1 .\" Hey Emacs! This file is -*- nroff -*- source.
3 .\" Copyright (C) 1998 Andries Brouwer (aeb@cwi.nl)
4 .\" and Copyright (C) 2002 Michael Kerrisk <mtk.manpages@gmail.com>
5 .\" and Copyright Guillem Jover <guillem@hadrons.org>
7 .\" Permission is granted to make and distribute verbatim copies of this
8 .\" manual provided the copyright notice and this permission notice are
9 .\" preserved on all copies.
11 .\" Permission is granted to copy and distribute modified versions of this
12 .\" manual under the conditions for verbatim copying, provided that the
13 .\" entire resulting derived work is distributed under the terms of a
14 .\" permission notice identical to this one.
16 .\" Since the Linux kernel and libraries are constantly changing, this
17 .\" manual page may be incorrect or out-of-date. The author(s) assume no
18 .\" responsibility for errors or omissions, or for damages resulting from
19 .\" the use of the information contained herein. The author(s) may not
20 .\" have taken the same level of care in the production of this manual,
21 .\" which is licensed free of charge, as they might when working
24 .\" Formatted or processed versions of this manual, if unaccompanied by
25 .\" the source, must acknowledge the copyright and authors of this work.
27 .\" Modified Thu Nov 11 04:19:42 MET 1999, aeb: added PR_GET_PDEATHSIG
28 .\" Modified 27 Jun 02, Michael Kerrisk
29 .\" Added PR_SET_DUMPABLE, PR_GET_DUMPABLE,
30 .\" PR_SET_KEEPCAPS, PR_GET_KEEPCAPS
31 .\" Modified 2006-08-30 Guillem Jover <guillem@hadrons.org>
32 .\" Updated Linux versions where the options where introduced.
33 .\" Added PR_SET_TIMING, PR_GET_TIMING, PR_SET_NAME, PR_GET_NAME,
34 .\" PR_SET_UNALIGN, PR_GET_UNALIGN, PR_SET_FPEMU, PR_GET_FPEMU,
35 .\" PR_SET_FPEXC, PR_GET_FPEXC
36 .\" 2008-04-29 Serge Hallyn, Document PR_CAPBSET_READ and PR_CAPBSET_DROP
37 .\" 2008-06-13 Erik Bosman, <ejbosman@cs.vu.nl>
38 .\" Document PR_GET_TSC and PR_SET_TSC.
39 .\" 2008-06-15 mtk, Document PR_SET_SECCOMP, PR_GET_SECCOMP
40 .\" 2009-10-03 Andi Kleen, document PR_MCE_KILL_*
42 .\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
43 .\" FIXME: Document PR_TASK_PERF_EVENTS_DISABLE and
44 .\" PR_TASK_PERF_EVENTS_ENABLE (new in 2.6.32)
46 .TH PRCTL 2 2012-04-14 "Linux" "Linux Programmer's Manual"
48 prctl \- operations on a process
51 .B #include <sys/prctl.h>
53 .BI "int prctl(int " option ", unsigned long " arg2 ", unsigned long " arg3 ,
54 .BI " unsigned long " arg4 ", unsigned long " arg5 );
58 is called with a first argument describing what to do
59 (with values defined in \fI<linux/prctl.h>\fP), and further
60 arguments with a significance depending on the first one.
61 The first argument can be:
63 .BR PR_CAPBSET_READ " (since Linux 2.6.25)"
64 Return (as the function result) 1 if the capability specified in
66 is in the calling thread's capability bounding set,
68 (The capability constants are defined in
69 .IR <linux/capability.h> .)
70 The capability bounding set dictates
71 whether the process can receive the capability through a
72 file's permitted capability set on a subsequent call to
75 If the capability specified in
77 is not valid, then the call fails with the error
80 .BR PR_CAPBSET_DROP " (since Linux 2.6.25)"
81 If the calling thread has the
83 capability, then drop the capability specified by
85 from the calling thread's capability bounding set.
86 Any children of the calling thread will inherit the newly
89 The call fails with the error:
91 if the calling thread does not have the
96 does not represent a valid capability; or
98 if file capabilities are not enabled in the kernel,
99 in which case bounding sets are not supported.
101 .BR PR_SET_DUMPABLE " (since Linux 2.3.20)"
102 Set the state of the flag determining whether core dumps are produced
103 for this process upon delivery of a signal whose default behavior is
104 to produce a core dump.
105 (Normally this flag is set for a process by default, but it is cleared
106 when a set-user-ID or set-group-ID program is executed and also by
107 various system calls that manipulate process UIDs and GIDs).
108 In kernels up to and including 2.6.12,
110 must be either 0 (process is not dumpable) or 1 (process is dumpable).
111 Between kernels 2.6.13 and 2.6.17, the value 2 was also permitted,
112 which caused any binary which normally would not be dumped
113 to be dumped readable by root only;
114 for security reasons, this feature has been removed.
115 .\" See http://marc.theaimsgroup.com/?l=linux-kernel&m=115270289030630&w=2
116 .\" Subject: Fix prctl privilege escalation (CVE-2006-2451)
117 .\" From: Marcel Holtmann <marcel () holtmann ! org>
118 .\" Date: 2006-07-12 11:12:00
119 (See also the description of
120 .I /proc/sys/fs/suid_dumpable
123 Processes that are not dumpable can not be attached via
127 .BR PR_GET_DUMPABLE " (since Linux 2.3.20)"
128 Return (as the function result) the current state of the calling
129 process's dumpable flag.
130 .\" Since Linux 2.6.13, the dumpable flag can have the value 2,
131 .\" but in 2.6.13 PR_GET_DUMPABLE simply returns 1 if the dumpable
132 .\" flags has a nonzero value. This was fixed in 2.6.14.
134 .BR PR_SET_ENDIAN " (since Linux 2.6.18, PowerPC only)"
135 Set the endian-ness of the calling process to the value given
136 in \fIarg2\fP, which should be one of the following:
137 .\" Respectively 0, 1, 2
139 .BR PR_ENDIAN_LITTLE ,
141 .B PR_ENDIAN_PPC_LITTLE
142 (PowerPC pseudo little endian).
144 .BR PR_GET_ENDIAN " (since Linux 2.6.18, PowerPC only)"
145 Return the endian-ness of the calling process,
146 in the location pointed to by
147 .IR "(int\ *) arg2" .
149 .BR PR_SET_FPEMU " (since Linux 2.4.18, 2.5.9, only on ia64)"
150 Set floating-point emulation control bits to \fIarg2\fP.
151 Pass \fBPR_FPEMU_NOPRINT\fP to silently emulate fp operations accesses, or
152 \fBPR_FPEMU_SIGFPE\fP to not emulate fp operations and send
156 .BR PR_GET_FPEMU " (since Linux 2.4.18, 2.5.9, only on ia64)"
157 Return floating-point emulation control bits,
158 in the location pointed to by
159 .IR "(int\ *) arg2" .
161 .BR PR_SET_FPEXC " (since Linux 2.4.21, 2.5.32, only on PowerPC)"
162 Set floating-point exception mode to \fIarg2\fP.
163 Pass \fBPR_FP_EXC_SW_ENABLE\fP to use FPEXC for FP exception enables,
164 \fBPR_FP_EXC_DIV\fP for floating-point divide by zero,
165 \fBPR_FP_EXC_OVF\fP for floating-point overflow,
166 \fBPR_FP_EXC_UND\fP for floating-point underflow,
167 \fBPR_FP_EXC_RES\fP for floating-point inexact result,
168 \fBPR_FP_EXC_INV\fP for floating-point invalid operation,
169 \fBPR_FP_EXC_DISABLED\fP for FP exceptions disabled,
170 \fBPR_FP_EXC_NONRECOV\fP for async nonrecoverable exception mode,
171 \fBPR_FP_EXC_ASYNC\fP for async recoverable exception mode,
172 \fBPR_FP_EXC_PRECISE\fP for precise exception mode.
174 .BR PR_GET_FPEXC " (since Linux 2.4.21, 2.5.32, only on PowerPC)"
175 Return floating-point exception mode,
176 in the location pointed to by
177 .IR "(int\ *) arg2" .
179 .BR PR_SET_KEEPCAPS " (since Linux 2.2.18)"
180 Set the state of the thread's "keep capabilities" flag,
181 which determines whether the threads's permitted
182 capability set is cleared when a change is made to the threads's user IDs
183 such that the threads's real UID, effective UID, and saved set-user-ID
184 all become nonzero when at least one of them previously had the value 0.
185 By default, the permitted capability set is cleared when such a change is made;
186 setting the "keep capabilities" flag prevents it from being cleared.
188 must be either 0 (permitted capabilities are cleared)
189 or 1 (permitted capabilities are kept).
192 capability set is always cleared when such a credential change is made,
193 regardless of the setting of the "keep capabilities" flag.)
194 The "keep capabilities" value will be reset to 0 on subsequent calls to
197 .BR PR_GET_KEEPCAPS " (since Linux 2.2.18)"
198 Return (as the function result) the current state of the calling threads's
199 "keep capabilities" flag.
201 .BR PR_SET_NAME " (since Linux 2.6.9)"
202 Set the process name for the calling process,
203 using the value in the location pointed to by
204 .IR "(char\ *) arg2" .
205 The name can be up to 16 bytes long,
206 .\" TASK_COMM_LEN in include/linux/sched.h
207 and should be null-terminated if it contains fewer bytes.
209 .BR PR_GET_NAME " (since Linux 2.6.11)"
210 Return the process name for the calling process,
211 in the buffer pointed to by
212 .IR "(char\ *) arg2" .
213 The buffer should allow space for up to 16 bytes;
214 the returned string will be null-terminated if it is shorter than that.
216 .BR PR_SET_PDEATHSIG " (since Linux 2.1.57)"
217 Set the parent process death signal
218 of the calling process to \fIarg2\fP (either a signal value
219 in the range 1..maxsig, or 0 to clear).
220 This is the signal that the calling process will get when its
222 This value is cleared for the child of a
225 .BR PR_GET_PDEATHSIG " (since Linux 2.3.15)"
226 Return the current value of the parent process death signal,
227 in the location pointed to by
228 .IR "(int\ *) arg2" .
230 .BR PR_SET_SECCOMP " (since Linux 2.6.23)"
231 .\" See http://thread.gmane.org/gmane.linux.kernel/542632
232 .\" [PATCH 0 of 2] seccomp updates
233 .\" andrea@cpushare.com
234 Set the secure computing mode for the calling thread.
235 In the current implementation,
238 After the secure computing mode has been set to 1,
239 the only system calls that the thread is permitted to make are
245 Other system calls result in the delivery of a
248 Secure computing mode is useful for number-crunching applications
249 that may need to execute untrusted byte code,
250 perhaps obtained by reading from a pipe or socket.
251 This operation is only available
252 if the kernel is configured with CONFIG_SECCOMP enabled.
254 .BR PR_GET_SECCOMP " (since Linux 2.6.23)"
255 Return the secure computing mode of the calling thread.
256 Not very useful for the current implementation (mode equals 1),
257 but may be useful for other possible future modes:
258 if the caller is not in secure computing mode, this operation returns 0;
259 if the caller is in secure computing mode, then the
263 signal to be sent to the process.
264 This operation is only available
265 if the kernel is configured with CONFIG_SECCOMP enabled.
267 .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
268 Set the "securebits" flags of the calling thread to the value supplied in
271 .BR capabilities (7).
273 .BR PR_GET_SECUREBITS " (since Linux 2.6.26)"
274 Return (as the function result)
275 the "securebits" flags of the calling thread.
277 .BR capabilities (7).
279 .BR PR_SET_TIMING " (since Linux 2.6.0-test4)"
280 Set whether to use (normal, traditional) statistical process timing or
281 accurate timestamp-based process timing, by passing
282 .B PR_TIMING_STATISTICAL
285 .B PR_TIMING_TIMESTAMP
288 .B PR_TIMING_TIMESTAMP
289 is not currently implemented
290 (attempting to set this mode will yield the error
292 .\" PR_TIMING_TIMESTAMP doesn't do anything in 2.6.26-rc8,
293 .\" and looking at the patch history, it appears
294 .\" that it never did anything.
296 .BR PR_GET_TIMING " (since Linux 2.6.0-test4)"
297 Return (as the function result) which process timing method is currently
300 .BR PR_SET_TSC " (since Linux 2.6.26, x86 only)"
301 Set the state of the flag determining whether the timestamp counter
302 can be read by the process.
307 to allow it to be read, or
311 when the process tries to read the timestamp counter.
313 .BR PR_GET_TSC " (since Linux 2.6.26, x86 only)"
314 Return the state of the flag determining whether the timestamp counter
316 in the location pointed to by
317 .IR "(int\ *) arg2" .
320 (Only on: ia64, since Linux 2.3.48; parisc, since Linux 2.6.15;
321 PowerPC, since Linux 2.6.18; Alpha, since Linux 2.6.22)
322 Set unaligned access control bits to \fIarg2\fP.
324 \fBPR_UNALIGN_NOPRINT\fP to silently fix up unaligned user accesses,
325 or \fBPR_UNALIGN_SIGBUS\fP to generate
327 on unaligned user access.
332 for information on versions and architectures)
333 Return unaligned access control bits, in the location pointed to by
334 .IR "(int\ *) arg2" .
336 .BR PR_MCE_KILL " (since Linux 2.6.32)"
337 Set the machine check memory corruption kill policy for the current thread.
341 .BR PR_MCE_KILL_CLEAR ,
342 clear the thread memory corruption kill policy and use the system-wide default.
343 (The system-wide default is defined by
344 .IR /proc/sys/vm/memory_failure_early_kill ;
350 .BR PR_MCE_KILL_SET ,
351 use a thread-specific memory corruption kill policy.
354 defines whether the policy is
356 .RB ( PR_MCE_KILL_EARLY ),
358 .RB ( PR_MCE_KILL_LATE ),
359 or the system-wide default
360 .RB ( PR_MCE_KILL_DEFAULT ).
361 Early kill means that the thread receives a
363 signal as soon as hardware memory corruption is detected inside
365 In late kill mode, the process is only killed when it accesses a corrupted page.
368 for more information on the
371 The policy is inherited by children.
374 arguments must be zero for future compatibility.
376 .BR PR_MCE_KILL_GET " (since Linux 2.6.32)"
377 Return the current per-process machine check kill policy.
380 arguments must be zero.
382 .BR PR_SET_MM " (since Linux 3.3)"
383 Modify certain kernel memory map descriptor fields
384 of the calling process.
385 Usually these fields are set by the kernel and dynamic loader (see
387 for more information) and a regular application should not use this feature.
388 However, there are cases, such as self-modifying programs,
389 where a program might find it useful to change its own memory map.
390 This feature is available only if the kernel is built with the
391 .BR CONFIG_CHECKPOINT_RESTORE
393 The calling process must have the
398 is one of the options below, while
400 provides a new value for the option.
403 .BR PR_SET_MM_START_CODE
404 Set the address above which the program text can run.
405 The corresponding memory area must be readable and executable,
406 but not writable or sharable (see
410 for more information).
412 .BR PR_SET_MM_END_CODE
413 Set the address below which the program text can run.
414 The corresponding memory area must be readable and executable,
415 but not writable or sharable.
417 .BR PR_SET_MM_START_DATA
418 Set the address above which initialized and
419 uninitialized (bss) data are placed.
420 The corresponding memory area must be readable and writable,
421 but not executable or sharable.
423 .B PR_SET_MM_END_DATA
424 Set the address below which initialized and
425 uninitialized (bss) data are placed.
426 The corresponding memory area must be readable and writable,
427 but not executable or sharable.
429 .BR PR_SET_MM_START_STACK
430 Set the start address of the stack.
431 The corresponding memory area must be readable and writable.
433 .BR PR_SET_MM_START_BRK
434 Set the address above which the program heap can be expanded with
437 The address must be greater than the ending address of
438 the current program data segment.
439 In addition, the combined size of the resulting heap and
440 the size of the data segment can't exceed the
449 The requirements for the address are the same as for the
450 .BR PR_SET_MM_START_BRK
452 .\" FIXME The following (until ========) is not yet in mainline kernel,
453 .\" so commented out for the moment.
455 .\" .BR PR_SET_MM_ARG_START
456 .\" Set the address above which the program command line is placed.
458 .\" .BR PR_SET_MM_ARG_END
459 .\" Set the address below which the program command line is placed.
461 .\" .BR PR_SET_MM_ENV_START
462 .\" Set the address above which the program environment is placed.
464 .\" .BR PR_SET_MM_ENV_END
465 .\" Set the address below which the program environment is placed.
467 .\" The address passed with
468 .\" .BR PR_SET_MM_ARG_START ,
469 .\" .BR PR_SET_MM_ARG_END ,
470 .\" .BR PR_SET_MM_ENV_START ,
472 .\" .BR PR_SET_MM_ENV_END
473 .\" should belong to a process stack area.
474 .\" Thus, the corresponding memory area must be readable, writable, and
475 .\" (depending on the kernel configuration) have the
476 .\" .BR MAP_GROWSDOWN
477 .\" attribute set (see
480 .\" .BR PR_SET_MM_AUXV
481 .\" Set a new auxiliary vector.
484 .\" argument should provide the address of the vector.
487 .\" is the size of the vector.
489 .\" .BR PR_SET_MM_EXE_FILE
491 .\" .IR /proc/pid/exe
492 .\" symbolic link with a new one pointing to a new executable file
493 .\" identified by the file descriptor provided in
496 .\" The file descriptor should be obtained with a regular
500 .\" To change the symbolic link, one needs to unmap all existing
501 .\" executable memory areas, including those created by the kernel itself
502 .\" (for example the kernel usually creates at least one executable
503 .\" memory area for the ELF
507 .\" The second limitation is that such transitions can be done only once
508 .\" in a process life time.
509 .\" Any further attempts will be rejected.
510 .\" This should help system administrators to monitor unusual
511 .\" symbolic-link transitions over all process running in a system.
512 .\" ========== END FIXME
517 .BR PR_GET_DUMPABLE ,
518 .BR PR_GET_KEEPCAPS ,
519 .BR PR_CAPBSET_READ ,
521 .BR PR_GET_SECUREBITS ,
522 .BR PR_MCE_KILL_GET ,
525 return the nonnegative values described above.
528 values return 0 on success.
529 On error, \-1 is returned, and
531 is set appropriately.
536 is an invalid address.
553 arguments were not specified as zero.
557 is not valid value for this
566 and the kernel was not configured with
573 and one of the following is true
584 (the limit on the size of the user address space for this architecture);
588 .BR PR_SET_MM_START_CODE ,
589 .BR PR_SET_MM_END_CODE ,
590 .BR PR_SET_MM_START_DATA ,
591 .BR PR_SET_MM_END_DATA ,
593 .BR PR_SET_MM_START_STACK,
594 and the permissions of the corresponding memory area are not as required;
598 .BR PR_SET_MM_START_BRK
603 is less than or equal to the end of the data segment
604 or specifies a value that would cause the
606 resource limit to be exceeded.
612 .BR PR_SET_SECUREBITS ,
613 and the caller does not have the
616 or tried to unset a "locked" flag,
617 or tried to set a flag whose corresponding locked flag was set
619 .BR capabilities (7)).
624 .BR PR_SET_KEEPCAPS ,
626 .B SECURE_KEEP_CAPS_LOCKED
629 .BR capabilities (7)).
634 .BR PR_CAPBSET_DROP ,
635 and the caller does not have the
643 and the caller does not have the
646 .\" FIXME The following (until ========) is not yet in mainline kernel,
647 .\" so commented out for the moment.
656 .\" .BR PR_SET_MM_EXE_FILE ,
657 .\" the file is not executable.
665 .\" .BR PR_SET_MM_EXE_FILE ,
666 .\" and this the second attempt to change the
668 .\" symbolic link, which is prohibited.
676 .\" .BR PR_SET_MM_EXE_FILE ,
677 .\" and the file descriptor passed in
680 .\" ========== END FIXME
681 .\" The following can't actually happen, because prctl() in
682 .\" seccomp mode will cause SIGKILL.
687 .\" .BR PR_SET_SECCOMP ,
688 .\" and secure computing mode is already 1.
692 system call was introduced in Linux 2.1.57.
693 .\" The library interface was added in glibc 2.0.6
695 This call is Linux-specific.
698 system call (also introduced in Linux 2.1.44
699 as irix_prctl on the MIPS architecture),
702 .BI "ptrdiff_t prctl(int " option ", int " arg2 ", int " arg3 );
704 and options to get the maximum number of processes per user,
705 get the maximum number of processors the calling process can use,
706 find out whether a specified process is currently blocked,
707 get or set the maximum stack size, etc.