "Error writing to the file I." msgstr "I への書き込みにエラーが発生した。" #. 
type: TP #: build/C/man2/acct.2:85 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:89 msgid "I is a directory." msgstr "I がディレクトリである。" #. type: TP #: build/C/man2/acct.2:89 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:93 msgid "Too many symbolic links were encountered in resolving I." msgstr "I の実体にたどり着くまでのシンボリックリンクの数が多すぎる。" #. type: TP #: build/C/man2/acct.2:93 build/C/man7/cpuset.7:1251 #: build/C/man7/cpuset.7:1258 build/C/man7/cpuset.7:1263 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:97 msgid "I was too long." msgstr "I が長すぎる。" #. type: TP #: build/C/man2/acct.2:97 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:100 msgid "The system limit on the total number of open files has been reached." msgstr "オープンされたファイルの総数がシステム制限に達した。" #. type: TP #: build/C/man2/acct.2:100 build/C/man7/cpuset.7:1275 #: build/C/man7/cpuset.7:1280 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:103 msgid "The specified filename does not exist." msgstr "指定されたファイルが存在しない。" #. type: TP #: build/C/man2/acct.2:103 build/C/man7/cpuset.7:1287 #: build/C/man2/getgroups.2:127 build/C/man2/seccomp.2:413 #: build/C/man2/seccomp.2:416 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:106 build/C/man2/getgroups.2:130 #: build/C/man2/seccomp.2:416 msgid "Out of memory." msgstr "メモリー不足。" #. type: TP #: build/C/man2/acct.2:106 build/C/man2/iopl.2:76 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:112 msgid "BSD process accounting has not been enabled when the operating system kernel was compiled. The kernel configuration parameter controlling this feature is B." msgstr "カーネルをコンパイルした時に BSD プロセスアカウントが有効になっていない。 この機能はカーネルのコンフィグの B パラメーターによって制御される。" #. type: TP #: build/C/man2/acct.2:112 build/C/man7/cpuset.7:1314 #, no-wrap msgid "B" msgstr "B" #. 
type: Plain text #: build/C/man2/acct.2:117 msgid "A component used as a directory in I is not in fact a directory." msgstr "I の中でディレクトリとして扱われている要素が、 実際はディレクトリでない。" #. type: TP #: build/C/man2/acct.2:117 build/C/man2/capget.2:191 build/C/man2/capget.2:196 #: build/C/man7/cpuset.7:1319 build/C/man2/getgroups.2:130 #: build/C/man2/getpriority.2:149 build/C/man2/getrlimit.2:483 #: build/C/man2/getrlimit.2:488 build/C/man2/getrlimit.2:496 #: build/C/man2/getsid.2:64 build/C/man2/iopl.2:79 #: build/C/man2/ioprio_set.2:179 build/C/man2/seteuid.2:83 #: build/C/man2/setgid.2:64 build/C/man2/setpgid.2:231 #: build/C/man2/setresuid.2:103 build/C/man2/setreuid.2:132 #: build/C/man2/setsid.2:62 build/C/man2/setuid.2:110 build/C/man3/ulimit.3:75 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:123 msgid "The calling process has insufficient privilege to enable process accounting. On Linux the B capability is required." msgstr "呼び出したプロセスにはプロセスアカウントを有効にするのに十分な特権がない。 Linux では B ケーパビリティ (capability) が必要である。" #. type: TP #: build/C/man2/acct.2:123 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:127 msgid "I refers to a file on a read-only filesystem." msgstr "読み込みだけのファイルシステム上のファイルを I が参照している。" #. type: TP #: build/C/man2/acct.2:127 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:130 msgid "There are no more free file structures or we ran out of memory." msgstr "使用可能なファイル構造体がないか、メモリーが足りない。" #. 
type: SH #: build/C/man2/acct.2:130 build/C/man5/acct.5:153 #: build/C/man7/capabilities.7:1120 build/C/man2/capget.2:218 #: build/C/man7/credentials.7:287 build/C/man2/getgid.2:44 #: build/C/man2/getgroups.2:133 build/C/man2/getpid.2:46 #: build/C/man2/getpriority.2:157 build/C/man2/getresuid.2:67 #: build/C/man2/getrlimit.2:511 build/C/man2/getrusage.2:202 #: build/C/man2/getsid.2:79 build/C/man2/getuid.2:45 #: build/C/man3/group_member.3:55 build/C/man2/iopl.2:87 #: build/C/man2/ioprio_set.2:196 build/C/man2/ipc.2:45 #: build/C/man7/namespaces.7:359 build/C/man7/pid_namespaces.7:351 #: build/C/man2/seteuid.2:99 build/C/man2/setfsgid.2:75 #: build/C/man2/setfsuid.2:75 build/C/man2/setgid.2:71 #: build/C/man2/setpgid.2:250 build/C/man2/setresuid.2:109 #: build/C/man2/setreuid.2:148 build/C/man2/setsid.2:68 #: build/C/man2/setuid.2:117 build/C/man3/ulimit.3:78 #: build/C/man7/user_namespaces.7:645 build/C/man2/seccomp.2:435 #, no-wrap msgid "CONFORMING TO" msgstr "準拠" #. SVr4 documents an EBUSY error condition, but no EISDIR or ENOSYS. #. Also AIX and HP-UX document EBUSY (attempt is made #. to enable accounting when it is already enabled), as does Solaris #. (attempt is made to enable accounting using the same file that is #. currently being used). #. type: Plain text #: build/C/man2/acct.2:137 msgid "SVr4, 4.3BSD (but not POSIX)." msgstr "SVr4, 4.3BSD (POSIX ではない)。" #. 
type: SH #: build/C/man2/acct.2:137 build/C/man5/acct.5:157 #: build/C/man7/capabilities.7:1126 build/C/man2/capget.2:220 #: build/C/man7/cpuset.7:1341 build/C/man7/credentials.7:293 #: build/C/man2/getgid.2:46 build/C/man2/getgroups.2:141 #: build/C/man2/getpid.2:48 build/C/man2/getpriority.2:160 #: build/C/man2/getresuid.2:70 build/C/man2/getrlimit.2:534 #: build/C/man2/getrusage.2:213 build/C/man2/getsid.2:81 #: build/C/man2/getuid.2:47 build/C/man2/iopl.2:91 #: build/C/man2/ioprio_set.2:198 build/C/man2/ipc.2:49 #: build/C/man2/seteuid.2:101 build/C/man2/setfsgid.2:79 #: build/C/man2/setfsuid.2:79 build/C/man2/setgid.2:73 #: build/C/man2/setpgid.2:272 build/C/man2/setresuid.2:112 #: build/C/man2/setreuid.2:154 build/C/man2/setsid.2:70 #: build/C/man2/setuid.2:122 build/C/man7/user_namespaces.7:648 #: build/C/man2/seccomp.2:439 #, no-wrap msgid "NOTES" msgstr "注意" #. type: Plain text #: build/C/man2/acct.2:140 msgid "No accounting is produced for programs running when a system crash occurs. In particular, nonterminating processes are never accounted for." msgstr "システムがクラッシュした時に実行中だったプログラムのアカウントは生成されない。 特に、終了しないプログラムがアカウントされることはない。" #. type: Plain text #: build/C/man2/acct.2:143 msgid "The structure of the records written to the accounting file is described in B(5)." msgstr "アカウント用ファイルに書き込まれるレコードの構造体については B(5) に説明がある。" #. 
type: SH #: build/C/man2/acct.2:143 build/C/man5/acct.5:174 #: build/C/man7/capabilities.7:1183 build/C/man2/capget.2:228 #: build/C/man7/cpuset.7:1488 build/C/man7/credentials.7:304 #: build/C/man2/getgid.2:62 build/C/man2/getgroups.2:178 #: build/C/man2/getpid.2:100 build/C/man2/getpriority.2:232 #: build/C/man2/getresuid.2:86 build/C/man2/getrlimit.2:766 #: build/C/man2/getrusage.2:253 build/C/man2/getsid.2:84 #: build/C/man2/getuid.2:73 build/C/man3/group_member.3:57 #: build/C/man2/iopl.2:100 build/C/man2/ioprio_set.2:346 build/C/man2/ipc.2:57 #: build/C/man7/namespaces.7:364 build/C/man7/pid_namespaces.7:356 #: build/C/man2/seteuid.2:141 build/C/man2/setfsgid.2:123 #: build/C/man2/setfsuid.2:131 build/C/man2/setgid.2:83 #: build/C/man2/setpgid.2:340 build/C/man2/setresuid.2:132 #: build/C/man2/setreuid.2:194 build/C/man2/setsid.2:93 #: build/C/man2/setuid.2:145 build/C/man7/svipc.7:335 build/C/man3/ulimit.3:83 #: build/C/man7/user_namespaces.7:1011 build/C/man2/seccomp.2:662 #, no-wrap msgid "SEE ALSO" msgstr "関連項目" #. type: Plain text #: build/C/man2/acct.2:145 msgid "B(5)" msgstr "B(5)" #. 
type: SH #: build/C/man2/acct.2:145 build/C/man5/acct.5:179 #: build/C/man7/capabilities.7:1205 build/C/man2/capget.2:232 #: build/C/man7/cpuset.7:1506 build/C/man7/credentials.7:340 #: build/C/man2/getgid.2:67 build/C/man2/getgroups.2:186 #: build/C/man2/getpid.2:111 build/C/man2/getpriority.2:241 #: build/C/man2/getresuid.2:92 build/C/man2/getrlimit.2:784 #: build/C/man2/getrusage.2:260 build/C/man2/getsid.2:88 #: build/C/man2/getuid.2:78 build/C/man3/group_member.3:62 #: build/C/man2/iopl.2:104 build/C/man2/ioprio_set.2:354 build/C/man2/ipc.2:70 #: build/C/man7/namespaces.7:377 build/C/man7/pid_namespaces.7:365 #: build/C/man2/seteuid.2:149 build/C/man2/setfsgid.2:128 #: build/C/man2/setfsuid.2:136 build/C/man2/setgid.2:90 #: build/C/man2/setpgid.2:347 build/C/man2/setresuid.2:142 #: build/C/man2/setreuid.2:203 build/C/man2/setsid.2:100 #: build/C/man2/setuid.2:153 build/C/man7/svipc.7:353 build/C/man3/ulimit.3:88 #: build/C/man7/user_namespaces.7:1027 build/C/man2/seccomp.2:679 #, no-wrap msgid "COLOPHON" msgstr "この文書について" #. 
type: Plain text #: build/C/man2/acct.2:153 build/C/man5/acct.5:187 #: build/C/man7/capabilities.7:1213 build/C/man2/capget.2:240 #: build/C/man7/cpuset.7:1514 build/C/man7/credentials.7:348 #: build/C/man2/getgid.2:75 build/C/man2/getgroups.2:194 #: build/C/man2/getpid.2:119 build/C/man2/getpriority.2:249 #: build/C/man2/getresuid.2:100 build/C/man2/getrlimit.2:792 #: build/C/man2/getrusage.2:268 build/C/man2/getsid.2:96 #: build/C/man2/getuid.2:86 build/C/man3/group_member.3:70 #: build/C/man2/iopl.2:112 build/C/man2/ioprio_set.2:362 build/C/man2/ipc.2:78 #: build/C/man7/namespaces.7:385 build/C/man7/pid_namespaces.7:373 #: build/C/man2/seteuid.2:157 build/C/man2/setfsgid.2:136 #: build/C/man2/setfsuid.2:144 build/C/man2/setgid.2:98 #: build/C/man2/setpgid.2:355 build/C/man2/setresuid.2:150 #: build/C/man2/setreuid.2:211 build/C/man2/setsid.2:108 #: build/C/man2/setuid.2:161 build/C/man7/svipc.7:361 build/C/man3/ulimit.3:96 #: build/C/man7/user_namespaces.7:1035 build/C/man2/seccomp.2:687 msgid "This page is part of release 3.78 of the Linux I project. A description of the project, information about reporting bugs, and the latest version of this page, can be found at \\%http://www.kernel.org/doc/man-pages/." msgstr "" "この man ページは Linux I プロジェクトのリリース 3.78 の一部\n" "である。プロジェクトの説明とバグ報告に関する情報は\n" "http://www.kernel.org/doc/man-pages/ に書かれている。" #. type: TH #: build/C/man5/acct.5:25 #, no-wrap msgid "2008-06-15" msgstr "2008-06-15" #. type: Plain text #: build/C/man5/acct.5:28 msgid "acct - process accounting file" msgstr "acct - プロセスアカウンティングファイル" #. type: Plain text #: build/C/man5/acct.5:30 msgid "B<#include Esys/acct.hE>" msgstr "B<#include Esys/acct.hE>" #. type: Plain text #: build/C/man5/acct.5:36 msgid "If the kernel is built with the process accounting option enabled (B), then calling B(2) starts process accounting, for example:" msgstr "カーネルがプロセスアカウンティングのオプション (B) を有効にして作成されていると、以下のように B(2) を呼び出すとプロセスアカウンティングが開始される。" #. 
type: Plain text #: build/C/man5/acct.5:39 msgid "acct(\"/var/log/pacct\");" msgstr "acct(\"/var/log/pacct\");" #. type: Plain text #: build/C/man5/acct.5:47 msgid "When process accounting is enabled, the kernel writes a record to the accounting file as each process on the system terminates. This record contains information about the terminated process, and is defined in Isys/acct.hE> as follows:" msgstr "プロセスアカウンティングが有効になっていると、カーネルは システム上の各プロセスが終了するたびにアカウンティングファイルに レコードを書き込む。 このレコードは、終了したプロセスに関する情報を保持するもので、 Isys/acct.hE> で以下のように定義されている。" #. type: Plain text #: build/C/man5/acct.5:51 #, no-wrap msgid "#define ACCT_COMM 16\n" msgstr "#define ACCT_COMM 16\n" #. type: Plain text #: build/C/man5/acct.5:53 #, no-wrap msgid "typedef u_int16_t comp_t;\n" msgstr "typedef u_int16_t comp_t;\n" #. type: Plain text #: build/C/man5/acct.5:77 #, no-wrap msgid "" "struct acct {\n" " char ac_flag; /* Accounting flags */\n" " u_int16_t ac_uid; /* Accounting user ID */\n" " u_int16_t ac_gid; /* Accounting group ID */\n" " u_int16_t ac_tty; /* Controlling terminal */\n" " u_int32_t ac_btime; /* Process creation time\n" " (seconds since the Epoch) */\n" " comp_t ac_utime; /* User CPU time */\n" " comp_t ac_stime; /* System CPU time */\n" " comp_t ac_etime; /* Elapsed time */\n" " comp_t ac_mem; /* Average memory usage (kB) */\n" " comp_t ac_io; /* Characters transferred (unused) */\n" " comp_t ac_rw; /* Blocks read or written (unused) */\n" " comp_t ac_minflt; /* Minor page faults */\n" " comp_t ac_majflt; /* Major page faults */\n" " comp_t ac_swaps; /* Number of swaps (unused) */\n" " u_int32_t ac_exitcode; /* Process termination status\n" " (see wait(2)) */\n" " char ac_comm[ACCT_COMM+1];\n" " /* Command name (basename of last\n" " executed command; null-terminated) */\n" " char ac_pad[I]; /* padding bytes */\n" "};\n" msgstr "" "struct acct {\n" " char ac_flag; /* Accounting flags */\n" " u_int16_t ac_uid; /* Accounting user ID */\n" " u_int16_t ac_gid; /* Accounting group ID 
*/\n" " u_int16_t ac_tty; /* Controlling terminal */\n" " u_int32_t ac_btime; /* Process creation time\n" " (seconds since the Epoch) */\n" " comp_t ac_utime; /* User CPU time */\n" " comp_t ac_stime; /* System CPU time */\n" " comp_t ac_etime; /* Elapsed time */\n" " comp_t ac_mem; /* Average memory usage (kB) */\n" " comp_t ac_io; /* Characters transferred (unused) */\n" " comp_t ac_rw; /* Blocks read or written (unused) */\n" " comp_t ac_minflt; /* Minor page faults */\n" " comp_t ac_majflt; /* Major page faults */\n" " comp_t ac_swaps; /* Number of swaps (unused) */\n" " u_int32_t ac_exitcode; /* Process termination status\n" " (see wait(2)) */\n" " char ac_comm[ACCT_COMM+1];\n" " /* Command name (basename of last\n" " executed command; null-terminated) */\n" " char ac_pad[I]; /* padding bytes */\n" "};\n" #. type: Plain text #: build/C/man5/acct.5:84 #, no-wrap msgid "" "enum { /* Bits that may be set in ac_flag field */\n" " AFORK = 0x01, /* Has executed fork, but no exec */\n" " ASU = 0x02, /* Used superuser privileges */\n" " ACORE = 0x08, /* Dumped core */\n" " AXSIG = 0x10 /* Killed by a signal */\n" "};\n" msgstr "" "enum { /* Bits that may be set in ac_flag field */\n" " AFORK = 0x01, /* Has executed fork, but no exec */\n" " ASU = 0x02, /* Used superuser privileges */\n" " ACORE = 0x08, /* Dumped core */\n" " AXSIG = 0x10 /* Killed by a signal */\n" "};\n" #. type: Plain text #: build/C/man5/acct.5:94 msgid "The I data type is a floating-point value consisting of a 3-bit, base-8 exponent, and a 13-bit mantissa. A value, I, of this type can be converted to a (long) integer as follows:" msgstr "データ型 I は浮動小数点値で、3 ビット幅の基数が 8 の指数部と 13 ビット幅の仮数部から 構成される。 I 型の値 I は以下のようにして (long 型の) 整数に変換できる。" #. type: Plain text #: build/C/man5/acct.5:97 #, no-wrap msgid " v = (c & 0x1fff) EE (((c EE 13) & 0x7) * 3);\n" msgstr " v = (c & 0x1fff) EE (((c EE 13) & 0x7) * 3);\n" #. 
type: Plain text #: build/C/man5/acct.5:107 msgid "The I, I, and I fields measure time in \"clock ticks\"; divide these values by I to convert them to seconds." msgstr "フィールド I, I, I は \"clock ticks\" 単位で計測した時間である。 これらの値を I で割ると、秒に変換できる。" #. type: SS #: build/C/man5/acct.5:107 #, no-wrap msgid "Version 3 accounting file format" msgstr "バージョン 3 のアカウンティングファイルのフォーマット" #. type: Plain text #: build/C/man5/acct.5:122 msgid "Since kernel 2.6.8, an optional alternative version of the accounting file can be produced if the B option is set when building the kernel. With this option is set, the records written to the accounting file contain additional fields, and the width of I and I fields is widened from 16 to 32 bits (in line with the increased size of UID and GIDs in Linux 2.4 and later). The records are defined as follows:" msgstr "カーネル 2.6.8 以降では、 別のバージョンのアカウンティングファイルを生成することができ、 これを使うにはカーネル構築時に B オプションが有効になっている必要がある。 このオプションが設定されると、アカウンティングファイルに書き込まれる レコードにフィールドが追加される。 また、フィールド I と I の幅が 16 ビットから 32 ビットに拡張される (これは Linux 2.4 以降で UID と GID のサイズが増えているのに 対応したものである)。 このレコードは以下のように定義されている。" #. 
type: Plain text #: build/C/man5/acct.5:147 #, no-wrap msgid "" "struct acct_v3 {\n" " char ac_flag; /* Flags */\n" " char ac_version; /* Always set to ACCT_VERSION (3) */\n" " u_int16_t ac_tty; /* Controlling terminal */\n" " u_int32_t ac_exitcode; /* Process termination status */\n" " u_int32_t ac_uid; /* Real user ID */\n" " u_int32_t ac_gid; /* Real group ID */\n" " u_int32_t ac_pid; /* Process ID */\n" " u_int32_t ac_ppid; /* Parent process ID */\n" " u_int32_t ac_btime; /* Process creation time */\n" " float ac_etime; /* Elapsed time */\n" " comp_t ac_utime; /* User CPU time */\n" " comp_t ac_stime; /* System time */\n" " comp_t ac_mem; /* Average memory usage (kB) */\n" " comp_t ac_io; /* Characters transferred (unused) */\n" " comp_t ac_rw; /* Blocks read or written\n" " (unused) */\n" " comp_t ac_minflt; /* Minor page faults */\n" " comp_t ac_majflt; /* Major page faults */\n" " comp_t ac_swaps; /* Number of swaps (unused) */\n" " char ac_comm[ACCT_COMM]; /* Command name */\n" "};\n" msgstr "" "struct acct_v3 {\n" " char ac_flag; /* Flags */\n" " char ac_version; /* Always set to ACCT_VERSION (3) */\n" " u_int16_t ac_tty; /* Controlling terminal */\n" " u_int32_t ac_exitcode; /* Process termination status */\n" " u_int32_t ac_uid; /* Real user ID */\n" " u_int32_t ac_gid; /* Real group ID */\n" " u_int32_t ac_pid; /* Process ID */\n" " u_int32_t ac_ppid; /* Parent process ID */\n" " u_int32_t ac_btime; /* Process creation time */\n" " float ac_etime; /* Elapsed time */\n" " comp_t ac_utime; /* User CPU time */\n" " comp_t ac_stime; /* System time */\n" " comp_t ac_mem; /* Average memory usage (kB) */\n" " comp_t ac_io; /* Characters transferred (unused) */\n" " comp_t ac_rw; /* Blocks read or written\n" " (unused) */\n" " comp_t ac_minflt; /* Minor page faults */\n" " comp_t ac_majflt; /* Major page faults */\n" " comp_t ac_swaps; /* Number of swaps (unused) */\n" " char ac_comm[ACCT_COMM]; /* Command name */\n" "};\n" #. 
type: SH #: build/C/man5/acct.5:149 build/C/man7/cpuset.7:1338 #: build/C/man2/getresuid.2:60 build/C/man2/getrlimit.2:506 #: build/C/man2/getsid.2:75 build/C/man2/ioprio_set.2:193 #: build/C/man2/setfsgid.2:71 build/C/man2/setfsuid.2:71 #: build/C/man2/setresuid.2:107 build/C/man2/seccomp.2:430 #, no-wrap msgid "VERSIONS" msgstr "バージョン" #. type: Plain text #: build/C/man5/acct.5:153 msgid "The I structure is defined in glibc since version 2.6." msgstr "I 構造体はバージョン 2.6 以降の glibc で定義されている。" #. type: Plain text #: build/C/man5/acct.5:157 msgid "Process accounting originated on BSD. Although it is present on most systems, it is not standardized, and the details vary somewhat between systems." msgstr "プロセスアカウンティングは BSD 由来である。 この機能はほとんどのシステムに存在するが、標準化されておらず、 その詳細はシステムによりいくらか異なる。" #. type: Plain text #: build/C/man5/acct.5:160 msgid "Records in the accounting file are ordered by termination time of the process." msgstr "アカウンティングファイルのレコードは、プロセスの終了時刻の順序となる。" #. type: Plain text #: build/C/man5/acct.5:167 msgid "In kernels up to and including 2.6.9, a separate accounting record is written for each thread created using the NPTL threading library; since Linux 2.6.10, a single accounting record is written for the entire process on termination of the last thread in the process." msgstr "バージョン 2.6.9 以前のカーネルでは、 NPTL スレッドライブラリを使って作成されたスレッドでは スレッド毎に別々のアカウンティングレコードが書き込まれていた。 Linux 2.6.10 以降では、プロセス内の最後のスレッドが終了すると、 プロセス全体についてのアカウンティングレコードが一つだけ書き込まれる。" #. type: Plain text #: build/C/man5/acct.5:174 msgid "The I file, described in B(5), defines settings that control the behavior of process accounting when disk space runs low." msgstr "I ファイル (B(5) で説明されている) は、ディスク容量の残りが少なくなった際の プロセスアカウンティングの動作を制御する設定を保持している。" #. type: Plain text #: build/C/man5/acct.5:179 msgid "B(1), B(2), B(8), B(8)" msgstr "B(1), B(2), B(8), B(8)" #. type: TH #: build/C/man7/capabilities.7:48 #, no-wrap msgid "CAPABILITIES" msgstr "CAPABILITIES" #. 
type: TH #: build/C/man7/capabilities.7:48 build/C/man2/getpid.2:25 #: build/C/man7/namespaces.7:27 build/C/man2/seteuid.2:29 #: build/C/man2/setgid.2:29 build/C/man2/setresuid.2:26 #: build/C/man2/setreuid.2:45 build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 #: build/C/man7/user_namespaces.7:27 #, no-wrap msgid "2014-09-21" msgstr "2014-09-21" #. type: Plain text #: build/C/man7/capabilities.7:51 msgid "capabilities - overview of Linux capabilities" msgstr "capabilities - Linux のケーパビリティ (capability) の概要" #. type: Plain text #: build/C/man7/capabilities.7:63 msgid "For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: I processes (whose effective user ID is 0, referred to as superuser or root), and I processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list)." msgstr "権限のチェックを行う観点から見ると、伝統的な UNIX の実装では プロセスは二つのカテゴリに分類できる: I<特権> プロセス (実効ユーザーID が 0 のプロセス。ユーザーID 0 は スーパーユーザーや root と呼ばれる) と I<非特権> プロセス (実効ユーザーID が 0 以外のプロセス) である。 非特権プロセスでは、プロセスの資格情報 (通常は、実効UID 、実効GID と追加のグループリスト) に基づく権限チェックが行われるのに対し、 特権プロセスでは全てのカーネルの権限チェックがバイパスされる。" #. type: Plain text #: build/C/man7/capabilities.7:70 msgid "Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as I, which can be independently enabled and disabled. Capabilities are a per-thread attribute." msgstr "バージョン 2.2 以降の Linux では、 これまでスーパーユーザーに結び付けられてきた権限を、 いくつかのグループに分割している。これらのグループは I<ケーパビリティ>(capability) と呼ばれ、グループ毎に独立に有効、無効を設定できる。 ケーパビリティはスレッド単位の属性である。" #. type: SS #: build/C/man7/capabilities.7:70 #, no-wrap msgid "Capabilities list" msgstr "ケーパビリティのリスト" #. 
type: Plain text #: build/C/man7/capabilities.7:73 msgid "The following list shows the capabilities implemented on Linux, and the operations or behaviors that each capability permits:" msgstr "以下のリストは、 Linux で実装されているケーパビリティと 各ケーパビリティが許可する操作と動作をまとめたものである。" #. type: TP #: build/C/man7/capabilities.7:73 #, no-wrap msgid "B (since Linux 2.6.11)" msgstr "B (Linux 2.6.11 以降)" #. type: Plain text #: build/C/man7/capabilities.7:77 msgid "Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules." msgstr "カーネル監査 (audit) の有効無効の切り替え、 監査のフィルタルールの変更、 監査の状況やフィルタルールの取得ができる。" #. type: TP #: build/C/man7/capabilities.7:77 #, no-wrap msgid "B (since Linux 3.16)" msgstr "B (Linux 3.16 以降)" #. commit a29b694aa1739f9d76538e34ae25524f9c549d59 #. commit 3a101b8de0d39403b2c7e5c23fd0b005668acf48 #. type: Plain text #: build/C/man7/capabilities.7:82 msgid "Allow reading the audit log via a multicast netlink socket." msgstr "マルチキャスト netlink ソケット経由で監査ログの読み出しができる。" #. type: TP #: build/C/man7/capabilities.7:82 #, no-wrap msgid "B (since Linux 2.6.11)" msgstr "B (Linux 2.6.11 以降)" #. type: Plain text #: build/C/man7/capabilities.7:85 msgid "Write records to kernel auditing log." msgstr "カーネル監査のログにレコードを書き込む。" #. type: TP #: build/C/man7/capabilities.7:85 #, no-wrap msgid "B (since Linux 3.5)" msgstr "B (Linux 3.5 以降)" #. type: Plain text #: build/C/man7/capabilities.7:91 msgid "Employ features that can block system suspend (B(7) B, I)." msgstr "システムのサスペンドをブロックできる機能を使用する (B(7) B, I)。" #. type: TP #: build/C/man7/capabilities.7:91 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:95 msgid "Make arbitrary changes to file UIDs and GIDs (see B(2))." msgstr "ファイルの UID とGID を任意に変更する (B(2) 参照)。" #. type: TP #: build/C/man7/capabilities.7:95 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:99 msgid "Bypass file read, write, and execute permission checks. 
(DAC is an abbreviation of \"discretionary access control\".)" msgstr "ファイルの読み出し、書き込み、実行の権限チェックをバイパスする (DAC は \"discretionary access control (任意のアクセス制御)\" の略である)。" #. type: TP #: build/C/man7/capabilities.7:99 #, no-wrap msgid "B" msgstr "B" #. type: IP #: build/C/man7/capabilities.7:103 build/C/man7/capabilities.7:106 #: build/C/man7/capabilities.7:116 build/C/man7/capabilities.7:126 #: build/C/man7/capabilities.7:130 build/C/man7/capabilities.7:132 #: build/C/man7/capabilities.7:134 build/C/man7/capabilities.7:204 #: build/C/man7/capabilities.7:206 build/C/man7/capabilities.7:208 #: build/C/man7/capabilities.7:210 build/C/man7/capabilities.7:212 #: build/C/man7/capabilities.7:214 build/C/man7/capabilities.7:216 #: build/C/man7/capabilities.7:218 build/C/man7/capabilities.7:220 #: build/C/man7/capabilities.7:244 build/C/man7/capabilities.7:246 #: build/C/man7/capabilities.7:296 build/C/man7/capabilities.7:306 #: build/C/man7/capabilities.7:312 build/C/man7/capabilities.7:317 #: build/C/man7/capabilities.7:323 build/C/man7/capabilities.7:327 #: build/C/man7/capabilities.7:334 build/C/man7/capabilities.7:337 #: build/C/man7/capabilities.7:345 build/C/man7/capabilities.7:347 #: build/C/man7/capabilities.7:356 build/C/man7/capabilities.7:365 #: build/C/man7/capabilities.7:368 build/C/man7/capabilities.7:372 #: build/C/man7/capabilities.7:380 build/C/man7/capabilities.7:383 #: build/C/man7/capabilities.7:390 build/C/man7/capabilities.7:395 #: build/C/man7/capabilities.7:401 build/C/man7/capabilities.7:405 #: build/C/man7/capabilities.7:409 build/C/man7/capabilities.7:413 #: build/C/man7/capabilities.7:417 build/C/man7/capabilities.7:444 #: build/C/man7/capabilities.7:449 build/C/man7/capabilities.7:455 #: build/C/man7/capabilities.7:458 build/C/man7/capabilities.7:461 #: build/C/man7/capabilities.7:471 build/C/man7/capabilities.7:475 #: build/C/man7/capabilities.7:492 build/C/man7/capabilities.7:495 #: build/C/man7/capabilities.7:499 build/C/man7/capabilities.7:504 #: 
build/C/man7/capabilities.7:513 build/C/man7/capabilities.7:518 #: build/C/man7/capabilities.7:521 build/C/man7/capabilities.7:526 #: build/C/man7/capabilities.7:529 build/C/man7/capabilities.7:532 #: build/C/man7/capabilities.7:535 build/C/man7/capabilities.7:538 #: build/C/man7/capabilities.7:543 build/C/man7/capabilities.7:545 #: build/C/man7/capabilities.7:551 build/C/man7/capabilities.7:559 #: build/C/man7/capabilities.7:561 build/C/man7/capabilities.7:565 #: build/C/man7/capabilities.7:567 build/C/man7/capabilities.7:570 #: build/C/man7/capabilities.7:574 build/C/man7/capabilities.7:576 #: build/C/man7/capabilities.7:578 build/C/man7/capabilities.7:580 #: build/C/man7/capabilities.7:589 build/C/man7/capabilities.7:596 #: build/C/man7/capabilities.7:601 build/C/man7/capabilities.7:606 #: build/C/man7/capabilities.7:611 build/C/man7/capabilities.7:636 #: build/C/man7/capabilities.7:643 build/C/man7/capabilities.7:844 #: build/C/man7/capabilities.7:852 build/C/man7/capabilities.7:1172 #: build/C/man7/capabilities.7:1177 build/C/man7/cpuset.7:540 #: build/C/man7/cpuset.7:545 build/C/man7/cpuset.7:550 #: build/C/man7/cpuset.7:726 build/C/man7/cpuset.7:730 #: build/C/man7/cpuset.7:927 build/C/man7/cpuset.7:930 #: build/C/man7/cpuset.7:934 build/C/man7/cpuset.7:938 #: build/C/man7/cpuset.7:942 build/C/man7/credentials.7:177 #: build/C/man7/credentials.7:183 build/C/man7/credentials.7:195 #: build/C/man7/credentials.7:217 build/C/man7/credentials.7:234 #: build/C/man7/credentials.7:266 build/C/man7/credentials.7:269 #: build/C/man7/credentials.7:280 build/C/man7/credentials.7:283 #: build/C/man2/getrlimit.2:690 build/C/man2/getrlimit.2:693 #: build/C/man7/namespaces.7:212 build/C/man7/namespaces.7:215 #: build/C/man7/namespaces.7:228 build/C/man7/pid_namespaces.7:233 #: build/C/man7/pid_namespaces.7:241 build/C/man7/pid_namespaces.7:252 #: build/C/man7/user_namespaces.7:261 build/C/man7/user_namespaces.7:266 #: build/C/man7/user_namespaces.7:272 
build/C/man7/user_namespaces.7:285 #: build/C/man7/user_namespaces.7:306 build/C/man7/user_namespaces.7:474 #: build/C/man7/user_namespaces.7:477 build/C/man7/user_namespaces.7:479 #: build/C/man7/user_namespaces.7:492 build/C/man7/user_namespaces.7:505 #: build/C/man7/user_namespaces.7:532 build/C/man7/user_namespaces.7:541 #: build/C/man2/seccomp.2:265 build/C/man2/seccomp.2:269 #: build/C/man2/seccomp.2:272 build/C/man2/seccomp.2:277 #: build/C/man2/seccomp.2:281 build/C/man2/seccomp.2:455 #: build/C/man2/seccomp.2:463 build/C/man2/seccomp.2:469 #, no-wrap msgid "*" msgstr "*" #. type: Plain text #: build/C/man7/capabilities.7:106 msgid "Bypass file read permission checks and directory read and execute permission checks;" msgstr "ファイルの読み出し権限のチェックとディレクトリの読み出しと実行 の権限チェックをバイパスする。" #. type: Plain text #: build/C/man7/capabilities.7:109 msgid "Invoke B(2)." msgstr "B(2) を起動する。" #. type: TP #: build/C/man7/capabilities.7:112 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:126 msgid "Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file (e.g., B(2), B(2)), excluding those operations covered by B and B;" msgstr "通常、プロセスのファイルシステム UID がファイルの UID に一致することが 要求される操作 (例えば B(2), B(2)) における権限チェックをバイパスする。 但し、 B か B によりチェックが行われる操作は除く。" #. type: Plain text #: build/C/man7/capabilities.7:130 msgid "set extended file attributes (see B(1)) on arbitrary files;" msgstr "任意のファイルに対して拡張ファイル属性を設定する (B(1) 参照)。" #. type: Plain text #: build/C/man7/capabilities.7:132 msgid "set Access Control Lists (ACLs) on arbitrary files;" msgstr "任意のファイルに対してアクセス制御リスト (ACL) を設定する。" #. type: Plain text #: build/C/man7/capabilities.7:134 msgid "ignore directory sticky bit on file deletion;" msgstr "ファイルの削除の際にディレクトリのスティッキービットを無視する。" #. type: Plain text #: build/C/man7/capabilities.7:141 msgid "specify B for arbitrary files in B(2) and B(2)." msgstr "B(2) や B(2) で任意のファイルに対して B を指定する。" #. 
type: TP #: build/C/man7/capabilities.7:143 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:149 msgid "Don't clear set-user-ID and set-group-ID permission bits when a file is modified; set the set-group-ID bit for a file whose GID does not match the filesystem or any of the supplementary GIDs of the calling process." msgstr "ファイルが変更されたときに set-user-ID とset-group-ID の許可ビットをクリア しない。呼び出し元プロセスのファイルシステム GID と追加の GID のいずれとも GID が一致しないファイルに対して set-group-ID ビットを設定する。" #. type: TP #: build/C/man7/capabilities.7:149 #, no-wrap msgid "B" msgstr "B" #. FIXME . As at Linux 3.2, there are some strange uses of this capability #. in other places; they probably should be replaced with something else. #. type: Plain text #: build/C/man7/capabilities.7:158 msgid "Lock memory (B(2), B(2), B(2), B(2))." msgstr "メモリーのロック (B(2), B(2), B(2), B(2)) を行う。" #. type: TP #: build/C/man7/capabilities.7:158 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:161 msgid "Bypass permission checks for operations on System V IPC objects." msgstr "System V IPC オブジェクトに対する操作に関して権限チェックをバイパスする。" #. type: TP #: build/C/man7/capabilities.7:161 #, no-wrap msgid "B" msgstr "B" #. FIXME . CAP_KILL also has an effect for threads + setting child #. termination signal to other than SIGCHLD: without this #. capability, the termination signal reverts to SIGCHLD #. if the child does an exec(). What is the rationale #. for this? #. type: Plain text #: build/C/man7/capabilities.7:174 msgid "Bypass permission checks for sending signals (see B(2)). This includes use of the B(2) B operation." msgstr "シグナルを送信する際に権限チェックをバイパスする (B(2) 参照)。これには B(2) の B 操作の使用も含まれる。" #. type: TP #: build/C/man7/capabilities.7:174 #, no-wrap msgid "B (since Linux 2.4)" msgstr "B (Linux 2.4 以降)" #. type: Plain text #: build/C/man7/capabilities.7:178 msgid "Establish leases on arbitrary files (see B(2))." msgstr "任意のファイルに対して ファイルリースを設定する (B(2) 参照)。" #. 
type: TP #: build/C/man7/capabilities.7:178 #, no-wrap msgid "B" msgstr "B" #. These attributes are now available on ext2, ext3, Reiserfs, XFS, JFS #. type: Plain text #: build/C/man7/capabilities.7:187 msgid "Set the B and B inode flags (see B(1))." msgstr "inode フラグ B と B を設定する (B(1) 参照)。" #. type: TP #: build/C/man7/capabilities.7:187 #, no-wrap msgid "B (since Linux 2.6.25)" msgstr "B (Linux 2.6.25 以降)" #. type: Plain text #: build/C/man7/capabilities.7:191 msgid "Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM)." msgstr "強制アクセス制御 (MAC) を上書きする。 Smack Linux Security Module (LSM) 用に実装されている。" #. type: TP #: build/C/man7/capabilities.7:191 #, no-wrap msgid "B (since Linux 2.6.25)" msgstr "B (Linux 2.6.25 以降)" #. type: Plain text #: build/C/man7/capabilities.7:195 msgid "Allow MAC configuration or state changes. Implemented for the Smack LSM." msgstr "MAC の設定や状態を変更する。 Smack LSM 用に実装されている。" #. type: TP #: build/C/man7/capabilities.7:195 #, no-wrap msgid "B (since Linux 2.4)" msgstr "B (Linux 2.4 以降)" #. type: Plain text #: build/C/man7/capabilities.7:199 msgid "Create special files using B(2)." msgstr "(Linux 2.4 以降) B(2) を使用してスペシャルファイルを作成する。" #. type: TP #: build/C/man7/capabilities.7:199 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:202 msgid "Perform various network-related operations:" msgstr "各種のネットワーク関係の操作を実行する:" #. type: Plain text #: build/C/man7/capabilities.7:206 msgid "interface configuration;" msgstr "インターフェースの設定" #. type: Plain text #: build/C/man7/capabilities.7:208 msgid "administration of IP firewall, masquerading, and accounting;" msgstr "IP のファイアウォール、マスカレード、アカウンティング" #. type: Plain text #: build/C/man7/capabilities.7:210 msgid "modify routing tables;" msgstr "ルーティングテーブルの変更" #. type: Plain text #: build/C/man7/capabilities.7:212 msgid "bind to any address for transparent proxying;" msgstr "透過的プロキシでの任意のアドレスの割り当て (bind)" #. 
type: Plain text #: build/C/man7/capabilities.7:214 msgid "set type-of-service (TOS)" msgstr "サービス種別 (type-of-service; TOS) のセット" #. type: Plain text #: build/C/man7/capabilities.7:216 msgid "clear driver statistics;" msgstr "ドライバの統計情報のクリア" #. type: Plain text #: build/C/man7/capabilities.7:218 msgid "set promiscuous mode;" msgstr "promiscuous モードをセットする" #. type: Plain text #: build/C/man7/capabilities.7:220 msgid "enabling multicasting;" msgstr "マルチキャストを有効にする" #. type: Plain text #: build/C/man7/capabilities.7:231 msgid "use B(2) to set the following socket options: B, B, B (for a priority outside the range 0 to 6), B, and B." msgstr "" "B(2) を使って以下のソケットオプションを設定する:\n" "B, B, \n" "B (優先度を 0 から 6 以外に設定する場合),\n" "B, and B" #. type: TP #: build/C/man7/capabilities.7:233 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:237 msgid "Bind a socket to Internet domain privileged ports (port numbers less than 1024)." msgstr "インターネットドメインの特権ポート (ポート番号が 1024 番未満) をバインドできる。" #. type: TP #: build/C/man7/capabilities.7:237 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:240 msgid "(Unused) Make socket broadcasts, and listen to multicasts." msgstr "(未使用) ソケットのブロードキャストと、マルチキャストの待ち受けを行う。" #. type: TP #: build/C/man7/capabilities.7:240 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:246 msgid "use RAW and PACKET sockets;" msgstr "RAW ソケットと PACKET ソケットを使用する。" #. type: Plain text #: build/C/man7/capabilities.7:248 msgid "bind to any address for transparent proxying." msgstr "透過的プロキシでの任意のアドレスの割り当て (bind)" #. type: TP #: build/C/man7/capabilities.7:251 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:257 msgid "Make arbitrary manipulations of process GIDs and supplementary GID list; forge GID when passing socket credentials via UNIX domain sockets; write a group ID mapping in a user namespace (see B(7))." 
msgstr "プロセスの GID と追加の GID リストに対する任意の操作を行う。 UNIX ドメインソケット経由でソケットの資格情報 (credential) を渡す際に 偽の GID を渡すことができる。 ユーザー名前空間にグループ ID マッピングを書き込むことができる (B(7) 参照)。" #. type: TP #: build/C/man7/capabilities.7:257 #, no-wrap msgid "B (since Linux 2.6.24)" msgstr "B (Linux 2.6.24 以降)" #. type: Plain text #: build/C/man7/capabilities.7:260 msgid "Set file capabilities." msgstr "ファイルケーパビリティを設定する。" #. type: TP #: build/C/man7/capabilities.7:260 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:271 msgid "If file capabilities are not supported: grant or remove any capability in the caller's permitted capability set to or from any other process. (This property of B is not available when the kernel is configured to support file capabilities, since B has entirely different semantics for such kernels.)" msgstr "ファイルケーパビリティがサポートされていない場合: 呼び出し元が許可されているケーパビリティセットに含まれる任意のケーパビリティを、 他のプロセスに付与したり、削除したりできる。 (カーネルがファイルケーパビリティをサポートしている場合、 B はこの役割を持たない。 なぜなら、ファイルケーパビリティをサポートしているカーネルでは B は全く別の意味を持つからである。)" #. type: Plain text #: build/C/man7/capabilities.7:281 msgid "If file capabilities are supported: add any capability from the calling thread's bounding set to its inheritable set; drop capabilities from the bounding set (via B(2) B); make changes to the I flags." msgstr "ファイルケーパビリティがサポートされている場合: 呼び出し元スレッドのバウンディングセットの任意のケーパビリティを 自身の継承可能ケーパビリティセットに追加できる。 (B(2) B を使って) バウンディングセットからケーパビリティを削除できる。 I フラグを変更できる。" #. type: TP #: build/C/man7/capabilities.7:281 #, no-wrap msgid "B" msgstr "B" #. FIXME CAP_SETUID also an effect in exec(); document this. #. type: Plain text #: build/C/man7/capabilities.7:292 msgid "Make arbitrary manipulations of process UIDs (B(2), B(2), B(2), B(2)); forge UID when passing socket credentials via UNIX domain sockets; write a user ID mapping in a user namespace (see B(7))." msgstr "プロセスの UID に対する任意の操作 (B(2), B(2), B(2), B(2)) を行う。 UNIX ドメインソケット経由でソケットの資格情報 (credential) を渡す際に 偽の UID を渡すことができる。 ユーザー名前空間にユーザー ID マッピングを書き込むことができる (B(7) 参照)。" #. 
type: TP #: build/C/man7/capabilities.7:292 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:306 msgid "Perform a range of system administration operations including: B(2), B(2), B(2), B(2), B(2), B(2), and B(2);" msgstr "以下のシステム管理用の操作を実行する: B(2), B(2), B(2), B(2), B(2), B(2), B(2)." #. type: Plain text #: build/C/man7/capabilities.7:312 msgid "perform privileged B(2) operations (since Linux 2.6.37, B should be used to permit such operations);" msgstr "" "特権が必要な B(2) の操作を実行する\n" "(Linux 2.6.37 以降では、このような操作を許可するには\n" "B を使うべきである)" #. type: Plain text #: build/C/man7/capabilities.7:317 msgid "perform B B(2) command;" msgstr "B B(2) コマンドを実行する。" #. type: Plain text #: build/C/man7/capabilities.7:323 msgid "perform B and B operations on arbitrary System V IPC objects;" msgstr "任意の System V IPC オブジェクトに対する B と B 操作を実行する。" #. type: Plain text #: build/C/man7/capabilities.7:327 build/C/man7/capabilities.7:574 msgid "override B resource limit;" msgstr "B リソース制限を上書きする。" #. type: Plain text #: build/C/man7/capabilities.7:334 msgid "perform operations on I and I Extended Attributes (see B(5));" msgstr "拡張属性 I と I に対する操作を実行する (B(5) 参照)。" #. type: Plain text #: build/C/man7/capabilities.7:337 msgid "use B(2);" msgstr "B(2) を呼び出す。" #. type: Plain text #: build/C/man7/capabilities.7:345 msgid "use B(2) to assign B and (before Linux 2.6.25) B I/O scheduling classes;" msgstr "B(2) を使って I/O スケジューリングクラス B, B を割り当てる (B は Linux 2.6.25 より前のバージョンのみ)。" #. type: Plain text #: build/C/man7/capabilities.7:347 msgid "forge PID when passing socket credentials via UNIX domain sockets;" msgstr "UNIX ドメインソケットでソケットの資格情報 (credential) を渡す際に偽の PID を渡す。" #. type: Plain text #: build/C/man7/capabilities.7:356 msgid "exceed I, the system-wide limit on the number of open files, in system calls that open files (e.g., B(2), B(2), B(2), B(2));" msgstr "ファイルをオープンするシステムコール (例えば B(2), B(2), B(2), B(2)) でシステム全体でオープンできるファイル数の上限 I を超過する。" #. 
type: Plain text #: build/C/man7/capabilities.7:365 msgid "employ B flags that create new namespaces with B(2) and B(2) (but, since Linux 3.8, creating user namespaces does not require any capability);" msgstr "B(2) と B(2) で新しい名前空間を作成する B フラグを利用する (ただし、 Linux 3.8 以降では、ユーザー名前空間の作成にどのケーパビリティも必要としない)。" #. type: Plain text #: build/C/man7/capabilities.7:368 msgid "call B(2);" msgstr "B(2) を呼び出す。" #. type: Plain text #: build/C/man7/capabilities.7:372 msgid "access privileged I event information;" msgstr "特権が必要な I イベントの情報にアクセスする。" #. type: Plain text #: build/C/man7/capabilities.7:380 msgid "call B(2) (requires B in the I namespace);" msgstr "B(2) を呼び出す (I 名前空間での B が必要)。" #. type: Plain text #: build/C/man7/capabilities.7:383 msgid "call B(2);" msgstr "B(2) を呼び出す。" #. type: Plain text #: build/C/man7/capabilities.7:390 msgid "perform B and B B(2) operations;" msgstr "B(2) の B と B 操作を実行する。" #. type: Plain text #: build/C/man7/capabilities.7:395 msgid "perform B(2) B operation;" msgstr "B(2) の B 操作を実行する。" #. type: Plain text #: build/C/man7/capabilities.7:401 msgid "employ the B B(2) to insert characters into the input queue of a terminal other than the caller's controlling terminal;" msgstr "" "B B(2) を使って、\n" "呼び出し元の制御端末以外の端末の入力キューに文字を挿入する。" #. type: Plain text #: build/C/man7/capabilities.7:405 msgid "employ the obsolete B(2) system call;" msgstr "廃止予定の B(2) システムコールを使用する。" #. type: Plain text #: build/C/man7/capabilities.7:409 msgid "employ the obsolete B(2) system call;" msgstr "廃止予定の B(2) システムコールを使用する。" #. type: Plain text #: build/C/man7/capabilities.7:413 msgid "perform various privileged block-device B(2) operations;" msgstr "" "特権が必要なブロックデバイスに対する各種の B(2) 操作を\n" "実行する。" #. type: Plain text #: build/C/man7/capabilities.7:417 msgid "perform various privileged filesystem B(2) operations;" msgstr "" "特権が必要なファイルシステムに対する各種の B(2) 操作を\n" "実行する。" #. type: Plain text #: build/C/man7/capabilities.7:419 msgid "perform administrative operations on many device drivers." 
msgstr "多くのデバイスドライバに対する管理命令を実行する。" #. type: TP #: build/C/man7/capabilities.7:421 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:427 msgid "Use B(2) and B(2)." msgstr "B(2) と B(2) を呼び出す。" #. type: TP #: build/C/man7/capabilities.7:427 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:431 msgid "Use B(2)." msgstr "B(2) を呼び出す。" #. type: TP #: build/C/man7/capabilities.7:431 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:440 msgid "Load and unload kernel modules (see B(2) and B(2)); in kernels before 2.6.25: drop capabilities from the system-wide capability bounding set." msgstr "カーネルモジュールのロード、アンロードを行う (B(2) と B(2) を参照のこと)。 バージョン 2.6.25 より前のカーネルで、 システム全体のケーパビリティバウンディングセット (capability bounding set) からケーパビリティを外す。" #. type: TP #: build/C/man7/capabilities.7:440 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:449 msgid "Raise process nice value (B(2), B(2)) and change the nice value for arbitrary processes;" msgstr "プロセスの nice 値の引き上げ (B(2), B(2)) や、任意のプロセスの nice 値の変更を行う。" #. type: Plain text #: build/C/man7/capabilities.7:455 msgid "set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (B(2), B(2), B(2));" msgstr "呼び出し元プロセスに対するリアルタイムスケジューリングポリシーと、 任意のプロセスに対するスケジューリングポリシーと優先度を設定する (B(2), B(2), B(2))。" #. type: Plain text #: build/C/man7/capabilities.7:458 msgid "set CPU affinity for arbitrary processes (B(2));" msgstr "任意のプロセスに対する CPU affinity を設定できる (B(2))。" #. type: Plain text #: build/C/man7/capabilities.7:461 msgid "set I/O scheduling class and priority for arbitrary processes (B(2));" msgstr "任意のプロセスに対して I/O スケジューリングクラスと優先度を設定できる (B(2))。" #. FIXME CAP_SYS_NICE also has the following effect for #. migrate_pages(2): #. do_migrate_pages(mm, &old, &new, #. capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE); #. Document this. #. 
type: Plain text #: build/C/man7/capabilities.7:471 msgid "apply B(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes;" msgstr "B(2) を任意のプロセスに適用し、プロセスを任意のノードに移動する。" #. type: Plain text #: build/C/man7/capabilities.7:475 msgid "apply B(2) to arbitrary processes;" msgstr "B(2) を任意のプロセスに対して行う。" #. type: Plain text #: build/C/man7/capabilities.7:482 msgid "use the B flag with B(2) and B(2)." msgstr "B(2) と B(2) で B フラグを使用する。" #. type: TP #: build/C/man7/capabilities.7:484 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:488 msgid "Use B(2)." msgstr "B(2) を呼び出す。" #. type: TP #: build/C/man7/capabilities.7:488 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:495 msgid "Trace arbitrary processes using B(2);" msgstr "B(2) を使って任意のプロセスをトレースする。" #. type: Plain text #: build/C/man7/capabilities.7:499 msgid "apply B(2) to arbitrary processes;" msgstr "B(2) を任意のプロセスに対して行う。" #. type: Plain text #: build/C/man7/capabilities.7:504 msgid "transfer data to or from the memory of arbitrary processes using B(2) and B(2)." msgstr "B(2) と B(2) を使って任意のプロセスのメモリーとの間でデータの送受信を行う。" #. type: Plain text #: build/C/man7/capabilities.7:507 msgid "inspect processes using B(2)." msgstr "B(2) を使ってプロセス内部を調査する。" #. type: TP #: build/C/man7/capabilities.7:509 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:518 msgid "Perform I/O port operations (B(2) and B(2));" msgstr "I/O ポート操作を実行する (B(2)、 B(2))。" #. type: Plain text #: build/C/man7/capabilities.7:521 msgid "access I;" msgstr "I にアクセスする。" #. type: Plain text #: build/C/man7/capabilities.7:526 msgid "employ the B B(2) operation;" msgstr "B B(2) 操作を使用する。" #. type: Plain text #: build/C/man7/capabilities.7:529 msgid "open devices for accessing x86 model-specific registers (MSRs, see B(4))" msgstr "x86 モデルに固有のレジスター (MSR レジスター群、 B(4) 参照) にアクセスするためのデバイスをオープンする。" #. 
type: Plain text #: build/C/man7/capabilities.7:532 msgid "update I;" msgstr "I を更新する。" #. type: Plain text #: build/C/man7/capabilities.7:535 msgid "create memory mappings at addresses below the value specified by I;" msgstr "I で指定された値よりも小さなアドレスにメモリーマッピングを作成する。" #. type: Plain text #: build/C/man7/capabilities.7:538 msgid "map files in I;" msgstr "I にあるファイルをマップする。" #. type: Plain text #: build/C/man7/capabilities.7:543 msgid "open I and I;" msgstr "I や I をオープンする。" #. type: Plain text #: build/C/man7/capabilities.7:545 msgid "perform various SCSI device commands;" msgstr "各種の SCSI デバイスコマンドを実行する。" #. type: Plain text #: build/C/man7/capabilities.7:551 msgid "perform certain operations on B(4) and B(4) devices;" msgstr "B(4) デバイスや B(4) デバイスの特定の操作を実行する。" #. type: Plain text #: build/C/man7/capabilities.7:553 msgid "perform a range of device-specific operations on other devices." msgstr "他のデバイスに対して各種のデバイス固有命令を実行する。" #. type: TP #: build/C/man7/capabilities.7:555 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:561 msgid "Use reserved space on ext2 filesystems;" msgstr "ext2 ファイルシステム上の予約されている領域を使用する。" #. type: Plain text #: build/C/man7/capabilities.7:565 msgid "make B(2) calls controlling ext3 journaling;" msgstr "ext3 のジャーナル機能を制御する B(2) を使用する。" #. type: Plain text #: build/C/man7/capabilities.7:567 msgid "override disk quota limits;" msgstr "ディスク quota の上限を上書きする。" #. type: Plain text #: build/C/man7/capabilities.7:570 msgid "increase resource limits (see B(2));" msgstr "リソース上限を増やす (B(2))。" #. type: Plain text #: build/C/man7/capabilities.7:576 msgid "override maximum number of consoles on console allocation;" msgstr "コンソール割り当てにおいてコンソールの最大数を上書きする。" #. type: Plain text #: build/C/man7/capabilities.7:578 msgid "override maximum number of keymaps;" msgstr "キーマップの最大数を上書きする。" #. 
type: Plain text #: build/C/man7/capabilities.7:580 msgid "allow more than 64hz interrupts from the real-time clock;" msgstr "リアルタイムクロックから秒間 64 回を越える回数の割り込みを許可する。" #. type: Plain text #: build/C/man7/capabilities.7:589 msgid "raise I limit for a System V message queue above the limit in I (see B(2) and B(2));" msgstr "" "メッセージキューに関する上限 I を \n" "I に指定されている上限よりも大きく設定する\n" "(B(2) と B(2) 参照)。" #. type: Plain text #: build/C/man7/capabilities.7:596 msgid "override the I limit when setting the capacity of a pipe using the B B(2) command." msgstr "" "B B(2) を使ってパイプの容量を設定する際に\n" "上限 I を上書きする。" #. type: Plain text #: build/C/man7/capabilities.7:601 msgid "use B to increase the capacity of a pipe above the limit specified by I;" msgstr "" "I に指定されている上限を超えてパイプの容量\n" "を増やすのに B を使用する。" #. type: Plain text #: build/C/man7/capabilities.7:606 msgid "override I limit when creating POSIX message queues (see B(7));" msgstr "" "POSIX メッセージキューを作成する際に、\n" "上限 I を上書きする\n" "(B(7) 参照)。" #. type: Plain text #: build/C/man7/capabilities.7:611 msgid "employ B(2) B operation;" msgstr "B(2) B 操作を使用する。" #. type: Plain text #: build/C/man7/capabilities.7:616 msgid "set I to a value lower than the value last set by a process with B." msgstr "B を持ったプロセスによって最後に設定された値よりも小さな値を I に設定する。" #. type: TP #: build/C/man7/capabilities.7:618 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:625 msgid "Set system clock (B(2), B(2), B(2)); set real-time (hardware) clock." msgstr "システムクロックを変更する (B(2), B(2), B(2))。 リアルタイム (ハードウェア) クロックを変更する。" #. type: TP #: build/C/man7/capabilities.7:625 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:632 msgid "Use B(2); employ various privileged B(2) operations on virtual terminals." msgstr "" "B(2) を使用する。\n" "特権が必要な仮想端末に関する各種の B(2) 操作を利用できる。" #. type: TP #: build/C/man7/capabilities.7:632 #, no-wrap msgid "B (since Linux 2.6.37)" msgstr "B (Linux 2.6.37 以降)" #. 
type: Plain text #: build/C/man7/capabilities.7:643 msgid "Perform privileged B(2) operations. See B(2) for information on which operations require privilege." msgstr "" "特権が必要な B(2) 操作を実行できる。\n" "どの操作が特権が必要かについての情報は B(2) を参照。" #. type: Plain text #: build/C/man7/capabilities.7:653 msgid "View kernel addresses exposed via I and other interfaces when I has the value 1. (See the discussion of the I in B(5).)" msgstr "I の値が 1 の場合、 I や他のインターフェース経由で公開されているカーネルアドレスを参照する (B(5) の I の議論を参照)。" #. type: TP #: build/C/man7/capabilities.7:655 #, no-wrap msgid "B (since Linux 3.0)" msgstr "B (Linux 3.0 以降)" #. type: Plain text #: build/C/man7/capabilities.7:663 msgid "Trigger something that will wake up the system (set B and B timers)." msgstr "" "システムを起こすトリガーを有効にする (タイマー B\n" "や B を設定する)。" #. type: SS #: build/C/man7/capabilities.7:663 #, no-wrap msgid "Past and current implementation" msgstr "過去と現在の実装" #. type: Plain text #: build/C/man7/capabilities.7:665 msgid "A full implementation of capabilities requires that:" msgstr "完全な形のケーパビリティを実装するには、以下の要件を満たす必要がある:" #. type: IP #: build/C/man7/capabilities.7:665 build/C/man7/capabilities.7:816 #: build/C/man7/capabilities.7:963 build/C/man7/capabilities.7:1016 #: build/C/man7/user_namespaces.7:173 build/C/man7/user_namespaces.7:515 #, no-wrap msgid "1." msgstr "1." #. type: Plain text #: build/C/man7/capabilities.7:669 msgid "For all privileged operations, the kernel must check whether the thread has the required capability in its effective set." msgstr "全ての特権操作について、カーネルはそのスレッドの実効ケーパビリティセットに 必要なケーパビリティがあるかを確認する。" #. type: IP #: build/C/man7/capabilities.7:669 build/C/man7/capabilities.7:821 #: build/C/man7/capabilities.7:969 build/C/man7/capabilities.7:1022 #: build/C/man7/user_namespaces.7:189 build/C/man7/user_namespaces.7:521 #, no-wrap msgid "2." msgstr "2." #. type: Plain text #: build/C/man7/capabilities.7:672 msgid "The kernel must provide system calls allowing a thread's capability sets to be changed and retrieved." 
msgstr "カーネルで、あるスレッドのケーパビリティセットを変更したり、 取得したりできるシステムコールが提供される。" #. type: IP #: build/C/man7/capabilities.7:672 build/C/man7/capabilities.7:972 #: build/C/man7/capabilities.7:1026 build/C/man7/user_namespaces.7:193 #: build/C/man7/user_namespaces.7:526 #, no-wrap msgid "3." msgstr "3." #. type: Plain text #: build/C/man7/capabilities.7:675 msgid "The filesystem must support attaching capabilities to an executable file, so that a process gains those capabilities when the file is executed." msgstr "ファイルシステムが、実行可能ファイルにケーパビリティを付与でき、ファイル 実行時にそのケーパビリティをプロセスが取得できるような機能をサポートする。" #. type: Plain text #: build/C/man7/capabilities.7:679 msgid "Before kernel 2.6.24, only the first two of these requirements are met; since kernel 2.6.24, all three requirements are met." msgstr "カーネル 2.6.24 より前では、最初の 2つの要件のみが満たされている。 カーネル 2.6.24 以降では、3つの要件すべてが満たされている。" #. type: SS #: build/C/man7/capabilities.7:679 #, no-wrap msgid "Thread capability sets" msgstr "スレッドケーパビリティセット" #. type: Plain text #: build/C/man7/capabilities.7:682 msgid "Each thread has three capability sets containing zero or more of the above capabilities:" msgstr "各スレッドは以下の 3種類のケーパビリティセットを持つ。各々のケーパビリティセットは 上記のケーパビリティの組み合わせである (全てのケーパビリティが無効でもよい)。" #. type: TP #: build/C/man7/capabilities.7:682 #, no-wrap msgid "I:" msgstr "I<許可 (permitted)>:" #. type: Plain text #: build/C/man7/capabilities.7:690 msgid "This is a limiting superset for the effective capabilities that the thread may assume. It is also a limiting superset for the capabilities that may be added to the inheritable set by a thread that does not have the B capability in its effective set." msgstr "そのスレッドが持つことになっている実効ケーパビリティの 限定的なスーパーセットである。 これは、実効ケーパビリティセットに B ケーパビリティを持っていないスレッドが継承可能ケーパビリティセットに 追加可能なケーパビリティの限定的なスーパーセットでもある。" #. 
type: Plain text #: build/C/man7/capabilities.7:696 msgid "If a thread drops a capability from its permitted set, it can never reacquire that capability (unless it B(2)s either a set-user-ID-root program, or a program whose associated file capabilities grant that capability)." msgstr "許可ケーパビリティセットから削除してしまったケーパビリティは、 (set-user-ID-root プログラムか、 そのケーパビリティをファイルケーパビリティで許可しているプログラムを B(2) しない限りは) もう一度獲得することはできない。" #. type: TP #: build/C/man7/capabilities.7:696 #, no-wrap msgid "I:" msgstr "I<継承可能 (inheritable)>:" #. type: Plain text #: build/C/man7/capabilities.7:703 msgid "This is a set of capabilities preserved across an B(2). It provides a mechanism for a process to assign capabilities to the permitted set of the new program during an B(2)." msgstr "B(2) の前後で保持されるケーパビリティセットである。 この仕組みを使うことで、あるプロセスが B(2) を行う際に新しいプログラムの許可ケーパビリティセットとして 割り当てるケーパビリティを指定することができる。" #. type: TP #: build/C/man7/capabilities.7:703 build/C/man7/capabilities.7:753 #, no-wrap msgid "I:" msgstr "I<実効 (effective)>:" #. type: Plain text #: build/C/man7/capabilities.7:707 msgid "This is the set of capabilities used by the kernel to perform permission checks for the thread." msgstr "カーネルがスレッドの権限 (permission) をチェックするときに 使用するケーパビリティセットである。" #. type: Plain text #: build/C/man7/capabilities.7:713 msgid "A child created via B(2) inherits copies of its parent's capability sets. See below for a discussion of the treatment of capabilities during B(2)." msgstr "B(2) で作成される子プロセスは、親のケーパビリティセットのコピーを継承する。 B(2) 中のケーパビリティの扱いについては下記を参照のこと。" #. type: Plain text #: build/C/man7/capabilities.7:717 msgid "Using B(2), a thread may manipulate its own capability sets (see below)." msgstr "B(2) を使うと、スレッドは自分自身のケーパビリティセット を操作することができる (下記参照)。" #. commit 73efc0394e148d0e15583e13712637831f926720 #. 
type: Plain text #: build/C/man7/capabilities.7:726 msgid "Since Linux 3.2, the file I exposes the numerical value of the highest capability supported by the running kernel; this can be used to determine the highest bit that may be set in a capability set." msgstr "Linux 3.2 以降では、 ファイル I で、 実行中のカーネルでサポートされているケーパビリティの最大値を参照できる。 この情報を使って、 ケーパビリティセットに設定される可能性がある最上位ビットを判定することができる。" #. type: SS #: build/C/man7/capabilities.7:726 #, no-wrap msgid "File capabilities" msgstr "ファイルケーパビリティ" #. type: Plain text #: build/C/man7/capabilities.7:741 msgid "Since kernel 2.6.24, the kernel supports associating capability sets with an executable file using B(8). The file capability sets are stored in an extended attribute (see B(2)) named I. Writing to this extended attribute requires the B capability. The file capability sets, in conjunction with the capability sets of the thread, determine the capabilities of a thread after an B(2)." msgstr "カーネル 2.6.24 以降では、 B(8) を使って実行ファイルにケーパビリティセットを対応付けることができる。 ファイルケーパビリティセットは I という名前の拡張属性に保存される (B(2) 参照)。この拡張属性への書き込みには B ケーパビリティが必要である。 ファイルケーパビリティセットとスレッドのケーパビリティセットの両方が 考慮され、 B(2) 後のスレッドのケーパビリティセットが決定される。" #. type: Plain text #: build/C/man7/capabilities.7:743 msgid "The three file capability sets are:" msgstr "3 つのファイルケーパビリティセットが定義されている。" #. type: TP #: build/C/man7/capabilities.7:743 #, no-wrap msgid "I (formerly known as I):" msgstr "I<許可 (Permitted)> (以前のI<強制 (Forced)>):" #. type: Plain text #: build/C/man7/capabilities.7:747 msgid "These capabilities are automatically permitted to the thread, regardless of the thread's inheritable capabilities." msgstr "スレッドの継承可能ケーパビリティに関わらず、そのスレッドに自動的に 認められるケーパビリティ。" #. type: TP #: build/C/man7/capabilities.7:747 #, no-wrap msgid "I (formerly known as I):" msgstr "I<継承可能 (Inheritable)> (以前の I<許容 (Allowed)>):" #. 
type: Plain text #: build/C/man7/capabilities.7:753 msgid "This set is ANDed with the thread's inheritable set to determine which inheritable capabilities are enabled in the permitted set of the thread after the B(2)." msgstr "このセットと、スレッドの継承可能ケーパビリティセットとの 論理積 (AND) がとられ、 B(2) の後にそのスレッドの許可ケーパビリティセットで有効となる 継承可能ケーパビリティが決定される。" #. type: Plain text #: build/C/man7/capabilities.7:763 msgid "This is not a set, but rather just a single bit. If this bit is set, then during an B(2) all of the new permitted capabilities for the thread are also raised in the effective set. If this bit is not set, then after an B(2), none of the new permitted capabilities is in the new effective set." msgstr "これは集合ではなく、1 ビットの情報である。 このビットがセットされていると、 B(2) 実行中に、そのスレッドの新しい許可ケーパビリティが全て 実効ケーパビリティ集合においてもセットされる。 このビットがセットされていない場合、 B(2) 後には新しい許可ケーパビリティのどれも新しい実効ケーパビリティ集合 にセットされない。" #. type: Plain text #: build/C/man7/capabilities.7:779 msgid "Enabling the file effective capability bit implies that any file permitted or inheritable capability that causes a thread to acquire the corresponding permitted capability during an B(2) (see the transformation rules described below) will also acquire that capability in its effective set. Therefore, when assigning capabilities to a file (B(8), B(3), B(3)), if we specify the effective flag as being enabled for any capability, then the effective flag must also be specified as enabled for all other capabilities for which the corresponding permitted or inheritable flags is enabled." msgstr "ファイルの実効ケーパビリティビットを有効にするというのは、 B(2) 実行時に、ファイルの許可ケーパビリティと継承ケーパビリティに対応するものが スレッドの許可ケーパビリティセットとしてセットされるが、 これが実効ケーパビリティセットにもセットされるということである (ケーパビリティの変換ルールは下記参照)。 したがって、ファイルにケーパビリティを割り当てる際 (B(8), B(3), B(3))、 いずれかのケーパビリティに対して実効フラグを有効と指定する場合、 許可フラグや継承可能フラグを有効にした他の全てのケーパビリティ についても実効フラグを有効と指定しなければならない。" #. type: SS #: build/C/man7/capabilities.7:779 #, no-wrap msgid "Transformation of capabilities during execve()" msgstr "execve() 中のケーパビリティの変換" #. 
type: Plain text #: build/C/man7/capabilities.7:785 msgid "During an B(2), the kernel calculates the new capabilities of the process using the following algorithm:" msgstr "B(2) 実行時に、カーネルはプロセスの新しいケーパビリティを次の アルゴリズムを用いて計算する:" #. type: Plain text #: build/C/man7/capabilities.7:790 #, no-wrap msgid "" "P'(permitted) = (P(inheritable) & F(inheritable)) |\n" " (F(permitted) & cap_bset)\n" msgstr "" "P'(permitted) = (P(inheritable) & F(inheritable)) |\n" " (F(permitted) & cap_bset)\n" #. type: Plain text #: build/C/man7/capabilities.7:792 #, no-wrap msgid "P'(effective) = F(effective) ? P'(permitted) : 0\n" msgstr "P'(effective) = F(effective) ? P'(permitted) : 0\n" #. type: Plain text #: build/C/man7/capabilities.7:794 #, no-wrap msgid "P'(inheritable) = P(inheritable) [i.e., unchanged]\n" msgstr "P'(inheritable) = P(inheritable) [つまり、変更されない]\n" #. type: Plain text #: build/C/man7/capabilities.7:798 msgid "where:" msgstr "各変数の意味は以下の通り:" #. type: IP #: build/C/man7/capabilities.7:799 #, no-wrap msgid "P" msgstr "P" #. type: Plain text #: build/C/man7/capabilities.7:802 msgid "denotes the value of a thread capability set before the B(2)" msgstr "B(2) 前のスレッドのケーパビリティセットの値" #. type: IP #: build/C/man7/capabilities.7:802 #, no-wrap msgid "P'" msgstr "P'" #. type: Plain text #: build/C/man7/capabilities.7:805 msgid "denotes the value of a capability set after the B(2)" msgstr "B(2) 後のスレッドのケーパビリティセットの値" #. type: IP #: build/C/man7/capabilities.7:805 #, no-wrap msgid "F" msgstr "F" #. type: Plain text #: build/C/man7/capabilities.7:807 msgid "denotes a file capability set" msgstr "ファイルケーパビリティセットの値" #. type: IP #: build/C/man7/capabilities.7:807 #, no-wrap msgid "cap_bset" msgstr "cap_bset" #. type: Plain text #: build/C/man7/capabilities.7:809 msgid "is the value of the capability bounding set (described below)." msgstr "ケーパビリティバウンディングセットの値 (下記参照)" #. 
type: SS #: build/C/man7/capabilities.7:811 #, no-wrap msgid "Capabilities and execution of programs by root" msgstr "ケーパビリティと、ルートによるプログラムの実行" #. type: Plain text #: build/C/man7/capabilities.7:816 msgid "In order to provide an all-powerful I using capability sets, during an B(2):" msgstr "B(2) 時に、ケーパビリティセットを使って、全ての権限を持った I を実現するには、以下のようにする。" #. type: Plain text #: build/C/man7/capabilities.7:821 msgid "If a set-user-ID-root program is being executed, or the real user ID of the process is 0 (root) then the file inheritable and permitted sets are defined to be all ones (i.e., all capabilities enabled)." msgstr "set-user-ID-root プログラムが実行される場合、 またはプロセスの実ユーザー ID が 0 (root) の場合、 ファイルの継承可能セットと許可セットを全て 1 (全てのケーパビリティが有効) に定義する。" #. type: Plain text #: build/C/man7/capabilities.7:824 msgid "If a set-user-ID-root program is being executed, then the file effective bit is defined to be one (enabled)." msgstr "set-user-ID-root プログラムが実行される場合、 ファイルの実効ケーパビリティビットを 1 (enabled) に定義する。" #. If a process with real UID 0, and nonzero effective UID does an #. exec(), then it gets all capabilities in its #. permitted set, and no effective capabilities #. type: Plain text #: build/C/man7/capabilities.7:839 msgid "The upshot of the above rules, combined with the capabilities transformations described above, is that when a process B(2)s a set-user-ID-root program, or when a process with an effective UID of 0 B(2)s a program, it gains all capabilities in its permitted and effective capability sets, except those masked out by the capability bounding set. This provides semantics that are the same as those provided by traditional UNIX systems." msgstr "上記のルールにケーパビリティ変換を適用した結果をまとめると、 プロセスが set-user-ID-root プログラムを B(2) する場合、または実効 UID が 0 のプロセスがプログラムを B(2) する場合、許可と実効のケーパビリティセットの全ケーパビリティ (正確には、ケーパビリティバウンディングセットによるマスクで除外されるもの 以外の全てのケーパビリティ) を取得するということである。 これにより、伝統的な UNIX システムと同じ振る舞いができるようになっている。" #. 
type: SS #: build/C/man7/capabilities.7:839 #, no-wrap msgid "Capability bounding set" msgstr "ケーパビリティバウンディングセット" #. type: Plain text #: build/C/man7/capabilities.7:844 msgid "The capability bounding set is a security mechanism that can be used to limit the capabilities that can be gained during an B(2). The bounding set is used in the following ways:" msgstr "ケーパビリティバウンディングセット (capability bounding set) は、 B(2) 時に獲得できるケーパビリティを制限するために使われる セキュリティ機構である。 バウンディングセットは以下のように使用される。" #. type: Plain text #: build/C/man7/capabilities.7:852 msgid "During an B(2), the capability bounding set is ANDed with the file permitted capability set, and the result of this operation is assigned to the thread's permitted capability set. The capability bounding set thus places a limit on the permitted capabilities that may be granted by an executable file." msgstr "B(2) 実行時に、ケーパビリティバウンディングセットと ファイルの許可ケーパビリティセットの論理積 (AND) を取ったものが、 そのスレッドの許可ケーパビリティセットに割り当てられる。 つまり、ケーパビリティバウンディングセットは、 実行ファイルが認めている許可ケーパビリティに対して 制限を課す働きをする。" #. type: Plain text #: build/C/man7/capabilities.7:864 msgid "(Since Linux 2.6.25) The capability bounding set acts as a limiting superset for the capabilities that a thread can add to its inheritable set using B(2). This means that if a capability is not in the bounding set, then a thread can't add this capability to its inheritable set, even if it was in its permitted capabilities, and thereby cannot have this capability preserved in its permitted set when it B(2)s a file that has the capability in its inheritable set." msgstr "(Linux 2.6.25 以降) ケーパビリティバウンディングセットは、スレッドが B(2) により自身の継承可能セットに追加可能なケーパビリティの母集団を 制限する役割を持つ。 スレッドに許可されたケーパビリティであっても、バウンディングセットに 含まれていなければ、スレッドはそのケーパビリティを自身の継承可能セットに 追加できず、その結果、継承可能セットにそのケーパビリティを含むファイルを B(2) する場合、そのケーパビリティを許可セットに持ち続けることができない、 ということである。" #. type: Plain text #: build/C/man7/capabilities.7:871 msgid "Note that the bounding set masks the file permitted capabilities, but not the inherited capabilities. 
If a thread maintains a capability in its inherited set that is not in its bounding set, then it can still gain that capability in its permitted set by executing a file that has the capability in its inherited set." msgstr "バウンディングセットがマスクするのはファイルの許可ケーパビリティであり、 継承可能ケーパビリティはマスクしない点に注意すること。 あるスレッドの継承可能セットにそのスレッドのバウンディングセットに 存在しないケーパビリティが含まれている場合、そのスレッドは、 そのケーパビリティを継承可能セットに持つファイルを実行することにより、 そのケーパビリティを許可セットに獲得することができる。" #. type: Plain text #: build/C/man7/capabilities.7:874 msgid "Depending on the kernel version, the capability bounding set is either a system-wide attribute, or a per-process attribute." msgstr "カーネルのバージョンにより、ケーパビリティバウンディングセットは システム共通の属性の場合と、プロセス単位の属性の場合がある。" #. type: Plain text #: build/C/man7/capabilities.7:876 msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:884 msgid "In kernels before 2.6.25, the capability bounding set is a system-wide attribute that affects all threads on the system. The bounding set is accessible via the file I. (Confusingly, this bit mask parameter is expressed as a signed decimal number in I.)" msgstr "2.6.25 より前のカーネルでは、ケーパビリティバウンディングセットは システム共通の属性で、システム上の全てのスレッドに適用される。 バウンディングセットは I ファイル経由で参照できる。 (間違えやすいが、このビットマスク形式のパラメーターは、 I では符号付きの十進数で表現される。)" #. type: Plain text #: build/C/man7/capabilities.7:891 msgid "Only the B process may set capabilities in the capability bounding set; other than that, the superuser (more precisely: programs with the B capability) may only clear capabilities from this set." msgstr "B プロセスだけがケーパビリティバウンディングセットで ケーパビリティをセットすることができる。 それ以外では、スーパーユーザー (より正確には、 B ケーパビリティを持ったプログラム) が、 ケーパビリティバウンディングセットのケーパビリティのクリアが できるだけである。" #. type: Plain text #: build/C/man7/capabilities.7:900 msgid "On a standard system the capability bounding set always masks out the B capability. To remove this restriction (dangerous!), modify the definition of B in I and rebuild the kernel." msgstr "通常のシステムでは、ケーパビリティバウンディングセットは、 B が無効になっている。 この制限を取り去るには (取り去るのは危険!)、 I 内の B の定義を修正し、カーネルを再構築する必要がある。" #. 
type: Plain text #: build/C/man7/capabilities.7:904 msgid "The system-wide capability bounding set feature was added to Linux starting with kernel version 2.2.11." msgstr "システム共通のケーパビリティバウンディングセット機能は、 カーネル 2.2.11 以降で Linux に追加された。" #. type: Plain text #: build/C/man7/capabilities.7:906 msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:911 msgid "From Linux 2.6.25, the I is a per-thread attribute. (There is no longer a system-wide capability bounding set.)" msgstr "Linux 2.6.25 以降では、 「ケーパビリティバウンディングセット」はスレッド単位の属性である (システム共通のケーパビリティバウンディングセットはもはや存在しない)。" #. type: Plain text #: build/C/man7/capabilities.7:916 msgid "The bounding set is inherited at B(2) from the thread's parent, and is preserved across an B(2)." msgstr "バウンディングセットは B(2) 時にはスレッドの親プロセスから継承され、 B(2) の前後では保持される。" #. type: Plain text #: build/C/man7/capabilities.7:929 msgid "A thread may remove capabilities from its capability bounding set using the B(2) B operation, provided it has the B capability. Once a capability has been dropped from the bounding set, it cannot be restored to that set. A thread can determine if a capability is in its bounding set using the B(2) B operation." msgstr "スレッドが B ケーパビリティを持っている場合、そのスレッドは B(2) の B 操作を使って自身のケーパビリティバウンディングセットから ケーパビリティを削除することができる。 いったんケーパビリティをバウンディングセットから削除してしまうと、 スレッドはそのケーパビリティを再度セットすることはできない。 B(2) の B 操作を使うことで、スレッドがあるケーパビリティが自身のバウンディングセット に含まれているかを知ることができる。" #. type: Plain text #: build/C/man7/capabilities.7:947 msgid "Removing capabilities from the bounding set is supported only if file capabilities are compiled into the kernel. In kernels before Linux 2.6.33, file capabilities were an optional feature configurable via the B option. Since Linux 2.6.33, the configuration option has been removed and file capabilities are always part of the kernel. When file capabilities are compiled into the kernel, the B process (the ancestor of all processes) begins with a full bounding set. 
If file capabilities are not compiled into the kernel, then B begins with a full bounding set minus B, because this capability has a different meaning when there are no file capabilities." msgstr "" "バウンディングセットからのケーパビリティの削除がサポートされるのは、\n" "カーネルのコンパイル時にファイルケーパビリティが有効になっている場合\n" "だけである。Linux 2.6.33 より前のカーネルでは、ファイルケーパビリティは\n" "設定オプション B で切り替えられる追加の\n" "機能であった。Linux 2.6.33 以降では、この設定オプションは削除され、\n" "ファイルケーパビリティは常にカーネルに組込まれるようになった。\n" "ファイルケーパビリティがカーネルにコンパイル時に組み込まれている場合、\n" "(全てのプロセスの先祖である) I プロセスはバウンディングセットで\n" "全てのケーパビリティが セットされた状態で開始する。ファイルケーパビリティ\n" "が有効になっていない場合には、 I はバウンディングセットで\n" "B 以外の全てのケーパビリティがセットされた状態で開始する。\n" "このようになっているのは、 B ケーパビリティがファイルケー\n" "パビリティがサポートされていない場合には 違った意味を持つからである。" #. type: Plain text #: build/C/man7/capabilities.7:954 msgid "Removing a capability from the bounding set does not remove it from the thread's inherited set. However it does prevent the capability from being added back into the thread's inherited set in the future." msgstr "バウンディングセットからケーパビリティを削除しても、 スレッドの継承可能セットからはそのケーパビリティは削除されない。 しかしながら、バウンディングセットからの削除により、 この先そのケーパビリティをスレッドの継承可能セットに追加すること はできなくなる。" #. type: SS #: build/C/man7/capabilities.7:954 #, no-wrap msgid "Effect of user ID changes on capabilities" msgstr "ユーザー ID 変更のケーパビリティへの影響" #. type: Plain text #: build/C/man7/capabilities.7:963 msgid "To preserve the traditional semantics for transitions between 0 and nonzero user IDs, the kernel makes the following changes to a thread's capability sets on changes to the thread's real, effective, saved set, and filesystem user IDs (using B(2), B(2), or similar):" msgstr "ユーザー ID が 0 と 0 以外の間で変化する際の振る舞いを従来と同じにするため、 スレッドの実 UID、実効 UID、保存 set-user-ID、ファイルシステム UID が (B(2), B(2) などを使って) 変更された際に、カーネルはそのスレッドのケーパビリティセットに 以下の変更を行う:" #. 
type: Plain text #: build/C/man7/capabilities.7:969 msgid "If one or more of the real, effective or saved set user IDs was previously 0, and as a result of the UID changes all of these IDs have a nonzero value, then all capabilities are cleared from the permitted and effective capability sets." msgstr "UID の変更前には実 UID、実効 UID、保存 set-user-ID のうち 少なくとも一つが 0 で、変更後に実 UID、実効 UID、保存 set-user-ID が すべて 0 以外の値になった場合、許可と実効のケーパビリティセットの 全ケーパビリティをクリアする。" #. type: Plain text #: build/C/man7/capabilities.7:972 msgid "If the effective user ID is changed from 0 to nonzero, then all capabilities are cleared from the effective set." msgstr "実効 UID が 0 から 0 以外に変更された場合、 実効ケーパビリティセットの全ケーパビリティをクリアする。" #. type: Plain text #: build/C/man7/capabilities.7:975 msgid "If the effective user ID is changed from nonzero to 0, then the permitted set is copied to the effective set." msgstr "実効 UID が 0 以外から 0 に変更された場合、 許可ケーパビリティセットの内容を実効ケーパビリティセットにコピーする。" #. type: IP #: build/C/man7/capabilities.7:975 build/C/man7/capabilities.7:1030 #: build/C/man7/user_namespaces.7:529 #, no-wrap msgid "4." msgstr "4." #. type: Plain text #: build/C/man7/capabilities.7:993 msgid "If the filesystem user ID is changed from 0 to nonzero (see B(2)), then the following capabilities are cleared from the effective set: B, B, B, B, B, B (since Linux 2.6.30), B, and B (since Linux 2.6.30). If the filesystem UID is changed from nonzero to 0, then any of these capabilities that are enabled in the permitted set are enabled in the effective set." msgstr "ファイルシステム UID が 0 から 0 以外に変更された場合 (B(2) 参照)、実効ケーパビリティセットの以下のケーパビリティがクリアされる: B, B, B, B, B, B (Linux 2.6.30 以降), B, B (Linux 2.6.30 以降)。 ファイルシステム UID が 0 以外から 0 に変更された場合、 上記のケーパビリティのうち許可ケーパビリティセットで有効になっているものが 実効ケーパビリティセットで有効にされる。" #. 
type: Plain text #: build/C/man7/capabilities.7:1001 msgid "If a thread that has a 0 value for one or more of its user IDs wants to prevent its permitted capability set being cleared when it resets all of its user IDs to nonzero values, it can do so using the B(2) B operation." msgstr "各種 UID のうち少なくとも一つが 0 であるスレッドが、 その UID の全てが 0 以外になったときに許可ケーパビリティセットが クリアされないようにしたい場合には、 B(2) の B 操作を使えばよい。" #. type: SS #: build/C/man7/capabilities.7:1001 #, no-wrap msgid "Programmatically adjusting capability sets" msgstr "プログラムでケーパビリティセットを調整する" #. type: Plain text #: build/C/man7/capabilities.7:1016 msgid "A thread can retrieve and change its capability sets using the B(2) and B(2) system calls. However, the use of B(3) and B(3), both provided in the I package, is preferred for this purpose. The following rules govern changes to the thread capability sets:" msgstr "各スレッドは、 B(2) や B(2) を使って、自身のケーパビリティセットを取得したり変更したりできる。 ただし、これを行うには、 I パッケージで提供されている B(3) や B(3) を使うのが望ましい。 スレッドのケーパビリティセットの変更には以下のルールが適用される。" #. type: Plain text #: build/C/man7/capabilities.7:1022 msgid "If the caller does not have the B capability, the new inheritable set must be a subset of the combination of the existing inheritable and permitted sets." msgstr "呼び出し側が B ケーパビリティを持っていない場合、新しい継承可能セットは、 既存の継承可能セットと許可セットの和集合 (OR) の部分集合で なければならない。" #. type: Plain text #: build/C/man7/capabilities.7:1026 msgid "(Since Linux 2.6.25) The new inheritable set must be a subset of the combination of the existing inheritable set and the capability bounding set." msgstr "(Linux 2.6.25 以降) 新しい継承可能セットは、既存の継承可能セットとケーパビリティ バウンディングセットの和集合 (OR) の部分集合でなければならない。" #. type: Plain text #: build/C/man7/capabilities.7:1030 msgid "The new permitted set must be a subset of the existing permitted set (i.e., it is not possible to acquire permitted capabilities that the thread does not currently have)." msgstr "新しい許可セットは、既存の許可セットの部分集合でなければならない (つまり、そのスレッドが現在持っていない許可ケーパビリティを 獲得することはできない)。" #. 
type: Plain text #: build/C/man7/capabilities.7:1032 msgid "The new effective set must be a subset of the new permitted set." msgstr "新しい実効ケーパビリティセットは新しい許可ケーパビリティセットの 部分集合になっていなければならない。" #. type: SS #: build/C/man7/capabilities.7:1032 #, no-wrap msgid "The securebits flags: establishing a capabilities-only environment" msgstr "securebits フラグ: ケーパビリティだけの環境を構築する" #. For some background: #. see http://lwn.net/Articles/280279/ and #. http://article.gmane.org/gmane.linux.kernel.lsm/5476/ #. type: Plain text #: build/C/man7/capabilities.7:1043 msgid "Starting with kernel 2.6.26, and with a kernel in which file capabilities are enabled, Linux implements a set of per-thread I flags that can be used to disable special handling of capabilities for UID 0 (I). These flags are as follows:" msgstr "カーネル 2.6.26 以降で、 ファイルケーパビリティが有効になったカーネルでは、 スレッド単位の I フラグが実装されており、このフラグを使うと UID 0 (I) に対するケーパビリティの特別扱いを無効にすることができる。 以下のようなフラグがある。" #. type: TP #: build/C/man7/capabilities.7:1043 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:1055 msgid "Setting this flag allows a thread that has one or more 0 UIDs to retain its capabilities when it switches all of its UIDs to a nonzero value. If this flag is not set, then such a UID switch causes the thread to lose all capabilities. This flag is always cleared on an B(2). (This flag provides the same functionality as the older B(2) B operation.)" msgstr "このフラグがセットされている場合、UID が 0 のスレッドの UID が 0 以外の値に 切り替わる際に、そのスレッドはケーパビリティを維持することができる。 このフラグがセットされていない場合には、UID が 0 から 0 以外の値に 切り替わると、そのスレッドは全てのケーパビリティを失う。 このフラグは B(2) 時には常にクリアされる (このフラグは、以前の B(2) の B 操作と同じ機能を提供するものである)。" #. type: TP #: build/C/man7/capabilities.7:1055 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:1062 msgid "Setting this flag stops the kernel from adjusting capability sets when the threads's effective and filesystem UIDs are switched between zero and nonzero values. 
(See the subsection I.)" msgstr "このフラグをセットすると、スレッドの実効 UID とファイルシステム UID が 0 と 0 以外の間で切り替わった場合に、 カーネルはケーパビリティセットの調整を行わなくなる (「ユーザー ID 変更のケーパビリティへの影響」の節を参照)。" #. type: TP #: build/C/man7/capabilities.7:1062 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man7/capabilities.7:1070 msgid "If this bit is set, then the kernel does not grant capabilities when a set-user-ID-root program is executed, or when a process with an effective or real UID of 0 calls B(2). (See the subsection I.)" msgstr "このビットがセットされている場合、 set-user-ID-root プログラムの実行時や、 実効 UID か 実 UID が 0 のプロセスが B(2) を呼び出した時に、カーネルはケーパビリティを許可しない (「ケーパビリティと、ルートによるプログラムの実行」の節を参照)。" #. type: Plain text #: build/C/man7/capabilities.7:1080 msgid "Each of the above \"base\" flags has a companion \"locked\" flag. Setting any of the \"locked\" flags is irreversible, and has the effect of preventing further changes to the corresponding \"base\" flag. The locked flags are: B, B, and B." msgstr "上記の \"base\" フラグの各々には対応する \"locked\" フラグが存在する。 いずれの \"locked\" フラグも一度セットされると戻すことはできず、 それ以降は対応する \"base\" フラグを変更することができなくなる。 \"locked\" フラグは B, B, B という名前である。" #. type: Plain text #: build/C/man7/capabilities.7:1092 msgid "The I flags can be modified and retrieved using the B(2) B and B operations. The B capability is required to modify the flags." msgstr "I フラグは、 B(2) の操作 B や B を使うことで変更したり取得したりできる。 フラグを変更するには B ケーパビリティが必要である。" #. type: Plain text #: build/C/man7/capabilities.7:1101 msgid "The I flags are inherited by child processes. During an B(2), all of the flags are preserved, except B which is always cleared." msgstr "" "I フラグは子プロセスに継承される。 B(2) においては、\n" "B が常にクリアされる以外は、全てのフラグが保持される。" #. 
type: Plain text #: build/C/man7/capabilities.7:1106 msgid "An application can use the following call to lock itself, and all of its descendants, into an environment where the only way of gaining capabilities is by executing a program with associated file capabilities:" msgstr "アプリケーションは、以下の呼び出しを行うことにより、 自分自身および子孫となるプロセス全てに対して、 必要なファイルケーパビリティを持ったプログラムを実行しない限り、 対応するケーパビリティを獲得できないような状況に閉じこめることができる。" #. type: Plain text #: build/C/man7/capabilities.7:1115 #, no-wrap msgid "" "prctl(PR_SET_SECUREBITS,\n" " SECBIT_KEEP_CAPS_LOCKED |\n" " SECBIT_NO_SETUID_FIXUP |\n" " SECBIT_NO_SETUID_FIXUP_LOCKED |\n" " SECBIT_NOROOT |\n" " SECBIT_NOROOT_LOCKED);\n" msgstr "" "prctl(PR_SET_SECUREBITS,\n" " SECBIT_KEEP_CAPS_LOCKED |\n" " SECBIT_NO_SETUID_FIXUP |\n" " SECBIT_NO_SETUID_FIXUP_LOCKED |\n" " SECBIT_NOROOT |\n" " SECBIT_NOROOT_LOCKED);\n" #. type: SS #: build/C/man7/capabilities.7:1117 #, no-wrap msgid "Interaction with user namespaces" msgstr "ユーザー名前空間との相互作用" #. type: Plain text #: build/C/man7/capabilities.7:1120 msgid "For a discussion of the interaction of capabilities and user namespaces, see B(7)." msgstr "ケーパビリティとユーザー名前空間の相互の影響に関する議論は B(7) を参照。" #. type: Plain text #: build/C/man7/capabilities.7:1126 msgid "No standards govern capabilities, but the Linux capability implementation is based on the withdrawn POSIX.1e draft standard; see E<.UR http://wt.tuxomania.net\\:/publications\\:/posix.1e/> E<.UE .>" msgstr "ケーパビリティに関する標準はないが、 Linux のケーパビリティは廃案になった POSIX.1e 草案に基づいて実装されている。 E<.UR http://wt.xpilot.org\\:/publications\\:/posix.1e/> E<.UE> を参照。" #. type: Plain text #: build/C/man7/capabilities.7:1131 msgid "Since kernel 2.5.27, capabilities are an optional kernel component, and can be enabled/disabled via the B kernel configuration option." msgstr "カーネル 2.5.27 以降、ケーパビリティは選択式のカーネルコンポーネント となっており、カーネル設定オプション B により有効/無効を切り替えることができる。" #. 7b9a7ec565505699f503b4fcf61500dceb36e744 #. 
type: Plain text #: build/C/man7/capabilities.7:1145 msgid "The I file can be used to view the capability sets of a thread. The I file shows the capability sets of a process's main thread. Before Linux 3.8, nonexistent capabilities were shown as being enabled (1) in these sets. Since Linux 3.8, all nonexistent capabilities (above B) are shown as disabled (0)." msgstr "I ファイルを使うと、スレッドのケーパビリティセットを見ることができる。 I ファイルには、プロセスのメインスレッドのケーパビリティセットが表示される。 Linux 3.8 より前では、 これらのケーパビリティセットの表示で、 存在しないケーパビリティはすべて有効 (1) として表示される。 Linux 3.8 以降では、 存在しないケーパビリティはすべて無効 (0) として表示される。 (B より大きい値を持つケーパビリティが存在しないケーパビリティである)。" #. type: Plain text #: build/C/man7/capabilities.7:1160 msgid "The I package provides a suite of routines for setting and getting capabilities that is more comfortable and less likely to change than the interface provided by B(2) and B(2). This package also provides the B(8) and B(8) programs. It can be found at" msgstr "I パッケージは、ケーパビリティを設定・取得するための ルーチン群を提供している。これらのインターフェースは、 B(2) と B(2) が提供するインターフェースと比べて、より使いやすく、変更される可能性が少ない。 このパッケージでは、 B(8), B(8) というプログラムも提供されている。 パッケージは以下で入手できる。" #. type: Plain text #: build/C/man7/capabilities.7:1163 msgid "E<.UR http://www.kernel.org\\:/pub\\:/linux\\:/libs\\:/security\\:/linux-privs> E<.UE .>" msgstr "E<.UR http://www.kernel.org\\:/pub\\:/linux\\:/libs\\:/security\\:/linux-privs> E<.UE .>" #. type: Plain text #: build/C/man7/capabilities.7:1172 msgid "Before kernel 2.6.24, and since kernel 2.6.24 if file capabilities are not enabled, a thread with the B capability can manipulate the capabilities of threads other than itself. However, this is only theoretically possible, since no thread ever has B in either of these cases:" msgstr "バージョン 2.6.24 より前、およびファイルケーパビリティが 有効になっていない2.6.24 以降のカーネルでは、 B ケーパビリティを持ったスレッドは自分以外のスレッドの ケーパビリティを操作できる。 しかしながら、これは理論的に可能というだけである。 以下のいずれかの場合においても、どのスレッドも B ケーパビリティを持つことはないからである。" #. 
type: Plain text #: build/C/man7/capabilities.7:1177 msgid "In the pre-2.6.25 implementation the system-wide capability bounding set, I, always masks out this capability, and this can not be changed without modifying the kernel source and rebuilding." msgstr "2.6.25 より前の実装では、システム共通のケーパビリティバウンディングセット I ではこのケーパビリティは常に無効になっており、 ソースを変更してカーネルを再コンパイルしない限り、 これを変更することはできない。" #. type: Plain text #: build/C/man7/capabilities.7:1183 msgid "If file capabilities are disabled in the current implementation, then B starts out with this capability removed from its per-process bounding set, and that bounding set is inherited by all other processes created on the system." msgstr "現在の実装ではファイルケーパビリティが無効になっている場合、 プロセス毎のバウンディングセットからこのケーパビリティを抜いて B は開始され、 システム上で生成される他の全てのプロセスでこのバウンディングセットが 継承される。" #. type: Plain text #: build/C/man7/capabilities.7:1202 msgid "B(1), B(2), B(2), B(2), B(3), B(3), B(3), B(3), B(3), B(3), B(3), B(3), B(3), B(7), B(7), B(7), B(8), B(8)" msgstr "B(1), B(2), B(2), B(2), B(3), B(3), B(3), B(3), B(3), B(3), B(3), B(3), B(3), B(7), B(7), B(7), B(8), B(8)" #. type: Plain text #: build/C/man7/capabilities.7:1205 msgid "I in the Linux kernel source tree" msgstr "Linux カーネルソース内の I" #. type: TH #: build/C/man2/capget.2:15 #, no-wrap msgid "CAPGET" msgstr "CAPGET" #. type: TH #: build/C/man2/capget.2:15 #, no-wrap msgid "2013-03-11" msgstr "2013-03-11" #. type: Plain text #: build/C/man2/capget.2:18 msgid "capget, capset - set/get capabilities of thread(s)" msgstr "capget, capset - スレッドのケーパビリティを設定/取得する" #. type: Plain text #: build/C/man2/capget.2:20 msgid "B<#include Esys/capability.hE>" msgstr "B<#include Esys/capability.hE>" #. type: Plain text #: build/C/man2/capget.2:22 msgid "BIB<, cap_user_data_t >IB<);>" msgstr "BIB<, cap_user_data_t >IB<);>" #. type: Plain text #: build/C/man2/capget.2:24 msgid "BIB<, const cap_user_data_t >IB<);>" msgstr "BIB<, const cap_user_data_t >IB<);>" #. 
type: Plain text #: build/C/man2/capget.2:35 msgid "As of Linux 2.2, the power of the superuser (root) has been partitioned into a set of discrete capabilities. Each thread has a set of effective capabilities identifying which capabilities (if any) it may currently exercise. Each thread also has a set of inheritable capabilities that may be passed through an B(2) call, and a set of permitted capabilities that it can make effective or inheritable." msgstr "Linux 2.2 で、スーパーユーザー (root) の権限は、個別のケーパビリティ (capabilities) へと分割され、その集合として表現されるようになった。 各スレッドは「実効ケーパビリティ (effective capability) の集合」を持ち、 それによって現在どの操作が実行可能かを識別できる。 また、各スレッドは、 「継承可能ケーパビリティ (inheritable capability) の集合」と 「許可ケーパビリティ (permitted capability) の集合」を持つ。 「継承可能ケーパビリティの集合」は B(2) を通じて渡すことができるケーパビリティの集合であり、 「許可ケーパビリティ (permitted capability) の集合」は 実効ケーパビリティや継承可能ケーパビリティとして有効にできる ケーパビリティを規定するものである。" #. type: Plain text #: build/C/man2/capget.2:44 msgid "These two system calls are the raw kernel interface for getting and setting thread capabilities. Not only are these system calls specific to Linux, but the kernel API is likely to change and use of these system calls (in particular the format of the I types) is subject to extension with each kernel revision, but old programs will keep working." msgstr "この二つのシステムコールはスレッドのケーパビリティを取得したり設定したりするための 生のカーネルインターフェースである。 これらのシステムコールは Linux 特有であるというだけでなく、 カーネル API は変更されるかもしれず、これらのシステムコールの使用法 (特に I 型という書式) はカーネルのリビジョン毎に拡張されるかもしれないが、 以前のプログラムはそのまま動作する。" #. type: Plain text #: build/C/man2/capget.2:55 msgid "The portable interfaces are B(3) and B(3); if possible, you should use those interfaces in applications. If you wish to use the Linux extensions in applications, you should use the easier-to-use interfaces B(3) and B(3)." msgstr "移植性のあるインターフェースは B(3) と B(3) である。 可能ならばアプリケーションはこれらの関数を使用すべきである。 アプリケーションに Linux 拡張を使用したい場合には、より簡単に 使えるインターフェースである B(3) と B(3) を使用すべきである。" #. type: SS #: build/C/man2/capget.2:55 #, no-wrap msgid "Current details" msgstr "現在の詳細" #. 
type: Plain text #: build/C/man2/capget.2:58 msgid "Now that you have been warned, some current kernel details. The structures are defined as follows." msgstr "現在のカーネルの詳細について注意を述べておく。 構造体は以下のように定義される。" #. type: Plain text #: build/C/man2/capget.2:63 #, no-wrap msgid "" "#define _LINUX_CAPABILITY_VERSION_1 0x19980330\n" "#define _LINUX_CAPABILITY_U32S_1 1\n" msgstr "" "#define _LINUX_CAPABILITY_VERSION_1 0x19980330\n" "#define _LINUX_CAPABILITY_U32S_1 1\n" #. type: Plain text #: build/C/man2/capget.2:66 #, no-wrap msgid "" "#define _LINUX_CAPABILITY_VERSION_2 0x20071026\n" "#define _LINUX_CAPABILITY_U32S_2 2\n" msgstr "" "#define _LINUX_CAPABILITY_VERSION_2 0x20071026\n" "#define _LINUX_CAPABILITY_U32S_2 2\n" #. type: Plain text #: build/C/man2/capget.2:71 #, no-wrap msgid "" "typedef struct __user_cap_header_struct {\n" " __u32 version;\n" " int pid;\n" "} *cap_user_header_t;\n" msgstr "" "typedef struct __user_cap_header_struct {\n" " __u32 version;\n" " int pid;\n" "} *cap_user_header_t;\n" #. type: Plain text #: build/C/man2/capget.2:77 #, no-wrap msgid "" "typedef struct __user_cap_data_struct {\n" " __u32 effective;\n" " __u32 permitted;\n" " __u32 inheritable;\n" "} *cap_user_data_t;\n" msgstr "" "typedef struct __user_cap_data_struct {\n" " __u32 effective;\n" " __u32 permitted;\n" " __u32 inheritable;\n" "} *cap_user_data_t;\n" #. type: Plain text #: build/C/man2/capget.2:96 msgid "The I, I, and I fields are bit masks of the capabilities defined in B(7). Note the B values are bit indexes and need to be bit-shifted before ORing into the bit fields. To define the structures for passing to the system call you have to use the I and I names because the typedefs are only pointers." msgstr "フィールド I, I, I は、 B(7) で定義されるケーパビリティのビットマスクである。 I はビット番号を表すインデックス値であり、 ビットフィールドに OR を行う前に I の値の分だけビットシフトを行う必要がある。 typedef の方はポインターなので、 このシステムコールに渡す構造体を定義するには、 I と I という名前を使用しなければならない。" #. 
type: Plain text #: build/C/man2/capget.2:108 msgid "Kernels prior to 2.6.25 prefer 32-bit capabilities with version B<_LINUX_CAPABILITY_VERSION_1>, and kernels 2.6.25+ prefer 64-bit capabilities with version B<_LINUX_CAPABILITY_VERSION_2>. Note, 64-bit capabilities use I[0] and I[1], whereas 32-bit capabilities use only I[0]." msgstr "カーネル 2.6.25 より前では、バージョン B<_LINUX_CAPABILITY_VERSION_1> の 32 ビットケーパビリティが推奨である。 カーネル 2.6.25 以降では、バージョン B<_LINUX_CAPABILITY_VERSION_2> の 64 ビットケーパビリティが推奨である。 64 ビットケーパビリティでは I[0] と I[1] が使用されるのに対し、 32 ビットケーパビリティでは I[0] だけが使用される。" #. type: Plain text #: build/C/man2/capget.2:112 msgid "Another change affecting the behavior of these system calls is kernel support for file capabilities (VFS capability support). This support is currently a compile time option (added in kernel 2.6.24)." msgstr "これらのシステムコールの挙動に影響があるもう一つの変更点は、 ファイルケーパビリティ (file capabilities) のカーネルによるサポート (VFS ケーパビリティのサポート) である。 VFS ケーパビリティのサポートは現在のところコンパイル時のオプションである (カーネル 2.6.24 で追加された)。" #. type: Plain text #: build/C/man2/capget.2:119 msgid "For B() calls, one can probe the capabilities of any process by specifying its process ID with the Ipid> field value." msgstr "B() では、 Ipid> のフィールド値にケーパビリティを知りたいプロセスのプロセス ID を 指定することで、任意のプロセスのケーパビリティを調べることができる。" #. type: SS #: build/C/man2/capget.2:119 #, no-wrap msgid "With VFS capability support" msgstr "VFS ケーパビリティがサポートされている場合" #. type: Plain text #: build/C/man2/capget.2:131 msgid "VFS Capability support creates a file-attribute method for adding capabilities to privileged executables. This privilege model obsoletes kernel support for one process asynchronously setting the capabilities of another. That is, with VFS support, for B() calls the only permitted values for Ipid> are 0 or B(2), which are equivalent." msgstr "VFS ケーパビリティのサポートでは、特権実行ファイルにケーパビリティを 追加するためのファイル属性メソッドが作成された。 この特権モデルの導入により、あるプロセスにより別のプロセスのケーパビリティ を非同期に設定する機能のカーネルによるサポートは廃止される。 つまり、VFS サポートでは、 B() を呼び出す際に Ipid> の値として許されるのは 0 と B(2) が返す値だけとなる (どちらの値でも等価である)。" #. 
type: SS #: build/C/man2/capget.2:131 #, no-wrap msgid "Without VFS capability support" msgstr "VFS ケーパビリティがサポートされていない場合" #. type: Plain text #: build/C/man2/capget.2:157 msgid "When the kernel does not support VFS capabilities, B() calls can operate on the capabilities of the thread specified by the I field of I when that is nonzero, or on the capabilities of the calling thread if I is 0. If I refers to a single-threaded process, then I can be specified as a traditional process ID; operating on a thread of a multithreaded process requires a thread ID of the type returned by B(2). For B(), I can also be: -1, meaning perform the change on all threads except the caller and B(1); or a value less than -1, in which case the change is applied to all members of the process group whose ID is -I." msgstr "カーネルが VFS ケーパビリティをサポートしていない場合、 I の I フィールドが 0 以外であれば、 B() の操作対象は I で指定されたスレッドのケーパビリティになる。 I が 0 の場合は呼び出し元のスレッドのケーパビリティが操作対象となる。 I がシングルスレッドプロセスを参照している場合、 I は以前から使われているプロセスID を使って指定できる。 マルチスレッドプロセス内のあるスレッドを対象にする場合は、 B(2) が返すスレッドID を用いて指定する必要がある。 また、 B() では -1 や -1 より小さな値を指定することもできる。 -1 は呼び出し元と B(1) を除く全てのスレッドを対象として変更を行うことを、 -1 より小さな値は ID が -I のプロセスグループの全メンバ を対象として変更を行うことを意味する。" #. type: Plain text #: build/C/man2/capget.2:160 msgid "For details on the data, see B(7)." msgstr "このデータの詳細は B(7) を参照すること。" #. type: Plain text #: build/C/man2/capget.2:179 msgid "The calls will fail with the error B, and set the I field of I to the kernel preferred value of B<_LINUX_CAPABILITY_VERSION_?> when an unsupported I value is specified. In this way, one can probe what the current preferred capability revision is." msgstr "I のフィールド I にサポートされていない値が指定された場合、 呼び出しはエラー B で失敗し、 I にカーネル推奨の B<_LINUX_CAPABILITY_VERSION_?> を設定する。 このようにして、現在の推奨ケーパビリティリビジョンが何かを 調べることができる。" #. type: Plain text #: build/C/man2/capget.2:188 msgid "Bad memory address. I must not be NULL. I may be NULL only when the user is trying to determine the preferred capability version format supported by the kernel." 
msgstr "不正なメモリーアドレス。 I は NULL であってはならない。 I に NULL を指定してよいのは、ユーザーがカーネルがサポートしている 推奨のケーパビリティバージョンを判定しようとしているときだけである。" #. type: TP #: build/C/man2/capget.2:188 build/C/man7/cpuset.7:1180 #: build/C/man7/cpuset.7:1189 build/C/man7/cpuset.7:1198 #: build/C/man7/cpuset.7:1208 build/C/man7/cpuset.7:1217 #: build/C/man7/cpuset.7:1224 build/C/man7/cpuset.7:1231 #: build/C/man2/getgroups.2:114 build/C/man2/getgroups.2:121 #: build/C/man2/getpriority.2:118 build/C/man2/getrlimit.2:471 #: build/C/man2/getrusage.2:198 build/C/man2/iopl.2:72 #: build/C/man2/ioprio_set.2:170 build/C/man2/seteuid.2:80 #: build/C/man2/setgid.2:59 build/C/man2/setpgid.2:225 #: build/C/man2/setresuid.2:99 build/C/man2/setreuid.2:128 #: build/C/man2/setuid.2:105 build/C/man2/seccomp.2:373 #: build/C/man2/seccomp.2:380 build/C/man2/seccomp.2:387 #: build/C/man2/seccomp.2:393 build/C/man2/seccomp.2:402 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/capget.2:191 msgid "One of the arguments was invalid." msgstr "引き数のどれかが無効である。" #. type: Plain text #: build/C/man2/capget.2:196 msgid "An attempt was made to add a capability to the Permitted set, or to set a capability in the Effective or Inheritable sets that is not in the Permitted set." msgstr "「許可ケーパビリティセット」にケーパビリティを追加しようとしているか、 もしくは「許可ケーパビリティセット」に含まれないケーパビリティを 「実効ケーパビリティセット」や「継承可能ケーパビリティセット」に セットしようとしている。" #. type: Plain text #: build/C/man2/capget.2:215 msgid "The caller attempted to use B() to modify the capabilities of a thread other than itself, but lacked sufficient privilege. For kernels supporting VFS capabilities, this is never permitted. For kernels lacking VFS support, the B capability is required. 
(A bug in kernels before 2.6.11 meant that this error could also occur if a thread without this capability tried to change its own capabilities by specifying the I field as a nonzero value (i.e., the value returned by B(2)) instead of 0.)" msgstr "呼び出し元が自分以外のスレッドのケーパビリティを B() を使って修正しようとしたが、十分な特権がなかった。 VFS ケーパビリティをサポートしているカーネルでは、 この操作が許可されることは決してない。 VFS ケーパビリティをサポートしていないカーネルでは、 B ケーパビリティが必要である。 (バージョン 2.6.11 より前のカーネルには、 このケーパビリティを持たないスレッドが I フィールドに 0 でない値 (つまり、0 の代わりに B(2) が返す値) を指定して自分自身のケーパビリティを変更しようとした場合にも、 このエラーが発生するというバグがあった。)" #. type: TP #: build/C/man2/capget.2:215 build/C/man7/cpuset.7:1330 #: build/C/man2/getpriority.2:126 build/C/man2/getrlimit.2:502 #: build/C/man2/getsid.2:70 build/C/man2/ioprio_set.2:187 #: build/C/man2/setpgid.2:240 build/C/man2/seccomp.2:426 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/capget.2:218 msgid "No such thread." msgstr "そのようなスレッドが存在しない。" #. type: Plain text #: build/C/man2/capget.2:220 build/C/man2/ioprio_set.2:198 msgid "These system calls are Linux-specific." msgstr "これらのシステムコールは Linux 独自である。" #. type: Plain text #: build/C/man2/capget.2:225 msgid "The portable interface to the capability querying and setting functions is provided by the I library and is available here:" msgstr "ケーパビリティを設定したり取得したりする機能のための移植性ある インターフェースは I ライブラリによって提供される。 このライブラリは以下から入手できる:" #. type: Plain text #: build/C/man2/capget.2:228 msgid "E<.UR http://git.kernel.org/cgit\\:/linux\\:/kernel\\:/git\\:/morgan\\:\\:/libcap.git> E<.UE>" msgstr "E<.UR http://git.kernel.org/cgit\\:/linux\\:/kernel\\:/git\\:/morgan\\:\\:/libcap.git> E<.UE>" #. type: Plain text #: build/C/man2/capget.2:232 msgid "B(2), B(2), B(7)" msgstr "B(2), B(2), B(7)" #. type: TH #: build/C/man7/cpuset.7:25 #, no-wrap msgid "CPUSET" msgstr "CPUSET" #. type: TH #: build/C/man7/cpuset.7:25 #, no-wrap msgid "2014-05-21" msgstr "2014-05-21" #. 
type: Plain text #: build/C/man7/cpuset.7:28 msgid "cpuset - confine processes to processor and memory node subsets" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:35 msgid "The cpuset filesystem is a pseudo-filesystem interface to the kernel cpuset mechanism, which is used to control the processor placement and memory placement of processes. It is commonly mounted at I." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:52 msgid "On systems with kernels compiled with built in support for cpusets, all processes are attached to a cpuset, and cpusets are always present. If a system supports cpusets, then it will have the entry B in the file I. By mounting the cpuset filesystem (see the B section below), the administrator can configure the cpusets on a system to control the processor and memory placement of processes on that system. By default, if the cpuset configuration on a system is not modified or if the cpuset filesystem is not even mounted, then the cpuset mechanism, though present, has no affect on the system's behavior." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:54 msgid "A cpuset defines a list of CPUs and memory nodes." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:63 msgid "The CPUs of a system include all the logical processing units on which a process can execute, including, if present, multiple processor cores within a package and Hyper-Threads within a processor core. Memory nodes include all distinct banks of main memory; small and SMP systems typically have just one memory node that contains all the system's main memory, while NUMA (non-uniform memory access) systems have multiple memory nodes." msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:73 msgid "Cpusets are represented as directories in a hierarchical pseudo-filesystem, where the top directory in the hierarchy (I) represents the entire system (all online CPUs and memory nodes) and any cpuset that is the child (descendant) of another parent cpuset contains a subset of that parent's CPUs and memory nodes. The directories and files representing cpusets have normal filesystem permissions." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:84 msgid "Every process in the system belongs to exactly one cpuset. A process is confined to run only on the CPUs in the cpuset it belongs to, and to allocate memory only on the memory nodes in that cpuset. When a process B(2)s, the child process is placed in the same cpuset as its parent. With sufficient privilege, a process may be moved from one cpuset to another and the allowed CPUs and memory nodes of an existing cpuset may be changed." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:92 msgid "When the system begins booting, a single cpuset is defined that includes all CPUs and memory nodes on the system, and all processes are in that cpuset. During the boot process, or later during normal system operation, other cpusets may be created, as subdirectories of this top cpuset, under the control of the system administrator, and processes may be placed in these other cpusets." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:114 msgid "Cpusets are integrated with the B(2) scheduling affinity mechanism and the B(2) and B(2) memory-placement mechanisms in the kernel. Neither of these mechanisms let a process make use of a CPU or memory node that is not allowed by that process's cpuset. If changes to a process's cpuset placement conflict with these other mechanisms, then cpuset placement is enforced even if it means overriding these other mechanisms. 
The kernel accomplishes this overriding by silently restricting the CPUs and memory nodes requested by these other mechanisms to those allowed by the invoking process's cpuset. This can result in these other calls returning an error, if for example, such a call ends up requesting an empty set of CPUs or memory nodes, after that request is restricted to the invoking process's cpuset." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:120 msgid "Typically, a cpuset is used to manage the CPU and memory-node confinement for a set of cooperating processes such as a batch scheduler job, and these other mechanisms are used to manage the placement of individual processes or memory regions within that set or job." msgstr "" #. type: SH #: build/C/man7/cpuset.7:120 #, no-wrap msgid "FILES" msgstr "ファイル" #. type: Plain text #: build/C/man7/cpuset.7:125 msgid "Each directory below I represents a cpuset and contains a fixed set of pseudo-files describing the state of that cpuset." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:135 msgid "New cpusets are created using the B(2) system call or the B(1) command. The properties of a cpuset, such as its flags, allowed CPUs and memory nodes, and attached processes, are queried and modified by reading or writing to the appropriate file in that cpuset's directory, as listed below." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:141 msgid "The pseudo-files in each cpuset directory are automatically created when the cpuset is created, as a result of the B(2) invocation. It is not possible to directly add or remove these pseudo-files." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:149 msgid "A cpuset directory that contains no child cpuset directories, and has no attached processes, can be removed using B(2) or B(1). It is not necessary, or possible, to remove the pseudo-files inside the directory before removing it." msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:163 msgid "The pseudo-files in each cpuset directory are small text files that may be read and written using traditional shell utilities such as B(1), and B(1), or from a program by using file I/O library functions or system calls, such as B(2), B(2), B(2), and B(2)." msgstr "" #. ====================== tasks ====================== #. type: Plain text #: build/C/man7/cpuset.7:168 msgid "The pseudo-files in a cpuset directory represent internal kernel state and do not have any persistent image on disk. Each of these per-cpuset files is listed and described below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:168 #, no-wrap msgid "I" msgstr "I" #. type: Plain text #: build/C/man7/cpuset.7:178 msgid "List of the process IDs (PIDs) of the processes in that cpuset. The list is formatted as a series of ASCII decimal numbers, each followed by a newline. A process may be added to a cpuset (automatically removing it from the cpuset that previously contained it) by writing its PID to that cpuset's I file (with or without a trailing newline)." msgstr "" #. =================== notify_on_release =================== #. type: Plain text #: build/C/man7/cpuset.7:186 msgid "B only one PID may be written to the I file at a time. If a string is written that contains more than one PID, only the first one will be used." msgstr "" #. type: TP #: build/C/man7/cpuset.7:186 #, no-wrap msgid "I" msgstr "I" #. ====================== cpus ====================== #. type: Plain text #: build/C/man7/cpuset.7:195 msgid "Flag (0 or 1). If set (1), that cpuset will receive special handling after it is released, that is, after all processes cease using it (i.e., terminate or are moved to a different cpuset) and all child cpuset directories have been removed. See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:195 #, no-wrap msgid "I" msgstr "I" #. 
type: Plain text #: build/C/man7/cpuset.7:202 msgid "List of the physical numbers of the CPUs on which processes in that cpuset are allowed to execute. See B below for a description of the format of I." msgstr "" #. ==================== cpu_exclusive ==================== #. type: Plain text #: build/C/man7/cpuset.7:208 msgid "The CPUs allowed to a cpuset may be changed by writing a new list to its I file." msgstr "" #. type: TP #: build/C/man7/cpuset.7:208 #, no-wrap msgid "I" msgstr "I" #. type: Plain text #: build/C/man7/cpuset.7:215 msgid "Flag (0 or 1). If set (1), the cpuset has exclusive use of its CPUs (no sibling or cousin cpuset may overlap CPUs). By default this is off (0). Newly created cpusets also initially default this to off (0)." msgstr "" #. ====================== mems ====================== #. type: Plain text #: build/C/man7/cpuset.7:237 msgid "Two cpusets are I cpusets if they share the same parent cpuset in the I hierarchy. Two cpusets are I cpusets if neither is the ancestor of the other. Regardless of the I setting, if one cpuset is the ancestor of another, and if both of these cpusets have nonempty I, then their I must overlap, because the I of any cpuset are always a subset of the I of its parent cpuset." msgstr "" #. type: TP #: build/C/man7/cpuset.7:237 #, no-wrap msgid "I" msgstr "I" #. ==================== mem_exclusive ==================== #. type: Plain text #: build/C/man7/cpuset.7:245 msgid "List of memory nodes on which processes in this cpuset are allowed to allocate memory. See B below for a description of the format of I." msgstr "" #. type: TP #: build/C/man7/cpuset.7:245 #, no-wrap msgid "I" msgstr "I" #. type: Plain text #: build/C/man7/cpuset.7:253 msgid "Flag (0 or 1). If set (1), the cpuset has exclusive use of its memory nodes (no sibling or cousin may overlap). Also if set (1), the cpuset is a B cpuset (see below). By default this is off (0). Newly created cpusets also initially default this to off (0)." msgstr "" #. 
==================== mem_hardwall ==================== #. type: Plain text #: build/C/man7/cpuset.7:261 msgid "Regardless of the I setting, if one cpuset is the ancestor of another, then their memory nodes must overlap, because the memory nodes of any cpuset are always a subset of the memory nodes of that cpuset's parent cpuset." msgstr "" #. type: TP #: build/C/man7/cpuset.7:261 #, no-wrap msgid "I (since Linux 2.6.26)" msgstr "I (Linux 2.6.26 以降)" #. ==================== memory_migrate ==================== #. type: Plain text #: build/C/man7/cpuset.7:272 msgid "Flag (0 or 1). If set (1), the cpuset is a B cpuset (see below). Unlike B, there is no constraint on whether cpusets marked B may have overlapping memory nodes with sibling or cousin cpusets. By default this is off (0). Newly created cpusets also initially default this to off (0)." msgstr "" #. type: TP #: build/C/man7/cpuset.7:272 #, no-wrap msgid "I (since Linux 2.6.16)" msgstr "I (Linux 2.6.16 以降)" #. ==================== memory_pressure ==================== #. type: Plain text #: build/C/man7/cpuset.7:279 msgid "Flag (0 or 1). If set (1), then memory migration is enabled. By default this is off (0). See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:279 #, no-wrap msgid "I (since Linux 2.6.16)" msgstr "I (Linux 2.6.16 以降)" #. ================= memory_pressure_enabled ================= #. type: Plain text #: build/C/man7/cpuset.7:292 msgid "A measure of how much memory pressure the processes in this cpuset are causing. See the B section, below. Unless I is enabled, always has value zero (0). This file is read-only. See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:292 #, no-wrap msgid "I (since Linux 2.6.16)" msgstr "I (Linux 2.6.16 以降)" #. ================== memory_spread_page ================== #. type: Plain text #: build/C/man7/cpuset.7:304 msgid "Flag (0 or 1). This file is present only in the root cpuset, normally I. 
If set (1), the I calculations are enabled for all cpusets in the system. By default this is off (0). See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:304 #, no-wrap msgid "I (since Linux 2.6.17)" msgstr "I (Linux 2.6.17 以降)" #. ================== memory_spread_slab ================== #. type: Plain text #: build/C/man7/cpuset.7:314 msgid "Flag (0 or 1). If set (1), pages in the kernel page cache (filesystem buffers) are uniformly spread across the cpuset. By default this is off (0) in the top cpuset, and inherited from the parent cpuset in newly created cpusets. See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:314 #, no-wrap msgid "I (since Linux 2.6.17)" msgstr "I (Linux 2.6.17 以降)" #. ================== sched_load_balance ================== #. type: Plain text #: build/C/man7/cpuset.7:325 msgid "Flag (0 or 1). If set (1), the kernel slab caches for file I/O (directory and inode structures) are uniformly spread across the cpuset. By default this is off (0) in the top cpuset, and inherited from the parent cpuset in newly created cpusets. See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:325 #, no-wrap msgid "I (since Linux 2.6.24)" msgstr "I (Linux 2.6.24 以降)" #. ================== sched_relax_domain_level ================== #. type: Plain text #: build/C/man7/cpuset.7:339 msgid "Flag (0 or 1). If set (1, the default) the kernel will automatically load balance processes in that cpuset over the allowed CPUs in that cpuset. If cleared (0) the kernel will avoid load balancing processes in this cpuset, I some other cpuset with overlapping CPUs has its I flag set. See B, below, for further details." msgstr "" #. type: TP #: build/C/man7/cpuset.7:339 #, no-wrap msgid "I (since Linux 2.6.26)" msgstr "I (Linux 2.6.26 以降)" #. ================== proc cpuset ================== #. type: Plain text #: build/C/man7/cpuset.7:359 msgid "Integer, between -1 and a small positive value. 
The I controls the width of the range of CPUs over which the kernel scheduler performs immediate rebalancing of runnable tasks across CPUs. If I is disabled, then the setting of I does not matter, as no such load balancing is done. If I is enabled, then the higher the value of the I, the wider the range of CPUs over which immediate load balancing is attempted. See B, below, for further details." msgstr "" #. ================== proc status ================== #. type: Plain text #: build/C/man7/cpuset.7:367 msgid "In addition to the above pseudo-files in each directory below I, each process has a pseudo-file, IpidE/cpuset>, that displays the path of the process's cpuset directory relative to the root of the cpuset filesystem." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:378 msgid "Also the IpidE/status> file for each process has four added lines, displaying the process's I (on which CPUs it may be scheduled) and I (on which memory nodes it may obtain memory), in the two formats B and B (see below) as shown in the following example:" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:385 #, no-wrap msgid "" "Cpus_allowed: ffffffff,ffffffff,ffffffff,ffffffff\n" "Cpus_allowed_list: 0-127\n" "Mems_allowed: ffffffff,ffffffff\n" "Mems_allowed_list: 0-63\n" msgstr "" "Cpus_allowed: ffffffff,ffffffff,ffffffff,ffffffff\n" "Cpus_allowed_list: 0-127\n" "Mems_allowed: ffffffff,ffffffff\n" "Mems_allowed_list: 0-63\n" #. ================== EXTENDED CAPABILITIES ================== #. type: Plain text #: build/C/man7/cpuset.7:391 msgid "The \"allowed\" fields were added in Linux 2.6.24; the \"allowed_list\" fields were added in Linux 2.6.26." msgstr "" #. type: SH #: build/C/man7/cpuset.7:391 #, no-wrap msgid "EXTENDED CAPABILITIES" msgstr "拡張ケーパビリティ" #. ================== Exclusive Cpusets ================== #. 
type: Plain text #: build/C/man7/cpuset.7:399 msgid "In addition to controlling which I and I a process is allowed to use, cpusets provide the following extended capabilities." msgstr "" #. type: SS #: build/C/man7/cpuset.7:399 #, no-wrap msgid "Exclusive cpusets" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:406 msgid "If a cpuset is marked I or I, no other cpuset, other than a direct ancestor or descendant, may share any of the same CPUs or memory nodes." msgstr "" #. ================== Hardwall ================== #. type: Plain text #: build/C/man7/cpuset.7:432 msgid "A cpuset that is I restricts kernel allocations for buffer cache pages and other internal kernel data pages commonly shared by the kernel across multiple users. All cpusets, whether I or not, restrict allocations of memory for user space. This enables configuring a system so that several independent jobs can share common kernel data, while isolating each job's user allocation in its own cpuset. To do this, construct a large I cpuset to hold all the jobs, and construct child, non-I cpusets for each individual job. Only a small amount of kernel memory, such as requests from interrupt handlers, is allowed to be placed on memory nodes outside even a I cpuset." msgstr "" #. type: SS #: build/C/man7/cpuset.7:432 #, no-wrap msgid "Hardwall" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:447 msgid "A cpuset that has I or I set is a I cpuset. A I cpuset restricts kernel allocations for page, buffer, and other data commonly shared by the kernel across multiple users. All cpusets, whether I or not, restrict allocations of memory for user space." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:458 msgid "This enables configuring a system so that several independent jobs can share common kernel data, such as filesystem pages, while isolating each job's user allocation in its own cpuset. 
To do this, construct a large I cpuset to hold all the jobs, and construct child cpusets for each individual job which are not I cpusets." msgstr "" #. ================== Notify On Release ================== #. type: Plain text #: build/C/man7/cpuset.7:464 msgid "Only a small amount of kernel memory, such as requests from interrupt handlers, is allowed to be taken outside even a I cpuset." msgstr "" #. type: SS #: build/C/man7/cpuset.7:464 #, no-wrap msgid "Notify on release" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:476 msgid "If the I flag is enabled (1) in a cpuset, then whenever the last process in the cpuset leaves (exits or attaches to some other cpuset) and the last child cpuset of that cpuset is removed, the kernel will run the command I, supplying the pathname (relative to the mount point of the cpuset filesystem) of the abandoned cpuset. This enables automatic removal of abandoned cpusets." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:484 msgid "The default value of I in the root cpuset at system boot is disabled (0). The default value of other cpusets at creation is the current value of their parent's I setting." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:492 msgid "The command I is invoked, with the name (I relative path) of the to-be-released cpuset in I." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:496 msgid "The usual contents of the command I is simply the shell script:" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:501 #, no-wrap msgid "" "#!/bin/sh\n" "rmdir /dev/cpuset/$1\n" msgstr "" "#!/bin/sh\n" "rmdir /dev/cpuset/$1\n" #. ================== Memory Pressure ================== #. type: Plain text #: build/C/man7/cpuset.7:509 msgid "As with other flag values below, this flag can be changed by writing an ASCII number 0 or 1 (with optional trailing newline) into the file, to clear or set the flag, respectively." msgstr "" #. 
type: SS #: build/C/man7/cpuset.7:509 #, no-wrap msgid "Memory pressure" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:515 msgid "The I of a cpuset provides a simple per-cpuset running average of the rate that the processes in a cpuset are attempting to free up in-use memory on the nodes of the cpuset to satisfy additional memory requests." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:519 msgid "This enables batch managers that are monitoring jobs running in dedicated cpusets to efficiently detect what level of memory pressure that job is causing." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:526 msgid "This is useful both on tightly managed systems running a wide mix of submitted jobs, which may choose to terminate or reprioritize jobs that are trying to use more memory than allowed on the nodes assigned them, and with tightly coupled, long-running, massively parallel scientific computing jobs that will dramatically fail to meet required performance goals if they start to use more memory than allowed to them." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:531 msgid "This mechanism provides a very economical way for the batch manager to monitor a cpuset for signs of memory pressure. It's up to the batch manager or other user code to decide what action to take if it detects signs of memory pressure." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:538 msgid "Unless memory pressure calculation is enabled by setting the pseudo-file I, it is not computed for any cpuset, and reads from any I always return zero, as represented by the ASCII string \"0\\en\". See the B section, below." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:540 msgid "A per-cpuset, running average is employed for the following reasons:" msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:545 msgid "Because this meter is per-cpuset rather than per-process or per virtual memory region, the system load imposed by a batch scheduler monitoring this metric is sharply reduced on large systems, because a scan of the tasklist can be avoided on each set of queries." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:550 msgid "Because this meter is a running average rather than an accumulating counter, a batch scheduler can detect memory pressure with a single read, instead of having to read and accumulate results for a period of time." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:556 msgid "Because this meter is per-cpuset rather than per-process, the batch scheduler can obtain the key information\\(emmemory pressure in a cpuset\\(emwith a single read, rather than having to query and accumulate results over all the (dynamically changing) set of processes in the cpuset." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:564 msgid "The I of a cpuset is calculated using a per-cpuset simple digital filter that is kept within the kernel. For each cpuset, this filter tracks the recent rate at which processes attached to that cpuset enter the kernel direct reclaim code." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:573 msgid "The kernel direct reclaim code is entered whenever a process has to satisfy a memory page request by first finding some other page to repurpose, due to lack of any readily available already free pages. Dirty filesystem pages are repurposed by first writing them to disk. Unmodified filesystem buffer pages are repurposed by simply dropping them, though if that page is needed again, it will have to be reread from disk." msgstr "" #. ================== Memory Spread ================== #. 
type: Plain text #: build/C/man7/cpuset.7:581 msgid "The I file provides an integer number representing the recent (half-life of 10 seconds) rate of entries to the direct reclaim code caused by any process in the cpuset, in units of reclaims attempted per second, times 1000." msgstr "" #. type: SS #: build/C/man7/cpuset.7:581 #, no-wrap msgid "Memory spread" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:589 msgid "There are two Boolean flag files per cpuset that control where the kernel allocates pages for the filesystem buffers and related in-kernel data structures. They are called I and I." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:596 msgid "If the per-cpuset Boolean flag file I is set, then the kernel will spread the filesystem buffers (page cache) evenly over all the nodes that the faulting process is allowed to use, instead of preferring to put those pages on the node where the process is running." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:604 msgid "If the per-cpuset Boolean flag file I is set, then the kernel will spread some filesystem-related slab caches, such as those for inodes and directory entries, evenly over all the nodes that the faulting process is allowed to use, instead of preferring to put those pages on the node where the process is running." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:609 msgid "The setting of these flags does not affect the data segment (see B(2)) or stack segment pages of a process." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:617 msgid "By default, both kinds of memory spreading are off and the kernel prefers to allocate memory pages on the node local to where the requesting process is running. If that node is not allowed by the process's NUMA memory policy or cpuset configuration or if there are insufficient free memory pages on that node, then the kernel looks for the nearest node that is allowed and has sufficient free memory." msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:620 msgid "When new cpusets are created, they inherit the memory spread settings of their parent." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:635 msgid "Setting memory spreading causes allocations for the affected page or slab caches to ignore the process's NUMA memory policy and be spread instead. However, the effect of these changes in memory placement caused by cpuset-specified memory spreading is hidden from the B(2) or B(2) calls. These two NUMA memory policy calls always appear to behave as if no cpuset-specified memory spreading is in effect, even if it is. If cpuset memory spreading is subsequently turned off, the NUMA memory policy most recently specified by these calls is automatically reapplied." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:644 msgid "Both I and I are Boolean flag files. By default they contain \"0\", meaning that the feature is off for that cpuset. If a \"1\" is written to that file, that turns the named feature on." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:647 msgid "Cpuset-specified memory spreading behaves similarly to what is known (in other contexts) as round-robin or interleave memory placement." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:650 msgid "Cpuset-specified memory spreading can provide substantial performance improvements for jobs that:" msgstr "" #. type: IP #: build/C/man7/cpuset.7:650 build/C/man7/user_namespaces.7:384 #, no-wrap msgid "a)" msgstr "a)" #. type: Plain text #: build/C/man7/cpuset.7:654 msgid "need to place thread-local data on memory nodes close to the CPUs which are running the threads that most frequently access that data; but also" msgstr "" #. type: IP #: build/C/man7/cpuset.7:654 build/C/man7/user_namespaces.7:389 #, no-wrap msgid "b)" msgstr "b)" #. 
type: Plain text #: build/C/man7/cpuset.7:657 msgid "need to access large filesystem data sets that must to be spread across the several nodes in the job's cpuset in order to fit." msgstr "" #. ================== Memory Migration ================== #. type: Plain text #: build/C/man7/cpuset.7:664 msgid "Without this policy, the memory allocation across the nodes in the job's cpuset can become very uneven, especially for jobs that might have just a single thread initializing or reading in the data set." msgstr "" #. type: SS #: build/C/man7/cpuset.7:664 #, no-wrap msgid "Memory migration" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:673 msgid "Normally, under the default setting (disabled) of I, once a page is allocated (given a physical page of main memory), then that page stays on whatever node it was allocated, so long as it remains allocated, even if the cpuset's memory-placement policy I subsequently changes." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:679 msgid "When memory migration is enabled in a cpuset, if the I setting of the cpuset is changed, then any memory page in use by any process in the cpuset that is on a memory node that is no longer allowed will be migrated to a memory node that is allowed." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:685 msgid "Furthermore, if a process is moved into a cpuset with I enabled, any memory pages it uses that were on memory nodes allowed in its previous cpuset, but which are not allowed in its new cpuset, will be migrated to a memory node allowed in the new cpuset." msgstr "" #. ================== Scheduler Load Balancing ================== #. type: Plain text #: build/C/man7/cpuset.7:693 msgid "The relative placement of a migrated page within the cpuset is preserved during these migration operations if possible. For example, if the page was on the second valid node of the prior cpuset, then the page will be placed on the second valid node of the new cpuset, if possible." 
msgstr "" #. type: SS #: build/C/man7/cpuset.7:693 #, no-wrap msgid "Scheduler load balancing" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:700 msgid "The kernel scheduler automatically load balances processes. If one CPU is underutilized, the kernel will look for processes on other more overloaded CPUs and move those processes to the underutilized CPU, within the constraints of such placement mechanisms as cpusets and B<sched_setaffinity>(2)." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:713 msgid "The algorithmic cost of load balancing and its impact on key shared kernel data structures such as the process list increases more than linearly with the number of CPUs being balanced. For example, it costs more to load balance across one large set of CPUs than it does to balance across two smaller sets of CPUs, each of half the size of the larger set. (The precise relationship between the number of CPUs being balanced and the cost of load balancing depends on implementation details of the kernel process scheduler, which is subject to change over time, as improved kernel scheduler algorithms are implemented.)" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:719 msgid "The per-cpuset flag I<cpuset.sched_load_balance> provides a mechanism to suppress this automatic scheduler load balancing in cases where it is not needed and suppressing it would have worthwhile performance benefits." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:723 msgid "By default, load balancing is done across all CPUs, except those marked isolated using the kernel boot time \"isolcpus=\" argument. (See B<Scheduler Relax Domain Level>, below, to change this default.)" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:726 msgid "This default load balancing across all CPUs is not well suited to the following two situations:" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:730 msgid "On large systems, load balancing across many CPUs is expensive. 
If the system is managed using cpusets to place independent jobs on separate sets of CPUs, full load balancing is unnecessary." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:734 msgid "Systems supporting real-time on some CPUs need to minimize system overhead on those CPUs, including avoiding process load balancing if that is not needed." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:744 msgid "When the per-cpuset flag I<cpuset.sched_load_balance> is enabled (the default setting), it requests load balancing across all the CPUs in that cpuset's allowed CPUs, ensuring that load balancing can move a process (not otherwise pinned, as by B<sched_setaffinity>(2)) from any CPU in that cpuset to any other." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:753 msgid "When the per-cpuset flag I<cpuset.sched_load_balance> is disabled, then the scheduler will avoid load balancing across the CPUs in that cpuset, I<except> in so far as is necessary because some overlapping cpuset has I<cpuset.sched_load_balance> enabled." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:761 msgid "So, for example, if the top cpuset has the flag I<cpuset.sched_load_balance> enabled, then the scheduler will load balance across all CPUs, and the setting of the I<cpuset.sched_load_balance> flag in other cpusets has no effect, as we're already fully load balancing." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:766 msgid "Therefore in the above two situations, the flag I<cpuset.sched_load_balance> should be disabled in the top cpuset, and only some of the smaller, child cpusets would have this flag enabled." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:774 msgid "When doing this, you don't usually want to leave any unpinned processes in the top cpuset that might use nontrivial amounts of CPU, as such processes may be artificially constrained to some subset of CPUs, depending on the particulars of this flag setting in descendant cpusets. Even if such a process could use spare CPU cycles in some other CPUs, the kernel scheduler might not consider the possibility of load balancing that process to the underused CPU." msgstr "" #. 
================== Scheduler Relax Domain Level ================== #. type: Plain text #: build/C/man7/cpuset.7:780 msgid "Of course, processes pinned to a particular CPU can be left in a cpuset that disables I<cpuset.sched_load_balance> as those processes aren't going anywhere else anyway." msgstr "" #. type: SS #: build/C/man7/cpuset.7:780 #, no-wrap msgid "Scheduler relax domain level" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:801 msgid "The kernel scheduler performs immediate load balancing whenever a CPU becomes free or another task becomes runnable. This load balancing works to ensure that as many CPUs as possible are usefully employed running tasks. The kernel also performs periodic load balancing off the software clock described in B