LDP: Update POT and ja.po to LDP v3.78-git-80a7408

[linuxjm/LDP_man-pages.git] / po4a / process / po / process.pot

# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2015-01-21 20:35+0900\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: TH
#: build/C/man2/acct.2:31 build/C/man5/acct.5:25
#, no-wrap
msgid "ACCT"
msgstr ""

#. type: TH
#: build/C/man2/acct.2:31
#, no-wrap
msgid "2008-06-16"
msgstr ""

#. type: TH
#: build/C/man2/acct.2:31 build/C/man5/acct.5:25 build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:25 build/C/man2/getpriority.2:45 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 build/C/man7/namespaces.7:27 build/C/man7/pid_namespaces.7:27 build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 build/C/man7/user_namespaces.7:27 build/C/man2/seccomp.2:27
#, no-wrap
msgid "Linux"
msgstr ""

#. type: TH
#: build/C/man2/acct.2:31 build/C/man5/acct.5:25 build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:25 build/C/man2/getpriority.2:45 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 build/C/man2/getuid.2:26 build/C/man3/group_member.3:25 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 build/C/man7/namespaces.7:27 build/C/man7/pid_namespaces.7:27 build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 build/C/man7/user_namespaces.7:27 build/C/man2/seccomp.2:27
#, no-wrap
msgid "Linux Programmer's Manual"
msgstr ""

#. type: SH
#: build/C/man2/acct.2:32 build/C/man5/acct.5:26 build/C/man7/capabilities.7:49 build/C/man2/capget.2:16 build/C/man7/cpuset.7:26 build/C/man7/credentials.7:28 build/C/man2/getgid.2:26 build/C/man2/getgroups.2:32 build/C/man2/getpid.2:26 build/C/man2/getpriority.2:46 build/C/man2/getresuid.2:29 build/C/man2/getrlimit.2:65 build/C/man2/getrusage.2:40 build/C/man2/getsid.2:27 build/C/man2/getuid.2:27 build/C/man3/group_member.3:26 build/C/man2/iopl.2:34 build/C/man2/ioprio_set.2:25 build/C/man2/ipc.2:26 build/C/man7/namespaces.7:28 build/C/man7/pid_namespaces.7:28 build/C/man2/seteuid.2:30 build/C/man2/setfsgid.2:32 build/C/man2/setfsuid.2:32 build/C/man2/setgid.2:30 build/C/man2/setpgid.2:49 build/C/man2/setresuid.2:27 build/C/man2/setreuid.2:46 build/C/man2/setsid.2:32 build/C/man2/setuid.2:31 build/C/man7/svipc.7:41 build/C/man3/ulimit.3:28 build/C/man7/user_namespaces.7:28 build/C/man2/seccomp.2:28
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:34
msgid "acct - switch process accounting on or off"
msgstr ""

#. type: SH
#: build/C/man2/acct.2:34 build/C/man5/acct.5:28 build/C/man2/capget.2:18 build/C/man2/getgid.2:28 build/C/man2/getgroups.2:34 build/C/man2/getpid.2:28 build/C/man2/getpriority.2:48 build/C/man2/getresuid.2:31 build/C/man2/getrlimit.2:67 build/C/man2/getrusage.2:42 build/C/man2/getsid.2:29 build/C/man2/getuid.2:29 build/C/man3/group_member.3:28 build/C/man2/iopl.2:36 build/C/man2/ioprio_set.2:27 build/C/man2/ipc.2:28 build/C/man2/seteuid.2:32 build/C/man2/setfsgid.2:34 build/C/man2/setfsuid.2:34 build/C/man2/setgid.2:32 build/C/man2/setpgid.2:51 build/C/man2/setresuid.2:29 build/C/man2/setreuid.2:48 build/C/man2/setsid.2:34 build/C/man2/setuid.2:33 build/C/man7/svipc.7:43 build/C/man3/ulimit.3:30 build/C/man2/seccomp.2:30
#, no-wrap
msgid "SYNOPSIS"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:38
#, no-wrap
msgid "B<#include E<lt>unistd.hE<gt>>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:40
#, no-wrap
msgid "B<int acct(const char *>I<filename>B<);>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:46 build/C/man2/getgroups.2:48 build/C/man2/getrlimit.2:84 build/C/man2/getsid.2:37 build/C/man3/group_member.3:36 build/C/man2/seteuid.2:44 build/C/man2/setpgid.2:71 build/C/man2/setreuid.2:60
msgid "Feature Test Macro Requirements for glibc (see B<feature_test_macros>(7)):"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:50
msgid "B<acct>(): _BSD_SOURCE || (_XOPEN_SOURCE && _XOPEN_SOURCE\\ E<lt>\\ 500)"
msgstr ""

#. type: SH
#: build/C/man2/acct.2:50 build/C/man5/acct.5:30 build/C/man7/capabilities.7:51 build/C/man2/capget.2:24 build/C/man7/cpuset.7:28 build/C/man7/credentials.7:30 build/C/man2/getgid.2:36 build/C/man2/getgroups.2:52 build/C/man2/getpid.2:36 build/C/man2/getpriority.2:56 build/C/man2/getresuid.2:39 build/C/man2/getrlimit.2:88 build/C/man2/getrusage.2:48 build/C/man2/getsid.2:50 build/C/man2/getuid.2:37 build/C/man3/group_member.3:40 build/C/man2/iopl.2:40 build/C/man2/ioprio_set.2:35 build/C/man2/ipc.2:34 build/C/man7/namespaces.7:30 build/C/man7/pid_namespaces.7:30 build/C/man2/seteuid.2:53 build/C/man2/setfsgid.2:38 build/C/man2/setfsuid.2:38 build/C/man2/setgid.2:38 build/C/man2/setpgid.2:100 build/C/man2/setresuid.2:37 build/C/man2/setreuid.2:70 build/C/man2/setsid.2:41 build/C/man2/setuid.2:39 build/C/man7/svipc.7:49 build/C/man3/ulimit.3:34 build/C/man7/user_namespaces.7:30 build/C/man2/seccomp.2:43
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:60
msgid ""
"The B<acct>()  system call enables or disables process accounting.  If "
"called with the name of an existing file as its argument, accounting is "
"turned on, and records for each terminating process are appended to "
"I<filename> as it terminates.  An argument of NULL causes accounting to be "
"turned off."
msgstr ""

#. type: SH
#: build/C/man2/acct.2:60 build/C/man2/capget.2:160 build/C/man2/getgroups.2:92 build/C/man2/getpriority.2:104 build/C/man2/getresuid.2:50 build/C/man2/getrlimit.2:461 build/C/man2/getrusage.2:188 build/C/man2/getsid.2:58 build/C/man3/group_member.3:48 build/C/man2/iopl.2:66 build/C/man2/ioprio_set.2:149 build/C/man2/seteuid.2:67 build/C/man2/setfsgid.2:68 build/C/man2/setfsuid.2:68 build/C/man2/setgid.2:53 build/C/man2/setpgid.2:195 build/C/man2/setresuid.2:64 build/C/man2/setreuid.2:93 build/C/man2/setsid.2:54 build/C/man2/setuid.2:70 build/C/man3/ulimit.3:67 build/C/man2/seccomp.2:342
#, no-wrap
msgid "RETURN VALUE"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:65 build/C/man2/capget.2:165 build/C/man2/getresuid.2:55 build/C/man2/getrusage.2:193 build/C/man2/iopl.2:71 build/C/man2/seteuid.2:72 build/C/man2/setgid.2:58 build/C/man2/setresuid.2:69 build/C/man2/setreuid.2:98 build/C/man2/setuid.2:75
msgid ""
"On success, zero is returned.  On error, -1 is returned, and I<errno> is set "
"appropriately."
msgstr ""

#. type: SH
#: build/C/man2/acct.2:65 build/C/man2/capget.2:179 build/C/man7/cpuset.7:1100 build/C/man2/getgid.2:42 build/C/man2/getgroups.2:106 build/C/man2/getpid.2:44 build/C/man2/getpriority.2:117 build/C/man2/getresuid.2:55 build/C/man2/getrlimit.2:466 build/C/man2/getrusage.2:193 build/C/man2/getsid.2:63 build/C/man2/getuid.2:43 build/C/man2/iopl.2:71 build/C/man2/ioprio_set.2:169 build/C/man2/seteuid.2:79 build/C/man2/setgid.2:58 build/C/man2/setpgid.2:216 build/C/man2/setresuid.2:76 build/C/man2/setreuid.2:105 build/C/man2/setsid.2:61 build/C/man2/setuid.2:82 build/C/man3/ulimit.3:74 build/C/man2/seccomp.2:358
#, no-wrap
msgid "ERRORS"
msgstr ""

#. type: TP
#: build/C/man2/acct.2:66 build/C/man7/cpuset.7:1116 build/C/man7/cpuset.7:1123 build/C/man7/cpuset.7:1129 build/C/man7/cpuset.7:1137 build/C/man7/cpuset.7:1144 build/C/man2/getpriority.2:137 build/C/man2/setpgid.2:217
#, no-wrap
msgid "B<EACCES>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:77
msgid ""
"Write permission is denied for the specified file, or search permission is "
"denied for one of the directories in the path prefix of I<filename> (see "
"also B<path_resolution>(7)), or I<filename> is not a regular file."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:77 build/C/man2/capget.2:180 build/C/man7/cpuset.7:1172 build/C/man2/getgroups.2:107 build/C/man2/getresuid.2:56 build/C/man2/getrlimit.2:467 build/C/man2/getrusage.2:194 build/C/man2/seccomp.2:369
#, no-wrap
msgid "B<EFAULT>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:81
msgid "I<filename> points outside your accessible address space."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:81 build/C/man7/cpuset.7:1238 build/C/man7/cpuset.7:1246
#, no-wrap
msgid "B<EIO>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:85
msgid "Error writing to the file I<filename>."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:85
#, no-wrap
msgid "B<EISDIR>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:89
msgid "I<filename> is a directory."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:89
#, no-wrap
msgid "B<ELOOP>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:93
msgid "Too many symbolic links were encountered in resolving I<filename>."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:93 build/C/man7/cpuset.7:1251 build/C/man7/cpuset.7:1258 build/C/man7/cpuset.7:1263
#, no-wrap
msgid "B<ENAMETOOLONG>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:97
msgid "I<filename> was too long."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:97
#, no-wrap
msgid "B<ENFILE>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:100
msgid "The system limit on the total number of open files has been reached."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:100 build/C/man7/cpuset.7:1275 build/C/man7/cpuset.7:1280
#, no-wrap
msgid "B<ENOENT>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:103
msgid "The specified filename does not exist."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:103 build/C/man7/cpuset.7:1287 build/C/man2/getgroups.2:127 build/C/man2/seccomp.2:413 build/C/man2/seccomp.2:416
#, no-wrap
msgid "B<ENOMEM>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:106 build/C/man2/getgroups.2:130 build/C/man2/seccomp.2:416
msgid "Out of memory."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:106 build/C/man2/iopl.2:76
#, no-wrap
msgid "B<ENOSYS>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:112
msgid ""
"BSD process accounting has not been enabled when the operating system kernel "
"was compiled.  The kernel configuration parameter controlling this feature "
"is B<CONFIG_BSD_PROCESS_ACCT>."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:112 build/C/man7/cpuset.7:1314
#, no-wrap
msgid "B<ENOTDIR>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:117
msgid "A component used as a directory in I<filename> is not in fact a directory."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:117 build/C/man2/capget.2:191 build/C/man2/capget.2:196 build/C/man7/cpuset.7:1319 build/C/man2/getgroups.2:130 build/C/man2/getpriority.2:149 build/C/man2/getrlimit.2:483 build/C/man2/getrlimit.2:488 build/C/man2/getrlimit.2:496 build/C/man2/getsid.2:64 build/C/man2/iopl.2:79 build/C/man2/ioprio_set.2:179 build/C/man2/seteuid.2:83 build/C/man2/setgid.2:64 build/C/man2/setpgid.2:231 build/C/man2/setresuid.2:103 build/C/man2/setreuid.2:132 build/C/man2/setsid.2:62 build/C/man2/setuid.2:110 build/C/man3/ulimit.3:75
#, no-wrap
msgid "B<EPERM>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:123
msgid ""
"The calling process has insufficient privilege to enable process "
"accounting.  On Linux the B<CAP_SYS_PACCT> capability is required."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:123
#, no-wrap
msgid "B<EROFS>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:127
msgid "I<filename> refers to a file on a read-only filesystem."
msgstr ""

#. type: TP
#: build/C/man2/acct.2:127
#, no-wrap
msgid "B<EUSERS>"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:130
msgid "There are no more free file structures or we ran out of memory."
msgstr ""

#. type: SH
#: build/C/man2/acct.2:130 build/C/man5/acct.5:153 build/C/man7/capabilities.7:1120 build/C/man2/capget.2:218 build/C/man7/credentials.7:287 build/C/man2/getgid.2:44 build/C/man2/getgroups.2:133 build/C/man2/getpid.2:46 build/C/man2/getpriority.2:157 build/C/man2/getresuid.2:67 build/C/man2/getrlimit.2:511 build/C/man2/getrusage.2:202 build/C/man2/getsid.2:79 build/C/man2/getuid.2:45 build/C/man3/group_member.3:55 build/C/man2/iopl.2:87 build/C/man2/ioprio_set.2:196 build/C/man2/ipc.2:45 build/C/man7/namespaces.7:359 build/C/man7/pid_namespaces.7:351 build/C/man2/seteuid.2:99 build/C/man2/setfsgid.2:75 build/C/man2/setfsuid.2:75 build/C/man2/setgid.2:71 build/C/man2/setpgid.2:250 build/C/man2/setresuid.2:109 build/C/man2/setreuid.2:148 build/C/man2/setsid.2:68 build/C/man2/setuid.2:117 build/C/man3/ulimit.3:78 build/C/man7/user_namespaces.7:645 build/C/man2/seccomp.2:435
#, no-wrap
msgid "CONFORMING TO"
msgstr ""

#.  SVr4 documents an EBUSY error condition, but no EISDIR or ENOSYS.
#.  Also AIX and HP-UX document EBUSY (attempt is made
#.  to enable accounting when it is already enabled), as does Solaris
#.  (attempt is made to enable accounting using the same file that is
#.  currently being used).
#. type: Plain text
#: build/C/man2/acct.2:137
msgid "SVr4, 4.3BSD (but not POSIX)."
msgstr ""

#. type: SH
#: build/C/man2/acct.2:137 build/C/man5/acct.5:157 build/C/man7/capabilities.7:1126 build/C/man2/capget.2:220 build/C/man7/cpuset.7:1341 build/C/man7/credentials.7:293 build/C/man2/getgid.2:46 build/C/man2/getgroups.2:141 build/C/man2/getpid.2:48 build/C/man2/getpriority.2:160 build/C/man2/getresuid.2:70 build/C/man2/getrlimit.2:534 build/C/man2/getrusage.2:213 build/C/man2/getsid.2:81 build/C/man2/getuid.2:47 build/C/man2/iopl.2:91 build/C/man2/ioprio_set.2:198 build/C/man2/ipc.2:49 build/C/man2/seteuid.2:101 build/C/man2/setfsgid.2:79 build/C/man2/setfsuid.2:79 build/C/man2/setgid.2:73 build/C/man2/setpgid.2:272 build/C/man2/setresuid.2:112 build/C/man2/setreuid.2:154 build/C/man2/setsid.2:70 build/C/man2/setuid.2:122 build/C/man7/user_namespaces.7:648 build/C/man2/seccomp.2:439
#, no-wrap
msgid "NOTES"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:140
msgid ""
"No accounting is produced for programs running when a system crash occurs.  "
"In particular, nonterminating processes are never accounted for."
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:143
msgid ""
"The structure of the records written to the accounting file is described in "
"B<acct>(5)."
msgstr ""

#. type: SH
#: build/C/man2/acct.2:143 build/C/man5/acct.5:174 build/C/man7/capabilities.7:1183 build/C/man2/capget.2:228 build/C/man7/cpuset.7:1488 build/C/man7/credentials.7:304 build/C/man2/getgid.2:62 build/C/man2/getgroups.2:178 build/C/man2/getpid.2:100 build/C/man2/getpriority.2:232 build/C/man2/getresuid.2:86 build/C/man2/getrlimit.2:766 build/C/man2/getrusage.2:253 build/C/man2/getsid.2:84 build/C/man2/getuid.2:73 build/C/man3/group_member.3:57 build/C/man2/iopl.2:100 build/C/man2/ioprio_set.2:346 build/C/man2/ipc.2:57 build/C/man7/namespaces.7:364 build/C/man7/pid_namespaces.7:356 build/C/man2/seteuid.2:141 build/C/man2/setfsgid.2:123 build/C/man2/setfsuid.2:131 build/C/man2/setgid.2:83 build/C/man2/setpgid.2:340 build/C/man2/setresuid.2:132 build/C/man2/setreuid.2:194 build/C/man2/setsid.2:93 build/C/man2/setuid.2:145 build/C/man7/svipc.7:335 build/C/man3/ulimit.3:83 build/C/man7/user_namespaces.7:1011 build/C/man2/seccomp.2:662
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: build/C/man2/acct.2:144
msgid "B<acct>(5)"
msgstr ""

#. type: TH
#: build/C/man5/acct.5:25
#, no-wrap
msgid "2008-06-15"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:28
msgid "acct - process accounting file"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:30
msgid "B<#include E<lt>sys/acct.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:36
msgid ""
"If the kernel is built with the process accounting option enabled "
"(B<CONFIG_BSD_PROCESS_ACCT>), then calling B<acct>(2)  starts process "
"accounting, for example:"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:39
msgid "acct(\"/var/log/pacct\");"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:47
msgid ""
"When process accounting is enabled, the kernel writes a record to the "
"accounting file as each process on the system terminates.  This record "
"contains information about the terminated process, and is defined in "
"I<E<lt>sys/acct.hE<gt>> as follows:"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:51
#, no-wrap
msgid "#define ACCT_COMM 16\n"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:53
#, no-wrap
msgid "typedef u_int16_t comp_t;\n"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:77
#, no-wrap
msgid ""
"struct acct {\n"
"    char ac_flag;           /* Accounting flags */\n"
"    u_int16_t ac_uid;       /* Accounting user ID */\n"
"    u_int16_t ac_gid;       /* Accounting group ID */\n"
"    u_int16_t ac_tty;       /* Controlling terminal */\n"
"    u_int32_t ac_btime;     /* Process creation time\n"
"                               (seconds since the Epoch) */\n"
"    comp_t    ac_utime;     /* User CPU time */\n"
"    comp_t    ac_stime;     /* System CPU time */\n"
"    comp_t    ac_etime;     /* Elapsed time */\n"
"    comp_t    ac_mem;       /* Average memory usage (kB) */\n"
"    comp_t    ac_io;        /* Characters transferred (unused) */\n"
"    comp_t    ac_rw;        /* Blocks read or written (unused) */\n"
"    comp_t    ac_minflt;    /* Minor page faults */\n"
"    comp_t    ac_majflt;    /* Major page faults */\n"
"    comp_t    ac_swaps;     /* Number of swaps (unused) */\n"
"    u_int32_t ac_exitcode;  /* Process termination status\n"
"                               (see wait(2)) */\n"
"    char      ac_comm[ACCT_COMM+1];\n"
"                            /* Command name (basename of last\n"
"                               executed command; null-terminated) */\n"
"    char      ac_pad[I<X>];    /* padding bytes */\n"
"};\n"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:84
#, no-wrap
msgid ""
"enum {          /* Bits that may be set in ac_flag field */\n"
"    AFORK = 0x01,           /* Has executed fork, but no exec */\n"
"    ASU   = 0x02,           /* Used superuser privileges */\n"
"    ACORE = 0x08,           /* Dumped core */\n"
"    AXSIG = 0x10            /* Killed by a signal */\n"
"};\n"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:94
msgid ""
"The I<comp_t> data type is a floating-point value consisting of a 3-bit, "
"base-8 exponent, and a 13-bit mantissa.  A value, I<c>, of this type can be "
"converted to a (long) integer as follows:"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:97
#, no-wrap
msgid "    v = (c & 0x1fff) E<lt>E<lt> (((c E<gt>E<gt> 13) & 0x7) * 3);\n"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:107
msgid ""
"The I<ac_utime>, I<ac_stime>, and I<ac_etime> fields measure time in \"clock "
"ticks\"; divide these values by I<sysconf(_SC_CLK_TCK)> to convert them to "
"seconds."
msgstr ""

#. type: SS
#: build/C/man5/acct.5:107
#, no-wrap
msgid "Version 3 accounting file format"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:122
msgid ""
"Since kernel 2.6.8, an optional alternative version of the accounting file "
"can be produced if the B<CONFIG_BSD_PROCESS_ACCT_V3> option is set when "
"building the kernel.  With this option is set, the records written to the "
"accounting file contain additional fields, and the width of I<c_uid> and "
"I<ac_gid> fields is widened from 16 to 32 bits (in line with the increased "
"size of UID and GIDs in Linux 2.4 and later).  The records are defined as "
"follows:"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:147
#, no-wrap
msgid ""
"struct acct_v3 {\n"
"    char      ac_flag;      /* Flags */\n"
"    char      ac_version;   /* Always set to ACCT_VERSION (3) */\n"
"    u_int16_t ac_tty;       /* Controlling terminal */\n"
"    u_int32_t ac_exitcode;  /* Process termination status */\n"
"    u_int32_t ac_uid;       /* Real user ID */\n"
"    u_int32_t ac_gid;       /* Real group ID */\n"
"    u_int32_t ac_pid;       /* Process ID */\n"
"    u_int32_t ac_ppid;      /* Parent process ID */\n"
"    u_int32_t ac_btime;     /* Process creation time */\n"
"    float     ac_etime;     /* Elapsed time */\n"
"    comp_t    ac_utime;     /* User CPU time */\n"
"    comp_t    ac_stime;     /* System time */\n"
"    comp_t    ac_mem;       /* Average memory usage (kB) */\n"
"    comp_t    ac_io;        /* Characters transferred (unused) */\n"
"    comp_t    ac_rw;        /* Blocks read or written\n"
"                               (unused) */\n"
"    comp_t    ac_minflt;    /* Minor page faults */\n"
"    comp_t    ac_majflt;    /* Major page faults */\n"
"    comp_t    ac_swaps;     /* Number of swaps (unused) */\n"
"    char      ac_comm[ACCT_COMM]; /* Command name */\n"
"};\n"
msgstr ""

#. type: SH
#: build/C/man5/acct.5:149 build/C/man7/cpuset.7:1338 build/C/man2/getresuid.2:60 build/C/man2/getrlimit.2:506 build/C/man2/getsid.2:75 build/C/man2/ioprio_set.2:193 build/C/man2/setfsgid.2:71 build/C/man2/setfsuid.2:71 build/C/man2/setresuid.2:107 build/C/man2/seccomp.2:430
#, no-wrap
msgid "VERSIONS"
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:153
msgid "The I<acct_v3> structure is defined in glibc since version 2.6."
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:157
msgid ""
"Process accounting originated on BSD.  Although it is present on most "
"systems, it is not standardized, and the details vary somewhat between "
"systems."
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:160
msgid ""
"Records in the accounting file are ordered by termination time of the "
"process."
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:167
msgid ""
"In kernels up to and including 2.6.9, a separate accounting record is "
"written for each thread created using the NPTL threading library; since "
"Linux 2.6.10, a single accounting record is written for the entire process "
"on termination of the last thread in the process."
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:174
msgid ""
"The I<proc/sys/kernel/acct> file, described in B<proc>(5), defines settings "
"that control the behavior of process accounting when disk space runs low."
msgstr ""

#. type: Plain text
#: build/C/man5/acct.5:178
msgid "B<lastcomm>(1), B<acct>(2), B<accton>(8), B<sa>(8)"
msgstr ""

#. type: TH
#: build/C/man7/capabilities.7:48
#, no-wrap
msgid "CAPABILITIES"
msgstr ""

#. type: TH
#: build/C/man7/capabilities.7:48 build/C/man2/getpid.2:25 build/C/man7/namespaces.7:27 build/C/man2/seteuid.2:29 build/C/man2/setgid.2:29 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:45 build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man7/user_namespaces.7:27
#, no-wrap
msgid "2014-09-21"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:51
msgid "capabilities - overview of Linux capabilities"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:63
msgid ""
"For the purpose of performing permission checks, traditional UNIX "
"implementations distinguish two categories of processes: I<privileged> "
"processes (whose effective user ID is 0, referred to as superuser or root), "
"and I<unprivileged> processes (whose effective UID is nonzero).  Privileged "
"processes bypass all kernel permission checks, while unprivileged processes "
"are subject to full permission checking based on the process's credentials "
"(usually: effective UID, effective GID, and supplementary group list)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:70
msgid ""
"Starting with kernel 2.2, Linux divides the privileges traditionally "
"associated with superuser into distinct units, known as I<capabilities>, "
"which can be independently enabled and disabled.  Capabilities are a "
"per-thread attribute."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:70
#, no-wrap
msgid "Capabilities list"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:73
msgid ""
"The following list shows the capabilities implemented on Linux, and the "
"operations or behaviors that each capability permits:"
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:73
#, no-wrap
msgid "B<CAP_AUDIT_CONTROL> (since Linux 2.6.11)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:77
msgid ""
"Enable and disable kernel auditing; change auditing filter rules; retrieve "
"auditing status and filtering rules."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:77
#, no-wrap
msgid "B<CAP_AUDIT_READ> (since Linux 3.16)"
msgstr ""

#.  commit a29b694aa1739f9d76538e34ae25524f9c549d59
#.  commit 3a101b8de0d39403b2c7e5c23fd0b005668acf48
#. type: Plain text
#: build/C/man7/capabilities.7:82
msgid "Allow reading the audit log via a multicast netlink socket."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:82
#, no-wrap
msgid "B<CAP_AUDIT_WRITE> (since Linux 2.6.11)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:85
msgid "Write records to kernel auditing log."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:85
#, no-wrap
msgid "B<CAP_BLOCK_SUSPEND> (since Linux 3.5)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:91
msgid ""
"Employ features that can block system suspend (B<epoll>(7)  B<EPOLLWAKEUP>, "
"I</proc/sys/wake_lock>)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:91
#, no-wrap
msgid "B<CAP_CHOWN>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:95
msgid "Make arbitrary changes to file UIDs and GIDs (see B<chown>(2))."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:95
#, no-wrap
msgid "B<CAP_DAC_OVERRIDE>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:99
msgid ""
"Bypass file read, write, and execute permission checks.  (DAC is an "
"abbreviation of \"discretionary access control\".)"
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:99
#, no-wrap
msgid "B<CAP_DAC_READ_SEARCH>"
msgstr ""

#. type: IP
#: build/C/man7/capabilities.7:103 build/C/man7/capabilities.7:106 build/C/man7/capabilities.7:116 build/C/man7/capabilities.7:126 build/C/man7/capabilities.7:130 build/C/man7/capabilities.7:132 build/C/man7/capabilities.7:134 build/C/man7/capabilities.7:204 build/C/man7/capabilities.7:206 build/C/man7/capabilities.7:208 build/C/man7/capabilities.7:210 build/C/man7/capabilities.7:212 build/C/man7/capabilities.7:214 build/C/man7/capabilities.7:216 build/C/man7/capabilities.7:218 build/C/man7/capabilities.7:220 build/C/man7/capabilities.7:244 build/C/man7/capabilities.7:246 build/C/man7/capabilities.7:296 build/C/man7/capabilities.7:306 build/C/man7/capabilities.7:312 build/C/man7/capabilities.7:317 build/C/man7/capabilities.7:323 build/C/man7/capabilities.7:327 build/C/man7/capabilities.7:334 build/C/man7/capabilities.7:337 build/C/man7/capabilities.7:345 build/C/man7/capabilities.7:347 build/C/man7/capabilities.7:356 build/C/man7/capabilities.7:365 build/C/man7/capabilities.7:368 build/C/man7/capabilities.7:372 build/C/man7/capabilities.7:380 build/C/man7/capabilities.7:383 build/C/man7/capabilities.7:390 build/C/man7/capabilities.7:395 build/C/man7/capabilities.7:401 build/C/man7/capabilities.7:405 build/C/man7/capabilities.7:409 build/C/man7/capabilities.7:413 build/C/man7/capabilities.7:417 build/C/man7/capabilities.7:444 build/C/man7/capabilities.7:449 build/C/man7/capabilities.7:455 build/C/man7/capabilities.7:458 build/C/man7/capabilities.7:461 build/C/man7/capabilities.7:471 build/C/man7/capabilities.7:475 build/C/man7/capabilities.7:492 build/C/man7/capabilities.7:495 build/C/man7/capabilities.7:499 build/C/man7/capabilities.7:504 build/C/man7/capabilities.7:513 build/C/man7/capabilities.7:518 build/C/man7/capabilities.7:521 build/C/man7/capabilities.7:526 build/C/man7/capabilities.7:529 build/C/man7/capabilities.7:532 build/C/man7/capabilities.7:535 build/C/man7/capabilities.7:538 build/C/man7/capabilities.7:543 build/C/man7/capabilities.7:545 build/C/man7/capabilities.7:551 build/C/man7/capabilities.7:559 build/C/man7/capabilities.7:561 build/C/man7/capabilities.7:565 build/C/man7/capabilities.7:567 build/C/man7/capabilities.7:570 build/C/man7/capabilities.7:574 build/C/man7/capabilities.7:576 build/C/man7/capabilities.7:578 build/C/man7/capabilities.7:580 build/C/man7/capabilities.7:589 build/C/man7/capabilities.7:596 build/C/man7/capabilities.7:601 build/C/man7/capabilities.7:606 build/C/man7/capabilities.7:611 build/C/man7/capabilities.7:636 build/C/man7/capabilities.7:643 build/C/man7/capabilities.7:844 build/C/man7/capabilities.7:852 build/C/man7/capabilities.7:1172 build/C/man7/capabilities.7:1177 build/C/man7/cpuset.7:540 build/C/man7/cpuset.7:545 build/C/man7/cpuset.7:550 build/C/man7/cpuset.7:726 build/C/man7/cpuset.7:730 build/C/man7/cpuset.7:927 build/C/man7/cpuset.7:930 build/C/man7/cpuset.7:934 build/C/man7/cpuset.7:938 build/C/man7/cpuset.7:942 build/C/man7/credentials.7:177 build/C/man7/credentials.7:183 build/C/man7/credentials.7:195 build/C/man7/credentials.7:217 build/C/man7/credentials.7:234 build/C/man7/credentials.7:266 build/C/man7/credentials.7:269 build/C/man7/credentials.7:280 build/C/man7/credentials.7:283 build/C/man2/getrlimit.2:690 build/C/man2/getrlimit.2:693 build/C/man7/namespaces.7:212 build/C/man7/namespaces.7:215 build/C/man7/namespaces.7:228 build/C/man7/pid_namespaces.7:233 build/C/man7/pid_namespaces.7:241 build/C/man7/pid_namespaces.7:252 build/C/man7/user_namespaces.7:261 build/C/man7/user_namespaces.7:266 build/C/man7/user_namespaces.7:272 build/C/man7/user_namespaces.7:285 build/C/man7/user_namespaces.7:306 build/C/man7/user_namespaces.7:474 build/C/man7/user_namespaces.7:477 build/C/man7/user_namespaces.7:479 build/C/man7/user_namespaces.7:492 build/C/man7/user_namespaces.7:505 build/C/man7/user_namespaces.7:532 build/C/man7/user_namespaces.7:541 build/C/man2/seccomp.2:265 build/C/man2/seccomp.2:269 build/C/man2/seccomp.2:272 build/C/man2/seccomp.2:277 build/C/man2/seccomp.2:281 build/C/man2/seccomp.2:455 build/C/man2/seccomp.2:463 build/C/man2/seccomp.2:469
#, no-wrap
msgid "*"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:106
msgid ""
"Bypass file read permission checks and directory read and execute permission "
"checks;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:109
msgid "Invoke B<open_by_handle_at>(2)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:112
#, no-wrap
msgid "B<CAP_FOWNER>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:126
msgid ""
"Bypass permission checks on operations that normally require the filesystem "
"UID of the process to match the UID of the file (e.g., B<chmod>(2), "
"B<utime>(2)), excluding those operations covered by B<CAP_DAC_OVERRIDE> and "
"B<CAP_DAC_READ_SEARCH>;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:130
msgid "set extended file attributes (see B<chattr>(1))  on arbitrary files;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:132
msgid "set Access Control Lists (ACLs) on arbitrary files;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:134
msgid "ignore directory sticky bit on file deletion;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:141
msgid "specify B<O_NOATIME> for arbitrary files in B<open>(2)  and B<fcntl>(2)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:143
#, no-wrap
msgid "B<CAP_FSETID>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:149
msgid ""
"Don't clear set-user-ID and set-group-ID permission bits when a file is "
"modified; set the set-group-ID bit for a file whose GID does not match the "
"filesystem or any of the supplementary GIDs of the calling process."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:149
#, no-wrap
msgid "B<CAP_IPC_LOCK>"
msgstr ""

#.  FIXME . As at Linux 3.2, there are some strange uses of this capability
#.  in other places; they probably should be replaced with something else.
#. type: Plain text
#: build/C/man7/capabilities.7:158
msgid "Lock memory (B<mlock>(2), B<mlockall>(2), B<mmap>(2), B<shmctl>(2))."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:158
#, no-wrap
msgid "B<CAP_IPC_OWNER>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:161
msgid "Bypass permission checks for operations on System V IPC objects."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:161
#, no-wrap
msgid "B<CAP_KILL>"
msgstr ""

#.  FIXME . CAP_KILL also has an effect for threads + setting child
#.        termination signal to other than SIGCHLD: without this
#.        capability, the termination signal reverts to SIGCHLD
#.        if the child does an exec().  What is the rationale
#.        for this?
#. type: Plain text
#: build/C/man7/capabilities.7:174
msgid ""
"Bypass permission checks for sending signals (see B<kill>(2)).  This "
"includes use of the B<ioctl>(2)  B<KDSIGACCEPT> operation."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:174
#, no-wrap
msgid "B<CAP_LEASE> (since Linux 2.4)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:178
msgid "Establish leases on arbitrary files (see B<fcntl>(2))."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:178
#, no-wrap
msgid "B<CAP_LINUX_IMMUTABLE>"
msgstr ""

#.  These attributes are now available on ext2, ext3, Reiserfs, XFS, JFS
#. type: Plain text
#: build/C/man7/capabilities.7:187
msgid ""
"Set the B<FS_APPEND_FL> and B<FS_IMMUTABLE_FL> inode flags (see "
"B<chattr>(1))."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:187
#, no-wrap
msgid "B<CAP_MAC_ADMIN> (since Linux 2.6.25)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:191
msgid ""
"Override Mandatory Access Control (MAC).  Implemented for the Smack Linux "
"Security Module (LSM)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:191
#, no-wrap
msgid "B<CAP_MAC_OVERRIDE> (since Linux 2.6.25)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:195
msgid "Allow MAC configuration or state changes.  Implemented for the Smack LSM."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:195
#, no-wrap
msgid "B<CAP_MKNOD> (since Linux 2.4)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:199
msgid "Create special files using B<mknod>(2)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:199
#, no-wrap
msgid "B<CAP_NET_ADMIN>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:202
msgid "Perform various network-related operations:"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:206
msgid "interface configuration;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:208
msgid "administration of IP firewall, masquerading, and accounting;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:210
msgid "modify routing tables;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:212
msgid "bind to any address for transparent proxying;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:214
msgid "set type-of-service (TOS)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:216
msgid "clear driver statistics;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:218
msgid "set promiscuous mode;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:220
msgid "enabling multicasting;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:231
msgid ""
"use B<setsockopt>(2)  to set the following socket options: B<SO_DEBUG>, "
"B<SO_MARK>, B<SO_PRIORITY> (for a priority outside the range 0 to 6), "
"B<SO_RCVBUFFORCE>, and B<SO_SNDBUFFORCE>."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:233
#, no-wrap
msgid "B<CAP_NET_BIND_SERVICE>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:237
msgid ""
"Bind a socket to Internet domain privileged ports (port numbers less than "
"1024)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:237
#, no-wrap
msgid "B<CAP_NET_BROADCAST>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:240
msgid "(Unused)  Make socket broadcasts, and listen to multicasts."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:240
#, no-wrap
msgid "B<CAP_NET_RAW>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:246
msgid "use RAW and PACKET sockets;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:248
msgid "bind to any address for transparent proxying."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:251
#, no-wrap
msgid "B<CAP_SETGID>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:257
msgid ""
"Make arbitrary manipulations of process GIDs and supplementary GID list; "
"forge GID when passing socket credentials via UNIX domain sockets; write a "
"group ID mapping in a user namespace (see B<user_namespaces>(7))."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:257
#, no-wrap
msgid "B<CAP_SETFCAP> (since Linux 2.6.24)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:260
msgid "Set file capabilities."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:260
#, no-wrap
msgid "B<CAP_SETPCAP>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:271
msgid ""
"If file capabilities are not supported: grant or remove any capability in "
"the caller's permitted capability set to or from any other process.  (This "
"property of B<CAP_SETPCAP> is not available when the kernel is configured to "
"support file capabilities, since B<CAP_SETPCAP> has entirely different "
"semantics for such kernels.)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:281
msgid ""
"If file capabilities are supported: add any capability from the calling "
"thread's bounding set to its inheritable set; drop capabilities from the "
"bounding set (via B<prctl>(2)  B<PR_CAPBSET_DROP>); make changes to the "
"I<securebits> flags."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:281
#, no-wrap
msgid "B<CAP_SETUID>"
msgstr ""

#.  FIXME CAP_SETUID also an effect in exec(); document this.
#. type: Plain text
#: build/C/man7/capabilities.7:292
msgid ""
"Make arbitrary manipulations of process UIDs (B<setuid>(2), B<setreuid>(2), "
"B<setresuid>(2), B<setfsuid>(2)); forge UID when passing socket credentials "
"via UNIX domain sockets; write a user ID mapping in a user namespace (see "
"B<user_namespaces>(7))."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:292
#, no-wrap
msgid "B<CAP_SYS_ADMIN>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:306
msgid ""
"Perform a range of system administration operations including: "
"B<quotactl>(2), B<mount>(2), B<umount>(2), B<swapon>(2), B<swapoff>(2), "
"B<sethostname>(2), and B<setdomainname>(2);"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:312
msgid ""
"perform privileged B<syslog>(2)  operations (since Linux 2.6.37, "
"B<CAP_SYSLOG> should be used to permit such operations);"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:317
msgid "perform B<VM86_REQUEST_IRQ> B<vm86>(2)  command;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:323
msgid ""
"perform B<IPC_SET> and B<IPC_RMID> operations on arbitrary System V IPC "
"objects;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:327 build/C/man7/capabilities.7:574
msgid "override B<RLIMIT_NPROC> resource limit;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:334
msgid ""
"perform operations on I<trusted> and I<security> Extended Attributes (see "
"B<attr>(5));"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:337
msgid "use B<lookup_dcookie>(2);"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:345
msgid ""
"use B<ioprio_set>(2)  to assign B<IOPRIO_CLASS_RT> and (before Linux 2.6.25)  "
"B<IOPRIO_CLASS_IDLE> I/O scheduling classes;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:347
msgid "forge PID when passing socket credentials via UNIX domain sockets;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:356
msgid ""
"exceed I</proc/sys/fs/file-max>, the system-wide limit on the number of open "
"files, in system calls that open files (e.g., B<accept>(2), B<execve>(2), "
"B<open>(2), B<pipe>(2));"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:365
msgid ""
"employ B<CLONE_*> flags that create new namespaces with B<clone>(2)  and "
"B<unshare>(2)  (but, since Linux 3.8, creating user namespaces does not "
"require any capability);"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:368
msgid "call B<perf_event_open>(2);"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:372
msgid "access privileged I<perf> event information;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:380
msgid "call B<setns>(2)  (requires B<CAP_SYS_ADMIN> in the I<target> namespace);"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:383
msgid "call B<fanotify_init>(2);"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:390
msgid "perform B<KEYCTL_CHOWN> and B<KEYCTL_SETPERM> B<keyctl>(2)  operations;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:395
msgid "perform B<madvise>(2)  B<MADV_HWPOISON> operation;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:401
msgid ""
"employ the B<TIOCSTI> B<ioctl>(2)  to insert characters into the input queue "
"of a terminal other than the caller's controlling terminal;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:405
msgid "employ the obsolete B<nfsservctl>(2)  system call;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:409
msgid "employ the obsolete B<bdflush>(2)  system call;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:413
msgid "perform various privileged block-device B<ioctl>(2)  operations;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:417
msgid "perform various privileged filesystem B<ioctl>(2)  operations;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:419
msgid "perform administrative operations on many device drivers."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:421
#, no-wrap
msgid "B<CAP_SYS_BOOT>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:427
msgid "Use B<reboot>(2)  and B<kexec_load>(2)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:427
#, no-wrap
msgid "B<CAP_SYS_CHROOT>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:431
msgid "Use B<chroot>(2)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:431
#, no-wrap
msgid "B<CAP_SYS_MODULE>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:440
msgid ""
"Load and unload kernel modules (see B<init_module>(2)  and "
"B<delete_module>(2)); in kernels before 2.6.25: drop capabilities from the "
"system-wide capability bounding set."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:440
#, no-wrap
msgid "B<CAP_SYS_NICE>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:449
msgid ""
"Raise process nice value (B<nice>(2), B<setpriority>(2))  and change the "
"nice value for arbitrary processes;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:455
msgid ""
"set real-time scheduling policies for calling process, and set scheduling "
"policies and priorities for arbitrary processes (B<sched_setscheduler>(2), "
"B<sched_setparam>(2), B<shed_setattr>(2));"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:458
msgid "set CPU affinity for arbitrary processes (B<sched_setaffinity>(2));"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:461
msgid ""
"set I/O scheduling class and priority for arbitrary processes "
"(B<ioprio_set>(2));"
msgstr ""

#.  FIXME CAP_SYS_NICE also has the following effect for
#.  migrate_pages(2):
#.      do_migrate_pages(mm, &old, &new,
#.          capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
#.  Document this.
#. type: Plain text
#: build/C/man7/capabilities.7:471
msgid ""
"apply B<migrate_pages>(2)  to arbitrary processes and allow processes to be "
"migrated to arbitrary nodes;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:475
msgid "apply B<move_pages>(2)  to arbitrary processes;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:482
msgid "use the B<MPOL_MF_MOVE_ALL> flag with B<mbind>(2)  and B<move_pages>(2)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:484
#, no-wrap
msgid "B<CAP_SYS_PACCT>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:488
msgid "Use B<acct>(2)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:488
#, no-wrap
msgid "B<CAP_SYS_PTRACE>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:495
msgid "Trace arbitrary processes using B<ptrace>(2);"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:499
msgid "apply B<get_robust_list>(2)  to arbitrary processes;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:504
msgid ""
"transfer data to or from the memory of arbitrary processes using "
"B<process_vm_readv>(2)  and B<process_vm_writev>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:507
msgid "inspect processes using B<kcmp>(2)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:509
#, no-wrap
msgid "B<CAP_SYS_RAWIO>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:518
msgid "Perform I/O port operations (B<iopl>(2)  and B<ioperm>(2));"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:521
msgid "access I</proc/kcore>;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:526
msgid "employ the B<FIBMAP> B<ioctl>(2)  operation;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:529
msgid ""
"open devices for accessing x86 model-specific registers (MSRs, see "
"B<msr>(4))"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:532
msgid "update I</proc/sys/vm/mmap_min_addr>;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:535
msgid ""
"create memory mappings at addresses below the value specified by "
"I</proc/sys/vm/mmap_min_addr>;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:538
msgid "map files in I</proc/bus/pci>;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:543
msgid "open I</dev/mem> and I</dev/kmem>;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:545
msgid "perform various SCSI device commands;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:551
msgid "perform certain operations on B<hpsa>(4)  and B<cciss>(4)  devices;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:553
msgid "perform a range of device-specific operations on other devices."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:555
#, no-wrap
msgid "B<CAP_SYS_RESOURCE>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:561
msgid "Use reserved space on ext2 filesystems;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:565
msgid "make B<ioctl>(2)  calls controlling ext3 journaling;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:567
msgid "override disk quota limits;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:570
msgid "increase resource limits (see B<setrlimit>(2));"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:576
msgid "override maximum number of consoles on console allocation;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:578
msgid "override maximum number of keymaps;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:580
msgid "allow more than 64hz interrupts from the real-time clock;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:589
msgid ""
"raise I<msg_qbytes> limit for a System V message queue above the limit in "
"I</proc/sys/kernel/msgmnb> (see B<msgop>(2)  and B<msgctl>(2));"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:596
msgid ""
"override the I</proc/sys/fs/pipe-size-max> limit when setting the capacity "
"of a pipe using the B<F_SETPIPE_SZ> B<fcntl>(2)  command."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:601
msgid ""
"use B<F_SETPIPE_SZ> to increase the capacity of a pipe above the limit "
"specified by I</proc/sys/fs/pipe-max-size>;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:606
msgid ""
"override I</proc/sys/fs/mqueue/queues_max> limit when creating POSIX message "
"queues (see B<mq_overview>(7));"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:611
msgid "employ B<prctl>(2)  B<PR_SET_MM> operation;"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:616
msgid ""
"set I</proc/PID/oom_score_adj> to a value lower than the value last set by a "
"process with B<CAP_SYS_RESOURCE>."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:618
#, no-wrap
msgid "B<CAP_SYS_TIME>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:625
msgid ""
"Set system clock (B<settimeofday>(2), B<stime>(2), B<adjtimex>(2)); set "
"real-time (hardware) clock."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:625
#, no-wrap
msgid "B<CAP_SYS_TTY_CONFIG>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:632
msgid ""
"Use B<vhangup>(2); employ various privileged B<ioctl>(2)  operations on "
"virtual terminals."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:632
#, no-wrap
msgid "B<CAP_SYSLOG> (since Linux 2.6.37)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:643
msgid ""
"Perform privileged B<syslog>(2)  operations.  See B<syslog>(2)  for "
"information on which operations require privilege."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:653
msgid ""
"View kernel addresses exposed via I</proc> and other interfaces when "
"I</proc/sys/kernel/kptr_restrict> has the value 1.  (See the discussion of "
"the I<kptr_restrict> in B<proc>(5).)"
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:655
#, no-wrap
msgid "B<CAP_WAKE_ALARM> (since Linux 3.0)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:663
msgid ""
"Trigger something that will wake up the system (set B<CLOCK_REALTIME_ALARM> "
"and B<CLOCK_BOOTTIME_ALARM> timers)."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:663
#, no-wrap
msgid "Past and current implementation"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:665
msgid "A full implementation of capabilities requires that:"
msgstr ""

#. type: IP
#: build/C/man7/capabilities.7:665 build/C/man7/capabilities.7:816 build/C/man7/capabilities.7:963 build/C/man7/capabilities.7:1016 build/C/man7/user_namespaces.7:173 build/C/man7/user_namespaces.7:515
#, no-wrap
msgid "1."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:669
msgid ""
"For all privileged operations, the kernel must check whether the thread has "
"the required capability in its effective set."
msgstr ""

#. type: IP
#: build/C/man7/capabilities.7:669 build/C/man7/capabilities.7:821 build/C/man7/capabilities.7:969 build/C/man7/capabilities.7:1022 build/C/man7/user_namespaces.7:189 build/C/man7/user_namespaces.7:521
#, no-wrap
msgid "2."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:672
msgid ""
"The kernel must provide system calls allowing a thread's capability sets to "
"be changed and retrieved."
msgstr ""

#. type: IP
#: build/C/man7/capabilities.7:672 build/C/man7/capabilities.7:972 build/C/man7/capabilities.7:1026 build/C/man7/user_namespaces.7:193 build/C/man7/user_namespaces.7:526
#, no-wrap
msgid "3."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:675
msgid ""
"The filesystem must support attaching capabilities to an executable file, so "
"that a process gains those capabilities when the file is executed."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:679
msgid ""
"Before kernel 2.6.24, only the first two of these requirements are met; "
"since kernel 2.6.24, all three requirements are met."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:679
#, no-wrap
msgid "Thread capability sets"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:682
msgid ""
"Each thread has three capability sets containing zero or more of the above "
"capabilities:"
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:682
#, no-wrap
msgid "I<Permitted>:"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:690
msgid ""
"This is a limiting superset for the effective capabilities that the thread "
"may assume.  It is also a limiting superset for the capabilities that may be "
"added to the inheritable set by a thread that does not have the "
"B<CAP_SETPCAP> capability in its effective set."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:696
msgid ""
"If a thread drops a capability from its permitted set, it can never "
"reacquire that capability (unless it B<execve>(2)s either a set-user-ID-root "
"program, or a program whose associated file capabilities grant that "
"capability)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:696
#, no-wrap
msgid "I<Inheritable>:"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:703
msgid ""
"This is a set of capabilities preserved across an B<execve>(2).  It provides "
"a mechanism for a process to assign capabilities to the permitted set of the "
"new program during an B<execve>(2)."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:703 build/C/man7/capabilities.7:753
#, no-wrap
msgid "I<Effective>:"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:707
msgid ""
"This is the set of capabilities used by the kernel to perform permission "
"checks for the thread."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:713
msgid ""
"A child created via B<fork>(2)  inherits copies of its parent's capability "
"sets.  See below for a discussion of the treatment of capabilities during "
"B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:717
msgid ""
"Using B<capset>(2), a thread may manipulate its own capability sets (see "
"below)."
msgstr ""

#.  commit 73efc0394e148d0e15583e13712637831f926720
#. type: Plain text
#: build/C/man7/capabilities.7:726
msgid ""
"Since Linux 3.2, the file I</proc/sys/kernel/cap_last_cap> exposes the "
"numerical value of the highest capability supported by the running kernel; "
"this can be used to determine the highest bit that may be set in a "
"capability set."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:726
#, no-wrap
msgid "File capabilities"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:741
msgid ""
"Since kernel 2.6.24, the kernel supports associating capability sets with an "
"executable file using B<setcap>(8).  The file capability sets are stored in "
"an extended attribute (see B<setxattr>(2))  named I<security.capability>.  "
"Writing to this extended attribute requires the B<CAP_SETFCAP> capability.  "
"The file capability sets, in conjunction with the capability sets of the "
"thread, determine the capabilities of a thread after an B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:743
msgid "The three file capability sets are:"
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:743
#, no-wrap
msgid "I<Permitted> (formerly known as I<forced>):"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:747
msgid ""
"These capabilities are automatically permitted to the thread, regardless of "
"the thread's inheritable capabilities."
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:747
#, no-wrap
msgid "I<Inheritable> (formerly known as I<allowed>):"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:753
msgid ""
"This set is ANDed with the thread's inheritable set to determine which "
"inheritable capabilities are enabled in the permitted set of the thread "
"after the B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:763
msgid ""
"This is not a set, but rather just a single bit.  If this bit is set, then "
"during an B<execve>(2)  all of the new permitted capabilities for the thread "
"are also raised in the effective set.  If this bit is not set, then after an "
"B<execve>(2), none of the new permitted capabilities is in the new effective "
"set."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:779
msgid ""
"Enabling the file effective capability bit implies that any file permitted "
"or inheritable capability that causes a thread to acquire the corresponding "
"permitted capability during an B<execve>(2)  (see the transformation rules "
"described below) will also acquire that capability in its effective set.  "
"Therefore, when assigning capabilities to a file (B<setcap>(8), "
"B<cap_set_file>(3), B<cap_set_fd>(3)), if we specify the effective flag as "
"being enabled for any capability, then the effective flag must also be "
"specified as enabled for all other capabilities for which the corresponding "
"permitted or inheritable flags is enabled."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:779
#, no-wrap
msgid "Transformation of capabilities during execve()"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:785
msgid ""
"During an B<execve>(2), the kernel calculates the new capabilities of the "
"process using the following algorithm:"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:790
#, no-wrap
msgid ""
"P'(permitted) = (P(inheritable) & F(inheritable)) |\n"
"                (F(permitted) & cap_bset)\n"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:792
#, no-wrap
msgid "P'(effective) = F(effective) ? P'(permitted) : 0\n"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:794
#, no-wrap
msgid "P'(inheritable) = P(inheritable)    [i.e., unchanged]\n"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:798
msgid "where:"
msgstr ""

#. type: IP
#: build/C/man7/capabilities.7:799
#, no-wrap
msgid "P"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:802
msgid "denotes the value of a thread capability set before the B<execve>(2)"
msgstr ""

#. type: IP
#: build/C/man7/capabilities.7:802
#, no-wrap
msgid "P'"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:805
msgid "denotes the value of a capability set after the B<execve>(2)"
msgstr ""

#. type: IP
#: build/C/man7/capabilities.7:805
#, no-wrap
msgid "F"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:807
msgid "denotes a file capability set"
msgstr ""

#. type: IP
#: build/C/man7/capabilities.7:807
#, no-wrap
msgid "cap_bset"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:809
msgid "is the value of the capability bounding set (described below)."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:811
#, no-wrap
msgid "Capabilities and execution of programs by root"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:816
msgid ""
"In order to provide an all-powerful I<root> using capability sets, during an "
"B<execve>(2):"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:821
msgid ""
"If a set-user-ID-root program is being executed, or the real user ID of the "
"process is 0 (root)  then the file inheritable and permitted sets are "
"defined to be all ones (i.e., all capabilities enabled)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:824
msgid ""
"If a set-user-ID-root program is being executed, then the file effective bit "
"is defined to be one (enabled)."
msgstr ""

#.  If a process with real UID 0, and nonzero effective UID does an
#.  exec(), then it gets all capabilities in its
#.  permitted set, and no effective capabilities
#. type: Plain text
#: build/C/man7/capabilities.7:839
msgid ""
"The upshot of the above rules, combined with the capabilities "
"transformations described above, is that when a process B<execve>(2)s a "
"set-user-ID-root program, or when a process with an effective UID of 0 "
"B<execve>(2)s a program, it gains all capabilities in its permitted and "
"effective capability sets, except those masked out by the capability "
"bounding set.  This provides semantics that are the same as those provided "
"by traditional UNIX systems."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:839
#, no-wrap
msgid "Capability bounding set"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:844
msgid ""
"The capability bounding set is a security mechanism that can be used to "
"limit the capabilities that can be gained during an B<execve>(2).  The "
"bounding set is used in the following ways:"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:852
msgid ""
"During an B<execve>(2), the capability bounding set is ANDed with the file "
"permitted capability set, and the result of this operation is assigned to "
"the thread's permitted capability set.  The capability bounding set thus "
"places a limit on the permitted capabilities that may be granted by an "
"executable file."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:864
msgid ""
"(Since Linux 2.6.25)  The capability bounding set acts as a limiting "
"superset for the capabilities that a thread can add to its inheritable set "
"using B<capset>(2).  This means that if a capability is not in the bounding "
"set, then a thread can't add this capability to its inheritable set, even if "
"it was in its permitted capabilities, and thereby cannot have this "
"capability preserved in its permitted set when it B<execve>(2)s a file that "
"has the capability in its inheritable set."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:871
msgid ""
"Note that the bounding set masks the file permitted capabilities, but not "
"the inherited capabilities.  If a thread maintains a capability in its "
"inherited set that is not in its bounding set, then it can still gain that "
"capability in its permitted set by executing a file that has the capability "
"in its inherited set."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:874
msgid ""
"Depending on the kernel version, the capability bounding set is either a "
"system-wide attribute, or a per-process attribute."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:876
msgid "B<Capability bounding set prior to Linux 2.6.25>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:884
msgid ""
"In kernels before 2.6.25, the capability bounding set is a system-wide "
"attribute that affects all threads on the system.  The bounding set is "
"accessible via the file I</proc/sys/kernel/cap-bound>.  (Confusingly, this "
"bit mask parameter is expressed as a signed decimal number in "
"I</proc/sys/kernel/cap-bound>.)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:891
msgid ""
"Only the B<init> process may set capabilities in the capability bounding "
"set; other than that, the superuser (more precisely: programs with the "
"B<CAP_SYS_MODULE> capability) may only clear capabilities from this set."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:900
msgid ""
"On a standard system the capability bounding set always masks out the "
"B<CAP_SETPCAP> capability.  To remove this restriction (dangerous!), modify "
"the definition of B<CAP_INIT_EFF_SET> in I<include/linux/capability.h> and "
"rebuild the kernel."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:904
msgid ""
"The system-wide capability bounding set feature was added to Linux starting "
"with kernel version 2.2.11."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:906
msgid "B<Capability bounding set from Linux 2.6.25 onward>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:911
msgid ""
"From Linux 2.6.25, the I<capability bounding set> is a per-thread "
"attribute.  (There is no longer a system-wide capability bounding set.)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:916
msgid ""
"The bounding set is inherited at B<fork>(2)  from the thread's parent, and "
"is preserved across an B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:929
msgid ""
"A thread may remove capabilities from its capability bounding set using the "
"B<prctl>(2)  B<PR_CAPBSET_DROP> operation, provided it has the "
"B<CAP_SETPCAP> capability.  Once a capability has been dropped from the "
"bounding set, it cannot be restored to that set.  A thread can determine if "
"a capability is in its bounding set using the B<prctl>(2)  "
"B<PR_CAPBSET_READ> operation."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:947
msgid ""
"Removing capabilities from the bounding set is supported only if file "
"capabilities are compiled into the kernel.  In kernels before Linux 2.6.33, "
"file capabilities were an optional feature configurable via the "
"B<CONFIG_SECURITY_FILE_CAPABILITIES> option.  Since Linux 2.6.33, the "
"configuration option has been removed and file capabilities are always part "
"of the kernel.  When file capabilities are compiled into the kernel, the "
"B<init> process (the ancestor of all processes) begins with a full bounding "
"set.  If file capabilities are not compiled into the kernel, then B<init> "
"begins with a full bounding set minus B<CAP_SETPCAP>, because this "
"capability has a different meaning when there are no file capabilities."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:954
msgid ""
"Removing a capability from the bounding set does not remove it from the "
"thread's inherited set.  However it does prevent the capability from being "
"added back into the thread's inherited set in the future."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:954
#, no-wrap
msgid "Effect of user ID changes on capabilities"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:963
msgid ""
"To preserve the traditional semantics for transitions between 0 and nonzero "
"user IDs, the kernel makes the following changes to a thread's capability "
"sets on changes to the thread's real, effective, saved set, and filesystem "
"user IDs (using B<setuid>(2), B<setresuid>(2), or similar):"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:969
msgid ""
"If one or more of the real, effective or saved set user IDs was previously "
"0, and as a result of the UID changes all of these IDs have a nonzero value, "
"then all capabilities are cleared from the permitted and effective "
"capability sets."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:972
msgid ""
"If the effective user ID is changed from 0 to nonzero, then all capabilities "
"are cleared from the effective set."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:975
msgid ""
"If the effective user ID is changed from nonzero to 0, then the permitted "
"set is copied to the effective set."
msgstr ""

#. type: IP
#: build/C/man7/capabilities.7:975 build/C/man7/capabilities.7:1030 build/C/man7/user_namespaces.7:529
#, no-wrap
msgid "4."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:993
msgid ""
"If the filesystem user ID is changed from 0 to nonzero (see B<setfsuid>(2)), "
"then the following capabilities are cleared from the effective set: "
"B<CAP_CHOWN>, B<CAP_DAC_OVERRIDE>, B<CAP_DAC_READ_SEARCH>, B<CAP_FOWNER>, "
"B<CAP_FSETID>, B<CAP_LINUX_IMMUTABLE> (since Linux 2.6.30), "
"B<CAP_MAC_OVERRIDE>, and B<CAP_MKNOD> (since Linux 2.6.30).  If the "
"filesystem UID is changed from nonzero to 0, then any of these capabilities "
"that are enabled in the permitted set are enabled in the effective set."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1001
msgid ""
"If a thread that has a 0 value for one or more of its user IDs wants to "
"prevent its permitted capability set being cleared when it resets all of its "
"user IDs to nonzero values, it can do so using the B<prctl>(2)  "
"B<PR_SET_KEEPCAPS> operation."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:1001
#, no-wrap
msgid "Programmatically adjusting capability sets"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1016
msgid ""
"A thread can retrieve and change its capability sets using the B<capget>(2)  "
"and B<capset>(2)  system calls.  However, the use of B<cap_get_proc>(3)  and "
"B<cap_set_proc>(3), both provided in the I<libcap> package, is preferred for "
"this purpose.  The following rules govern changes to the thread capability "
"sets:"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1022
msgid ""
"If the caller does not have the B<CAP_SETPCAP> capability, the new "
"inheritable set must be a subset of the combination of the existing "
"inheritable and permitted sets."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1026
msgid ""
"(Since Linux 2.6.25)  The new inheritable set must be a subset of the "
"combination of the existing inheritable set and the capability bounding set."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1030
msgid ""
"The new permitted set must be a subset of the existing permitted set (i.e., "
"it is not possible to acquire permitted capabilities that the thread does "
"not currently have)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1032
msgid "The new effective set must be a subset of the new permitted set."
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:1032
#, no-wrap
msgid "The securebits flags: establishing a capabilities-only environment"
msgstr ""

#.  For some background:
#.        see http://lwn.net/Articles/280279/ and
#.        http://article.gmane.org/gmane.linux.kernel.lsm/5476/
#. type: Plain text
#: build/C/man7/capabilities.7:1043
msgid ""
"Starting with kernel 2.6.26, and with a kernel in which file capabilities "
"are enabled, Linux implements a set of per-thread I<securebits> flags that "
"can be used to disable special handling of capabilities for UID 0 "
"(I<root>).  These flags are as follows:"
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:1043
#, no-wrap
msgid "B<SECBIT_KEEP_CAPS>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1055
msgid ""
"Setting this flag allows a thread that has one or more 0 UIDs to retain its "
"capabilities when it switches all of its UIDs to a nonzero value.  If this "
"flag is not set, then such a UID switch causes the thread to lose all "
"capabilities.  This flag is always cleared on an B<execve>(2).  (This flag "
"provides the same functionality as the older B<prctl>(2)  B<PR_SET_KEEPCAPS> "
"operation.)"
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:1055
#, no-wrap
msgid "B<SECBIT_NO_SETUID_FIXUP>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1062
msgid ""
"Setting this flag stops the kernel from adjusting capability sets when the "
"threads's effective and filesystem UIDs are switched between zero and "
"nonzero values.  (See the subsection I<Effect of User ID Changes on "
"Capabilities>.)"
msgstr ""

#. type: TP
#: build/C/man7/capabilities.7:1062
#, no-wrap
msgid "B<SECBIT_NOROOT>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1070
msgid ""
"If this bit is set, then the kernel does not grant capabilities when a "
"set-user-ID-root program is executed, or when a process with an effective or "
"real UID of 0 calls B<execve>(2).  (See the subsection I<Capabilities and "
"execution of programs by root>.)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1080
msgid ""
"Each of the above \"base\" flags has a companion \"locked\" flag.  Setting "
"any of the \"locked\" flags is irreversible, and has the effect of "
"preventing further changes to the corresponding \"base\" flag.  The locked "
"flags are: B<SECBIT_KEEP_CAPS_LOCKED>, B<SECBIT_NO_SETUID_FIXUP_LOCKED>, and "
"B<SECBIT_NOROOT_LOCKED>."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1092
msgid ""
"The I<securebits> flags can be modified and retrieved using the B<prctl>(2)  "
"B<PR_SET_SECUREBITS> and B<PR_GET_SECUREBITS> operations.  The "
"B<CAP_SETPCAP> capability is required to modify the flags."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1101
msgid ""
"The I<securebits> flags are inherited by child processes.  During an "
"B<execve>(2), all of the flags are preserved, except B<SECBIT_KEEP_CAPS> "
"which is always cleared."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1106
msgid ""
"An application can use the following call to lock itself, and all of its "
"descendants, into an environment where the only way of gaining capabilities "
"is by executing a program with associated file capabilities:"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1115
#, no-wrap
msgid ""
"prctl(PR_SET_SECUREBITS,\n"
"        SECBIT_KEEP_CAPS_LOCKED |\n"
"        SECBIT_NO_SETUID_FIXUP |\n"
"        SECBIT_NO_SETUID_FIXUP_LOCKED |\n"
"        SECBIT_NOROOT |\n"
"        SECBIT_NOROOT_LOCKED);\n"
msgstr ""

#. type: SS
#: build/C/man7/capabilities.7:1117
#, no-wrap
msgid "Interaction with user namespaces"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1120
msgid ""
"For a discussion of the interaction of capabilities and user namespaces, see "
"B<user_namespaces>(7)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1126
msgid ""
"No standards govern capabilities, but the Linux capability implementation is "
"based on the withdrawn POSIX.1e draft standard; see E<.UR "
"http://wt.tuxomania.net\\:/publications\\:/posix.1e/> E<.UE .>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1131
msgid ""
"Since kernel 2.5.27, capabilities are an optional kernel component, and can "
"be enabled/disabled via the B<CONFIG_SECURITY_CAPABILITIES> kernel "
"configuration option."
msgstr ""

#.  7b9a7ec565505699f503b4fcf61500dceb36e744
#. type: Plain text
#: build/C/man7/capabilities.7:1145
msgid ""
"The I</proc/PID/task/TID/status> file can be used to view the capability "
"sets of a thread.  The I</proc/PID/status> file shows the capability sets of "
"a process's main thread.  Before Linux 3.8, nonexistent capabilities were "
"shown as being enabled (1) in these sets.  Since Linux 3.8, all nonexistent "
"capabilities (above B<CAP_LAST_CAP>)  are shown as disabled (0)."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1160
msgid ""
"The I<libcap> package provides a suite of routines for setting and getting "
"capabilities that is more comfortable and less likely to change than the "
"interface provided by B<capset>(2)  and B<capget>(2).  This package also "
"provides the B<setcap>(8)  and B<getcap>(8)  programs.  It can be found at"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1163
msgid ""
"E<.UR "
"http://www.kernel.org\\:/pub\\:/linux\\:/libs\\:/security\\:/linux-privs> "
"E<.UE .>"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1172
msgid ""
"Before kernel 2.6.24, and since kernel 2.6.24 if file capabilities are not "
"enabled, a thread with the B<CAP_SETPCAP> capability can manipulate the "
"capabilities of threads other than itself.  However, this is only "
"theoretically possible, since no thread ever has B<CAP_SETPCAP> in either of "
"these cases:"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1177
msgid ""
"In the pre-2.6.25 implementation the system-wide capability bounding set, "
"I</proc/sys/kernel/cap-bound>, always masks out this capability, and this "
"can not be changed without modifying the kernel source and rebuilding."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1183
msgid ""
"If file capabilities are disabled in the current implementation, then "
"B<init> starts out with this capability removed from its per-process "
"bounding set, and that bounding set is inherited by all other processes "
"created on the system."
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1202
msgid ""
"B<capsh>(1), B<capget>(2), B<prctl>(2), B<setfsuid>(2), B<cap_clear>(3), "
"B<cap_copy_ext>(3), B<cap_from_text>(3), B<cap_get_file>(3), "
"B<cap_get_proc>(3), B<cap_init>(3), B<capgetp>(3), B<capsetp>(3), "
"B<libcap>(3), B<credentials>(7), B<user_namespaces>(7), B<pthreads>(7), "
"B<getcap>(8), B<setcap>(8)"
msgstr ""

#. type: Plain text
#: build/C/man7/capabilities.7:1204
msgid "I<include/linux/capability.h> in the Linux kernel source tree"
msgstr ""

#. type: TH
#: build/C/man2/capget.2:15
#, no-wrap
msgid "CAPGET"
msgstr ""

#. type: TH
#: build/C/man2/capget.2:15
#, no-wrap
msgid "2013-03-11"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:18
msgid "capget, capset - set/get capabilities of thread(s)"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:20
msgid "B<#include E<lt>sys/capability.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:22
msgid "B<int capget(cap_user_header_t >I<hdrp>B<, cap_user_data_t >I<datap>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:24
msgid ""
"B<int capset(cap_user_header_t >I<hdrp>B<, const cap_user_data_t "
">I<datap>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:35
msgid ""
"As of Linux 2.2, the power of the superuser (root) has been partitioned into "
"a set of discrete capabilities.  Each thread has a set of effective "
"capabilities identifying which capabilities (if any) it may currently "
"exercise.  Each thread also has a set of inheritable capabilities that may "
"be passed through an B<execve>(2)  call, and a set of permitted capabilities "
"that it can make effective or inheritable."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:44
msgid ""
"These two system calls are the raw kernel interface for getting and setting "
"thread capabilities.  Not only are these system calls specific to Linux, but "
"the kernel API is likely to change and use of these system calls (in "
"particular the format of the I<cap_user_*_t> types) is subject to extension "
"with each kernel revision, but old programs will keep working."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:55
msgid ""
"The portable interfaces are B<cap_set_proc>(3)  and B<cap_get_proc>(3); if "
"possible, you should use those interfaces in applications.  If you wish to "
"use the Linux extensions in applications, you should use the easier-to-use "
"interfaces B<capsetp>(3)  and B<capgetp>(3)."
msgstr ""

#. type: SS
#: build/C/man2/capget.2:55
#, no-wrap
msgid "Current details"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:58
msgid ""
"Now that you have been warned, some current kernel details.  The structures "
"are defined as follows."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:63
#, no-wrap
msgid ""
"#define _LINUX_CAPABILITY_VERSION_1  0x19980330\n"
"#define _LINUX_CAPABILITY_U32S_1     1\n"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:66
#, no-wrap
msgid ""
"#define _LINUX_CAPABILITY_VERSION_2  0x20071026\n"
"#define _LINUX_CAPABILITY_U32S_2     2\n"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:71
#, no-wrap
msgid ""
"typedef struct __user_cap_header_struct {\n"
"   __u32 version;\n"
"   int pid;\n"
"} *cap_user_header_t;\n"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:77
#, no-wrap
msgid ""
"typedef struct __user_cap_data_struct {\n"
"   __u32 effective;\n"
"   __u32 permitted;\n"
"   __u32 inheritable;\n"
"} *cap_user_data_t;\n"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:96
msgid ""
"The I<effective>, I<permitted>, and I<inheritable> fields are bit masks of "
"the capabilities defined in B<capabilities>(7).  Note the B<CAP_*> values "
"are bit indexes and need to be bit-shifted before ORing into the bit "
"fields.  To define the structures for passing to the system call you have to "
"use the I<struct __user_cap_header_struct> and I<struct "
"__user_cap_data_struct> names because the typedefs are only pointers."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:108
msgid ""
"Kernels prior to 2.6.25 prefer 32-bit capabilities with version "
"B<_LINUX_CAPABILITY_VERSION_1>, and kernels 2.6.25+ prefer 64-bit "
"capabilities with version B<_LINUX_CAPABILITY_VERSION_2>.  Note, 64-bit "
"capabilities use I<datap>[0] and I<datap>[1], whereas 32-bit capabilities "
"use only I<datap>[0]."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:112
msgid ""
"Another change affecting the behavior of these system calls is kernel "
"support for file capabilities (VFS capability support).  This support is "
"currently a compile time option (added in kernel 2.6.24)."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:119
msgid ""
"For B<capget>()  calls, one can probe the capabilities of any process by "
"specifying its process ID with the I<hdrp-E<gt>pid> field value."
msgstr ""

#. type: SS
#: build/C/man2/capget.2:119
#, no-wrap
msgid "With VFS capability support"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:131
msgid ""
"VFS Capability support creates a file-attribute method for adding "
"capabilities to privileged executables.  This privilege model obsoletes "
"kernel support for one process asynchronously setting the capabilities of "
"another.  That is, with VFS support, for B<capset>()  calls the only "
"permitted values for I<hdrp-E<gt>pid> are 0 or B<getpid>(2), which are "
"equivalent."
msgstr ""

#. type: SS
#: build/C/man2/capget.2:131
#, no-wrap
msgid "Without VFS capability support"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:157
msgid ""
"When the kernel does not support VFS capabilities, B<capset>()  calls can "
"operate on the capabilities of the thread specified by the I<pid> field of "
"I<hdrp> when that is nonzero, or on the capabilities of the calling thread "
"if I<pid> is 0.  If I<pid> refers to a single-threaded process, then I<pid> "
"can be specified as a traditional process ID; operating on a thread of a "
"multithreaded process requires a thread ID of the type returned by "
"B<gettid>(2).  For B<capset>(), I<pid> can also be: -1, meaning perform the "
"change on all threads except the caller and B<init>(1); or a value less than "
"-1, in which case the change is applied to all members of the process group "
"whose ID is -I<pid>."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:160
msgid "For details on the data, see B<capabilities>(7)."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:179
msgid ""
"The calls will fail with the error B<EINVAL>, and set the I<version> field "
"of I<hdrp> to the kernel preferred value of B<_LINUX_CAPABILITY_VERSION_?> "
"when an unsupported I<version> value is specified.  In this way, one can "
"probe what the current preferred capability revision is."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:188
msgid ""
"Bad memory address.  I<hdrp> must not be NULL.  I<datap> may be NULL only "
"when the user is trying to determine the preferred capability version format "
"supported by the kernel."
msgstr ""

#. type: TP
#: build/C/man2/capget.2:188 build/C/man7/cpuset.7:1180 build/C/man7/cpuset.7:1189 build/C/man7/cpuset.7:1198 build/C/man7/cpuset.7:1208 build/C/man7/cpuset.7:1217 build/C/man7/cpuset.7:1224 build/C/man7/cpuset.7:1231 build/C/man2/getgroups.2:114 build/C/man2/getgroups.2:121 build/C/man2/getpriority.2:118 build/C/man2/getrlimit.2:471 build/C/man2/getrusage.2:198 build/C/man2/iopl.2:72 build/C/man2/ioprio_set.2:170 build/C/man2/seteuid.2:80 build/C/man2/setgid.2:59 build/C/man2/setpgid.2:225 build/C/man2/setresuid.2:99 build/C/man2/setreuid.2:128 build/C/man2/setuid.2:105 build/C/man2/seccomp.2:373 build/C/man2/seccomp.2:380 build/C/man2/seccomp.2:387 build/C/man2/seccomp.2:393 build/C/man2/seccomp.2:402
#, no-wrap
msgid "B<EINVAL>"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:191
msgid "One of the arguments was invalid."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:196
msgid ""
"An attempt was made to add a capability to the Permitted set, or to set a "
"capability in the Effective or Inheritable sets that is not in the Permitted "
"set."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:215
msgid ""
"The caller attempted to use B<capset>()  to modify the capabilities of a "
"thread other than itself, but lacked sufficient privilege.  For kernels "
"supporting VFS capabilities, this is never permitted.  For kernels lacking "
"VFS support, the B<CAP_SETPCAP> capability is required.  (A bug in kernels "
"before 2.6.11 meant that this error could also occur if a thread without "
"this capability tried to change its own capabilities by specifying the "
"I<pid> field as a nonzero value (i.e., the value returned by B<getpid>(2))  "
"instead of 0.)"
msgstr ""

#. type: TP
#: build/C/man2/capget.2:215 build/C/man7/cpuset.7:1330 build/C/man2/getpriority.2:126 build/C/man2/getrlimit.2:502 build/C/man2/getsid.2:70 build/C/man2/ioprio_set.2:187 build/C/man2/setpgid.2:240 build/C/man2/seccomp.2:426
#, no-wrap
msgid "B<ESRCH>"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:218
msgid "No such thread."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:220 build/C/man2/ioprio_set.2:198
msgid "These system calls are Linux-specific."
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:225
msgid ""
"The portable interface to the capability querying and setting functions is "
"provided by the I<libcap> library and is available here:"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:228
msgid ""
"E<.UR "
"http://git.kernel.org/cgit\\:/linux\\:/kernel\\:/git\\:/morgan\\:\\:/libcap.git> "
"E<.UE>"
msgstr ""

#. type: Plain text
#: build/C/man2/capget.2:231
msgid "B<clone>(2), B<gettid>(2), B<capabilities>(7)"
msgstr ""

#. type: TH
#: build/C/man7/cpuset.7:25
#, no-wrap
msgid "CPUSET"
msgstr ""

#. type: TH
#: build/C/man7/cpuset.7:25
#, no-wrap
msgid "2014-05-21"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:28
msgid "cpuset - confine processes to processor and memory node subsets"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:35
msgid ""
"The cpuset filesystem is a pseudo-filesystem interface to the kernel cpuset "
"mechanism, which is used to control the processor placement and memory "
"placement of processes.  It is commonly mounted at I</dev/cpuset>."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:52
msgid ""
"On systems with kernels compiled with built in support for cpusets, all "
"processes are attached to a cpuset, and cpusets are always present.  If a "
"system supports cpusets, then it will have the entry B<nodev cpuset> in the "
"file I</proc/filesystems>.  By mounting the cpuset filesystem (see the "
"B<EXAMPLE> section below), the administrator can configure the cpusets on a "
"system to control the processor and memory placement of processes on that "
"system.  By default, if the cpuset configuration on a system is not modified "
"or if the cpuset filesystem is not even mounted, then the cpuset mechanism, "
"though present, has no affect on the system's behavior."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:54
msgid "A cpuset defines a list of CPUs and memory nodes."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:63
msgid ""
"The CPUs of a system include all the logical processing units on which a "
"process can execute, including, if present, multiple processor cores within "
"a package and Hyper-Threads within a processor core.  Memory nodes include "
"all distinct banks of main memory; small and SMP systems typically have just "
"one memory node that contains all the system's main memory, while NUMA "
"(non-uniform memory access) systems have multiple memory nodes."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:73
msgid ""
"Cpusets are represented as directories in a hierarchical pseudo-filesystem, "
"where the top directory in the hierarchy (I</dev/cpuset>)  represents the "
"entire system (all online CPUs and memory nodes)  and any cpuset that is the "
"child (descendant) of another parent cpuset contains a subset of that "
"parent's CPUs and memory nodes.  The directories and files representing "
"cpusets have normal filesystem permissions."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:84
msgid ""
"Every process in the system belongs to exactly one cpuset.  A process is "
"confined to run only on the CPUs in the cpuset it belongs to, and to "
"allocate memory only on the memory nodes in that cpuset.  When a process "
"B<fork>(2)s, the child process is placed in the same cpuset as its parent.  "
"With sufficient privilege, a process may be moved from one cpuset to another "
"and the allowed CPUs and memory nodes of an existing cpuset may be changed."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:92
msgid ""
"When the system begins booting, a single cpuset is defined that includes all "
"CPUs and memory nodes on the system, and all processes are in that cpuset.  "
"During the boot process, or later during normal system operation, other "
"cpusets may be created, as subdirectories of this top cpuset, under the "
"control of the system administrator, and processes may be placed in these "
"other cpusets."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:114
msgid ""
"Cpusets are integrated with the B<sched_setaffinity>(2)  scheduling affinity "
"mechanism and the B<mbind>(2)  and B<set_mempolicy>(2)  memory-placement "
"mechanisms in the kernel.  Neither of these mechanisms let a process make "
"use of a CPU or memory node that is not allowed by that process's cpuset.  "
"If changes to a process's cpuset placement conflict with these other "
"mechanisms, then cpuset placement is enforced even if it means overriding "
"these other mechanisms.  The kernel accomplishes this overriding by silently "
"restricting the CPUs and memory nodes requested by these other mechanisms to "
"those allowed by the invoking process's cpuset.  This can result in these "
"other calls returning an error, if for example, such a call ends up "
"requesting an empty set of CPUs or memory nodes, after that request is "
"restricted to the invoking process's cpuset."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:120
msgid ""
"Typically, a cpuset is used to manage the CPU and memory-node confinement "
"for a set of cooperating processes such as a batch scheduler job, and these "
"other mechanisms are used to manage the placement of individual processes or "
"memory regions within that set or job."
msgstr ""

#. type: SH
#: build/C/man7/cpuset.7:120
#, no-wrap
msgid "FILES"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:125
msgid ""
"Each directory below I</dev/cpuset> represents a cpuset and contains a fixed "
"set of pseudo-files describing the state of that cpuset."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:135
msgid ""
"New cpusets are created using the B<mkdir>(2)  system call or the "
"B<mkdir>(1)  command.  The properties of a cpuset, such as its flags, "
"allowed CPUs and memory nodes, and attached processes, are queried and "
"modified by reading or writing to the appropriate file in that cpuset's "
"directory, as listed below."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:141
msgid ""
"The pseudo-files in each cpuset directory are automatically created when the "
"cpuset is created, as a result of the B<mkdir>(2)  invocation.  It is not "
"possible to directly add or remove these pseudo-files."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:149
msgid ""
"A cpuset directory that contains no child cpuset directories, and has no "
"attached processes, can be removed using B<rmdir>(2)  or B<rmdir>(1).  It is "
"not necessary, or possible, to remove the pseudo-files inside the directory "
"before removing it."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:163
msgid ""
"The pseudo-files in each cpuset directory are small text files that may be "
"read and written using traditional shell utilities such as B<cat>(1), and "
"B<echo>(1), or from a program by using file I/O library functions or system "
"calls, such as B<open>(2), B<read>(2), B<write>(2), and B<close>(2)."
msgstr ""

#.  ====================== tasks ======================
#. type: Plain text
#: build/C/man7/cpuset.7:168
msgid ""
"The pseudo-files in a cpuset directory represent internal kernel state and "
"do not have any persistent image on disk.  Each of these per-cpuset files is "
"listed and described below."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:168
#, no-wrap
msgid "I<tasks>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:178
msgid ""
"List of the process IDs (PIDs) of the processes in that cpuset.  The list is "
"formatted as a series of ASCII decimal numbers, each followed by a newline.  "
"A process may be added to a cpuset (automatically removing it from the "
"cpuset that previously contained it) by writing its PID to that cpuset's "
"I<tasks> file (with or without a trailing newline)."
msgstr ""

#.  =================== notify_on_release ===================
#. type: Plain text
#: build/C/man7/cpuset.7:186
msgid ""
"B<Warning:> only one PID may be written to the I<tasks> file at a time.  If "
"a string is written that contains more than one PID, only the first one will "
"be used."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:186
#, no-wrap
msgid "I<notify_on_release>"
msgstr ""

#.  ====================== cpus ======================
#. type: Plain text
#: build/C/man7/cpuset.7:195
msgid ""
"Flag (0 or 1).  If set (1), that cpuset will receive special handling after "
"it is released, that is, after all processes cease using it (i.e., terminate "
"or are moved to a different cpuset)  and all child cpuset directories have "
"been removed.  See the B<Notify On Release> section, below."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:195
#, no-wrap
msgid "I<cpuset.cpus>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:202
msgid ""
"List of the physical numbers of the CPUs on which processes in that cpuset "
"are allowed to execute.  See B<List Format> below for a description of the "
"format of I<cpus>."
msgstr ""

#.  ==================== cpu_exclusive ====================
#. type: Plain text
#: build/C/man7/cpuset.7:208
msgid ""
"The CPUs allowed to a cpuset may be changed by writing a new list to its "
"I<cpus> file."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:208
#, no-wrap
msgid "I<cpuset.cpu_exclusive>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:215
msgid ""
"Flag (0 or 1).  If set (1), the cpuset has exclusive use of its CPUs (no "
"sibling or cousin cpuset may overlap CPUs).  By default this is off (0).  "
"Newly created cpusets also initially default this to off (0)."
msgstr ""

#.  ====================== mems ======================
#. type: Plain text
#: build/C/man7/cpuset.7:237
msgid ""
"Two cpusets are I<sibling> cpusets if they share the same parent cpuset in "
"the I</dev/cpuset> hierarchy.  Two cpusets are I<cousin> cpusets if neither "
"is the ancestor of the other.  Regardless of the I<cpu_exclusive> setting, "
"if one cpuset is the ancestor of another, and if both of these cpusets have "
"nonempty I<cpus>, then their I<cpus> must overlap, because the I<cpus> of "
"any cpuset are always a subset of the I<cpus> of its parent cpuset."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:237
#, no-wrap
msgid "I<cpuset.mems>"
msgstr ""

#.  ==================== mem_exclusive ====================
#. type: Plain text
#: build/C/man7/cpuset.7:245
msgid ""
"List of memory nodes on which processes in this cpuset are allowed to "
"allocate memory.  See B<List Format> below for a description of the format "
"of I<mems>."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:245
#, no-wrap
msgid "I<cpuset.mem_exclusive>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:253
msgid ""
"Flag (0 or 1).  If set (1), the cpuset has exclusive use of its memory nodes "
"(no sibling or cousin may overlap).  Also if set (1), the cpuset is a "
"B<Hardwall> cpuset (see below).  By default this is off (0).  Newly created "
"cpusets also initially default this to off (0)."
msgstr ""

#.  ==================== mem_hardwall ====================
#. type: Plain text
#: build/C/man7/cpuset.7:261
msgid ""
"Regardless of the I<mem_exclusive> setting, if one cpuset is the ancestor of "
"another, then their memory nodes must overlap, because the memory nodes of "
"any cpuset are always a subset of the memory nodes of that cpuset's parent "
"cpuset."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:261
#, no-wrap
msgid "I<cpuset.mem_hardwall> (since Linux 2.6.26)"
msgstr ""

#.  ==================== memory_migrate ====================
#. type: Plain text
#: build/C/man7/cpuset.7:272
msgid ""
"Flag (0 or 1).  If set (1), the cpuset is a B<Hardwall> cpuset (see below).  "
"Unlike B<mem_exclusive>, there is no constraint on whether cpusets marked "
"B<mem_hardwall> may have overlapping memory nodes with sibling or cousin "
"cpusets.  By default this is off (0).  Newly created cpusets also initially "
"default this to off (0)."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:272
#, no-wrap
msgid "I<cpuset.memory_migrate> (since Linux 2.6.16)"
msgstr ""

#.  ==================== memory_pressure ====================
#. type: Plain text
#: build/C/man7/cpuset.7:279
msgid ""
"Flag (0 or 1).  If set (1), then memory migration is enabled.  By default "
"this is off (0).  See the B<Memory Migration> section, below."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:279
#, no-wrap
msgid "I<cpuset.memory_pressure> (since Linux 2.6.16)"
msgstr ""

#.  ================= memory_pressure_enabled =================
#. type: Plain text
#: build/C/man7/cpuset.7:292
msgid ""
"A measure of how much memory pressure the processes in this cpuset are "
"causing.  See the B<Memory Pressure> section, below.  Unless "
"I<memory_pressure_enabled> is enabled, always has value zero (0).  This file "
"is read-only.  See the B<WARNINGS> section, below."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:292
#, no-wrap
msgid "I<cpuset.memory_pressure_enabled> (since Linux 2.6.16)"
msgstr ""

#.  ================== memory_spread_page ==================
#. type: Plain text
#: build/C/man7/cpuset.7:304
msgid ""
"Flag (0 or 1).  This file is present only in the root cpuset, normally "
"I</dev/cpuset>.  If set (1), the I<memory_pressure> calculations are enabled "
"for all cpusets in the system.  By default this is off (0).  See the "
"B<Memory Pressure> section, below."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:304
#, no-wrap
msgid "I<cpuset.memory_spread_page> (since Linux 2.6.17)"
msgstr ""

#.  ================== memory_spread_slab ==================
#. type: Plain text
#: build/C/man7/cpuset.7:314
msgid ""
"Flag (0 or 1).  If set (1), pages in the kernel page cache (filesystem "
"buffers) are uniformly spread across the cpuset.  By default this is off (0) "
"in the top cpuset, and inherited from the parent cpuset in newly created "
"cpusets.  See the B<Memory Spread> section, below."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:314
#, no-wrap
msgid "I<cpuset.memory_spread_slab> (since Linux 2.6.17)"
msgstr ""

#.  ================== sched_load_balance ==================
#. type: Plain text
#: build/C/man7/cpuset.7:325
msgid ""
"Flag (0 or 1).  If set (1), the kernel slab caches for file I/O (directory "
"and inode structures) are uniformly spread across the cpuset.  By default "
"this is off (0) in the top cpuset, and inherited from the parent cpuset in "
"newly created cpusets.  See the B<Memory Spread> section, below."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:325
#, no-wrap
msgid "I<cpuset.sched_load_balance> (since Linux 2.6.24)"
msgstr ""

#.  ================== sched_relax_domain_level ==================
#. type: Plain text
#: build/C/man7/cpuset.7:339
msgid ""
"Flag (0 or 1).  If set (1, the default) the kernel will automatically load "
"balance processes in that cpuset over the allowed CPUs in that cpuset.  If "
"cleared (0) the kernel will avoid load balancing processes in this cpuset, "
"I<unless> some other cpuset with overlapping CPUs has its "
"I<sched_load_balance> flag set.  See B<Scheduler Load Balancing>, below, for "
"further details."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:339
#, no-wrap
msgid "I<cpuset.sched_relax_domain_level> (since Linux 2.6.26)"
msgstr ""

#.  ================== proc cpuset ==================
#. type: Plain text
#: build/C/man7/cpuset.7:359
msgid ""
"Integer, between -1 and a small positive value.  The "
"I<sched_relax_domain_level> controls the width of the range of CPUs over "
"which the kernel scheduler performs immediate rebalancing of runnable tasks "
"across CPUs.  If I<sched_load_balance> is disabled, then the setting of "
"I<sched_relax_domain_level> does not matter, as no such load balancing is "
"done.  If I<sched_load_balance> is enabled, then the higher the value of the "
"I<sched_relax_domain_level>, the wider the range of CPUs over which "
"immediate load balancing is attempted.  See B<Scheduler Relax Domain Level>, "
"below, for further details."
msgstr ""

#.  ================== proc status ==================
#. type: Plain text
#: build/C/man7/cpuset.7:367
msgid ""
"In addition to the above pseudo-files in each directory below "
"I</dev/cpuset>, each process has a pseudo-file, "
"I</proc/E<lt>pidE<gt>/cpuset>, that displays the path of the process's "
"cpuset directory relative to the root of the cpuset filesystem."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:378
msgid ""
"Also the I</proc/E<lt>pidE<gt>/status> file for each process has four added "
"lines, displaying the process's I<Cpus_allowed> (on which CPUs it may be "
"scheduled) and I<Mems_allowed> (on which memory nodes it may obtain memory), "
"in the two formats B<Mask Format> and B<List Format> (see below)  as shown "
"in the following example:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:385
#, no-wrap
msgid ""
"Cpus_allowed:   ffffffff,ffffffff,ffffffff,ffffffff\n"
"Cpus_allowed_list:     0-127\n"
"Mems_allowed:   ffffffff,ffffffff\n"
"Mems_allowed_list:     0-63\n"
msgstr ""

#.  ================== EXTENDED CAPABILITIES ==================
#. type: Plain text
#: build/C/man7/cpuset.7:391
msgid ""
"The \"allowed\" fields were added in Linux 2.6.24; the \"allowed_list\" "
"fields were added in Linux 2.6.26."
msgstr ""

#. type: SH
#: build/C/man7/cpuset.7:391
#, no-wrap
msgid "EXTENDED CAPABILITIES"
msgstr ""

#.  ================== Exclusive Cpusets ==================
#. type: Plain text
#: build/C/man7/cpuset.7:399
msgid ""
"In addition to controlling which I<cpus> and I<mems> a process is allowed to "
"use, cpusets provide the following extended capabilities."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:399
#, no-wrap
msgid "Exclusive cpusets"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:406
msgid ""
"If a cpuset is marked I<cpu_exclusive> or I<mem_exclusive>, no other cpuset, "
"other than a direct ancestor or descendant, may share any of the same CPUs "
"or memory nodes."
msgstr ""

#.  ================== Hardwall ==================
#. type: Plain text
#: build/C/man7/cpuset.7:432
msgid ""
"A cpuset that is I<mem_exclusive> restricts kernel allocations for buffer "
"cache pages and other internal kernel data pages commonly shared by the "
"kernel across multiple users.  All cpusets, whether I<mem_exclusive> or not, "
"restrict allocations of memory for user space.  This enables configuring a "
"system so that several independent jobs can share common kernel data, while "
"isolating each job's user allocation in its own cpuset.  To do this, "
"construct a large I<mem_exclusive> cpuset to hold all the jobs, and "
"construct child, non-I<mem_exclusive> cpusets for each individual job.  Only "
"a small amount of kernel memory, such as requests from interrupt handlers, "
"is allowed to be placed on memory nodes outside even a I<mem_exclusive> "
"cpuset."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:432
#, no-wrap
msgid "Hardwall"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:447
msgid ""
"A cpuset that has I<mem_exclusive> or I<mem_hardwall> set is a I<hardwall> "
"cpuset.  A I<hardwall> cpuset restricts kernel allocations for page, buffer, "
"and other data commonly shared by the kernel across multiple users.  All "
"cpusets, whether I<hardwall> or not, restrict allocations of memory for user "
"space."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:458
msgid ""
"This enables configuring a system so that several independent jobs can share "
"common kernel data, such as filesystem pages, while isolating each job's "
"user allocation in its own cpuset.  To do this, construct a large "
"I<hardwall> cpuset to hold all the jobs, and construct child cpusets for "
"each individual job which are not I<hardwall> cpusets."
msgstr ""

#.  ================== Notify On Release ==================
#. type: Plain text
#: build/C/man7/cpuset.7:464
msgid ""
"Only a small amount of kernel memory, such as requests from interrupt "
"handlers, is allowed to be taken outside even a I<hardwall> cpuset."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:464
#, no-wrap
msgid "Notify on release"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:476
msgid ""
"If the I<notify_on_release> flag is enabled (1) in a cpuset, then whenever "
"the last process in the cpuset leaves (exits or attaches to some other "
"cpuset)  and the last child cpuset of that cpuset is removed, the kernel "
"will run the command I</sbin/cpuset_release_agent>, supplying the pathname "
"(relative to the mount point of the cpuset filesystem) of the abandoned "
"cpuset.  This enables automatic removal of abandoned cpusets."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:484
msgid ""
"The default value of I<notify_on_release> in the root cpuset at system boot "
"is disabled (0).  The default value of other cpusets at creation is the "
"current value of their parent's I<notify_on_release> setting."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:492
msgid ""
"The command I</sbin/cpuset_release_agent> is invoked, with the name "
"(I</dev/cpuset> relative path)  of the to-be-released cpuset in I<argv[1]>."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:496
msgid ""
"The usual contents of the command I</sbin/cpuset_release_agent> is simply "
"the shell script:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:501
#, no-wrap
msgid ""
"#!/bin/sh\n"
"rmdir /dev/cpuset/$1\n"
msgstr ""

#.  ================== Memory Pressure ==================
#. type: Plain text
#: build/C/man7/cpuset.7:509
msgid ""
"As with other flag values below, this flag can be changed by writing an "
"ASCII number 0 or 1 (with optional trailing newline)  into the file, to "
"clear or set the flag, respectively."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:509
#, no-wrap
msgid "Memory pressure"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:515
msgid ""
"The I<memory_pressure> of a cpuset provides a simple per-cpuset running "
"average of the rate that the processes in a cpuset are attempting to free up "
"in-use memory on the nodes of the cpuset to satisfy additional memory "
"requests."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:519
msgid ""
"This enables batch managers that are monitoring jobs running in dedicated "
"cpusets to efficiently detect what level of memory pressure that job is "
"causing."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:526
msgid ""
"This is useful both on tightly managed systems running a wide mix of "
"submitted jobs, which may choose to terminate or reprioritize jobs that are "
"trying to use more memory than allowed on the nodes assigned them, and with "
"tightly coupled, long-running, massively parallel scientific computing jobs "
"that will dramatically fail to meet required performance goals if they start "
"to use more memory than allowed to them."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:531
msgid ""
"This mechanism provides a very economical way for the batch manager to "
"monitor a cpuset for signs of memory pressure.  It's up to the batch manager "
"or other user code to decide what action to take if it detects signs of "
"memory pressure."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:538
msgid ""
"Unless memory pressure calculation is enabled by setting the pseudo-file "
"I</dev/cpuset/cpuset.memory_pressure_enabled>, it is not computed for any "
"cpuset, and reads from any I<memory_pressure> always return zero, as "
"represented by the ASCII string \"0\\en\".  See the B<WARNINGS> section, "
"below."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:540
msgid "A per-cpuset, running average is employed for the following reasons:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:545
msgid ""
"Because this meter is per-cpuset rather than per-process or per virtual "
"memory region, the system load imposed by a batch scheduler monitoring this "
"metric is sharply reduced on large systems, because a scan of the tasklist "
"can be avoided on each set of queries."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:550
msgid ""
"Because this meter is a running average rather than an accumulating counter, "
"a batch scheduler can detect memory pressure with a single read, instead of "
"having to read and accumulate results for a period of time."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:556
msgid ""
"Because this meter is per-cpuset rather than per-process, the batch "
"scheduler can obtain the key information\\(emmemory pressure in a "
"cpuset\\(emwith a single read, rather than having to query and accumulate "
"results over all the (dynamically changing)  set of processes in the cpuset."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:564
msgid ""
"The I<memory_pressure> of a cpuset is calculated using a per-cpuset simple "
"digital filter that is kept within the kernel.  For each cpuset, this filter "
"tracks the recent rate at which processes attached to that cpuset enter the "
"kernel direct reclaim code."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:573
msgid ""
"The kernel direct reclaim code is entered whenever a process has to satisfy "
"a memory page request by first finding some other page to repurpose, due to "
"lack of any readily available already free pages.  Dirty filesystem pages "
"are repurposed by first writing them to disk.  Unmodified filesystem buffer "
"pages are repurposed by simply dropping them, though if that page is needed "
"again, it will have to be reread from disk."
msgstr ""

#.  ================== Memory Spread ==================
#. type: Plain text
#: build/C/man7/cpuset.7:581
msgid ""
"The I<cpuset.memory_pressure> file provides an integer number representing "
"the recent (half-life of 10 seconds) rate of entries to the direct reclaim "
"code caused by any process in the cpuset, in units of reclaims attempted per "
"second, times 1000."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:581
#, no-wrap
msgid "Memory spread"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:589
msgid ""
"There are two Boolean flag files per cpuset that control where the kernel "
"allocates pages for the filesystem buffers and related in-kernel data "
"structures.  They are called I<cpuset.memory_spread_page> and "
"I<cpuset.memory_spread_slab>."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:596
msgid ""
"If the per-cpuset Boolean flag file I<cpuset.memory_spread_page> is set, "
"then the kernel will spread the filesystem buffers (page cache) evenly over "
"all the nodes that the faulting process is allowed to use, instead of "
"preferring to put those pages on the node where the process is running."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:604
msgid ""
"If the per-cpuset Boolean flag file I<cpuset.memory_spread_slab> is set, "
"then the kernel will spread some filesystem-related slab caches, such as "
"those for inodes and directory entries, evenly over all the nodes that the "
"faulting process is allowed to use, instead of preferring to put those pages "
"on the node where the process is running."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:609
msgid ""
"The setting of these flags does not affect the data segment (see B<brk>(2))  "
"or stack segment pages of a process."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:617
msgid ""
"By default, both kinds of memory spreading are off and the kernel prefers to "
"allocate memory pages on the node local to where the requesting process is "
"running.  If that node is not allowed by the process's NUMA memory policy or "
"cpuset configuration or if there are insufficient free memory pages on that "
"node, then the kernel looks for the nearest node that is allowed and has "
"sufficient free memory."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:620
msgid ""
"When new cpusets are created, they inherit the memory spread settings of "
"their parent."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:635
msgid ""
"Setting memory spreading causes allocations for the affected page or slab "
"caches to ignore the process's NUMA memory policy and be spread instead.  "
"However, the effect of these changes in memory placement caused by "
"cpuset-specified memory spreading is hidden from the B<mbind>(2)  or "
"B<set_mempolicy>(2)  calls.  These two NUMA memory policy calls always "
"appear to behave as if no cpuset-specified memory spreading is in effect, "
"even if it is.  If cpuset memory spreading is subsequently turned off, the "
"NUMA memory policy most recently specified by these calls is automatically "
"reapplied."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:644
msgid ""
"Both I<cpuset.memory_spread_page> and I<cpuset.memory_spread_slab> are "
"Boolean flag files.  By default they contain \"0\", meaning that the feature "
"is off for that cpuset.  If a \"1\" is written to that file, that turns the "
"named feature on."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:647
msgid ""
"Cpuset-specified memory spreading behaves similarly to what is known (in "
"other contexts) as round-robin or interleave memory placement."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:650
msgid ""
"Cpuset-specified memory spreading can provide substantial performance "
"improvements for jobs that:"
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:650 build/C/man7/user_namespaces.7:384
#, no-wrap
msgid "a)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:654
msgid ""
"need to place thread-local data on memory nodes close to the CPUs which are "
"running the threads that most frequently access that data; but also"
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:654 build/C/man7/user_namespaces.7:389
#, no-wrap
msgid "b)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:657
msgid ""
"need to access large filesystem data sets that must to be spread across the "
"several nodes in the job's cpuset in order to fit."
msgstr ""

#.  ================== Memory Migration ==================
#. type: Plain text
#: build/C/man7/cpuset.7:664
msgid ""
"Without this policy, the memory allocation across the nodes in the job's "
"cpuset can become very uneven, especially for jobs that might have just a "
"single thread initializing or reading in the data set."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:664
#, no-wrap
msgid "Memory migration"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:673
msgid ""
"Normally, under the default setting (disabled) of I<cpuset.memory_migrate>, "
"once a page is allocated (given a physical page of main memory), then that "
"page stays on whatever node it was allocated, so long as it remains "
"allocated, even if the cpuset's memory-placement policy I<mems> subsequently "
"changes."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:679
msgid ""
"When memory migration is enabled in a cpuset, if the I<mems> setting of the "
"cpuset is changed, then any memory page in use by any process in the cpuset "
"that is on a memory node that is no longer allowed will be migrated to a "
"memory node that is allowed."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:685
msgid ""
"Furthermore, if a process is moved into a cpuset with I<memory_migrate> "
"enabled, any memory pages it uses that were on memory nodes allowed in its "
"previous cpuset, but which are not allowed in its new cpuset, will be "
"migrated to a memory node allowed in the new cpuset."
msgstr ""

#.  ================== Scheduler Load Balancing ==================
#. type: Plain text
#: build/C/man7/cpuset.7:693
msgid ""
"The relative placement of a migrated page within the cpuset is preserved "
"during these migration operations if possible.  For example, if the page was "
"on the second valid node of the prior cpuset, then the page will be placed "
"on the second valid node of the new cpuset, if possible."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:693
#, no-wrap
msgid "Scheduler load balancing"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:700
msgid ""
"The kernel scheduler automatically load balances processes.  If one CPU is "
"underutilized, the kernel will look for processes on other more overloaded "
"CPUs and move those processes to the underutilized CPU, within the "
"constraints of such placement mechanisms as cpusets and "
"B<sched_setaffinity>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:713
msgid ""
"The algorithmic cost of load balancing and its impact on key shared kernel "
"data structures such as the process list increases more than linearly with "
"the number of CPUs being balanced.  For example, it costs more to load "
"balance across one large set of CPUs than it does to balance across two "
"smaller sets of CPUs, each of half the size of the larger set.  (The precise "
"relationship between the number of CPUs being balanced and the cost of load "
"balancing depends on implementation details of the kernel process scheduler, "
"which is subject to change over time, as improved kernel scheduler "
"algorithms are implemented.)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:719
msgid ""
"The per-cpuset flag I<sched_load_balance> provides a mechanism to suppress "
"this automatic scheduler load balancing in cases where it is not needed and "
"suppressing it would have worthwhile performance benefits."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:723
msgid ""
"By default, load balancing is done across all CPUs, except those marked "
"isolated using the kernel boot time \"isolcpus=\" argument.  (See "
"B<Scheduler Relax Domain Level>, below, to change this default.)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:726
msgid ""
"This default load balancing across all CPUs is not well suited to the "
"following two situations:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:730
msgid ""
"On large systems, load balancing across many CPUs is expensive.  If the "
"system is managed using cpusets to place independent jobs on separate sets "
"of CPUs, full load balancing is unnecessary."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:734
msgid ""
"Systems supporting real-time on some CPUs need to minimize system overhead "
"on those CPUs, including avoiding process load balancing if that is not "
"needed."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:744
msgid ""
"When the per-cpuset flag I<sched_load_balance> is enabled (the default "
"setting), it requests load balancing across all the CPUs in that cpuset's "
"allowed CPUs, ensuring that load balancing can move a process (not otherwise "
"pinned, as by B<sched_setaffinity>(2))  from any CPU in that cpuset to any "
"other."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:753
msgid ""
"When the per-cpuset flag I<sched_load_balance> is disabled, then the "
"scheduler will avoid load balancing across the CPUs in that cpuset, "
"I<except> in so far as is necessary because some overlapping cpuset has "
"I<sched_load_balance> enabled."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:761
msgid ""
"So, for example, if the top cpuset has the flag I<sched_load_balance> "
"enabled, then the scheduler will load balance across all CPUs, and the "
"setting of the I<sched_load_balance> flag in other cpusets has no effect, as "
"we're already fully load balancing."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:766
msgid ""
"Therefore in the above two situations, the flag I<sched_load_balance> should "
"be disabled in the top cpuset, and only some of the smaller, child cpusets "
"would have this flag enabled."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:774
msgid ""
"When doing this, you don't usually want to leave any unpinned processes in "
"the top cpuset that might use nontrivial amounts of CPU, as such processes "
"may be artificially constrained to some subset of CPUs, depending on the "
"particulars of this flag setting in descendant cpusets.  Even if such a "
"process could use spare CPU cycles in some other CPUs, the kernel scheduler "
"might not consider the possibility of load balancing that process to the "
"underused CPU."
msgstr ""

#.  ================== Scheduler Relax Domain Level ==================
#. type: Plain text
#: build/C/man7/cpuset.7:780
msgid ""
"Of course, processes pinned to a particular CPU can be left in a cpuset that "
"disables I<sched_load_balance> as those processes aren't going anywhere else "
"anyway."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:780
#, no-wrap
msgid "Scheduler relax domain level"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:801
msgid ""
"The kernel scheduler performs immediate load balancing whenever a CPU "
"becomes free or another task becomes runnable.  This load balancing works to "
"ensure that as many CPUs as possible are usefully employed running tasks.  "
"The kernel also performs periodic load balancing off the software clock "
"described in B<time>(7).  The setting of I<sched_relax_domain_level> applies "
"only to immediate load balancing.  Regardless of the "
"I<sched_relax_domain_level> setting, periodic load balancing is attempted "
"over all CPUs (unless disabled by turning off I<sched_load_balance>.)  In "
"any case, of course, tasks will be scheduled to run only on CPUs allowed by "
"their cpuset, as modified by B<sched_setaffinity>(2)  system calls."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:809
msgid ""
"On small systems, such as those with just a few CPUs, immediate load "
"balancing is useful to improve system interactivity and to minimize wasteful "
"idle CPU cycles.  But on large systems, attempting immediate load balancing "
"across a large number of CPUs can be more costly than it is worth, depending "
"on the particular performance characteristics of the job mix and the "
"hardware."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:817
msgid ""
"The exact meaning of the small integer values of I<sched_relax_domain_level> "
"will depend on internal implementation details of the kernel scheduler code "
"and on the non-uniform architecture of the hardware.  Both of these will "
"evolve over time and vary by system architecture and kernel version."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:822
msgid ""
"As of this writing, when this capability was introduced in Linux 2.6.26, on "
"certain popular architectures, the positive values of "
"I<sched_relax_domain_level> have the following meanings."
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:824
#, no-wrap
msgid "B<(1)>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:827
msgid ""
"Perform immediate load balancing across Hyper-Thread siblings on the same "
"core."
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:827
#, no-wrap
msgid "B<(2)>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:829
msgid "Perform immediate load balancing across other cores in the same package."
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:829
#, no-wrap
msgid "B<(3)>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:832
msgid ""
"Perform immediate load balancing across other CPUs on the same node or "
"blade."
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:832
#, no-wrap
msgid "B<(4)>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:835
msgid ""
"Perform immediate load balancing across over several (implementation detail) "
"nodes [On NUMA systems]."
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:835
#, no-wrap
msgid "B<(5)>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:838
msgid ""
"Perform immediate load balancing across over all CPUs in system [On NUMA "
"systems]."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:847
msgid ""
"The I<sched_relax_domain_level> value of zero (0) always means don't perform "
"immediate load balancing, hence that load balancing is done only "
"periodically, not immediately when a CPU becomes available or another task "
"becomes runnable."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:855
msgid ""
"The I<sched_relax_domain_level> value of minus one (-1)  always means use "
"the system default value.  The system default value can vary by architecture "
"and kernel version.  This system default value can be changed by kernel "
"boot-time \"relax_domain_level=\" argument."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:863
msgid ""
"In the case of multiple overlapping cpusets which have conflicting "
"I<sched_relax_domain_level> values, then the highest such value applies to "
"all CPUs in any of the overlapping cpusets.  In such cases, the value "
"B<minus one (-1)> is the lowest value, overridden by any other value, and "
"the value B<zero (0)> is the next lowest value."
msgstr ""

#. type: SH
#: build/C/man7/cpuset.7:863
#, no-wrap
msgid "FORMATS"
msgstr ""

#.  ================== Mask Format ==================
#. type: Plain text
#: build/C/man7/cpuset.7:867
msgid "The following formats are used to represent sets of CPUs and memory nodes."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:867
#, no-wrap
msgid "Mask format"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:872
msgid ""
"The B<Mask Format> is used to represent CPU and memory-node bit masks in the "
"I</proc/E<lt>pidE<gt>/status> file."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:880
msgid ""
"This format displays each 32-bit word in hexadecimal (using ASCII characters "
"\"0\" - \"9\" and \"a\" - \"f\"); words are filled with leading zeros, if "
"required.  For masks longer than one word, a comma separator is used between "
"words.  Words are displayed in big-endian order, which has the most "
"significant bit first.  The hex digits within a word are also in big-endian "
"order."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:883
msgid ""
"The number of 32-bit words displayed is the minimum number needed to display "
"all bits of the bit mask, based on the size of the bit mask."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:885
msgid "Examples of the B<Mask Format>:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:893
#, no-wrap
msgid ""
"00000001                        # just bit 0 set\n"
"40000000,00000000,00000000      # just bit 94 set\n"
"00000001,00000000,00000000      # just bit 64 set\n"
"000000ff,00000000               # bits 32-39 set\n"
"00000000,000e3862               # 1,5,6,11-13,17-19 set\n"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:897
msgid "A mask with bits 0, 1, 2, 4, 8, 16, 32, and 64 set displays as:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:901
#, no-wrap
msgid "00000001,00000001,00010117\n"
msgstr ""

#.  ================== List Format ==================
#. type: Plain text
#: build/C/man7/cpuset.7:908
msgid ""
"The first \"1\" is for bit 64, the second for bit 32, the third for bit 16, "
"the fourth for bit 8, the fifth for bit 4, and the \"7\" is for bits 2, 1, "
"and 0."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:908
#, no-wrap
msgid "List format"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:915
msgid ""
"The B<List Format> for I<cpus> and I<mems> is a comma-separated list of CPU "
"or memory-node numbers and ranges of numbers, in ASCII decimal."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:917
msgid "Examples of the B<List Format>:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:922
#, no-wrap
msgid ""
"0-4,9           # bits 0, 1, 2, 3, 4, and 9 set\n"
"0-2,7,12-14     # bits 0, 1, 2, 7, 12, 13, and 14 set\n"
msgstr ""

#.  ================== RULES ==================
#. type: SH
#: build/C/man7/cpuset.7:925
#, no-wrap
msgid "RULES"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:927
msgid "The following rules apply to each cpuset:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:930
msgid ""
"Its CPUs and memory nodes must be a (possibly equal)  subset of its "
"parent's."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:934
msgid "It can be marked I<cpu_exclusive> only if its parent is."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:938
msgid "It can be marked I<mem_exclusive> only if its parent is."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:942
msgid "If it is I<cpu_exclusive>, its CPUs may not overlap any sibling."
msgstr ""

#.  ================== PERMISSIONS ==================
#. type: Plain text
#: build/C/man7/cpuset.7:947
msgid "If it is I<memory_exclusive>, its memory nodes may not overlap any sibling."
msgstr ""

#. type: SH
#: build/C/man7/cpuset.7:947
#, no-wrap
msgid "PERMISSIONS"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:952
msgid ""
"The permissions of a cpuset are determined by the permissions of the "
"directories and pseudo-files in the cpuset filesystem, normally mounted at "
"I</dev/cpuset>."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:961
msgid ""
"For instance, a process can put itself in some other cpuset (than its "
"current one) if it can write the I<tasks> file for that cpuset.  This "
"requires execute permission on the encompassing directories and write "
"permission on the I<tasks> file."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:968
msgid ""
"An additional constraint is applied to requests to place some other process "
"in a cpuset.  One process may not attach another to a cpuset unless it would "
"have permission to send that process a signal (see B<kill>(2))."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:979
msgid ""
"A process may create a child cpuset if it can access and write the parent "
"cpuset directory.  It can modify the CPUs or memory nodes in a cpuset if it "
"can access that cpuset's directory (execute permissions on the each of the "
"parent directories) and write the corresponding I<cpus> or I<mems> file."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1000
msgid ""
"There is one minor difference between the manner in which these permissions "
"are evaluated and the manner in which normal filesystem operation "
"permissions are evaluated.  The kernel interprets relative pathnames "
"starting at a process's current working directory.  Even if one is operating "
"on a cpuset file, relative pathnames are interpreted relative to the "
"process's current working directory, not relative to the process's current "
"cpuset.  The only ways that cpuset paths relative to a process's current "
"cpuset can be used are if either the process's current working directory is "
"its cpuset (it first did a B<cd> or B<chdir>(2)  to its cpuset directory "
"beneath I</dev/cpuset>, which is a bit unusual)  or if some user code "
"converts the relative cpuset path to a full filesystem path."
msgstr ""

#.  ================== WARNINGS ==================
#. type: Plain text
#: build/C/man7/cpuset.7:1015
msgid ""
"In theory, this means that user code should specify cpusets using absolute "
"pathnames, which requires knowing the mount point of the cpuset filesystem "
"(usually, but not necessarily, I</dev/cpuset>).  In practice, all user level "
"code that this author is aware of simply assumes that if the cpuset "
"filesystem is mounted, then it is mounted at I</dev/cpuset>.  Furthermore, "
"it is common practice for carefully written user code to verify the presence "
"of the pseudo-file I</dev/cpuset/tasks> in order to verify that the cpuset "
"pseudo-filesystem is currently mounted."
msgstr ""

#. type: SH
#: build/C/man7/cpuset.7:1015
#, no-wrap
msgid "WARNINGS"
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:1016
#, no-wrap
msgid "Enabling memory_pressure"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1025
msgid ""
"By default, the per-cpuset file I<cpuset.memory_pressure> always contains "
"zero (0).  Unless this feature is enabled by writing \"1\" to the "
"pseudo-file I</dev/cpuset/cpuset.memory_pressure_enabled>, the kernel does "
"not compute per-cpuset I<memory_pressure>."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:1025
#, no-wrap
msgid "Using the echo command"
msgstr ""

#.  Gack!  csh(1)'s echo does this
#. type: Plain text
#: build/C/man7/cpuset.7:1036
msgid ""
"When using the B<echo> command at the shell prompt to change the values of "
"cpuset files, beware that the built-in B<echo> command in some shells does "
"not display an error message if the B<write>(2)  system call fails.  For "
"example, if the command:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1040
#, no-wrap
msgid "echo 19 E<gt> cpuset.mems\n"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1053
msgid ""
"failed because memory node 19 was not allowed (perhaps the current system "
"does not have a memory node 19), then the B<echo> command might not display "
"any error.  It is better to use the B</bin/echo> external command to change "
"cpuset file settings, as this command will display B<write>(2)  errors, as "
"in the example:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1058
#, no-wrap
msgid ""
"/bin/echo 19 E<gt> cpuset.mems\n"
"/bin/echo: write error: Invalid argument\n"
msgstr ""

#.  ================== EXCEPTIONS ==================
#. type: SH
#: build/C/man7/cpuset.7:1061
#, no-wrap
msgid "EXCEPTIONS"
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:1062
#, no-wrap
msgid "Memory placement"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1065
msgid ""
"Not all allocations of system memory are constrained by cpusets, for the "
"following reasons."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1080
msgid ""
"If hot-plug functionality is used to remove all the CPUs that are currently "
"assigned to a cpuset, then the kernel will automatically update the "
"I<cpus_allowed> of all processes attached to CPUs in that cpuset to allow "
"all CPUs.  When memory hot-plug functionality for removing memory nodes is "
"available, a similar exception is expected to apply there as well.  In "
"general, the kernel prefers to violate cpuset placement, rather than "
"starving a process that has had all its allowed CPUs or memory nodes taken "
"offline.  User code should reconfigure cpusets to refer only to online CPUs "
"and memory nodes when using hot-plug to add or remove such resources."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1088
msgid ""
"A few kernel-critical, internal memory-allocation requests, marked "
"GFP_ATOMIC, must be satisfied immediately.  The kernel may drop some request "
"or malfunction if one of these allocations fail.  If such a request cannot "
"be satisfied within the current process's cpuset, then we relax the cpuset, "
"and look for memory anywhere we can find it.  It's better to violate the "
"cpuset than stress the kernel."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1092
msgid ""
"Allocations of memory requested by kernel drivers while processing an "
"interrupt lack any relevant process context, and are not confined by "
"cpusets."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:1092
#, no-wrap
msgid "Renaming cpusets"
msgstr ""

#.  ================== ERRORS ==================
#. type: Plain text
#: build/C/man7/cpuset.7:1100
msgid ""
"You can use the B<rename>(2)  system call to rename cpusets.  Only simple "
"renaming is supported; that is, changing the name of a cpuset directory is "
"permitted, but moving a directory into a different directory is not "
"permitted."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1104
msgid ""
"The Linux kernel implementation of cpusets sets I<errno> to specify the "
"reason for a failed system call affecting cpusets."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1109
msgid ""
"The possible I<errno> settings and their meaning when set on a failed cpuset "
"call are as listed below."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:1109
#, no-wrap
msgid "B<E2BIG>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1116
msgid ""
"Attempted a B<write>(2)  on a special cpuset file with a length larger than "
"some kernel-determined upper limit on the length of such writes."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1123
msgid ""
"Attempted to B<write>(2)  the process ID (PID) of a process to a cpuset "
"I<tasks> file when one lacks permission to move that process."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1129
msgid ""
"Attempted to add, using B<write>(2), a CPU or memory node to a cpuset, when "
"that CPU or memory node was not already in its parent."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1137
msgid ""
"Attempted to set, using B<write>(2), I<cpuset.cpu_exclusive> or "
"I<cpuset.mem_exclusive> on a cpuset whose parent lacks the same setting."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1144
msgid "Attempted to B<write>(2)  a I<cpuset.memory_pressure> file."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1147
msgid "Attempted to create a file in a cpuset directory."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:1147 build/C/man7/cpuset.7:1152 build/C/man7/cpuset.7:1157
#, no-wrap
msgid "B<EBUSY>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1152
msgid "Attempted to remove, using B<rmdir>(2), a cpuset with attached processes."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1157
msgid "Attempted to remove, using B<rmdir>(2), a cpuset with child cpusets."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1162
msgid ""
"Attempted to remove a CPU or memory node from a cpuset that is also in a "
"child of that cpuset."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:1162 build/C/man7/cpuset.7:1167
#, no-wrap
msgid "B<EEXIST>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1167
msgid "Attempted to create, using B<mkdir>(2), a cpuset that already exists."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1172
msgid "Attempted to B<rename>(2)  a cpuset to a name that already exists."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1180
msgid ""
"Attempted to B<read>(2)  or B<write>(2)  a cpuset file using a buffer that "
"is outside the writing processes accessible address space."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1189
msgid ""
"Attempted to change a cpuset, using B<write>(2), in a way that would violate "
"a I<cpu_exclusive> or I<mem_exclusive> attribute of that cpuset or any of "
"its siblings."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1198
msgid ""
"Attempted to B<write>(2)  an empty I<cpuset.cpus> or I<cpuset.mems> list to "
"a cpuset which has attached processes or child cpusets."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1208
msgid ""
"Attempted to B<write>(2)  a I<cpuset.cpus> or I<cpuset.mems> list which "
"included a range with the second number smaller than the first number."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1217
msgid ""
"Attempted to B<write>(2)  a I<cpuset.cpus> or I<cpuset.mems> list which "
"included an invalid character in the string."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1224
msgid ""
"Attempted to B<write>(2)  a list to a I<cpuset.cpus> file that did not "
"include any online CPUs."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1231
msgid ""
"Attempted to B<write>(2)  a list to a I<cpuset.mems> file that did not "
"include any online memory nodes."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1238
msgid ""
"Attempted to B<write>(2)  a list to a I<cpuset.mems> file that included a "
"node that held no memory."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1246
msgid ""
"Attempted to B<write>(2)  a string to a cpuset I<tasks> file that does not "
"begin with an ASCII decimal integer."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1251
msgid "Attempted to B<rename>(2)  a cpuset into a different directory."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1258
msgid ""
"Attempted to B<read>(2)  a I</proc/E<lt>pidE<gt>/cpuset> file for a cpuset "
"path that is longer than the kernel page size."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1263
msgid ""
"Attempted to create, using B<mkdir>(2), a cpuset whose base directory name "
"is longer than 255 characters."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1270
msgid ""
"Attempted to create, using B<mkdir>(2), a cpuset whose full pathname, "
"including the mount point (typically \"/dev/cpuset/\") prefix, is longer "
"than 4095 characters."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:1270
#, no-wrap
msgid "B<ENODEV>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1275
msgid ""
"The cpuset was removed by another process at the same time as a B<write>(2)  "
"was attempted on one of the pseudo-files in the cpuset directory."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1280
msgid ""
"Attempted to create, using B<mkdir>(2), a cpuset in a parent cpuset that "
"doesn't exist."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1287
msgid ""
"Attempted to B<access>(2)  or B<open>(2)  a nonexistent file in a cpuset "
"directory."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1292
msgid ""
"Insufficient memory is available within the kernel; can occur on a variety "
"of system calls affecting cpusets, but only if the system is extremely short "
"of memory."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:1292 build/C/man7/cpuset.7:1304
#, no-wrap
msgid "B<ENOSPC>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1304
msgid ""
"Attempted to B<write>(2)  the process ID (PID)  of a process to a cpuset "
"I<tasks> file when the cpuset had an empty I<cpuset.cpus> or empty "
"I<cpuset.mems> setting."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1314
msgid ""
"Attempted to B<write>(2)  an empty I<cpuset.cpus> or I<cpuset.mems> setting "
"to a cpuset that has tasks attached."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1319
msgid "Attempted to B<rename>(2)  a nonexistent cpuset."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1322
msgid "Attempted to remove a file from a cpuset directory."
msgstr ""

#. type: TP
#: build/C/man7/cpuset.7:1322
#, no-wrap
msgid "B<ERANGE>"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1330
msgid ""
"Specified a I<cpuset.cpus> or I<cpuset.mems> list to the kernel which "
"included a number too large for the kernel to set in its bit masks."
msgstr ""

#.  ================== VERSIONS ==================
#. type: Plain text
#: build/C/man7/cpuset.7:1338
msgid ""
"Attempted to B<write>(2)  the process ID (PID) of a nonexistent process to a "
"cpuset I<tasks> file."
msgstr ""

#.  ================== NOTES ==================
#. type: Plain text
#: build/C/man7/cpuset.7:1341
msgid "Cpusets appeared in version 2.6.12 of the Linux kernel."
msgstr ""

#.  ================== BUGS ==================
#. type: Plain text
#: build/C/man7/cpuset.7:1352
msgid ""
"Despite its name, the I<pid> parameter is actually a thread ID, and each "
"thread in a threaded group can be attached to a different cpuset.  The value "
"returned from a call to B<gettid>(2)  can be passed in the argument I<pid>."
msgstr ""

#. type: SH
#: build/C/man7/cpuset.7:1352 build/C/man2/getpriority.2:225 build/C/man2/getrlimit.2:577 build/C/man2/ioprio_set.2:337 build/C/man2/setfsgid.2:106 build/C/man2/setfsuid.2:114
#, no-wrap
msgid "BUGS"
msgstr ""

#.  ================== EXAMPLE ==================
#. type: Plain text
#: build/C/man7/cpuset.7:1365
msgid ""
"I<cpuset.memory_pressure> cpuset files can be opened for writing, creation, "
"or truncation, but then the B<write>(2)  fails with I<errno> set to "
"B<EACCES>, and the creation and truncation options on B<open>(2)  have no "
"effect."
msgstr ""

#. type: SH
#: build/C/man7/cpuset.7:1365 build/C/man2/getrlimit.2:710 build/C/man7/namespaces.7:361 build/C/man7/pid_namespaces.7:353 build/C/man7/user_namespaces.7:677 build/C/man2/seccomp.2:476
#, no-wrap
msgid "EXAMPLE"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1368
msgid ""
"The following examples demonstrate querying and setting cpuset options using "
"shell commands."
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:1368
#, no-wrap
msgid "Creating and attaching to a cpuset."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1371
msgid ""
"To create a new cpuset and attach the current command shell to it, the steps "
"are:"
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:1373 build/C/man7/cpuset.7:1412
#, no-wrap
msgid "1)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1375
msgid "mkdir /dev/cpuset (if not already done)"
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:1375 build/C/man7/cpuset.7:1418
#, no-wrap
msgid "2)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1377
msgid "mount -t cpuset none /dev/cpuset (if not already done)"
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:1377 build/C/man7/cpuset.7:1421
#, no-wrap
msgid "3)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1380
msgid "Create the new cpuset using B<mkdir>(1)."
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:1380 build/C/man7/cpuset.7:1424
#, no-wrap
msgid "4)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1382
msgid "Assign CPUs and memory nodes to the new cpuset."
msgstr ""

#. type: IP
#: build/C/man7/cpuset.7:1382 build/C/man7/cpuset.7:1429
#, no-wrap
msgid "5)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1384
msgid "Attach the shell to the new cpuset."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1389
msgid ""
"For example, the following sequence of commands will set up a cpuset named "
"\"Charlie\", containing just CPUs 2 and 3, and memory node 1, and then "
"attach the current shell to that cpuset."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1403
#, no-wrap
msgid ""
"$B< mkdir /dev/cpuset>\n"
"$B< mount -t cpuset cpuset /dev/cpuset>\n"
"$B< cd /dev/cpuset>\n"
"$B< mkdir Charlie>\n"
"$B< cd Charlie>\n"
"$B< /bin/echo 2-3 E<gt> cpuset.cpus>\n"
"$B< /bin/echo 1 E<gt> cpuset.mems>\n"
"$B< /bin/echo $$ E<gt> tasks>\n"
"# The current shell is now running in cpuset Charlie\n"
"# The next line should display '/Charlie'\n"
"$B< cat /proc/self/cpuset>\n"
msgstr ""

#. type: SS
#: build/C/man7/cpuset.7:1405
#, no-wrap
msgid "Migrating a job to different memory nodes."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1410
msgid ""
"To migrate a job (the set of processes attached to a cpuset)  to different "
"CPUs and memory nodes in the system, including moving the memory pages "
"currently allocated to that job, perform the following steps."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1418
msgid ""
"Let's say we want to move the job in cpuset I<alpha> (CPUs 4-7 and memory "
"nodes 2-3) to a new cpuset I<beta> (CPUs 16-19 and memory nodes 8-9)."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1421
msgid "First create the new cpuset I<beta>."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1424
msgid "Then allow CPUs 16-19 and memory nodes 8-9 in I<beta>."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1429
msgid "Then enable I<memory_migration> in I<beta>."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1434
msgid "Then move each process from I<alpha> to I<beta>."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1437
msgid "The following sequence of commands accomplishes this."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1447
#, no-wrap
msgid ""
"$B< cd /dev/cpuset>\n"
"$B< mkdir beta>\n"
"$B< cd beta>\n"
"$B< /bin/echo 16-19 E<gt> cpuset.cpus>\n"
"$B< /bin/echo 8-9 E<gt> cpuset.mems>\n"
"$B< /bin/echo 1 E<gt> cpuset.memory_migrate>\n"
"$B< while read i; do /bin/echo $i; done E<lt> ../alpha/tasks E<gt> tasks>\n"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1456
msgid ""
"The above should move any processes in I<alpha> to I<beta>, and any memory "
"held by these processes on memory nodes 2-3 to memory nodes 8-9, "
"respectively."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1458
msgid "Notice that the last step of the above sequence did not do:"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1462
#, no-wrap
msgid "$B< cp ../alpha/tasks tasks>\n"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1473
msgid ""
"The I<while> loop, rather than the seemingly easier use of the B<cp>(1)  "
"command, was necessary because only one process PID at a time may be written "
"to the I<tasks> file."
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1481
msgid ""
"The same effect (writing one PID at a time) as the I<while> loop can be "
"accomplished more efficiently, in fewer keystrokes and in syntax that works "
"on any shell, but alas more obscurely, by using the B<-u> (unbuffered) "
"option of B<sed>(1):"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1485
#, no-wrap
msgid "$B< sed -un p E<lt> ../alpha/tasks E<gt> tasks>\n"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1503
msgid ""
"B<taskset>(1), B<get_mempolicy>(2), B<getcpu>(2), B<mbind>(2), "
"B<sched_getaffinity>(2), B<sched_setaffinity>(2), B<sched_setscheduler>(2), "
"B<set_mempolicy>(2), B<CPU_SET>(3), B<proc>(5), B<numa>(7), B<sched>(7), "
"B<migratepages>(8), B<numactl>(8)"
msgstr ""

#. type: Plain text
#: build/C/man7/cpuset.7:1505
msgid "I<Documentation/cpusets.txt> in the Linux kernel source tree"
msgstr ""

#. type: TH
#: build/C/man7/credentials.7:27
#, no-wrap
msgid "CREDENTIALS"
msgstr ""

#. type: TH
#: build/C/man7/credentials.7:27 build/C/man2/setsid.2:31
#, no-wrap
msgid "2014-12-31"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:30
msgid "credentials - process identifiers"
msgstr ""

#. type: SS
#: build/C/man7/credentials.7:31
#, no-wrap
msgid "Process ID (PID)"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:41
msgid ""
"Each process has a unique nonnegative integer identifier that is assigned "
"when the process is created using B<fork>(2).  A process can obtain its PID "
"using B<getpid>(2).  A PID is represented using the type I<pid_t> (defined "
"in I<E<lt>sys/types.hE<gt>>)."
msgstr ""

#.  .BR sched_rr_get_interval (2),
#.  .BR sched_getaffinity (2),
#.  .BR sched_setaffinity (2),
#.  .BR sched_getparam (2),
#.  .BR sched_setparam (2),
#.  .BR sched_setscheduler (2),
#.  .BR sched_getscheduler (2),
#.  .BR getsid (2),
#.  .BR waitid (2),
#.  .BR wait4 (2),
#. type: Plain text
#: build/C/man7/credentials.7:62
msgid ""
"PIDs are used in a range of system calls to identify the process affected by "
"the call, for example: B<kill>(2), B<ptrace>(2), B<setpriority>(2)  "
"B<setpgid>(2), B<setsid>(2), B<sigqueue>(3), and B<waitpid>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:65
msgid "A process's PID is preserved across an B<execve>(2)."
msgstr ""

#. type: SS
#: build/C/man7/credentials.7:65
#, no-wrap
msgid "Parent process ID (PPID)"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:73
msgid ""
"A process's parent process ID identifies the process that created this "
"process using B<fork>(2).  A process can obtain its PPID using "
"B<getppid>(2).  A PPID is represented using the type I<pid_t>."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:76
msgid "A process's PPID is preserved across an B<execve>(2)."
msgstr ""

#. type: SS
#: build/C/man7/credentials.7:76
#, no-wrap
msgid "Process group ID and session ID"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:84
msgid ""
"Each process has a session ID and a process group ID, both represented using "
"the type I<pid_t>.  A process can obtain its session ID using B<getsid>(2), "
"and its process group ID using B<getpgrp>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:90
msgid ""
"A child created by B<fork>(2)  inherits its parent's session ID and process "
"group ID.  A process's session ID and process group ID are preserved across "
"an B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:103
msgid ""
"Sessions and process groups are abstractions devised to support shell job "
"control.  A process group (sometimes called a \"job\") is a collection of "
"processes that share the same process group ID; the shell creates a new "
"process group for the process(es) used to execute single command or pipeline "
"(e.g., the two processes created to execute the command \"ls\\ |\\ wc\" are "
"placed in the same process group).  A process's group membership can be set "
"using B<setpgid>(2).  The process whose process ID is the same as its "
"process group ID is the I<process group leader> for that group."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:115
msgid ""
"A session is a collection of processes that share the same session ID.  All "
"of the members of a process group also have the same session ID (i.e., all "
"of the members of a process group always belong to the same session, so that "
"sessions and process groups form a strict two-level hierarchy of processes.)  "
"A new session is created when a process calls B<setsid>(2), which creates a "
"new session whose session ID is the same as the PID of the process that "
"called B<setsid>(2).  The creator of the session is called the I<session "
"leader>."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:124
msgid ""
"All of the processes in a session share a I<controlling terminal>.  The "
"controlling terminal is established when the session leader first opens a "
"terminal (unless the B<O_NOCTTY> flag is specified when calling "
"B<open>(2)).  A terminal may be the controlling terminal of at most one "
"session."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:146
msgid ""
"At most one of the jobs in a session may be the I<foreground job>; other "
"jobs in the session are I<background jobs>.  Only the foreground job may "
"read from the terminal; when a process in the background attempts to read "
"from the terminal, its process group is sent a B<SIGTTIN> signal, which "
"suspends the job.  If the B<TOSTOP> flag has been set for the terminal (see "
"B<termios>(3)), then only the foreground job may write to the terminal; "
"writes from background job cause a B<SIGTTOU> signal to be generated, which "
"suspends the job.  When terminal keys that generate a signal (such as the "
"I<interrupt> key, normally control-C)  are pressed, the signal is sent to "
"the processes in the foreground job."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:167
msgid ""
"Various system calls and library functions may operate on all members of a "
"process group, including B<kill>(2), B<killpg>(2), B<getpriority>(2), "
"B<setpriority>(2), B<ioprio_get>(2), B<ioprio_set>(2), B<waitid>(2), and "
"B<waitpid>(2).  See also the discussion of the B<F_GETOWN>, B<F_GETOWN_EX>, "
"B<F_SETOWN>, and B<F_SETOWN_EX> operations in B<fcntl>(2)."
msgstr ""

#. type: SS
#: build/C/man7/credentials.7:167
#, no-wrap
msgid "User and group identifiers"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:175
msgid ""
"Each process has various associated user and groups IDs.  These IDs are "
"integers, respectively represented using the types I<uid_t> and I<gid_t> "
"(defined in I<E<lt>sys/types.hE<gt>>)."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:177
msgid "On Linux, each process has the following user and group identifiers:"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:183
msgid ""
"Real user ID and real group ID.  These IDs determine who owns the process.  "
"A process can obtain its real user (group) ID using B<getuid>(2)  "
"(B<getgid>(2))."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:195
msgid ""
"Effective user ID and effective group ID.  These IDs are used by the kernel "
"to determine the permissions that the process will have when accessing "
"shared resources such as message queues, shared memory, and semaphores.  On "
"most UNIX systems, these IDs also determine the permissions when accessing "
"files.  However, Linux uses the filesystem IDs described below for this "
"task.  A process can obtain its effective user (group) ID using "
"B<geteuid>(2)  (B<getegid>(2))."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:217
msgid ""
"Saved set-user-ID and saved set-group-ID.  These IDs are used in set-user-ID "
"and set-group-ID programs to save a copy of the corresponding effective IDs "
"that were set when the program was executed (see B<execve>(2)).  A "
"set-user-ID program can assume and drop privileges by switching its "
"effective user ID back and forth between the values in its real user ID and "
"saved set-user-ID.  This switching is done via calls to B<seteuid>(2), "
"B<setreuid>(2), or B<setresuid>(2).  A set-group-ID program performs the "
"analogous tasks using B<setegid>(2), B<setregid>(2), or B<setresgid>(2).  A "
"process can obtain its saved set-user-ID (set-group-ID) using "
"B<getresuid>(2)  (B<getresgid>(2))."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:234
msgid ""
"Filesystem user ID and filesystem group ID (Linux-specific).  These IDs, in "
"conjunction with the supplementary group IDs described below, are used to "
"determine permissions for accessing files; see B<path_resolution>(7)  for "
"details.  Whenever a process's effective user (group) ID is changed, the "
"kernel also automatically changes the filesystem user (group) ID to the same "
"value.  Consequently, the filesystem IDs normally have the same values as "
"the corresponding effective ID, and the semantics for file-permission checks "
"are thus the same on Linux as on other UNIX systems.  The filesystem IDs can "
"be made to differ from the effective IDs by calling B<setfsuid>(2)  and "
"B<setfsgid>(2)."
msgstr ""

#.  Since kernel 2.6.4, the limit is visible via the read-only file
#.  /proc/sys/kernel/ngroups_max.
#.  As at 2.6.22-rc2, this file is still read-only.
#. type: Plain text
#: build/C/man7/credentials.7:253
msgid ""
"Supplementary group IDs.  This is a set of additional group IDs that are "
"used for permission checks when accessing files and other shared resources.  "
"On Linux kernels before 2.6.4, a process can be a member of up to 32 "
"supplementary groups; since kernel 2.6.4, a process can be a member of up to "
"65536 supplementary groups.  The call I<sysconf(_SC_NGROUPS_MAX)> can be "
"used to determine the number of supplementary groups of which a process may "
"be a member.  A process can obtain its set of supplementary group IDs using "
"B<getgroups>(2), and can modify the set using B<setgroups>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:263
msgid ""
"A child process created by B<fork>(2)  inherits copies of its parent's user "
"and groups IDs.  During an B<execve>(2), a process's real user and group ID "
"and supplementary group IDs are preserved; the effective and saved set IDs "
"may be changed, as described in B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:266
msgid ""
"Aside from the purposes noted above, a process's user IDs are also employed "
"in a number of other contexts:"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:269
msgid "when determining the permissions for sending signals (see B<kill>(2));"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:280
msgid ""
"when determining the permissions for setting process-scheduling parameters "
"(nice value, real time scheduling policy and priority, CPU affinity, I/O "
"priority) using B<setpriority>(2), B<sched_setaffinity>(2), "
"B<sched_setscheduler>(2), B<sched_setparam>(2), B<sched_setattr>(2), and "
"B<ioprio_set>(2);"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:283
msgid "when checking resource limits (see B<getrlimit>(2));"
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:287
msgid ""
"when checking the limit on the number of inotify instances that the process "
"may create (see B<inotify>(7))."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:293
msgid ""
"Process IDs, parent process IDs, process group IDs, and session IDs are "
"specified in POSIX.1-2001.  The real, effective, and saved set user and "
"groups IDs, and the supplementary group IDs, are specified in POSIX.1-2001.  "
"The filesystem user and group IDs are a Linux extension."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:304
msgid ""
"The POSIX threads specification requires that credentials are shared by all "
"of the threads in a process.  However, at the kernel level, Linux maintains "
"separate user and group credentials for each thread.  The NPTL threading "
"implementation does some work to ensure that any change to user or group "
"credentials (e.g., calls to B<setuid>(2), B<setresuid>(2))  is carried "
"through to all of the POSIX threads in a process."
msgstr ""

#. type: Plain text
#: build/C/man7/credentials.7:339
msgid ""
"B<bash>(1), B<csh>(1), B<ps>(1), B<access>(2), B<execve>(2), "
"B<faccessat>(2), B<fork>(2), B<getgroups>(2), B<getpgrp>(2), B<getpid>(2), "
"B<getppid>(2), B<getsid>(2), B<kill>(2), B<killpg>(2), B<setegid>(2), "
"B<seteuid>(2), B<setfsgid>(2), B<setfsuid>(2), B<setgid>(2), "
"B<setgroups>(2), B<setresgid>(2), B<setresuid>(2), B<setuid>(2), "
"B<waitpid>(2), B<euidaccess>(3), B<initgroups>(3), B<tcgetpgrp>(3), "
"B<tcsetpgrp>(3), B<capabilities>(7), B<namespaces>(7), "
"B<path_resolution>(7), B<pid_namespaces>(7), B<signal>(7), "
"B<user_namespaces>(7), B<unix>(7)"
msgstr ""

#. type: TH
#: build/C/man2/getgid.2:25
#, no-wrap
msgid "GETGID"
msgstr ""

#. type: TH
#: build/C/man2/getgid.2:25 build/C/man2/getresuid.2:28 build/C/man2/getuid.2:26
#, no-wrap
msgid "2010-11-22"
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:28
msgid "getgid, getegid - get group identity"
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:30 build/C/man2/getgroups.2:38 build/C/man2/getpid.2:32 build/C/man2/getresuid.2:35 build/C/man2/getsid.2:31 build/C/man2/getuid.2:31 build/C/man3/group_member.3:30 build/C/man2/seteuid.2:36 build/C/man2/setgid.2:36 build/C/man2/setpgid.2:53 build/C/man2/setresuid.2:33 build/C/man2/setreuid.2:52 build/C/man2/setsid.2:37 build/C/man2/setuid.2:37
msgid "B<#include E<lt>unistd.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:32 build/C/man2/getgroups.2:36 build/C/man2/getpid.2:30 build/C/man2/getuid.2:33 build/C/man2/seteuid.2:34 build/C/man2/setgid.2:34 build/C/man2/setreuid.2:50 build/C/man2/setuid.2:35
msgid "B<#include E<lt>sys/types.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:34
msgid "B<gid_t getgid(void);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:36
msgid "B<gid_t getegid(void);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:39
msgid "B<getgid>()  returns the real group ID of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:42
msgid "B<getegid>()  returns the effective group ID of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:44 build/C/man2/getpid.2:46 build/C/man2/getuid.2:45
msgid "These functions are always successful."
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:46 build/C/man2/getuid.2:47
msgid "POSIX.1-2001, 4.3BSD."
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:62
msgid ""
"The original Linux B<getgid>()  and B<getegid>()  system calls supported "
"only 16-bit group IDs.  Subsequently, Linux 2.4 added B<getgid32>()  and "
"B<getegid32>(), supporting 32-bit IDs.  The glibc B<getgid>()  and "
"B<getegid>()  wrapper functions transparently deal with the variations "
"across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/getgid.2:66
msgid "B<getresgid>(2), B<setgid>(2), B<setregid>(2), B<credentials>(7)"
msgstr ""

#. type: TH
#: build/C/man2/getgroups.2:31
#, no-wrap
msgid "GETGROUPS"
msgstr ""

#. type: TH
#: build/C/man2/getgroups.2:31 build/C/man2/getpriority.2:45
#, no-wrap
msgid "2014-08-19"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:34
msgid "getgroups, setgroups - get/set list of supplementary group IDs"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:40
msgid "B<int getgroups(int >I<size>B<, gid_t >I<list>B<[]);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:42
msgid "B<#include E<lt>grp.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:44
msgid "B<int setgroups(size_t >I<size>B<, const gid_t *>I<list>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:52
msgid "B<setgroups>(): _BSD_SOURCE"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:70
msgid ""
"B<getgroups>()  returns the supplementary group IDs of the calling process "
"in I<list>.  The argument I<size> should be set to the maximum number of "
"items that can be stored in the buffer pointed to by I<list>.  If the "
"calling process is a member of more than I<size> supplementary groups, then "
"an error results.  It is unspecified whether the effective group ID of the "
"calling process is included in the returned list.  (Thus, an application "
"should also call B<getegid>(2)  and add or remove the resulting value.)"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:81
msgid ""
"If I<size> is zero, I<list> is not modified, but the total number of "
"supplementary group IDs for the process is returned.  This allows the caller "
"to determine the size of a dynamically allocated I<list> to be used in a "
"further call to B<getgroups>()."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:92
msgid ""
"B<setgroups>()  sets the supplementary group IDs for the calling process.  "
"Appropriate privileges (Linux: the B<CAP_SETGID> capability) are required.  "
"The I<size> argument specifies the number of supplementary group IDs in the "
"buffer pointed to by I<list>."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:99
msgid ""
"On success, B<getgroups>()  returns the number of supplementary group IDs.  "
"On error, -1 is returned, and I<errno> is set appropriately."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:106
msgid ""
"On success, B<setgroups>()  returns 0.  On error, -1 is returned, and "
"I<errno> is set appropriately."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:111
msgid "I<list> has an invalid address."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:114
msgid "B<getgroups>()  can additionally fail with the following error:"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:118
msgid "I<size> is less than the number of supplementary group IDs, but is not zero."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:121
msgid "B<setgroups>()  can additionally fail with the following errors:"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:127
msgid ""
"I<size> is greater than B<NGROUPS_MAX> (32 before Linux 2.6.4; 65536 since "
"Linux 2.6.4)."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:133
msgid "The calling process has insufficient privilege."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:141
msgid ""
"SVr4, 4.3BSD.  The B<getgroups>()  function is in POSIX.1-2001.  Since "
"B<setgroups>()  requires privilege, it is not covered by POSIX.1-2001."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:153
msgid ""
"A process can have up to B<NGROUPS_MAX> supplementary group IDs in addition "
"to the effective group ID.  The constant B<NGROUPS_MAX> is defined in "
"I<E<lt>limits.hE<gt>>.  The set of supplementary group IDs is inherited from "
"the parent process, and preserved across an B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:156
msgid ""
"The maximum number of supplementary group IDs can be found at run time using "
"B<sysconf>(3):"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:160
#, no-wrap
msgid ""
"    long ngroups_max;\n"
"    ngroups_max = sysconf(_SC_NGROUPS_MAX);\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:168
msgid ""
"The maximum return value of B<getgroups>()  cannot be larger than one more "
"than this value.  Since Linux 2.6.4, the maximum number of supplementary "
"group IDs is also exposed via the Linux-specific read-only file, "
"I</proc/sys/kernel/ngroups_max>."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:178
msgid ""
"The original Linux B<getgroups>()  system call supported only 16-bit group "
"IDs.  Subsequently, Linux 2.4 added B<getgroups32>(), supporting 32-bit "
"IDs.  The glibc B<getgroups>()  wrapper function transparently deals with "
"the variation across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/getgroups.2:185
msgid ""
"B<getgid>(2), B<setgid>(2), B<getgrouplist>(3), B<group_member>(3), "
"B<initgroups>(3), B<capabilities>(7), B<credentials>(7)"
msgstr ""

#. type: TH
#: build/C/man2/getpid.2:25
#, no-wrap
msgid "GETPID"
msgstr ""

#. type: Plain text
#: build/C/man2/getpid.2:28
msgid "getpid, getppid - get process identification"
msgstr ""

#. type: Plain text
#: build/C/man2/getpid.2:34
msgid "B<pid_t getpid(void);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getpid.2:36
msgid "B<pid_t getppid(void);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getpid.2:41
msgid ""
"B<getpid>()  returns the process ID of the calling process.  (This is often "
"used by routines that generate unique temporary filenames.)"
msgstr ""

#. type: Plain text
#: build/C/man2/getpid.2:44
msgid "B<getppid>()  returns the process ID of the parent of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/getpid.2:48
msgid "POSIX.1-2001, 4.3BSD, SVr4."
msgstr ""

#.  The following program demonstrates this "feature":
#
#.  #define _GNU_SOURCE
#.  #include <sys/syscall.h>
#.  #include <sys/wait.h>
#.  #include <stdio.h>
#.  #include <stdlib.h>
#.  #include <unistd.h>
#
#.  int
#.  main(int argc, char *argv[])
#.  {
#.     /* The following statement fills the getpid() cache */
#
#.     printf("parent PID = %ld
#. ", (long) getpid());
#
#.     if (syscall(SYS_fork) == 0) {
#.         if (getpid() != syscall(SYS_getpid))
#.             printf("child getpid() mismatch: getpid()=%ld; "
#.                     "syscall(SYS_getpid)=%ld
#. ",
#.                     (long) getpid(), (long) syscall(SYS_getpid));
#.         exit(EXIT_SUCCESS);
#.     }
#.     wait(NULL);
#. }
#. type: Plain text
#: build/C/man2/getpid.2:100
msgid ""
"Since glibc version 2.3.4, the glibc wrapper function for B<getpid>()  "
"caches PIDs, so as to avoid additional system calls when a process calls "
"B<getpid>()  repeatedly.  Normally this caching is invisible, but its "
"correct operation relies on support in the wrapper functions for B<fork>(2), "
"B<vfork>(2), and B<clone>(2): if an application bypasses the glibc wrappers "
"for these system calls by using B<syscall>(2), then a call to B<getpid>()  "
"in the child will return the wrong value (to be precise: it will return the "
"PID of the parent process).  See also B<clone>(2)  for discussion of a case "
"where B<getpid>()  may return the wrong value even when invoking B<clone>(2)  "
"via the glibc wrapper function."
msgstr ""

#. type: Plain text
#: build/C/man2/getpid.2:110
msgid ""
"B<clone>(2), B<fork>(2), B<kill>(2), B<exec>(3), B<mkstemp>(3), "
"B<tempnam>(3), B<tmpfile>(3), B<tmpnam>(3), B<credentials>(7), "
"B<pid_namespaces>(7)"
msgstr ""

#. type: TH
#: build/C/man2/getpriority.2:45
#, no-wrap
msgid "GETPRIORITY"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:48
msgid "getpriority, setpriority - get/set program scheduling priority"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:50 build/C/man2/getrlimit.2:69 build/C/man2/getrusage.2:44
msgid "B<#include E<lt>sys/time.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:52 build/C/man2/getrlimit.2:71 build/C/man2/getrusage.2:46
msgid "B<#include E<lt>sys/resource.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:54
msgid "B<int getpriority(int >I<which>B<, id_t >I<who>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:56
msgid "B<int setpriority(int >I<which>B<, id_t >I<who>B<, int >I<prio>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:67
msgid ""
"The scheduling priority of the process, process group, or user, as indicated "
"by I<which> and I<who> is obtained with the B<getpriority>()  call and set "
"with the B<setpriority>()  call."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:94
msgid ""
"The value I<which> is one of B<PRIO_PROCESS>, B<PRIO_PGRP>, or B<PRIO_USER>, "
"and I<who> is interpreted relative to I<which> (a process identifier for "
"B<PRIO_PROCESS>, process group identifier for B<PRIO_PGRP>, and a user ID "
"for B<PRIO_USER>).  A zero value for I<who> denotes (respectively) the "
"calling process, the process group of the calling process, or the real user "
"ID of the calling process.  I<Prio> is a value in the range -20 to 19 (but "
"see the Notes below).  The default priority is 0; lower priorities cause "
"more favorable scheduling."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:104
msgid ""
"The B<getpriority>()  call returns the highest priority (lowest numerical "
"value)  enjoyed by any of the specified processes.  The B<setpriority>()  "
"call sets the priorities of all of the specified processes to the specified "
"value.  Only the superuser may lower priorities."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:117
msgid ""
"Since B<getpriority>()  can legitimately return the value -1, it is "
"necessary to clear the external variable I<errno> prior to the call, then "
"check it afterward to determine if -1 is an error or a legitimate value.  "
"The B<setpriority>()  call returns 0 if there is no error, or -1 if there "
"is."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:126
msgid "I<which> was not one of B<PRIO_PROCESS>, B<PRIO_PGRP>, or B<PRIO_USER>."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:133
msgid "No process was located using the I<which> and I<who> values specified."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:137
msgid "In addition to the errors indicated above, B<setpriority>()  may fail if:"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:149
msgid ""
"The caller attempted to lower a process priority, but did not have the "
"required privilege (on Linux: did not have the B<CAP_SYS_NICE> capability).  "
"Since Linux 2.6.12, this error occurs only if the caller attempts to set a "
"process priority outside the range of the B<RLIMIT_NICE> soft resource limit "
"of the target process; see B<getrlimit>(2)  for details."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:157
msgid ""
"A process was located, but its effective user ID did not match either the "
"effective or the real user ID of the caller, and was not privileged (on "
"Linux: did not have the B<CAP_SYS_NICE> capability).  But see NOTES below."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:160
msgid "SVr4, 4.4BSD (these function calls first appeared in 4.2BSD), POSIX.1-2001."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:166
msgid ""
"A child created by B<fork>(2)  inherits its parent's nice value.  The nice "
"value is preserved across B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:177
msgid ""
"The degree to which their relative nice value affects the scheduling of "
"processes varies across UNIX systems, and, on Linux, across kernel "
"versions.  Starting with kernel 2.6.23, Linux adopted an algorithm that "
"causes relative differences in nice values to have a much stronger effect.  "
"This causes very low nice values (+19) to truly provide little CPU to a "
"process whenever there is any other higher priority load on the system, and "
"makes high nice values (-20) deliver most of the CPU to applications that "
"require it (e.g., some audio applications)."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:192
msgid ""
"The details on the condition for B<EPERM> depend on the system.  The above "
"description is what POSIX.1-2001 says, and seems to be followed on all "
"System\\ V-like systems.  Linux kernels before 2.6.12 required the real or "
"effective user ID of the caller to match the real user of the process I<who> "
"(instead of its effective user ID).  Linux 2.6.12 and later require the "
"effective user ID of the caller to match the real or effective user ID of "
"the process I<who>.  All BSD-like systems (SunOS 4.1.3, Ultrix 4.2, 4.3BSD, "
"FreeBSD 4.3, OpenBSD-2.5, ...) behave in the same manner as Linux 2.6.12 and "
"later."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:197
msgid ""
"The actual priority range varies between kernel versions.  Linux before "
"1.3.36 had -infinity..15.  Since kernel 1.3.43, Linux has the range "
"-20..19.  On some other systems, the range of nice values is -20..20."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:210
msgid ""
"Including I<E<lt>sys/time.hE<gt>> is not required these days, but increases "
"portability.  (Indeed, I<E<lt>sys/resource.hE<gt>> defines the I<rusage> "
"structure with fields of type I<struct timeval> defined in "
"I<E<lt>sys/time.hE<gt>>.)"
msgstr ""

#. type: SS
#: build/C/man2/getpriority.2:210 build/C/man2/seteuid.2:132
#, no-wrap
msgid "C library/kernel ABI differences"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:225
msgid ""
"Within the kernel, nice values are actually represented using the range "
"40..1 (since negative numbers are error codes) and these are the values "
"employed by the B<setpriority>()  and B<getpriority>()  system calls.  The "
"glibc wrapper functions for these system calls handle the translations "
"between the user-land and kernel representations of the nice value according "
"to the formula I<unice\\ =\\ 20\\ -\\ knice>.  (Thus, the kernels 40..1 "
"range corresponds to the range -20..19 as seen by user space.)"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:232
msgid ""
"According to POSIX, the nice value is a per-process setting.  However, under "
"the current Linux/NPTL implementation of POSIX threads, the nice value is a "
"per-thread attribute: different threads in the same process can have "
"different nice values.  Portable applications should avoid relying on the "
"Linux behavior, which may be made standards conformant in the future."
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:238
msgid "B<nice>(1), B<renice>(1), B<fork>(2), B<capabilities>(7), B<sched>(7)"
msgstr ""

#. type: Plain text
#: build/C/man2/getpriority.2:240
msgid ""
"I<Documentation/scheduler/sched-nice-design.txt> in the Linux kernel source "
"tree (since Linux 2.6.23)"
msgstr ""

#. type: TH
#: build/C/man2/getresuid.2:28
#, no-wrap
msgid "GETRESUID"
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:31
msgid "getresuid, getresgid - get real, effective and saved user/group IDs"
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:33 build/C/man2/setresuid.2:31
msgid "B<#define _GNU_SOURCE> /* See feature_test_macros(7) */"
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:37
msgid "B<int getresuid(uid_t *>I<ruid>B<, uid_t *>I<euid>B<, uid_t *>I<suid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:39
msgid "B<int getresgid(gid_t *>I<rgid>B<, gid_t *>I<egid>B<, gid_t *>I<sgid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:50
msgid ""
"B<getresuid>()  returns the real UID, the effective UID, and the saved "
"set-user-ID of the calling process, in the arguments I<ruid>, I<euid>, and "
"I<suid>, respectively.  B<getresgid>()  performs the analogous task for the "
"process's group IDs."
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:60
msgid ""
"One of the arguments specified an address outside the calling program's "
"address space."
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:62
msgid "These system calls appeared on Linux starting with kernel 2.1.44."
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:67
msgid ""
"The prototypes are given by glibc since version 2.3.2, provided "
"B<_GNU_SOURCE> is defined."
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:70 build/C/man2/setresuid.2:112
msgid "These calls are nonstandard; they also appear on HP-UX and some of the BSDs."
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:86
msgid ""
"The original Linux B<getresuid>()  and B<getresgid>()  system calls "
"supported only 16-bit user and group IDs.  Subsequently, Linux 2.4 added "
"B<getresuid32>()  and B<getresgid32>(), supporting 32-bit IDs.  The glibc "
"B<getresuid>()  and B<getresgid>()  wrapper functions transparently deal "
"with the variations across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/getresuid.2:91
msgid ""
"B<getuid>(2), B<setresuid>(2), B<setreuid>(2), B<setuid>(2), "
"B<credentials>(7)"
msgstr ""

#. type: TH
#: build/C/man2/getrlimit.2:64
#, no-wrap
msgid "GETRLIMIT"
msgstr ""

#. type: TH
#: build/C/man2/getrlimit.2:64
#, no-wrap
msgid "2014-10-02"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:67
msgid "getrlimit, setrlimit, prlimit - get/set resource limits"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:73
msgid "B<int getrlimit(int >I<resource>B<, struct rlimit *>I<rlim>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:75
msgid "B<int setrlimit(int >I<resource>B<, const struct rlimit *>I<rlim>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:78
msgid ""
"B<int prlimit(pid_t >I<pid>B<, int >I<resource>B<, const struct rlimit "
"*>I<new_limit>B<,>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:80
msgid "B< struct rlimit *>I<old_limit>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:88
msgid "B<prlimit>(): _GNU_SOURCE && _FILE_OFFSET_BITS == 64"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:97
msgid ""
"The B<getrlimit>()  and B<setrlimit>()  system calls get and set resource "
"limits respectively.  Each resource has an associated soft and hard limit, "
"as defined by the I<rlimit> structure:"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:104
#, no-wrap
msgid ""
"struct rlimit {\n"
"    rlim_t rlim_cur;  /* Soft limit */\n"
"    rlim_t rlim_max;  /* Hard limit (ceiling for rlim_cur) */\n"
"};\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:115
msgid ""
"The soft limit is the value that the kernel enforces for the corresponding "
"resource.  The hard limit acts as a ceiling for the soft limit: an "
"unprivileged process may set only its soft limit to a value in the range "
"from 0 up to the hard limit, and (irreversibly) lower its hard limit.  A "
"privileged process (under Linux: one with the B<CAP_SYS_RESOURCE> "
"capability) may make arbitrary changes to either limit value."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:122
msgid ""
"The value B<RLIM_INFINITY> denotes no limit on a resource (both in the "
"structure returned by B<getrlimit>()  and in the structure passed to "
"B<setrlimit>())."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:126
msgid "The I<resource> argument must be one of:"
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:126
#, no-wrap
msgid "B<RLIMIT_AS>"
msgstr ""

#.  since 2.0.27 / 2.1.12
#. type: Plain text
#: build/C/man2/getrlimit.2:146
msgid ""
"The maximum size of the process's virtual memory (address space) in bytes.  "
"This limit affects calls to B<brk>(2), B<mmap>(2), and B<mremap>(2), which "
"fail with the error B<ENOMEM> upon exceeding this limit.  Also automatic "
"stack expansion will fail (and generate a B<SIGSEGV> that kills the process "
"if no alternate stack has been made available via B<sigaltstack>(2)).  Since "
"the value is a I<long>, on machines with a 32-bit I<long> either this limit "
"is at most 2 GiB, or this resource is unlimited."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:146
#, no-wrap
msgid "B<RLIMIT_CORE>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:154
msgid ""
"Maximum size of a I<core> file (see B<core>(5)).  When 0 no core dump files "
"are created.  When nonzero, larger dumps are truncated to this size."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:154
#, no-wrap
msgid "B<RLIMIT_CPU>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:174
msgid ""
"CPU time limit in seconds.  When the process reaches the soft limit, it is "
"sent a B<SIGXCPU> signal.  The default action for this signal is to "
"terminate the process.  However, the signal can be caught, and the handler "
"can return control to the main program.  If the process continues to consume "
"CPU time, it will be sent B<SIGXCPU> once per second until the hard limit is "
"reached, at which time it is sent B<SIGKILL>.  (This latter point describes "
"Linux behavior.  Implementations vary in how they treat processes which "
"continue to consume CPU time after reaching the soft limit.  Portable "
"applications that need to catch this signal should perform an orderly "
"termination upon first receipt of B<SIGXCPU>.)"
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:174
#, no-wrap
msgid "B<RLIMIT_DATA>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:185
msgid ""
"The maximum size of the process's data segment (initialized data, "
"uninitialized data, and heap).  This limit affects calls to B<brk>(2)  and "
"B<sbrk>(2), which fail with the error B<ENOMEM> upon encountering the soft "
"limit of this resource."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:185
#, no-wrap
msgid "B<RLIMIT_FSIZE>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:197
msgid ""
"The maximum size of files that the process may create.  Attempts to extend a "
"file beyond this limit result in delivery of a B<SIGXFSZ> signal.  By "
"default, this signal terminates a process, but a process can catch this "
"signal instead, in which case the relevant system call (e.g., B<write>(2), "
"B<truncate>(2))  fails with the error B<EFBIG>."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:197
#, no-wrap
msgid "B<RLIMIT_LOCKS> (Early Linux 2.4 only)"
msgstr ""

#.  to be precise: Linux 2.4.0-test9; no longer in 2.4.25 / 2.5.65
#. type: Plain text
#: build/C/man2/getrlimit.2:205
msgid ""
"A limit on the combined number of B<flock>(2)  locks and B<fcntl>(2)  leases "
"that this process may establish."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:205
#, no-wrap
msgid "B<RLIMIT_MEMLOCK>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:243
msgid ""
"The maximum number of bytes of memory that may be locked into RAM.  In "
"effect this limit is rounded down to the nearest multiple of the system page "
"size.  This limit affects B<mlock>(2)  and B<mlockall>(2)  and the "
"B<mmap>(2)  B<MAP_LOCKED> operation.  Since Linux 2.6.9 it also affects the "
"B<shmctl>(2)  B<SHM_LOCK> operation, where it sets a maximum on the total "
"bytes in shared memory segments (see B<shmget>(2))  that may be locked by "
"the real user ID of the calling process.  The B<shmctl>(2)  B<SHM_LOCK> "
"locks are accounted for separately from the per-process memory locks "
"established by B<mlock>(2), B<mlockall>(2), and B<mmap>(2)  B<MAP_LOCKED>; a "
"process can lock bytes up to this limit in each of these two categories.  In "
"Linux kernels before 2.6.9, this limit controlled the amount of memory that "
"could be locked by a privileged process.  Since Linux 2.6.9, no limits are "
"placed on the amount of memory that a privileged process may lock, and this "
"limit instead governs the amount of memory that an unprivileged process may "
"lock."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:243
#, no-wrap
msgid "B<RLIMIT_MSGQUEUE> (since Linux 2.6.8)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:251
msgid ""
"Specifies the limit on the number of bytes that can be allocated for POSIX "
"message queues for the real user ID of the calling process.  This limit is "
"enforced for B<mq_open>(3).  Each message queue that the user creates counts "
"(until it is removed)  against this limit according to the formula:"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:260
#, no-wrap
msgid ""
"    Since Linux 3.5:\n"
"        bytes = attr.mq_maxmsg * sizeof(struct msg_msg) +\n"
"                min(attr.mq_maxmsg, MQ_PRIO_MAX) *\n"
"                      sizeof(struct posix_msg_tree_node)+\n"
"                                /* For overhead */\n"
"                attr.mq_maxmsg * attr.mq_msgsize;\n"
"                                /* For message data */\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:266
#, no-wrap
msgid ""
"    Linux 3.4 and earlier:\n"
"        bytes = attr.mq_maxmsg * sizeof(struct msg_msg *) +\n"
"                                /* For overhead */\n"
"                attr.mq_maxmsg * attr.mq_msgsize;\n"
"                                /* For message data */\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:279
msgid ""
"where I<attr> is the I<mq_attr> structure specified as the fourth argument "
"to B<mq_open>(3), and the I<msg_msg> and I<posix_msg_tree_node> structures "
"are kernel-internal structures."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:285
msgid ""
"The \"overhead\" addend in the formula accounts for overhead bytes required "
"by the implementation and ensures that the user cannot create an unlimited "
"number of zero-length messages (such messages nevertheless each consume some "
"system memory for bookkeeping overhead)."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:285
#, no-wrap
msgid "B<RLIMIT_NICE> (since Linux 2.6.12, but see BUGS below)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:298
msgid ""
"Specifies a ceiling to which the process's nice value can be raised using "
"B<setpriority>(2)  or B<nice>(2).  The actual ceiling for the nice value is "
"calculated as I<20\\ -\\ rlim_cur>.  (This strangeness occurs because "
"negative numbers cannot be specified as resource limit values, since they "
"typically have special meanings.  For example, B<RLIM_INFINITY> typically is "
"the same as -1.)"
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:298
#, no-wrap
msgid "B<RLIMIT_NOFILE>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:312
msgid ""
"Specifies a value one greater than the maximum file descriptor number that "
"can be opened by this process.  Attempts (B<open>(2), B<pipe>(2), B<dup>(2), "
"etc.)  to exceed this limit yield the error B<EMFILE>.  (Historically, this "
"limit was named B<RLIMIT_OFILE> on BSD.)"
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:312
#, no-wrap
msgid "B<RLIMIT_NPROC>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:325
msgid ""
"The maximum number of processes (or, more precisely on Linux, threads)  that "
"can be created for the real user ID of the calling process.  Upon "
"encountering this limit, B<fork>(2)  fails with the error B<EAGAIN>.  This "
"limit is not enforced for processes that have either the B<CAP_SYS_ADMIN> or "
"the B<CAP_SYS_RESOURCE> capability."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:325
#, no-wrap
msgid "B<RLIMIT_RSS>"
msgstr ""

#.  As at kernel 2.6.12, this limit still does nothing in 2.6 though
#.  talk of making it do something has surfaced from time to time in LKML
#.        -- MTK, Jul 05
#. type: Plain text
#: build/C/man2/getrlimit.2:337
msgid ""
"Specifies the limit (in pages) of the process's resident set (the number of "
"virtual pages resident in RAM).  This limit has effect only in Linux 2.4.x, "
"x E<lt> 30, and there affects only calls to B<madvise>(2)  specifying "
"B<MADV_WILLNEED>."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:337
#, no-wrap
msgid "B<RLIMIT_RTPRIO> (since Linux 2.6.12, but see BUGS)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:344
msgid ""
"Specifies a ceiling on the real-time priority that may be set for this "
"process using B<sched_setscheduler>(2)  and B<sched_setparam>(2)."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:344
#, no-wrap
msgid "B<RLIMIT_RTTIME> (since Linux 2.6.25)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:356
msgid ""
"Specifies a limit (in microseconds)  on the amount of CPU time that a "
"process scheduled under a real-time scheduling policy may consume without "
"making a blocking system call.  For the purpose of this limit, each time a "
"process makes a blocking system call, the count of its consumed CPU time is "
"reset to zero.  The CPU time count is not reset if the process continues "
"trying to use the CPU but is preempted, its time slice expires, or it calls "
"B<sched_yield>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:367
msgid ""
"Upon reaching the soft limit, the process is sent a B<SIGXCPU> signal.  If "
"the process catches or ignores this signal and continues consuming CPU time, "
"then B<SIGXCPU> will be generated once each second until the hard limit is "
"reached, at which point the process is sent a B<SIGKILL> signal."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:370
msgid ""
"The intended use of this limit is to stop a runaway real-time process from "
"locking up the system."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:370
#, no-wrap
msgid "B<RLIMIT_SIGPENDING> (since Linux 2.6.8)"
msgstr ""

#.  This replaces the /proc/sys/kernel/rtsig-max system-wide limit
#.  that was present in kernels <= 2.6.7.  MTK Dec 04
#. type: Plain text
#: build/C/man2/getrlimit.2:384
msgid ""
"Specifies the limit on the number of signals that may be queued for the real "
"user ID of the calling process.  Both standard and real-time signals are "
"counted for the purpose of checking this limit.  However, the limit is "
"enforced only for B<sigqueue>(3); it is always possible to use B<kill>(2)  "
"to queue one instance of any of the signals that are not already queued to "
"the process."
msgstr ""

#. type: TP
#: build/C/man2/getrlimit.2:384
#, no-wrap
msgid "B<RLIMIT_STACK>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:392
msgid ""
"The maximum size of the process stack, in bytes.  Upon reaching this limit, "
"a B<SIGSEGV> signal is generated.  To handle this signal, a process must "
"employ an alternate signal stack (B<sigaltstack>(2))."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:397
msgid ""
"Since Linux 2.6.23, this limit also determines the amount of space used for "
"the process's command-line arguments and environment variables; for details, "
"see B<execve>(2)."
msgstr ""

#. type: SS
#: build/C/man2/getrlimit.2:397
#, no-wrap
msgid "prlimit()"
msgstr ""

#.  commit c022a0acad534fd5f5d5f17280f6d4d135e74e81
#.  Author: Jiri Slaby <jslaby@suse.cz>
#.  Date:   Tue May 4 18:03:50 2010 +0200
#
#.      rlimits: implement prlimit64 syscall
#
#.  commit 6a1d5e2c85d06da35cdfd93f1a27675bfdc3ad8c
#.  Author: Jiri Slaby <jslaby@suse.cz>
#.  Date:   Wed Mar 24 17:06:58 2010 +0100
#
#.      rlimits: add rlimit64 structure
#. type: Plain text
#: build/C/man2/getrlimit.2:417
msgid ""
"The Linux-specific B<prlimit>()  system call combines and extends the "
"functionality of B<setrlimit>()  and B<getrlimit>().  It can be used to both "
"set and get the resource limits of an arbitrary process."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:424
msgid ""
"The I<resource> argument has the same meaning as for B<setrlimit>()  and "
"B<getrlimit>()."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:442
msgid ""
"If the I<new_limit> argument is a not NULL, then the I<rlimit> structure to "
"which it points is used to set new values for the soft and hard limits for "
"I<resource>.  If the I<old_limit> argument is a not NULL, then a successful "
"call to B<prlimit>()  places the previous soft and hard limits for "
"I<resource> in the I<rlimit> structure pointed to by I<old_limit>."
msgstr ""

#.  FIXME . this permission check is strange
#.  Asked about this on LKML, 7 Nov 2010
#.      "Inconsistent credential checking in prlimit() syscall"
#. type: Plain text
#: build/C/man2/getrlimit.2:461
msgid ""
"The I<pid> argument specifies the ID of the process on which the call is to "
"operate.  If I<pid> is 0, then the call applies to the calling process.  To "
"set or get the resources of a process other than itself, the caller must "
"have the B<CAP_SYS_RESOURCE> capability, or the real, effective, and saved "
"set user IDs of the target process must match the real user ID of the caller "
"I<and> the real, effective, and saved set group IDs of the target process "
"must match the real group ID of the caller."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:466
msgid ""
"On success, these system calls return 0.  On error, -1 is returned, and "
"I<errno> is set appropriately."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:471
msgid ""
"A pointer argument points to a location outside the accessible address "
"space."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:483
msgid ""
"The value specified in I<resource> is not valid; or, for B<setrlimit>()  or "
"B<prlimit>(): I<rlim-E<gt>rlim_cur> was greater than I<rlim-E<gt>rlim_max>."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:488
msgid ""
"An unprivileged process tried to raise the hard limit; the "
"B<CAP_SYS_RESOURCE> capability is required to do this."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:496
msgid ""
"The caller tried to increase the hard B<RLIMIT_NOFILE> limit above the "
"maximum defined by I</proc/sys/fs/nr_open> (see B<proc>(5))"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:502
msgid ""
"(B<prlimit>())  The calling process did not have permission to set limits "
"for the process specified by I<pid>."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:506
msgid "Could not find a process with the ID specified in I<pid>."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:511
msgid ""
"The B<prlimit>()  system call is available since Linux 2.6.36.  Library "
"support is available since glibc 2.13."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:515
msgid "B<getrlimit>(), B<setrlimit>(): SVr4, 4.3BSD, POSIX.1-2001."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:518
msgid "B<prlimit>(): Linux-specific."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:534
msgid ""
"B<RLIMIT_MEMLOCK> and B<RLIMIT_NPROC> derive from BSD and are not specified "
"in POSIX.1-2001; they are present on the BSDs and Linux, but on few other "
"implementations.  B<RLIMIT_RSS> derives from BSD and is not specified in "
"POSIX.1-2001; it is nevertheless present on most implementations.  "
"B<RLIMIT_MSGQUEUE>, B<RLIMIT_NICE>, B<RLIMIT_RTPRIO>, B<RLIMIT_RTTIME>, and "
"B<RLIMIT_SIGPENDING> are Linux-specific."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:540
msgid ""
"A child process created via B<fork>(2)  inherits its parent's resource "
"limits.  Resource limits are preserved across B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:545
msgid ""
"Lowering the soft limit for a resource below the process's current "
"consumption of that resource will succeed (but will prevent the process from "
"further increasing its consumption of the resource)."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:554
msgid ""
"One can set the resource limits of the shell using the built-in I<ulimit> "
"command (I<limit> in B<csh>(1)).  The shell's resource limits are inherited "
"by the processes that it creates to execute commands."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:559
msgid ""
"Since Linux 2.6.24, the resource limits of any process can be inspected via "
"I</proc/[pid]/limits>; see B<proc>(5)."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:568
msgid ""
"Ancient systems provided a B<vlimit>()  function with a similar purpose to "
"B<setrlimit>().  For backward compatibility, glibc also provides "
"B<vlimit>().  All new applications should be written using B<setrlimit>()."
msgstr ""

#. type: SS
#: build/C/man2/getrlimit.2:568
#, no-wrap
msgid "C library/ kernel ABI differences"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:577
msgid ""
"Since version 2.13, the glibc B<getrlimit>()  and B<setrlimit>()  wrapper "
"functions no longer invoke the corresponding system calls, but instead "
"employ B<prlimit>(), for the reasons described in BUGS."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:586
msgid ""
"In older Linux kernels, the B<SIGXCPU> and B<SIGKILL> signals delivered when "
"a process encountered the soft and hard B<RLIMIT_CPU> limits were delivered "
"one (CPU) second later than they should have been.  This was fixed in kernel "
"2.6.8."
msgstr ""

#.  see http://marc.theaimsgroup.com/?l=linux-kernel&m=114008066530167&w=2
#. type: Plain text
#: build/C/man2/getrlimit.2:594
msgid ""
"In 2.6.x kernels before 2.6.17, a B<RLIMIT_CPU> limit of 0 is wrongly "
"treated as \"no limit\" (like B<RLIM_INFINITY>).  Since Linux 2.6.17, "
"setting a limit of 0 does have an effect, but is actually treated as a limit "
"of 1 second."
msgstr ""

#.  See https://lwn.net/Articles/145008/
#. type: Plain text
#: build/C/man2/getrlimit.2:599
msgid ""
"A kernel bug means that B<RLIMIT_RTPRIO> does not work in kernel 2.6.12; the "
"problem is fixed in kernel 2.6.13."
msgstr ""

#.  see http://marc.theaimsgroup.com/?l=linux-kernel&m=112256338703880&w=2
#. type: Plain text
#: build/C/man2/getrlimit.2:610
msgid ""
"In kernel 2.6.12, there was an off-by-one mismatch between the priority "
"ranges returned by B<getpriority>(2)  and B<RLIMIT_NICE>.  This had the "
"effect that the actual ceiling for the nice value was calculated as I<19\\ "
"-\\ rlim_cur>.  This was fixed in kernel 2.6.13."
msgstr ""

#.  The relevant patch, sent to LKML, seems to be
#.  http://thread.gmane.org/gmane.linux.kernel/273462
#.  From: Roland McGrath <roland <at> redhat.com>
#.  Subject: [PATCH 7/7] make RLIMIT_CPU/SIGXCPU per-process
#.  Date: 2005-01-23 23:27:46 GMT
#.  Tested Solaris 10, FreeBSD 9, OpenBSD 5.0
#.  FIXME . https://bugzilla.kernel.org/show_bug.cgi?id=50951
#. type: Plain text
#: build/C/man2/getrlimit.2:637
msgid ""
"Since Linux 2.6.12, if a process reaches its soft B<RLIMIT_CPU> limit and "
"has a handler installed for B<SIGXCPU>, then, in addition to invoking the "
"signal handler, the kernel increases the soft limit by one second.  This "
"behavior repeats if the process continues to consume CPU time, until the "
"hard limit is reached, at which point the process is killed.  Other "
"implementations do not change the B<RLIMIT_CPU> soft limit in this manner, "
"and the Linux behavior is probably not standards conformant; portable "
"applications should avoid relying on this Linux-specific behavior.  The "
"Linux-specific B<RLIMIT_RTTIME> limit exhibits the same behavior when the "
"soft limit is encountered."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:647
msgid ""
"Kernels before 2.4.22 did not diagnose the error B<EINVAL> for "
"B<setrlimit>()  when I<rlim-E<gt>rlim_cur> was greater than "
"I<rlim-E<gt>rlim_max>."
msgstr ""

#. type: SS
#: build/C/man2/getrlimit.2:647
#, no-wrap
msgid "Representation of \"large\" resource limit values on 32-bit platforms"
msgstr ""

#.  https://bugzilla.kernel.org/show_bug.cgi?id=5042
#.  http://sources.redhat.com/bugzilla/show_bug.cgi?id=12201
#. type: Plain text
#: build/C/man2/getrlimit.2:678
msgid ""
"The glibc B<getrlimit>()  and B<setrlimit>()  wrapper functions use a 64-bit "
"I<rlim_t> data type, even on 32-bit platforms.  However, the I<rlim_t> data "
"type used in the B<getrlimit>()  and B<setrlimit>()  system calls is a "
"(32-bit)  I<unsigned long>.  Furthermore, in Linux versions before 2.6.36, "
"the kernel represents resource limits on 32-bit platforms as I<unsigned "
"long>.  However, a 32-bit data type is not wide enough.  The most pertinent "
"limit here is B<RLIMIT_FSIZE>, which specifies the maximum size to which a "
"file can grow: to be useful, this limit must be represented using a type "
"that is as wide as the type used to represent file offsets\\(emthat is, as "
"wide as a 64-bit B<off_t> (assuming a program compiled with "
"I<_FILE_OFFSET_BITS=64>)."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:688
msgid ""
"To work around this kernel limitation, if a program tried to set a resource "
"limit to a value larger than can be represented in a 32-bit I<unsigned "
"long>, then the glibc B<setrlimit>()  wrapper function silently converted "
"the limit value to B<RLIM_INFINITY>.  In other words, the requested resource "
"limit setting was silently ignored."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:690
msgid "This problem was addressed in Linux 2.6.36 with two principal changes:"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:693
msgid ""
"the addition of a new kernel representation of resource limits that uses 64 "
"bits, even on 32-bit platforms;"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:697
msgid ""
"the addition of the B<prlimit>()  system call, which employs 64-bit values "
"for its resource limit arguments."
msgstr ""

#.  https://www.sourceware.org/bugzilla/show_bug.cgi?id=12201
#. type: Plain text
#: build/C/man2/getrlimit.2:710
msgid ""
"Since version 2.13, glibc works around the limitations of the B<getrlimit>()  "
"and B<setrlimit>()  system calls by implementing B<setrlimit>()  and "
"B<getrlimit>()  as wrapper functions that call B<prlimit>()."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:713
msgid "The program below demonstrates the use of B<prlimit>()."
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:722
#, no-wrap
msgid ""
"#define _GNU_SOURCE\n"
"#define _FILE_OFFSET_BITS 64\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>time.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"#include E<lt>sys/resource.hE<gt>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:725
#, no-wrap
msgid ""
"#define errExit(msg) \tdo { perror(msg); exit(EXIT_FAILURE); \\e\n"
"                        } while (0)\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:732
#, no-wrap
msgid ""
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    struct rlimit old, new;\n"
"    struct rlimit *newp;\n"
"    pid_t pid;\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:738
#, no-wrap
msgid ""
"    if (!(argc == 2 || argc == 4)) {\n"
"        fprintf(stderr, \"Usage: %s E<lt>pidE<gt> [E<lt>new-soft-limitE<gt> "
"\"\n"
"                \"E<lt>new-hard-limitE<gt>]\\en\", argv[0]);\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:740
#, no-wrap
msgid "    pid = atoi(argv[1]);        /* PID of target process */\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:747
#, no-wrap
msgid ""
"    newp = NULL;\n"
"    if (argc == 4) {\n"
"        new.rlim_cur = atoi(argv[2]);\n"
"        new.rlim_max = atoi(argv[3]);\n"
"        newp = &new;\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:750
#, no-wrap
msgid ""
"    /* Set CPU time limit of target process; retrieve and display\n"
"       previous limit */\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:755
#, no-wrap
msgid ""
"    if (prlimit(pid, RLIMIT_CPU, newp, &old) == -1)\n"
"        errExit(\"prlimit-1\");\n"
"    printf(\"Previous limits: soft=%lld; hard=%lld\\en\",\n"
"            (long long) old.rlim_cur, (long long) old.rlim_max);\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:757
#, no-wrap
msgid "    /* Retrieve and display new CPU time limit */\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:762
#, no-wrap
msgid ""
"    if (prlimit(pid, RLIMIT_CPU, NULL, &old) == -1)\n"
"        errExit(\"prlimit-2\");\n"
"    printf(\"New limits: soft=%lld; hard=%lld\\en\",\n"
"            (long long) old.rlim_cur, (long long) old.rlim_max);\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:765 build/C/man7/user_namespaces.7:829
#, no-wrap
msgid ""
"    exit(EXIT_FAILURE);\n"
"}\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrlimit.2:783
msgid ""
"B<prlimit>(1), B<dup>(2), B<fcntl>(2), B<fork>(2), B<getrusage>(2), "
"B<mlock>(2), B<mmap>(2), B<open>(2), B<quotactl>(2), B<sbrk>(2), "
"B<shmctl>(2), B<malloc>(3), B<sigqueue>(3), B<ulimit>(3), B<core>(5), "
"B<capabilities>(7), B<signal>(7)"
msgstr ""

#. type: TH
#: build/C/man2/getrusage.2:39
#, no-wrap
msgid "GETRUSAGE"
msgstr ""

#. type: TH
#: build/C/man2/getrusage.2:39
#, no-wrap
msgid "2014-05-10"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:42
msgid "getrusage - get resource usage"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:48
msgid "B<int getrusage(int >I<who>B<, struct rusage *>I<usage>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:54
msgid ""
"B<getrusage>()  returns resource usage measures for I<who>, which can be one "
"of the following:"
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:54
#, no-wrap
msgid "B<RUSAGE_SELF>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:58
msgid ""
"Return resource usage statistics for the calling process, which is the sum "
"of resources used by all threads in the process."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:58
#, no-wrap
msgid "B<RUSAGE_CHILDREN>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:65
msgid ""
"Return resource usage statistics for all children of the calling process "
"that have terminated and been waited for.  These statistics will include the "
"resources used by grandchildren, and further removed descendants, if all of "
"the intervening descendants waited on their terminated children."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:65
#, no-wrap
msgid "B<RUSAGE_THREAD> (since Linux 2.6.26)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:75
msgid ""
"Return resource usage statistics for the calling thread.  The B<_GNU_SOURCE> "
"feature test macro must be defined (before including I<any> header file)  in "
"order to obtain the definition of this constant from "
"I<E<lt>sys/resource.hE<gt>>."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:79
msgid ""
"The resource usages are returned in the structure pointed to by I<usage>, "
"which has the following form:"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:100
#, no-wrap
msgid ""
"struct rusage {\n"
"    struct timeval ru_utime; /* user CPU time used */\n"
"    struct timeval ru_stime; /* system CPU time used */\n"
"    long   ru_maxrss;        /* maximum resident set size */\n"
"    long   ru_ixrss;         /* integral shared memory size */\n"
"    long   ru_idrss;         /* integral unshared data size */\n"
"    long   ru_isrss;         /* integral unshared stack size */\n"
"    long   ru_minflt;        /* page reclaims (soft page faults) */\n"
"    long   ru_majflt;        /* page faults (hard page faults) */\n"
"    long   ru_nswap;         /* swaps */\n"
"    long   ru_inblock;       /* block input operations */\n"
"    long   ru_oublock;       /* block output operations */\n"
"    long   ru_msgsnd;        /* IPC messages sent */\n"
"    long   ru_msgrcv;        /* IPC messages received */\n"
"    long   ru_nsignals;      /* signals received */\n"
"    long   ru_nvcsw;         /* voluntary context switches */\n"
"    long   ru_nivcsw;        /* involuntary context switches */\n"
"};\n"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:108
msgid ""
"Not all fields are completed; unmaintained fields are set to zero by the "
"kernel.  (The unmaintained fields are provided for compatibility with other "
"systems, and because they may one day be supported on Linux.)  The fields "
"are interpreted as follows:"
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:108
#, no-wrap
msgid "I<ru_utime>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:114
msgid ""
"This is the total amount of time spent executing in user mode, expressed in "
"a I<timeval> structure (seconds plus microseconds)."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:114
#, no-wrap
msgid "I<ru_stime>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:120
msgid ""
"This is the total amount of time spent executing in kernel mode, expressed "
"in a I<timeval> structure (seconds plus microseconds)."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:120
#, no-wrap
msgid "I<ru_maxrss> (since Linux 2.6.32)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:127
msgid ""
"This is the maximum resident set size used (in kilobytes).  For "
"B<RUSAGE_CHILDREN>, this is the resident set size of the largest child, not "
"the maximum resident set size of the process tree."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:127
#, no-wrap
msgid "I<ru_ixrss> (unmaintained)"
msgstr ""

#.  On some systems, this field records the number of signals received.
#. type: Plain text
#: build/C/man2/getrusage.2:133 build/C/man2/getrusage.2:138 build/C/man2/getrusage.2:143 build/C/man2/getrusage.2:155 build/C/man2/getrusage.2:167 build/C/man2/getrusage.2:173 build/C/man2/getrusage.2:177
msgid "This field is currently unused on Linux."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:133
#, no-wrap
msgid "I<ru_idrss> (unmaintained)"
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:138
#, no-wrap
msgid "I<ru_isrss> (unmaintained)"
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:143
#, no-wrap
msgid "I<ru_minflt>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:148
msgid ""
"The number of page faults serviced without any I/O activity; here I/O "
"activity is avoided by ``reclaiming'' a page frame from the list of pages "
"awaiting reallocation."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:148
#, no-wrap
msgid "I<ru_majflt>"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:151
msgid "The number of page faults serviced that required I/O activity."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:151
#, no-wrap
msgid "I<ru_nswap> (unmaintained)"
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:155
#, no-wrap
msgid "I<ru_inblock> (since Linux 2.6.22)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:158
msgid "The number of times the filesystem had to perform input."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:158
#, no-wrap
msgid "I<ru_oublock> (since Linux 2.6.22)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:161
msgid "The number of times the filesystem had to perform output."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:161
#, no-wrap
msgid "I<ru_msgsnd> (unmaintained)"
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:167
#, no-wrap
msgid "I<ru_msgrcv> (unmaintained)"
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:173
#, no-wrap
msgid "I<ru_nsignals> (unmaintained)"
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:177
#, no-wrap
msgid "I<ru_nvcsw> (since Linux 2.6)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:182
msgid ""
"The number of times a context switch resulted due to a process voluntarily "
"giving up the processor before its time slice was completed (usually to "
"await availability of a resource)."
msgstr ""

#. type: TP
#: build/C/man2/getrusage.2:182
#, no-wrap
msgid "I<ru_nivcsw> (since Linux 2.6)"
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:187
msgid ""
"The number of times a context switch resulted due to a higher priority "
"process becoming runnable or because the current process exceeded its time "
"slice."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:198
msgid "I<usage> points outside the accessible address space."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:202
msgid "I<who> is invalid."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:210
msgid ""
"SVr4, 4.3BSD.  POSIX.1-2001 specifies B<getrusage>(), but specifies only the "
"fields I<ru_utime> and I<ru_stime>."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:213
msgid "B<RUSAGE_THREAD> is Linux-specific."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:216
msgid "Resource usage metrics are preserved across an B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:224
msgid ""
"Including I<E<lt>sys/time.hE<gt>> is not required these days, but increases "
"portability.  (Indeed, I<struct timeval> is defined in "
"I<E<lt>sys/time.hE<gt>>.)"
msgstr ""

#.  See the description of getrusage() in XSH.
#.  A similar statement was also in SUSv2.
#. type: Plain text
#: build/C/man2/getrusage.2:236
msgid ""
"In Linux kernel versions before 2.6.9, if the disposition of B<SIGCHLD> is "
"set to B<SIG_IGN> then the resource usages of child processes are "
"automatically included in the value returned by B<RUSAGE_CHILDREN>, although "
"POSIX.1-2001 explicitly prohibits this.  This nonconformance is rectified in "
"Linux 2.6.9 and later."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:239
msgid ""
"The structure definition shown at the start of this page was taken from "
"4.3BSD Reno."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:248
msgid ""
"Ancient systems provided a B<vtimes>()  function with a similar purpose to "
"B<getrusage>().  For backward compatibility, glibc also provides "
"B<vtimes>().  All new applications should be written using B<getrusage>()."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:253
msgid "See also the description of I</proc/PID/stat> in B<proc>(5)."
msgstr ""

#. type: Plain text
#: build/C/man2/getrusage.2:259
msgid ""
"B<clock_gettime>(2), B<getrlimit>(2), B<times>(2), B<wait>(2), B<wait4>(2), "
"B<clock>(3)"
msgstr ""

#. type: TH
#: build/C/man2/getsid.2:26
#, no-wrap
msgid "GETSID"
msgstr ""

#. type: TH
#: build/C/man2/getsid.2:26
#, no-wrap
msgid "2010-09-26"
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:29
msgid "getsid - get session ID"
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:33
msgid "B<pid_t getsid(pid_t>I< pid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:42
msgid "B<getsid>():"
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:45 build/C/man2/setpgid.2:79
msgid "_XOPEN_SOURCE\\ E<gt>=\\ 500 || _XOPEN_SOURCE\\ &&\\ _XOPEN_SOURCE_EXTENDED"
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:47 build/C/man2/setpgid.2:81
msgid "|| /* Since glibc 2.12: */ _POSIX_C_SOURCE\\ E<gt>=\\ 200809L"
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:58
msgid ""
"I<getsid(0)> returns the session ID of the calling process.  I<getsid(p)> "
"returns the session ID of the process with process ID I<p>.  (The session ID "
"of a process is the process group ID of the session leader.)"
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:63
msgid ""
"On success, a session ID is returned.  On error, I<(pid_t)\\ -1> will be "
"returned, and I<errno> is set appropriately."
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:70
msgid ""
"A process with process ID I<p> exists, but it is not in the same session as "
"the calling process, and the implementation considers this an error."
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:75
msgid "No process with process ID I<p> was found."
msgstr ""

#.  Linux has this system call since Linux 1.3.44.
#.  There is libc support since libc 5.2.19.
#. type: Plain text
#: build/C/man2/getsid.2:79
msgid "This system call is available on Linux since version 2.0."
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:81 build/C/man2/setgid.2:73 build/C/man2/setsid.2:70
msgid "SVr4, POSIX.1-2001."
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:84
msgid "Linux does not return B<EPERM>."
msgstr ""

#. type: Plain text
#: build/C/man2/getsid.2:87
msgid "B<getpgid>(2), B<setsid>(2), B<credentials>(7)"
msgstr ""

#. type: TH
#: build/C/man2/getuid.2:26
#, no-wrap
msgid "GETUID"
msgstr ""

#. type: Plain text
#: build/C/man2/getuid.2:29
msgid "getuid, geteuid - get user identity"
msgstr ""

#. type: Plain text
#: build/C/man2/getuid.2:35
msgid "B<uid_t getuid(void);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getuid.2:37
msgid "B<uid_t geteuid(void);>"
msgstr ""

#. type: Plain text
#: build/C/man2/getuid.2:40
msgid "B<getuid>()  returns the real user ID of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/getuid.2:43
msgid "B<geteuid>()  returns the effective user ID of the calling process."
msgstr ""

#. type: SS
#: build/C/man2/getuid.2:48
#, no-wrap
msgid "History"
msgstr ""

#. type: Plain text
#: build/C/man2/getuid.2:57
msgid ""
"In UNIX\\ V6 the B<getuid>()  call returned I<(euid E<lt>E<lt> 8) + uid>.  "
"UNIX\\ V7 introduced separate calls B<getuid>()  and B<geteuid>()."
msgstr ""

#. type: Plain text
#: build/C/man2/getuid.2:73
msgid ""
"The original Linux B<getuid>()  and B<geteuid>()  system calls supported "
"only 16-bit user IDs.  Subsequently, Linux 2.4 added B<getuid32>()  and "
"B<geteuid32>(), supporting 32-bit IDs.  The glibc B<getuid>()  and "
"B<geteuid>()  wrapper functions transparently deal with the variations "
"across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/getuid.2:77
msgid "B<getresuid>(2), B<setreuid>(2), B<setuid>(2), B<credentials>(7)"
msgstr ""

#. type: TH
#: build/C/man3/group_member.3:25
#, no-wrap
msgid "GROUP_MEMBER"
msgstr ""

#. type: TH
#: build/C/man3/group_member.3:25
#, no-wrap
msgid "2014-03-30"
msgstr ""

#. type: TH
#: build/C/man3/group_member.3:25
#, no-wrap
msgid "GNU"
msgstr ""

#. type: Plain text
#: build/C/man3/group_member.3:28
msgid "group_member - test whether a process is in a group"
msgstr ""

#. type: Plain text
#: build/C/man3/group_member.3:32
msgid "B<int group_member(gid_t >I<gid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man3/group_member.3:40
msgid "B<group_member>(): _GNU_SOURCE"
msgstr ""

#. type: Plain text
#: build/C/man3/group_member.3:48
msgid ""
"The B<group_member>()  function tests whether any of the caller's "
"supplementary group IDs (as returned by B<getgroups>(2))  matches I<gid>."
msgstr ""

#. type: Plain text
#: build/C/man3/group_member.3:55
msgid ""
"The B<group_member>()  function returns nonzero if any of the caller's "
"supplementary group IDs matches I<gid>, and zero otherwise."
msgstr ""

#. type: Plain text
#: build/C/man3/group_member.3:57
msgid "This function is a nonstandard GNU extension."
msgstr ""

#. type: Plain text
#: build/C/man3/group_member.3:61
msgid "B<getgid>(2), B<getgroups>(2), B<getgrouplist>(3), B<group>(5)"
msgstr ""

#. type: TH
#: build/C/man2/iopl.2:33
#, no-wrap
msgid "IOPL"
msgstr ""

#. type: TH
#: build/C/man2/iopl.2:33
#, no-wrap
msgid "2013-03-15"
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:36
msgid "iopl - change I/O privilege level"
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:38
msgid "B<#include E<lt>sys/io.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:40
msgid "B<int iopl(int >I<level>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:45
msgid ""
"B<iopl>()  changes the I/O privilege level of the calling process, as "
"specified by the two least significant bits in I<level>."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:51
msgid ""
"This call is necessary to allow 8514-compatible X servers to run under "
"Linux.  Since these X servers require access to all 65536 I/O ports, the "
"B<ioperm>(2)  call is not sufficient."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:55
msgid ""
"In addition to granting unrestricted I/O port access, running at a higher "
"I/O privilege level also allows the process to disable interrupts.  This "
"will probably crash the system, and is not recommended."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:60
msgid "Permissions are inherited by B<fork>(2)  and B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:62
msgid "The I/O privilege level for a normal process is 0."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:66
msgid ""
"This call is mostly for the i386 architecture.  On many other architectures "
"it does not exist or will always return an error."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:76
msgid "I<level> is greater than 3."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:79
msgid "This call is unimplemented."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:87
msgid ""
"The calling process has insufficient privilege to call B<iopl>(); the "
"B<CAP_SYS_RAWIO> capability is required to raise the I/O privilege level "
"above its current value."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:91
msgid ""
"B<iopl>()  is Linux-specific and should not be used in programs that are "
"intended to be portable."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:100
msgid ""
"Libc5 treats it as a system call and has a prototype in "
"I<E<lt>unistd.hE<gt>>.  Glibc1 does not have a prototype.  Glibc2 has a "
"prototype both in I<E<lt>sys/io.hE<gt>> and in I<E<lt>sys/perm.hE<gt>>.  "
"Avoid the latter, it is available on i386 only."
msgstr ""

#. type: Plain text
#: build/C/man2/iopl.2:103
msgid "B<ioperm>(2), B<outb>(2), B<capabilities>(7)"
msgstr ""

#. type: TH
#: build/C/man2/ioprio_set.2:24
#, no-wrap
msgid "IOPRIO_SET"
msgstr ""

#. type: TH
#: build/C/man2/ioprio_set.2:24
#, no-wrap
msgid "2013-02-12"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:27
msgid "ioprio_get, ioprio_set - get/set I/O scheduling class and priority"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:31
#, no-wrap
msgid ""
"B<int ioprio_get(int >I<which>B<, int >I<who>B<);>\n"
"B<int ioprio_set(int >I<which>B<, int >I<who>B<, int >I<ioprio>B<);>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:35
msgid "I<Note>: There are no glibc wrappers for these system calls; see NOTES."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:42
msgid ""
"The B<ioprio_get>()  and B<ioprio_set>()  system calls respectively get and "
"set the I/O scheduling class and priority of one or more threads."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:54
msgid ""
"The I<which> and I<who> arguments identify the thread(s) on which the system "
"calls operate.  The I<which> argument determines how I<who> is interpreted, "
"and has one of the following values:"
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:54
#, no-wrap
msgid "B<IOPRIO_WHO_PROCESS>"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:61
msgid ""
"I<who> is a process ID or thread ID identifying a single process or thread.  "
"If I<who> is 0, then operate on the calling thread."
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:61
#, no-wrap
msgid "B<IOPRIO_WHO_PGRP>"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:68
msgid ""
"I<who> is a process group ID identifying all the members of a process "
"group.  If I<who> is 0, then operate on the process group of which the "
"caller is a member."
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:68
#, no-wrap
msgid "B<IOPRIO_WHO_USER>"
msgstr ""

#.  FIXME . Need to document the behavior when 'who" is specified as 0
#.  See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652443
#. type: Plain text
#: build/C/man2/ioprio_set.2:75
msgid ""
"I<who> is a user ID identifying all of the processes that have a matching "
"real UID."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:98
msgid ""
"If I<which> is specified as B<IOPRIO_WHO_PGRP> or B<IOPRIO_WHO_USER> when "
"calling B<ioprio_get>(), and more than one process matches I<who>, then the "
"returned priority will be the highest one found among all of the matching "
"processes.  One priority is said to be higher than another one if it belongs "
"to a higher priority class (B<IOPRIO_CLASS_RT> is the highest priority "
"class; B<IOPRIO_CLASS_IDLE> is the lowest)  or if it belongs to the same "
"priority class as the other process but has a higher priority level (a lower "
"priority number means a higher priority level)."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:108
msgid ""
"The I<ioprio> argument given to B<ioprio_set>()  is a bit mask that "
"specifies both the scheduling class and the priority to be assigned to the "
"target process(es).  The following macros are used for assembling and "
"dissecting I<ioprio> values:"
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:108
#, no-wrap
msgid "B<IOPRIO_PRIO_VALUE(>I<class>B<, >I<data>B<)>"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:117
msgid ""
"Given a scheduling I<class> and priority (I<data>), this macro combines the "
"two values to produce an I<ioprio> value, which is returned as the result of "
"the macro."
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:117
#, no-wrap
msgid "B<IOPRIO_PRIO_CLASS(>I<mask>B<)>"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:129
msgid ""
"Given I<mask> (an I<ioprio> value), this macro returns its I/O class "
"component, that is, one of the values B<IOPRIO_CLASS_RT>, "
"B<IOPRIO_CLASS_BE>, or B<IOPRIO_CLASS_IDLE>."
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:129
#, no-wrap
msgid "B<IOPRIO_PRIO_DATA(>I<mask>B<)>"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:138
msgid ""
"Given I<mask> (an I<ioprio> value), this macro returns its priority "
"(I<data>)  component."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:141
msgid ""
"See the NOTES section for more information on scheduling classes and "
"priorities."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:149
msgid ""
"I/O priorities are supported for reads and for synchronous (B<O_DIRECT>, "
"B<O_SYNC>)  writes.  I/O priorities are not supported for asynchronous "
"writes because they are issued outside the context of the program dirtying "
"the memory, and thus program-specific priorities do not apply."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:162
msgid ""
"On success, B<ioprio_get>()  returns the I<ioprio> value of the process with "
"highest I/O priority of any of the processes that match the criteria "
"specified in I<which> and I<who>.  On error, -1 is returned, and I<errno> is "
"set to indicate the error."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:169
msgid ""
"On success, B<ioprio_set>()  returns 0.  On error, -1 is returned, and "
"I<errno> is set to indicate the error."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:179
msgid ""
"Invalid value for I<which> or I<ioprio>.  Refer to the NOTES section for "
"available scheduler classes and priority levels for I<ioprio>."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:187
msgid ""
"The calling process does not have the privilege needed to assign this "
"I<ioprio> to the specified process(es).  See the NOTES section for more "
"information on required privileges for B<ioprio_set>()."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:193
msgid ""
"No process(es) could be found that matched the specification in I<which> and "
"I<who>."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:196
msgid "These system calls have been available on Linux since kernel 2.6.13."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:201
msgid ""
"Glibc does not provide a wrapper for these system calls; call them using "
"B<syscall>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:220
msgid ""
"Two or more processes or threads can share an I/O context.  This will be the "
"case when B<clone>(2)  was called with the B<CLONE_IO> flag.  However, by "
"default, the distinct threads of a process will B<not> share the same I/O "
"context.  This means that if you want to change the I/O priority of all "
"threads in a process, you may need to call B<ioprio_set>()  on each of the "
"threads.  The thread ID that you would need for this operation is the one "
"that is returned by B<gettid>(2)  or B<clone>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:225
msgid ""
"These system calls have an effect only when used in conjunction with an I/O "
"scheduler that supports I/O priorities.  As at kernel 2.6.17 the only such "
"scheduler is the Completely Fair Queuing (CFQ) I/O scheduler."
msgstr ""

#. type: SS
#: build/C/man2/ioprio_set.2:225
#, no-wrap
msgid "Selecting an I/O scheduler"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:229
msgid ""
"I/O Schedulers are selected on a per-device basis via the special file "
"I</sys/block/E<lt>deviceE<gt>/queue/scheduler>."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:235
msgid ""
"One can view the current I/O scheduler via the I</sys> filesystem.  For "
"example, the following command displays a list of all schedulers currently "
"loaded in the kernel:"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:240
#, no-wrap
msgid ""
"$B< cat /sys/block/hda/queue/scheduler>\n"
"noop anticipatory deadline [cfq]\n"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:254
msgid ""
"The scheduler surrounded by brackets is the one actually in use for the "
"device (I<hda> in the example).  Setting another scheduler is done by "
"writing the name of the new scheduler to this file.  For example, the "
"following command will set the scheduler for the I<hda> device to I<cfq>:"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:260
#, no-wrap
msgid ""
"$B< su>\n"
"Password:\n"
"#B< echo cfq E<gt> /sys/block/hda/queue/scheduler>\n"
msgstr ""

#. type: SS
#: build/C/man2/ioprio_set.2:262
#, no-wrap
msgid "The Completely Fair Queuing (CFQ) I/O scheduler"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:268
msgid ""
"Since v3 (aka CFQ Time Sliced) CFQ implements I/O nice levels similar to "
"those of CPU scheduling.  These nice levels are grouped in three scheduling "
"classes each one containing one or more priority levels:"
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:268
#, no-wrap
msgid "B<IOPRIO_CLASS_RT> (1)"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:283
msgid ""
"This is the real-time I/O class.  This scheduling class is given higher "
"priority than any other class: processes from this class are given first "
"access to the disk every time.  Thus this I/O class needs to be used with "
"some care: one I/O real-time process can starve the entire system.  Within "
"the real-time class, there are 8 levels of class data (priority) that "
"determine exactly how much time this process needs the disk for on each "
"service.  The highest real-time priority level is 0; the lowest is 7.  In "
"the future this might change to be more directly mappable to performance, by "
"passing in a desired data rate instead."
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:283
#, no-wrap
msgid "B<IOPRIO_CLASS_BE> (2)"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:296
msgid ""
"This is the best-effort scheduling class, which is the default for any "
"process that hasn't set a specific I/O priority.  The class data (priority) "
"determines how much I/O bandwidth the process will get.  Best-effort "
"priority levels are analogous to CPU nice values (see B<getpriority>(2)).  "
"The priority level determines a priority relative to other processes in the "
"best-effort scheduling class.  Priority levels range from 0 (highest) to 7 "
"(lowest)."
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:296
#, no-wrap
msgid "B<IOPRIO_CLASS_IDLE> (3)"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:305
msgid ""
"This is the idle scheduling class.  Processes running at this level only get "
"I/O time when no-one else needs the disk.  The idle class has no class "
"data.  Attention is required when assigning this priority class to a "
"process, since it may become starved if higher priority processes are "
"constantly accessing the disk."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:309
msgid ""
"Refer to I<Documentation/block/ioprio.txt> for more information on the CFQ "
"I/O Scheduler and an example program."
msgstr ""

#. type: SS
#: build/C/man2/ioprio_set.2:309
#, no-wrap
msgid "Required permissions to set I/O priorities"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:312
msgid ""
"Permission to change a process's priority is granted or denied based on two "
"assertions:"
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:312
#, no-wrap
msgid "B<Process ownership>"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:320
msgid ""
"An unprivileged process may set only the I/O priority of a process whose "
"real UID matches the real or effective UID of the calling process.  A "
"process which has the B<CAP_SYS_NICE> capability can change the priority of "
"any process."
msgstr ""

#. type: TP
#: build/C/man2/ioprio_set.2:320
#, no-wrap
msgid "B<What is the desired priority>"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:332
msgid ""
"Attempts to set very high priorities (B<IOPRIO_CLASS_RT>)  require the "
"B<CAP_SYS_ADMIN> capability.  Kernel versions up to 2.6.24 also required "
"B<CAP_SYS_ADMIN> to set a very low priority (B<IOPRIO_CLASS_IDLE>), but "
"since Linux 2.6.25, this is no longer required."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:337
msgid ""
"A call to B<ioprio_set>()  must follow both rules, or the call will fail "
"with the error B<EPERM>."
msgstr ""

#.  6 May 07: Bug report raised:
#.  http://sources.redhat.com/bugzilla/show_bug.cgi?id=4464
#.  Ulrich Drepper replied that he wasn't going to add these
#.  to glibc.
#. type: Plain text
#: build/C/man2/ioprio_set.2:346
msgid ""
"Glibc does not yet provide a suitable header file defining the function "
"prototypes and macros described on this page.  Suitable definitions can be "
"found in I<linux/ioprio.h>."
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:351
msgid "B<ionice>(1), B<getpriority>(2), B<open>(2), B<capabilities>(7)"
msgstr ""

#. type: Plain text
#: build/C/man2/ioprio_set.2:353
msgid "I<Documentation/block/ioprio.txt> in the Linux kernel source tree"
msgstr ""

#. type: TH
#: build/C/man2/ipc.2:25
#, no-wrap
msgid "IPC"
msgstr ""

#. type: TH
#: build/C/man2/ipc.2:25
#, no-wrap
msgid "2012-10-16"
msgstr ""

#. type: Plain text
#: build/C/man2/ipc.2:28
msgid "ipc - System V IPC system calls"
msgstr ""

#. type: Plain text
#: build/C/man2/ipc.2:33
#, no-wrap
msgid ""
"B<int ipc(unsigned int >I<call>B<, int >I<first>B<, int >I<second>B<, int "
">I<third>B<,>\n"
"B<        void *>I<ptr>B<, long >I<fifth>B<);>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/ipc.2:41
msgid ""
"B<ipc>()  is a common kernel entry point for the System\\ V IPC calls for "
"messages, semaphores, and shared memory.  I<call> determines which IPC "
"function to invoke; the other arguments are passed through to the "
"appropriate call."
msgstr ""

#. type: Plain text
#: build/C/man2/ipc.2:45
msgid ""
"User programs should call the appropriate functions by their usual names.  "
"Only standard library implementors and kernel hackers need to know about "
"B<ipc>()."
msgstr ""

#. type: Plain text
#: build/C/man2/ipc.2:49
msgid ""
"B<ipc>()  is Linux-specific, and should not be used in programs intended to "
"be portable."
msgstr ""

#. type: Plain text
#: build/C/man2/ipc.2:57
msgid ""
"On some architectures\\(emfor example x86-64 and ARM\\(emthere is no "
"B<ipc>()  system call; instead B<msgctl>(2), B<semctl>(2), B<shmctl>(2), and "
"so on really are implemented as separate system calls."
msgstr ""

#. type: Plain text
#: build/C/man2/ipc.2:69
msgid ""
"B<msgctl>(2), B<msgget>(2), B<msgrcv>(2), B<msgsnd>(2), B<semctl>(2), "
"B<semget>(2), B<semop>(2), B<semtimedop>(2), B<shmat>(2), B<shmctl>(2), "
"B<shmdt>(2), B<shmget>(2)"
msgstr ""

#. type: TH
#: build/C/man7/namespaces.7:27
#, no-wrap
msgid "NAMESPACES"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:30
msgid "namespaces - overview of Linux namespaces"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:37
msgid ""
"A namespace wraps a global system resource in an abstraction that makes it "
"appear to the processes within the namespace that they have their own "
"isolated instance of the global resource.  Changes to the global resource "
"are visible to other processes that are members of the namespace, but are "
"invisible to other processes.  One use of namespaces is to implement "
"containers."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:39
msgid "Linux provides the following namespaces:"
msgstr ""

#. type: tbl table
#: build/C/man7/namespaces.7:42
#, no-wrap
msgid "Namespace\tConstant\tIsolates\n"
msgstr ""

#. type: tbl table
#: build/C/man7/namespaces.7:43
#, no-wrap
msgid "IPC\tCLONE_NEWIPC\tSystem V IPC, POSIX message queues\n"
msgstr ""

#. type: tbl table
#: build/C/man7/namespaces.7:44
#, no-wrap
msgid "Network\tCLONE_NEWNET\tNetwork devices, stacks, ports, etc.\n"
msgstr ""

#. type: tbl table
#: build/C/man7/namespaces.7:45
#, no-wrap
msgid "Mount\tCLONE_NEWNS\tMount points\n"
msgstr ""

#. type: tbl table
#: build/C/man7/namespaces.7:46
#, no-wrap
msgid "PID\tCLONE_NEWPID\tProcess IDs\n"
msgstr ""

#. type: tbl table
#: build/C/man7/namespaces.7:47
#, no-wrap
msgid "User\tCLONE_NEWUSER\tUser and group IDs\n"
msgstr ""

#. type: tbl table
#: build/C/man7/namespaces.7:48
#, no-wrap
msgid "UTS\tCLONE_NEWUTS\tHostname and NIS domain name\n"
msgstr ""

#
#.  ==================== The namespaces API ====================
#. type: Plain text
#: build/C/man7/namespaces.7:57
msgid ""
"This page describes the various namespaces and the associated I</proc> "
"files, and summarizes the APIs for working with namespaces."
msgstr ""

#. type: SS
#: build/C/man7/namespaces.7:57
#, no-wrap
msgid "The namespaces API"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:62
msgid ""
"As well as various I</proc> files described below, the namespaces API "
"includes the following system calls:"
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:62
#, no-wrap
msgid "B<clone>(2)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:75
msgid ""
"The B<clone>(2)  system call creates a new process.  If the I<flags> "
"argument of the call specifies one or more of the B<CLONE_NEW*> flags listed "
"below, then new namespaces are created for each flag, and the child process "
"is made a member of those namespaces.  (This system call also implements a "
"number of features unrelated to namespaces.)"
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:75
#, no-wrap
msgid "B<setns>(2)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:84
msgid ""
"The B<setns>(2)  system call allows the calling process to join an existing "
"namespace.  The namespace to join is specified via a file descriptor that "
"refers to one of the I</proc/[pid]/ns> files described below."
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:84
#, no-wrap
msgid "B<unshare>(2)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:97
msgid ""
"The B<unshare>(2)  system call moves the calling process to a new "
"namespace.  If the I<flags> argument of the call specifies one or more of "
"the B<CLONE_NEW*> flags listed below, then new namespaces are created for "
"each flag, and the calling process is made a member of those namespaces.  "
"(This system call also implements a number of features unrelated to "
"namespaces.)"
msgstr ""

#
#.  ==================== The /proc/[pid]/ns/ directory ====================
#. type: Plain text
#: build/C/man7/namespaces.7:110
msgid ""
"Creation of new namespaces using B<clone>(2)  and B<unshare>(2)  in most "
"cases requires the B<CAP_SYS_ADMIN> capability.  User namespaces are the "
"exception: since Linux 3.8, no privilege is required to create a user "
"namespace."
msgstr ""

#. type: SS
#: build/C/man7/namespaces.7:110
#, no-wrap
msgid "The /proc/[pid]/ns/ directory"
msgstr ""

#.  See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
#. type: Plain text
#: build/C/man7/namespaces.7:117
msgid ""
"Each process has a I</proc/[pid]/ns/> subdirectory containing one entry for "
"each namespace that supports being manipulated by B<setns>(2):"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:128
#, no-wrap
msgid ""
"$ B<ls -l /proc/$$/ns>\n"
"total 0\n"
"lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 ipc -E<gt> ipc:[4026531839]\n"
"lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 mnt -E<gt> mnt:[4026531840]\n"
"lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 net -E<gt> net:[4026531956]\n"
"lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 pid -E<gt> pid:[4026531836]\n"
"lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 user -E<gt> user:[4026531837]\n"
"lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 uts -E<gt> uts:[4026531838]\n"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:138
msgid ""
"Bind mounting (see B<mount>(2))  one of the files in this directory to "
"somewhere else in the filesystem keeps the corresponding namespace of the "
"process specified by I<pid> alive even if all processes currently in the "
"namespace terminate."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:149
msgid ""
"Opening one of the files in this directory (or a file that is bind mounted "
"to one of these files)  returns a file handle for the corresponding "
"namespace of the process specified by I<pid>.  As long as this file "
"descriptor remains open, the namespace will remain alive, even if all "
"processes in the namespace terminate.  The file descriptor can be passed to "
"B<setns>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:160
msgid ""
"In Linux 3.7 and earlier, these files were visible as hard links.  Since "
"Linux 3.8, they appear as symbolic links.  If two processes are in the same "
"namespace, then the inode numbers of their I</proc/[pid]/ns/xxx> symbolic "
"links will be the same; an application can check this using the "
"I<stat.st_ino> field returned by B<stat>(2).  The content of this symbolic "
"link is a string containing the namespace type and inode number as in the "
"following example:"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:165
#, no-wrap
msgid ""
"$ B<readlink /proc/$$/ns/uts>\n"
"uts:[4026531838]\n"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:169
msgid "The files in this subdirectory are as follows:"
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:169
#, no-wrap
msgid "I</proc/[pid]/ns/ipc> (since Linux 3.0)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:172
msgid "This file is a handle for the IPC namespace of the process."
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:172
#, no-wrap
msgid "I</proc/[pid]/ns/mnt> (since Linux 3.8)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:175
msgid "This file is a handle for the mount namespace of the process."
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:175
#, no-wrap
msgid "I</proc/[pid]/ns/net> (since Linux 3.0)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:178
msgid "This file is a handle for the network namespace of the process."
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:178
#, no-wrap
msgid "I</proc/[pid]/ns/pid> (since Linux 3.8)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:181
msgid "This file is a handle for the PID namespace of the process."
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:181
#, no-wrap
msgid "I</proc/[pid]/ns/user> (since Linux 3.8)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:184
msgid "This file is a handle for the user namespace of the process."
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:184
#, no-wrap
msgid "I</proc/[pid]/ns/uts> (since Linux 3.0)"
msgstr ""

#
#.  ==================== IPC namespaces ====================
#. type: Plain text
#: build/C/man7/namespaces.7:190
msgid "This file is a handle for the UTS namespace of the process."
msgstr ""

#. type: SS
#: build/C/man7/namespaces.7:190
#, no-wrap
msgid "IPC namespaces (CLONE_NEWIPC)"
msgstr ""

#.  commit 7eafd7c74c3f2e67c27621b987b28397110d643f
#.  https://lwn.net/Articles/312232/
#. type: Plain text
#: build/C/man7/namespaces.7:202
msgid ""
"IPC namespaces isolate certain IPC resources, namely, System V IPC objects "
"(see B<svipc>(7))  and (since Linux 2.6.30)  POSIX message queues (see "
"B<mq_overview>(7)).  The common characteristic of these IPC mechanisms is "
"that IPC objects are identified by mechanisms other than filesystem "
"pathnames."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:208
msgid ""
"Each IPC namespace has its own set of System V IPC identifiers and its own "
"POSIX message queue filesystem.  Objects created in an IPC namespace are "
"visible to all other processes that are members of that namespace, but are "
"not visible to processes in other IPC namespaces."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:212
msgid "The following I</proc> interfaces are distinct in each IPC namespace:"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:215
msgid "The POSIX message queue interfaces in I</proc/sys/fs/mqueue>."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:228
msgid ""
"The System V IPC interfaces in I</proc/sys/kernel>, namely: I<msgmax>, "
"I<msgmnb>, I<msgmni>, I<sem>, I<shmall>, I<shmmax>, I<shmmni>, and "
"I<shm_rmid_forced>."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:231
msgid "The System V IPC interfaces in I</proc/sysvipc>."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:235
msgid ""
"When an IPC namespace is destroyed (i.e., when the last process that is a "
"member of the namespace terminates), all IPC objects in the namespace are "
"automatically destroyed."
msgstr ""

#
#.  ==================== Network namespaces ====================
#. type: Plain text
#: build/C/man7/namespaces.7:242
msgid ""
"Use of IPC namespaces requires a kernel that is configured with the "
"B<CONFIG_IPC_NS> option."
msgstr ""

#. type: SS
#: build/C/man7/namespaces.7:242
#, no-wrap
msgid "Network namespaces (CLONE_NEWNET)"
msgstr ""

#.  FIXME Add pointer to veth(4) page when it is eventually completed
#. type: Plain text
#: build/C/man7/namespaces.7:257
msgid ""
"Network namespaces provide isolation of the system resources associated with "
"networking: network devices, IPv4 and IPv6 protocol stacks, IP routing "
"tables, firewalls, the I</proc/net> directory, the I</sys/class/net> "
"directory, port numbers (sockets), and so on.  A physical network device can "
"live in exactly one network namespace.  A virtual network device (\"veth\") "
"pair provides a pipe-like abstraction that can be used to create tunnels "
"between network namespaces, and can be used to create a bridge to a physical "
"network device in another namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:262
msgid ""
"When a network namespace is freed (i.e., when the last process in the "
"namespace terminates), its physical network devices are moved back to the "
"initial network namespace (not to the parent of the process)."
msgstr ""

#
#.  ==================== Mount namespaces ====================
#. type: Plain text
#: build/C/man7/namespaces.7:269
msgid ""
"Use of network namespaces requires a kernel that is configured with the "
"B<CONFIG_NET_NS> option."
msgstr ""

#. type: SS
#: build/C/man7/namespaces.7:269
#, no-wrap
msgid "Mount namespaces (CLONE_NEWNS)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:277
msgid ""
"Mount namespaces isolate the set of filesystem mount points, meaning that "
"processes in different mount namespaces can have different views of the "
"filesystem hierarchy.  The set of mounts in a mount namespace is modified "
"using B<mount>(2)  and B<umount>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:294
msgid ""
"The I</proc/[pid]/mounts> file (present since Linux 2.4.19)  lists all the "
"filesystems currently mounted in the process's mount namespace.  The format "
"of this file is documented in B<fstab>(5).  Since kernel version 2.6.15, "
"this file is pollable: after opening the file for reading, a change in this "
"file (i.e., a filesystem mount or unmount) causes B<select>(2)  to mark the "
"file descriptor as readable, and B<poll>(2)  and B<epoll_wait>(2)  mark the "
"file as having an error condition."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:302
msgid ""
"The I</proc/[pid]/mountstats> file (present since Linux 2.6.17)  exports "
"information (statistics, configuration information)  about the mount points "
"in the process's mount namespace.  This file is only readable by the owner "
"of the process.  Lines in this file have the form:"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:308
#, no-wrap
msgid ""
"device /dev/sda7 mounted on /home with fstype ext3 [statistics]\n"
"(       1      )            ( 2 )             (3 ) (4)\n"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:312
msgid "The fields in each line are:"
msgstr ""

#. type: IP
#: build/C/man7/namespaces.7:312 build/C/man7/user_namespaces.7:371
#, no-wrap
msgid "(1)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:316
msgid ""
"The name of the mounted device (or \"nodevice\" if there is no corresponding "
"device)."
msgstr ""

#. type: IP
#: build/C/man7/namespaces.7:316 build/C/man7/user_namespaces.7:375
#, no-wrap
msgid "(2)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:319
msgid "The mount point within the filesystem tree."
msgstr ""

#. type: IP
#: build/C/man7/namespaces.7:319 build/C/man7/user_namespaces.7:401
#, no-wrap
msgid "(3)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:322
msgid "The filesystem type."
msgstr ""

#. type: TP
#: build/C/man7/namespaces.7:322
#, no-wrap
msgid "(4)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:327
msgid ""
"Optional statistics and configuration information.  Currently (as at Linux "
"2.6.26), only NFS filesystems export information via this field."
msgstr ""

#
#.  ==================== PID namespaces ====================
#. type: SS
#: build/C/man7/namespaces.7:331
#, no-wrap
msgid "PID namespaces (CLONE_NEWPID)"
msgstr ""

#
#.  ==================== User namespaces ====================
#. type: Plain text
#: build/C/man7/namespaces.7:337
msgid "See B<pid_namespaces>(7)."
msgstr ""

#. type: SS
#: build/C/man7/namespaces.7:337
#, no-wrap
msgid "User namespaces (CLONE_NEWUSER)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:343 build/C/man7/namespaces.7:364 build/C/man7/pid_namespaces.7:356
msgid "See B<user_namespaces>(7)."
msgstr ""

#. type: SS
#: build/C/man7/namespaces.7:343
#, no-wrap
msgid "UTS namespaces (CLONE_NEWUTS)"
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:355
msgid ""
"UTS namespaces provide isolation of two system identifiers: the hostname and "
"the NIS domain name.  These identifiers are set using B<sethostname>(2)  and "
"B<setdomainname>(2), and can be retrieved using B<uname>(2), "
"B<gethostname>(2), and B<getdomainname>(2)."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:359
msgid ""
"Use of UTS namespaces requires a kernel that is configured with the "
"B<CONFIG_UTS_NS> option."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:361 build/C/man7/pid_namespaces.7:353 build/C/man7/user_namespaces.7:648
msgid "Namespaces are a Linux-specific feature."
msgstr ""

#. type: Plain text
#: build/C/man7/namespaces.7:376
msgid ""
"B<nsenter>(1), B<readlink>(1), B<unshare>(1), B<clone>(2), B<setns>(2), "
"B<unshare>(2), B<proc>(5), B<credentials>(7), B<capabilities>(7), "
"B<pid_namespaces>(7), B<user_namespaces>(7), B<switch_root>(8)"
msgstr ""

#. type: TH
#: build/C/man7/pid_namespaces.7:27
#, no-wrap
msgid "PID_NAMESPACES"
msgstr ""

#. type: TH
#: build/C/man7/pid_namespaces.7:27 build/C/man2/seccomp.2:27
#, no-wrap
msgid "2015-01-10"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:30
msgid "pid_namespaces - overview of Linux PID namespaces"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:33 build/C/man7/user_namespaces.7:33
msgid "For an overview of namespaces, see B<namespaces>(7)."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:40
msgid ""
"PID namespaces isolate the process ID number space, meaning that processes "
"in different PID namespaces can have the same PID.  PID namespaces allow "
"containers to provide functionality such as suspending/resuming the set of "
"processes in the container and migrating the container to a new host while "
"the processes inside the container maintain the same PIDs."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:48
msgid ""
"PIDs in a new PID namespace start at 1, somewhat like a standalone system, "
"and calls to B<fork>(2), B<vfork>(2), or B<clone>(2)  will produce processes "
"with PIDs that are unique within the namespace."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/pid_namespaces.7:55
msgid ""
"Use of PID namespaces requires a kernel that is configured with the "
"B<CONFIG_PID_NS> option."
msgstr ""

#. type: SS
#: build/C/man7/pid_namespaces.7:55
#, no-wrap
msgid "The namespace init process"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:75
msgid ""
"The first process created in a new namespace (i.e., the process created "
"using B<clone>(2)  with the B<CLONE_NEWPID> flag, or the first child created "
"by a process after a call to B<unshare>(2)  using the B<CLONE_NEWPID> flag) "
"has the PID 1, and is the \"init\" process for the namespace (see "
"B<init>(1)).  A child process that is orphaned within the namespace will be "
"reparented to this process rather than B<init>(1)  (unless one of the "
"ancestors of the child in the same PID namespace employed the B<prctl>(2)  "
"B<PR_SET_CHILD_SUBREAPER> command to mark itself as the reaper of orphaned "
"descendant processes)."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:102
msgid ""
"If the \"init\" process of a PID namespace terminates, the kernel terminates "
"all of the processes in the namespace via a B<SIGKILL> signal.  This "
"behavior reflects the fact that the \"init\" process is essential for the "
"correct operation of a PID namespace.  In this case, a subsequent B<fork>(2)  "
"into this PID namespace will fail with the error B<ENOMEM>; it is not "
"possible to create a new processes in a PID namespace whose \"init\" process "
"has terminated.  Such scenarios can occur when, for example, a process uses "
"an open file descriptor for a I</proc/[pid]/ns/pid> file corresponding to a "
"process that was in a namespace to B<setns>(2)  into that namespace after "
"the \"init\" process has terminated.  Another possible scenario can occur "
"after a call to B<unshare>(2): if the first child subsequently created by a "
"B<fork>(2)  terminates, then subsequent calls to B<fork>(2)  will fail with "
"B<ENOMEM>."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:108
msgid ""
"Only signals for which the \"init\" process has established a signal handler "
"can be sent to the \"init\" process by other members of the PID namespace.  "
"This restriction applies even to privileged processes, and prevents other "
"members of the PID namespace from accidentally killing the \"init\" process."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:128
msgid ""
"Likewise, a process in an ancestor namespace can\\(emsubject to the usual "
"permission checks described in B<kill>(2)\\(emsend signals to the \"init\" "
"process of a child PID namespace only if the \"init\" process has "
"established a handler for that signal.  (Within the handler, the "
"I<siginfo_t> I<si_pid> field described in B<sigaction>(2)  will be zero.)  "
"B<SIGKILL> or B<SIGSTOP> are treated exceptionally: these signals are "
"forcibly delivered when sent from an ancestor PID namespace.  Neither of "
"these signals can be caught by the \"init\" process, and so will result in "
"the usual actions associated with those signals (respectively, terminating "
"and stopping the process)."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/pid_namespaces.7:138
msgid ""
"Starting with Linux 3.4, the B<reboot>(2)  system call causes a signal to be "
"sent to the namespace \"init\" process.  See B<reboot>(2)  for more details."
msgstr ""

#. type: SS
#: build/C/man7/pid_namespaces.7:138
#, no-wrap
msgid "Nesting PID namespaces"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:149
msgid ""
"PID namespaces can be nested: each PID namespace has a parent, except for "
"the initial (\"root\") PID namespace.  The parent of a PID namespace is the "
"PID namespace of the process that created the namespace using B<clone>(2)  "
"or B<unshare>(2).  PID namespaces thus form a tree, with all namespaces "
"ultimately tracing their ancestry to the root namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:164
msgid ""
"A process is visible to other processes in its PID namespace, and to the "
"processes in each direct ancestor PID namespace going back to the root PID "
"namespace.  In this context, \"visible\" means that one process can be the "
"target of operations by another process using system calls that specify a "
"process ID.  Conversely, the processes in a child PID namespace can't see "
"processes in the parent and further removed ancestor namespaces.  More "
"succinctly: a process can see (e.g., send signals with B<kill>(2), set nice "
"values with B<setpriority>(2), etc.) only processes contained in its own PID "
"namespace and in descendants of that namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:176
msgid ""
"A process has one process ID in each of the layers of the PID namespace "
"hierarchy in which is visible, and walking back though each direct ancestor "
"namespace through to the root PID namespace.  System calls that operate on "
"process IDs always operate using the process ID that is visible in the PID "
"namespace of the caller.  A call to B<getpid>(2)  always returns the PID "
"associated with the namespace in which the process was created."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:191
msgid ""
"Some processes in a PID namespace may have parents that are outside of the "
"namespace.  For example, the parent of the initial process in the namespace "
"(i.e., the B<init>(1)  process with PID 1) is necessarily in another "
"namespace.  Likewise, the direct children of a process that uses B<setns>(2)  "
"to cause its children to join a PID namespace are in a different PID "
"namespace from the caller of B<setns>(2).  Calls to B<getppid>(2)  for such "
"processes return 0."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/pid_namespaces.7:204
msgid ""
"While processes may freely descend into child PID namespaces (e.g., using "
"B<setns>(2)  with B<CLONE_NEWPID>), they may not move in the other "
"direction.  That is to say, processes may not enter any ancestor namespaces "
"(parent, grandparent, etc.).  Changing PID namespaces is a one way "
"operation."
msgstr ""

#. type: SS
#: build/C/man7/pid_namespaces.7:204
#, no-wrap
msgid "setns(2) and unshare(2) semantics"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:220
msgid ""
"Calls to B<setns>(2)  that specify a PID namespace file descriptor and calls "
"to B<unshare>(2)  with the B<CLONE_NEWPID> flag cause children subsequently "
"created by the caller to be placed in a different PID namespace from the "
"caller.  These calls do not, however, change the PID namespace of the "
"calling process, because doing so would change the caller's idea of its own "
"PID (as reported by B<getpid>()), which would break many applications and "
"libraries."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:228
msgid ""
"To put things another way: a process's PID namespace membership is "
"determined when the process is created and cannot be changed thereafter.  "
"Among other things, this means that the parental relationship between "
"processes mirrors the parental relationship between PID namespaces: the "
"parent of a process is either in the same namespace or resides in the "
"immediate parent PID namespace."
msgstr ""

#. type: SS
#: build/C/man7/pid_namespaces.7:228
#, no-wrap
msgid "Compatibility of CLONE_NEWPID with other CLONE_* flags"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:233
msgid "B<CLONE_NEWPID> can't be combined with some other B<CLONE_*> flags:"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:241
msgid ""
"B<CLONE_THREAD> requires being in the same PID namespace in order that the "
"threads in a process can send signals to each other.  Similarly, it must be "
"possible to see all of the threads of a processes in the B<proc>(5)  "
"filesystem."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:252
msgid ""
"B<CLONE_SIGHAND> requires being in the same PID namespace; otherwise the "
"process ID of the process sending a signal could not be meaningfully encoded "
"when a signal is sent (see the description of the I<siginfo_t> type in "
"B<sigaction>(2)).  A signal queue shared by processes in multiple PID "
"namespaces will defeat that."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:262
msgid ""
"B<CLONE_VM> requires all of the threads to be in the same PID namespace, "
"because, from the point of view of a core dump, if two processes share the "
"same address space then they are threads and will be core dumped together.  "
"When a core dump is written, the PID of each thread is written into the core "
"dump.  Writing the process IDs could not meaningfully succeed if some of the "
"process IDs were in a parent PID namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:280
msgid ""
"To summarize: there is a technical requirement for each of B<CLONE_THREAD>, "
"B<CLONE_SIGHAND>, and B<CLONE_VM> to share a PID namespace.  (Note "
"furthermore that in B<clone>(2)  requires B<CLONE_VM> to be specified if "
"B<CLONE_THREAD> or B<CLONE_SIGHAND> is specified.)  Thus, call sequences "
"such as the following will fail (with the error B<EINVAL>):"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:284
#, no-wrap
msgid ""
"    unshare(CLONE_NEWPID);\n"
"    clone(..., CLONE_VM, ...);    /* Fails */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:287
#, no-wrap
msgid ""
"    setns(fd, CLONE_NEWPID);\n"
"    clone(..., CLONE_VM, ...);    /* Fails */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:290
#, no-wrap
msgid ""
"    clone(..., CLONE_VM, ...);\n"
"    setns(fd, CLONE_NEWPID);      /* Fails */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:293
#, no-wrap
msgid ""
"    clone(..., CLONE_VM, ...);\n"
"    unshare(CLONE_NEWPID);        /* Fails */\n"
msgstr ""

#
#.  ============================================================
#. type: SS
#: build/C/man7/pid_namespaces.7:297
#, no-wrap
msgid "/proc and PID namespaces"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:306
msgid ""
"A I</proc> filesystem shows (in the I</proc/PID> directories) only processes "
"visible in the PID namespace of the process that performed the mount, even "
"if the I</proc> filesystem is viewed from processes in other namespaces."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:325
msgid ""
"After creating a new PID namespace, it is useful for the child to change its "
"root directory and mount a new procfs instance at I</proc> so that tools "
"such as B<ps>(1)  work correctly.  If a new mount namespace is "
"simultaneously created by including B<CLONE_NEWNS> in the I<flags> argument "
"of B<clone>(2)  or B<unshare>(2), then it isn't necessary to change the root "
"directory: a new procfs instance can be mounted directly over I</proc>."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:329
msgid "From a shell, the command to mount I</proc> is:"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:331
#, no-wrap
msgid "    $ mount -t proc proc /proc\n"
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/pid_namespaces.7:343
msgid ""
"Calling B<readlink>(2)  on the path I</proc/self> yields the process ID of "
"the caller in the PID namespace of the procfs mount (i.e., the PID namespace "
"of the process that mounted the procfs).  This can be useful for "
"introspection purposes, when a process wants to discover its PID in other "
"namespaces."
msgstr ""

#. type: SS
#: build/C/man7/pid_namespaces.7:343 build/C/man7/user_namespaces.7:635
#, no-wrap
msgid "Miscellaneous"
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:351
msgid ""
"When a process ID is passed over a UNIX domain socket to a process in a "
"different PID namespace (see the description of B<SCM_CREDENTIALS> in "
"B<unix>(7)), it is translated into the corresponding PID value in the "
"receiving process's PID namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/pid_namespaces.7:364
msgid ""
"B<clone>(2), B<setns>(2), B<unshare>(2), B<proc>(5), B<credentials>(7), "
"B<capabilities>(7), B<user_namespaces>(7), B<switch_root>(8)"
msgstr ""

#. type: TH
#: build/C/man2/seteuid.2:29
#, no-wrap
msgid "SETEUID"
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:32
msgid "seteuid, setegid - set effective user or group ID"
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:38
msgid "B<int seteuid(uid_t >I<euid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:40
msgid "B<int setegid(gid_t >I<egid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:49
msgid "B<seteuid>(), B<setegid>():"
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:51
msgid ""
"_BSD_SOURCE || _POSIX_C_SOURCE\\ E<gt>=\\ 200112L || _XOPEN_SOURCE\\ "
"E<gt>=\\ 600"
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:58
msgid ""
"B<seteuid>()  sets the effective user ID of the calling process.  "
"Unprivileged user processes may only set the effective user ID to the real "
"user ID, the effective user ID or the saved set-user-ID."
msgstr ""

#.  When
#.  .I euid
#.  equals \-1, nothing is changed.
#.  (This is an artifact of the implementation in glibc of seteuid()
#.  using setresuid(2).)
#. type: Plain text
#: build/C/man2/seteuid.2:67
msgid ""
"Precisely the same holds for B<setegid>()  with \"group\" instead of "
"\"user\"."
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:79
msgid ""
"I<Note>: there are cases where B<seteuid>()  can fail even when the caller "
"is UID 0; it is a grave security error to omit checking for a failure return "
"from B<seteuid>()."
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:83
msgid "The target user or group ID is not valid in this user namespace."
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:99
msgid ""
"The calling process is not privileged (Linux: does not have the "
"B<CAP_SETUID> capability in the case of B<seteuid>(), or the B<CAP_SETGID> "
"capability in the case of B<setegid>())  and I<euid> (respectively, I<egid>)  "
"is not the real user (group) ID, the effective user (group) ID, or the saved "
"set-user-ID (saved set-group-ID)."
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:101
msgid "4.3BSD, POSIX.1-2001."
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:107
msgid ""
"Setting the effective user (group) ID to the saved set-user-ID (saved "
"set-group-ID) is possible since Linux 1.1.37 (1.1.38).  On an arbitrary "
"system one should check B<_POSIX_SAVED_IDS>."
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:123
msgid ""
"Under glibc 2.0 B<seteuid(>I<euid>B<)> is equivalent to B<setreuid(-1,>I< "
"euid>B<)> and hence may change the saved set-user-ID.  Under glibc 2.1 and "
"later it is equivalent to B<setresuid(-1,>I< euid>B<, -1)> and hence does "
"not change the saved set-user-ID.  Analogous remarks hold for B<setegid>(), "
"with the difference that the change in implementation from B<setregid(-1,>I< "
"egid>B<)> to B<setresgid(-1,>I< egid>B<, -1)> occurred in glibc 2.2 or 2.3 "
"(depending on the hardware architecture)."
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:132
msgid ""
"According to POSIX.1, B<seteuid>()  (B<setegid>())  need not permit I<euid> "
"(I<egid>)  to be the same value as the current effective user (group) ID, "
"and some implementations do not permit this."
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:141
msgid ""
"On Linux, B<seteuid>()  and B<setegid>()  are implemented as library "
"functions that call, respectively, B<setreuid>(2)  and B<setresgid>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/seteuid.2:148
msgid ""
"B<geteuid>(2), B<setresuid>(2), B<setreuid>(2), B<setuid>(2), "
"B<capabilities>(7), B<credentials>(7), B<user_namespaces>(7)"
msgstr ""

#. type: TH
#: build/C/man2/setfsgid.2:31
#, no-wrap
msgid "SETFSGID"
msgstr ""

#. type: TH
#: build/C/man2/setfsgid.2:31 build/C/man2/setfsuid.2:31
#, no-wrap
msgid "2013-08-08"
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:34
msgid "setfsgid - set group identity used for filesystem checks"
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:36 build/C/man2/setfsuid.2:36
msgid "B<#include E<lt>sys/fsuid.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:38
msgid "B<int setfsgid(uid_t >I<fsgid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:51
msgid ""
"The system call B<setfsgid>()  changes the value of the caller's filesystem "
"group ID\\(emthe group ID that the Linux kernel uses to check for all "
"accesses to the filesystem.  Normally, the value of the filesystem group ID "
"will shadow the value of the effective group ID.  In fact, whenever the "
"effective group ID is changed, the filesystem group ID will also be changed "
"to the new value of the effective group ID."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:62
msgid ""
"Explicit calls to B<setfsuid>(2)  and B<setfsgid>()  are usually used only "
"by programs such as the Linux NFS server that need to change what user and "
"group ID is used for file access without a corresponding change in the real "
"and effective user and group IDs.  A change in the normal user IDs for a "
"program such as the NFS server is a security hole that can expose it to "
"unwanted signals.  (But see below.)"
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:68
msgid ""
"B<setfsgid>()  will succeed only if the caller is the superuser or if "
"I<fsgid> matches either the caller's real group ID, effective group ID, "
"saved set-group-ID, or current the filesystem user ID."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:71
msgid ""
"On both success and failure, this call returns the previous filesystem group "
"ID of the caller."
msgstr ""

#.  This system call is present since Linux 1.1.44
#.  and in libc since libc 4.7.6.
#. type: Plain text
#: build/C/man2/setfsgid.2:75 build/C/man2/setfsuid.2:75
msgid "This system call is present in Linux since version 1.2."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:79
msgid ""
"B<setfsgid>()  is Linux-specific and should not be used in programs intended "
"to be portable."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:85
msgid ""
"When glibc determines that the argument is not a valid group ID, it will "
"return -1 and set I<errno> to B<EINVAL> without attempting the system call."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:96
msgid ""
"Note that at the time this system call was introduced, a process could send "
"a signal to a process with the same effective user ID.  Today signal "
"permission handling is slightly different.  See B<setfsuid>(2)  for a "
"discussion of why the use of both B<setfsuid>(2)  and B<setfsgid>()  is "
"nowadays unneeded."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:106
msgid ""
"The original Linux B<setfsgid>()  system call supported only 16-bit group "
"IDs.  Subsequently, Linux 2.4 added B<setfsgid32>()  supporting 32-bit IDs.  "
"The glibc B<setfsgid>()  wrapper function transparently deals with the "
"variation across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:123
msgid ""
"No error indications of any kind are returned to the caller, and the fact "
"that both successful and unsuccessful calls return the same value makes it "
"impossible to directly determine whether the call succeeded or failed.  "
"Instead, the caller must resort to looking at the return value from a "
"further call such as I<setfsgid(-1)> (which will always fail), in order to "
"determine if a preceding call to B<setfsgid>()  changed the filesystem group "
"ID.  At the very least, B<EPERM> should be returned when the call fails "
"(because the caller lacks the B<CAP_SETGID> capability)."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsgid.2:127
msgid "B<kill>(2), B<setfsuid>(2), B<capabilities>(7), B<credentials>(7)"
msgstr ""

#. type: TH
#: build/C/man2/setfsuid.2:31
#, no-wrap
msgid "SETFSUID"
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:34
msgid "setfsuid - set user identity used for filesystem checks"
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:38
msgid "B<int setfsuid(uid_t >I<fsuid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:51
msgid ""
"The system call B<setfsuid>()  changes the value of the caller's filesystem "
"user ID\\(emthe user ID that the Linux kernel uses to check for all accesses "
"to the filesystem.  Normally, the value of the filesystem user ID will "
"shadow the value of the effective user ID.  In fact, whenever the effective "
"user ID is changed, the filesystem user ID will also be changed to the new "
"value of the effective user ID."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:62
msgid ""
"Explicit calls to B<setfsuid>()  and B<setfsgid>(2)  are usually used only "
"by programs such as the Linux NFS server that need to change what user and "
"group ID is used for file access without a corresponding change in the real "
"and effective user and group IDs.  A change in the normal user IDs for a "
"program such as the NFS server is a security hole that can expose it to "
"unwanted signals.  (But see below.)"
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:68
msgid ""
"B<setfsuid>()  will succeed only if the caller is the superuser or if "
"I<fsuid> matches either the caller's real user ID, effective user ID, saved "
"set-user-ID, or current filesystem user ID."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:71
msgid ""
"On both success and failure, this call returns the previous filesystem user "
"ID of the caller."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:79
msgid ""
"B<setfsuid>()  is Linux-specific and should not be used in programs intended "
"to be portable."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:85
msgid ""
"When glibc determines that the argument is not a valid user ID, it will "
"return -1 and set I<errno> to B<EINVAL> without attempting the system call."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:104
msgid ""
"At the time when this system call was introduced, one process could send a "
"signal to another process with the same effective user ID.  This meant that "
"if a privileged process changed its effective user ID for the purpose of "
"file permission checking, then it could become vulnerable to receiving "
"signals sent by another (unprivileged) process with the same user ID.  The "
"filesystem user ID attribute was thus added to allow a process to change its "
"user ID for the purposes of file permission checking without at the same "
"time becoming vulnerable to receiving unwanted signals.  Since Linux 2.0, "
"signal permission handling is different (see B<kill>(2)), with the result "
"that a process change can change its effective user ID without being "
"vulnerable to receiving signals from unwanted processes.  Thus, "
"B<setfsuid>()  is nowadays unneeded and should be avoided in new "
"applications (likewise for B<setfsgid>(2))."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:114
msgid ""
"The original Linux B<setfsuid>()  system call supported only 16-bit user "
"IDs.  Subsequently, Linux 2.4 added B<setfsuid32>()  supporting 32-bit IDs.  "
"The glibc B<setfsuid>()  wrapper function transparently deals with the "
"variation across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:131
msgid ""
"No error indications of any kind are returned to the caller, and the fact "
"that both successful and unsuccessful calls return the same value makes it "
"impossible to directly determine whether the call succeeded or failed.  "
"Instead, the caller must resort to looking at the return value from a "
"further call such as I<setfsuid(-1)> (which will always fail), in order to "
"determine if a preceding call to B<setfsuid>()  changed the filesystem user "
"ID.  At the very least, B<EPERM> should be returned when the call fails "
"(because the caller lacks the B<CAP_SETUID> capability)."
msgstr ""

#. type: Plain text
#: build/C/man2/setfsuid.2:135
msgid "B<kill>(2), B<setfsgid>(2), B<capabilities>(7), B<credentials>(7)"
msgstr ""

#. type: TH
#: build/C/man2/setgid.2:29
#, no-wrap
msgid "SETGID"
msgstr ""

#. type: Plain text
#: build/C/man2/setgid.2:32
msgid "setgid - set group identity"
msgstr ""

#. type: Plain text
#: build/C/man2/setgid.2:38
msgid "B<int setgid(gid_t >I<gid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setgid.2:43
msgid ""
"B<setgid>()  sets the effective group ID of the calling process.  If the "
"caller is the superuser, the real GID and saved set-group-ID are also set."
msgstr ""

#. type: Plain text
#: build/C/man2/setgid.2:53
msgid ""
"Under Linux, B<setgid>()  is implemented like the POSIX version with the "
"B<_POSIX_SAVED_IDS> feature.  This allows a set-group-ID program that is not "
"set-user-ID-root to drop all of its group privileges, do some un-privileged "
"work, and then reengage the original effective group ID in a secure manner."
msgstr ""

#. type: Plain text
#: build/C/man2/setgid.2:64
msgid "The group ID specified in I<gid> is not valid in this user namespace."
msgstr ""

#. type: Plain text
#: build/C/man2/setgid.2:71
msgid ""
"The calling process is not privileged (does not have the B<CAP_SETGID> "
"capability), and I<gid> does not match the real group ID or saved "
"set-group-ID of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/setgid.2:83
msgid ""
"The original Linux B<setgid>()  system call supported only 16-bit group "
"IDs.  Subsequently, Linux 2.4 added B<setgid32>()  supporting 32-bit IDs.  "
"The glibc B<setgid>()  wrapper function transparently deals with the "
"variation across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/setgid.2:89
msgid ""
"B<getgid>(2), B<setegid>(2), B<setregid>(2), B<capabilities>(7), "
"B<credentials>(7), B<user_namespaces>(7)"
msgstr ""

#. type: TH
#: build/C/man2/setpgid.2:48
#, no-wrap
msgid "SETPGID"
msgstr ""

#. type: TH
#: build/C/man2/setpgid.2:48
#, no-wrap
msgid "2014-01-07"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:51
msgid "setpgid, getpgid, setpgrp, getpgrp - set/get process group"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:55
msgid "B<int setpgid(pid_t >I<pid>B<, pid_t >I<pgid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:57
msgid "B<pid_t getpgid(pid_t >I<pid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:59
msgid "B<pid_t getpgrp(void);> /* POSIX.1 version */"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:62
msgid ""
"B<pid_t getpgrp(pid_t >I<pid>B<);\\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ > /* BSD "
"version */"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:64
msgid "B<int setpgrp(void);> /* System V version */"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:67
msgid "B<int setpgrp(pid_t >I<pid>B<, pid_t >I<pgid>B<);\\ > /* BSD version */"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:76
msgid "B<getpgid>():"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:84
msgid "B<setpgrp>() (POSIX.1):"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:87
#, no-wrap
msgid ""
"    _SVID_SOURCE || _XOPEN_SOURCE\\ E<gt>=\\ 500 ||\n"
"    _XOPEN_SOURCE\\ &&\\ _XOPEN_SOURCE_EXTENDED\n"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:89
#, no-wrap
msgid "    || /* Since glibc 2.19: */ _BSD_SOURCE\n"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:93
msgid "B<setpgrp>()\\ (BSD), B<getpgrp>()\\ (BSD) [before glibc 2.19]:"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:97
#, no-wrap
msgid ""
"    _BSD_SOURCE &&\n"
"        !\\ (_POSIX_SOURCE || _POSIX_C_SOURCE || _XOPEN_SOURCE ||\n"
"           _XOPEN_SOURCE_EXTENDED || _GNU_SOURCE || _SVID_SOURCE)\n"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:109
msgid ""
"All of these interfaces are available on Linux, and are used for getting and "
"setting the process group ID (PGID) of a process.  The preferred, "
"POSIX.1-specified ways of doing this are: B<getpgrp>(void), for retrieving "
"the calling process's PGID; and B<setpgid>(), for setting a process's PGID."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:134
msgid ""
"B<setpgid>()  sets the PGID of the process specified by I<pid> to I<pgid>.  "
"If I<pid> is zero, then the process ID of the calling process is used.  If "
"I<pgid> is zero, then the PGID of the process specified by I<pid> is made "
"the same as its process ID.  If B<setpgid>()  is used to move a process from "
"one process group to another (as is done by some shells when creating "
"pipelines), both process groups must be part of the same session (see "
"B<setsid>(2)  and B<credentials>(7)).  In this case, the I<pgid> specifies "
"an existing process group to be joined and the session ID of that group must "
"match the session ID of the joining process."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:139
msgid ""
"The POSIX.1 version of B<getpgrp>(), which takes no arguments, returns the "
"PGID of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:150
msgid ""
"B<getpgid>()  returns the PGID of the process specified by I<pid>.  If "
"I<pid> is zero, the process ID of the calling process is used.  (Retrieving "
"the PGID of a process other than the caller is rarely necessary, and the "
"POSIX.1 B<getpgrp>()  is preferred for that task.)"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:155
msgid ""
"The System\\ V-style B<setpgrp>(), which takes no arguments, is equivalent "
"to I<setpgid(0,\\ 0)>."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:163
msgid ""
"The BSD-specific B<setpgrp>()  call, which takes arguments I<pid> and "
"I<pgid>, is is a wrapper function that calls"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:165
#, no-wrap
msgid "    setpgid(pid, pgid)\n"
msgstr ""

#.  The true BSD setpgrp() system call differs in allowing the PGID
#.  to be set to arbitrary values, rather than being restricted to
#.  PGIDs in the same session.
#. type: Plain text
#: build/C/man2/setpgid.2:176
msgid ""
"Since glibc 2.19, the BSD-specific B<setpgrp>()  function is no longer "
"exposed by I<E<lt>unistd.hE<gt>>; calls should be replaced with the "
"B<setpgid>()  call shown above."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:182
msgid ""
"The BSD-specific B<getpgrp>()  call, which takes a single I<pid> argument, "
"is a wrapper function that calls"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:184
#, no-wrap
msgid "    getpgid(pid)\n"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:195
msgid ""
"Since glibc 2.19, the BSD-specific B<getpgrp>()  function is no longer "
"exposed by I<E<lt>unistd.hE<gt>>; calls should be replaced with calls to the "
"POSIX.1 B<getpgrp>()  which takes no arguments (if the intent is to obtain "
"the caller's PGID), or with the B<getpgid>()  call shown above."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:204
msgid ""
"On success, B<setpgid>()  and B<setpgrp>()  return zero.  On error, -1 is "
"returned, and I<errno> is set appropriately."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:208
msgid "The POSIX.1 B<getpgrp>()  always returns the PGID of the caller."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:216
msgid ""
"B<getpgid>(), and the BSD-specific B<getpgrp>()  return a process group on "
"success.  On error, -1 is returned, and I<errno> is set appropriately."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:225
msgid ""
"An attempt was made to change the process group ID of one of the children of "
"the calling process and the child had already performed an B<execve>(2)  "
"(B<setpgid>(), B<setpgrp>())."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:231
msgid "I<pgid> is less than 0 (B<setpgid>(), B<setpgrp>())."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:240
msgid ""
"An attempt was made to move a process into a process group in a different "
"session, or to change the process group ID of one of the children of the "
"calling process and the child was in a different session, or to change the "
"process group ID of a session leader (B<setpgid>(), B<setpgrp>())."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:250
msgid ""
"For B<getpgid>(): I<pid> does not match any process.  For B<setpgid>(): "
"I<pid> is not the calling process and not a child of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:256
msgid ""
"B<setpgid>()  and the version of B<getpgrp>()  with no arguments conform to "
"POSIX.1-2001."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:265
msgid ""
"POSIX.1-2001 also specifies B<getpgid>()  and the version of B<setpgrp>()  "
"that takes no arguments.  (POSIX.1-2008 marks this B<setpgrp>()  "
"specification as obsolete.)"
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:272
msgid ""
"The version of B<getpgrp>()  with one argument and the version of "
"B<setpgrp>()  that takes two arguments derive from 4.2BSD, and are not "
"specified by POSIX.1."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:278
msgid ""
"A child created via B<fork>(2)  inherits its parent's process group ID.  The "
"PGID is preserved across an B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:281
msgid ""
"Each process group is a member of a session and each process is a member of "
"the session of which its process group is a member."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:308
msgid ""
"A session can have a controlling terminal.  At any time, one (and only one) "
"of the process groups in the session can be the foreground process group for "
"the terminal; the remaining process groups are in the background.  If a "
"signal is generated from the terminal (e.g., typing the interrupt key to "
"generate B<SIGINT>), that signal is sent to the foreground process group.  "
"(See B<termios>(3)  for a description of the characters that generate "
"signals.)  Only the foreground process group may B<read>(2)  from the "
"terminal; if a background process group tries to B<read>(2)  from the "
"terminal, then the group is sent a B<SIGTTIN> signal, which suspends it.  "
"The B<tcgetpgrp>(3)  and B<tcsetpgrp>(3)  functions are used to get/set the "
"foreground process group of the controlling terminal."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:316
msgid ""
"The B<setpgid>()  and B<getpgrp>()  calls are used by programs such as "
"B<bash>(1)  to create process groups in order to implement shell job "
"control."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:326
msgid ""
"If a session has a controlling terminal, and the B<CLOCAL> flag for that "
"terminal is not set, and a terminal hangup occurs, then the session leader "
"is sent a B<SIGHUP>.  If the session leader exits, then a B<SIGHUP> signal "
"will also be sent to each process in the foreground process group of the "
"controlling terminal."
msgstr ""

#.  exit.3 refers to the following text:
#. type: Plain text
#: build/C/man2/setpgid.2:340
msgid ""
"If the exit of the process causes a process group to become orphaned, and if "
"any member of the newly orphaned process group is stopped, then a B<SIGHUP> "
"signal followed by a B<SIGCONT> signal will be sent to each process in the "
"newly orphaned process group.  An orphaned process group is one in which the "
"parent of every member of process group is either itself also a member of "
"the process group or is a member of a process group in a different session "
"(see also B<credentials>(7))."
msgstr ""

#. type: Plain text
#: build/C/man2/setpgid.2:346
msgid ""
"B<getuid>(2), B<setsid>(2), B<tcgetpgrp>(3), B<tcsetpgrp>(3), B<termios>(3), "
"B<credentials>(7)"
msgstr ""

#. type: TH
#: build/C/man2/setresuid.2:26
#, no-wrap
msgid "SETRESUID"
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:29
msgid "setresuid, setresgid - set real, effective and saved user or group ID"
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:35
msgid "B<int setresuid(uid_t >I<ruid>B<, uid_t >I<euid>B<, uid_t >I<suid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:37
msgid "B<int setresgid(gid_t >I<rgid>B<, gid_t >I<egid>B<, gid_t >I<sgid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:41
msgid ""
"B<setresuid>()  sets the real user ID, the effective user ID, and the saved "
"set-user-ID of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:47
msgid ""
"Unprivileged user processes may change the real UID, effective UID, and "
"saved set-user-ID, each to one of: the current real UID, the current "
"effective UID or the current saved set-user-ID."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:51
msgid ""
"Privileged processes (on Linux, those having the B<CAP_SETUID> capability)  "
"may set the real UID, effective UID, and saved set-user-ID to arbitrary "
"values."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:53
msgid "If one of the arguments equals -1, the corresponding value is not changed."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:57
msgid ""
"Regardless of what changes are made to the real UID, effective UID, and "
"saved set-user-ID, the filesystem UID is always set to the same value as the "
"(possibly new) effective UID."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:64
msgid ""
"Completely analogously, B<setresgid>()  sets the real GID, effective GID, "
"and saved set-group-ID of the calling process (and always modifies the "
"filesystem GID to be the same as the effective GID), with the same "
"restrictions for unprivileged processes."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:76
msgid ""
"I<Note>: there are cases where B<setresuid>()  can fail even when the caller "
"is UID 0; it is a grave security error to omit checking for a failure return "
"from B<setresuid>()."
msgstr ""

#. type: TP
#: build/C/man2/setresuid.2:77 build/C/man2/setresuid.2:84 build/C/man2/setreuid.2:106 build/C/man2/setreuid.2:113 build/C/man2/setuid.2:83 build/C/man2/setuid.2:90
#, no-wrap
msgid "B<EAGAIN>"
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:84 build/C/man2/setreuid.2:113
msgid ""
"The call would change the caller's real UID (i.e., I<ruid> does not match "
"the caller's real UID), but there was a temporary failure allocating the "
"necessary kernel data structures."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:99 build/C/man2/setreuid.2:128
msgid ""
"I<ruid> does not match the caller's real UID and this call would bring the "
"number of processes belonging to the real user ID I<ruid> over the caller's "
"B<RLIMIT_NPROC> resource limit.  Since Linux 3.1, this error case no longer "
"occurs (but robust applications should check for this error); see the "
"description of B<EAGAIN> in B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:103 build/C/man2/setreuid.2:132
msgid ""
"One or more of the target user or group IDs is not valid in this user "
"namespace."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:107
msgid ""
"The calling process is not privileged (did not have the B<CAP_SETUID> "
"capability) and tried to change the IDs to values that are not permitted."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:109
msgid "These calls are available under Linux since Linux 2.1.44."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:116
msgid ""
"Under HP-UX and FreeBSD, the prototype is found in I<E<lt>unistd.hE<gt>>.  "
"Under Linux, the prototype is provided by glibc since version 2.3.2."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:132
msgid ""
"The original Linux B<setresuid>()  and B<setresgid>()  system calls "
"supported only 16-bit user and group IDs.  Subsequently, Linux 2.4 added "
"B<setresuid32>()  and B<setresgid32>(), supporting 32-bit IDs.  The glibc "
"B<setresuid>()  and B<setresgid>()  wrapper functions transparently deal "
"with the variations across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/setresuid.2:141
msgid ""
"B<getresuid>(2), B<getuid>(2), B<setfsgid>(2), B<setfsuid>(2), "
"B<setreuid>(2), B<setuid>(2), B<capabilities>(7), B<credentials>(7), "
"B<user_namespaces>(7)"
msgstr ""

#. type: TH
#: build/C/man2/setreuid.2:45
#, no-wrap
msgid "SETREUID"
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:48
msgid "setreuid, setregid - set real and/or effective user or group ID"
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:54
msgid "B<int setreuid(uid_t >I<ruid>B<, uid_t >I<euid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:56
msgid "B<int setregid(gid_t >I<rgid>B<, gid_t >I<egid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:64
msgid "B<setreuid>(), B<setregid>():"
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:68
msgid ""
"_BSD_SOURCE || _XOPEN_SOURCE\\ E<gt>=\\ 500 || _XOPEN_SOURCE\\ &&\\ "
"_XOPEN_SOURCE_EXTENDED"
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:73
msgid "B<setreuid>()  sets real and effective user IDs of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:76
msgid ""
"Supplying a value of -1 for either the real or effective user ID forces the "
"system to leave that ID unchanged."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:79
msgid ""
"Unprivileged processes may only set the effective user ID to the real user "
"ID, the effective user ID, or the saved set-user-ID."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:82
msgid ""
"Unprivileged users may only set the real user ID to the real user ID or the "
"effective user ID."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:88
msgid ""
"If the real user ID is set (i.e., I<ruid> is not -1) or the effective user "
"ID is set to a value not equal to the previous real user ID, the saved "
"set-user-ID will be set to the new effective user ID."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:93
msgid ""
"Completely analogously, B<setregid>()  sets real and effective group ID's of "
"the calling process, and all of the above holds with \"group\" instead of "
"\"user\"."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:105
msgid ""
"I<Note>: there are cases where B<setreuid>()  can fail even when the caller "
"is UID 0; it is a grave security error to omit checking for a failure return "
"from B<setreuid>()."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:148
msgid ""
"The calling process is not privileged (Linux: does not have the "
"B<CAP_SETUID> capability in the case of B<setreuid>(), or the B<CAP_SETGID> "
"capability in the case of B<setregid>())  and a change other than (i)  "
"swapping the effective user (group) ID with the real user (group) ID, or "
"(ii) setting one to the value of the other or (iii) setting the effective "
"user (group) ID to the value of the saved set-user-ID (saved set-group-ID) "
"was specified."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:154
msgid ""
"POSIX.1-2001, 4.3BSD (the B<setreuid>()  and B<setregid>()  function calls "
"first appeared in 4.2BSD)."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:158
msgid ""
"Setting the effective user (group) ID to the saved set-user-ID (saved "
"set-group-ID) is possible since Linux 1.1.37 (1.1.38)."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:175
msgid ""
"POSIX.1 does not specify all of possible ID changes that are permitted on "
"Linux for an unprivileged process.  For B<setreuid>(), the effective user ID "
"can be made the same as the real user ID or the save set-user-ID, and it is "
"unspecified whether unprivileged processes may set the real user ID to the "
"real user ID, the effective user ID, or the saved set-user-ID.  For "
"B<setregid>(), the real group ID can be changed to the value of the saved "
"set-group-ID, and the effective group ID can be changed to the value of the "
"real group ID or the saved set-group-ID.  The precise details of what ID "
"changes are permitted vary across implementations."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:178
msgid ""
"POSIX.1 makes no specification about the effect of these calls on the saved "
"set-user-ID and saved set-group-ID."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:194
msgid ""
"The original Linux B<setreuid>()  and B<setregid>()  system calls supported "
"only 16-bit user and group IDs.  Subsequently, Linux 2.4 added "
"B<setreuid32>()  and B<setregid32>(), supporting 32-bit IDs.  The glibc "
"B<setreuid>()  and B<setregid>()  wrapper functions transparently deal with "
"the variations across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/setreuid.2:202
msgid ""
"B<getgid>(2), B<getuid>(2), B<seteuid>(2), B<setgid>(2), B<setresuid>(2), "
"B<setuid>(2), B<capabilities>(7), B<user_namespaces>(7)"
msgstr ""

#. type: TH
#: build/C/man2/setsid.2:31
#, no-wrap
msgid "SETSID"
msgstr ""

#. type: Plain text
#: build/C/man2/setsid.2:34
msgid "setsid - creates a session and sets the process group ID"
msgstr ""

#. type: Plain text
#: build/C/man2/setsid.2:39
msgid "B<pid_t setsid(void);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setsid.2:50
msgid ""
"B<setsid>()  creates a new session if the calling process is not a process "
"group leader.  The calling process is the leader of the new session (i.e., "
"its session ID is made the same as it process ID).  The calling process also "
"becomes the process group leader of a new process group in the session "
"(i.e., its process group ID is made the same as it process ID)."
msgstr ""

#. type: Plain text
#: build/C/man2/setsid.2:54
msgid ""
"The calling process will be the only process in the new process group and in "
"the new session.  The new session has no controlling terminal."
msgstr ""

#. type: Plain text
#: build/C/man2/setsid.2:61
msgid ""
"On success, the (new) session ID of the calling process is returned.  On "
"error, I<(pid_t)\\ -1> is returned, and I<errno> is set to indicate the "
"error."
msgstr ""

#. type: Plain text
#: build/C/man2/setsid.2:68
msgid ""
"The process group ID of any process equals the PID of the calling process.  "
"Thus, in particular, B<setsid>()  fails if the calling process is already a "
"process group leader."
msgstr ""

#. type: Plain text
#: build/C/man2/setsid.2:76
msgid ""
"A child created via B<fork>(2)  inherits its parent's session ID.  The "
"session ID is preserved across an B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/setsid.2:93
msgid ""
"A process group leader is a process whose process group ID equals its PID.  "
"Disallowing a process group leader from calling B<setsid>()  prevents the "
"possibility that a process group leader places itself in a new session while "
"other processes in the process group remain in the original session; such a "
"scenario would break the strict two-level hierarchy of sessions and process "
"groups.  In order to be sure that B<setsid>()  will succeed, B<fork>(2)  and "
"B<_exit>(2), and have the child do B<setsid>()."
msgstr ""

#. type: Plain text
#: build/C/man2/setsid.2:99
msgid ""
"B<setsid>(1), B<getsid>(2), B<setpgid>(2), B<setpgrp>(2), B<tcgetsid>(3), "
"B<credentials>(7)"
msgstr ""

#. type: TH
#: build/C/man2/setuid.2:30
#, no-wrap
msgid "SETUID"
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:33
msgid "setuid - set user identity"
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:39
msgid "B<int setuid(uid_t >I<uid>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:44
msgid ""
"B<setuid>()  sets the effective user ID of the calling process.  If the "
"effective UID of the caller is root, the real UID and saved set-user-ID are "
"also set."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:53
msgid ""
"Under Linux, B<setuid>()  is implemented like the POSIX version with the "
"B<_POSIX_SAVED_IDS> feature.  This allows a set-user-ID (other than root) "
"program to drop all of its user privileges, do some un-privileged work, and "
"then reengage the original effective user ID in a secure manner."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:63
msgid ""
"If the user is root or the program is set-user-ID-root, special care must be "
"taken.  The B<setuid>()  function checks the effective user ID of the caller "
"and if it is the superuser, all process-related user ID's are set to "
"I<uid>.  After this has occurred, it is impossible for the program to regain "
"root privileges."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:70
msgid ""
"Thus, a set-user-ID-root program wishing to temporarily drop root "
"privileges, assume the identity of an unprivileged user, and then regain "
"root privileges afterward cannot use B<setuid>().  You can accomplish this "
"with B<seteuid>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:82
msgid ""
"I<Note>: there are cases where B<setuid>()  can fail even when the caller is "
"UID 0; it is a grave security error to omit checking for a failure return "
"from B<setuid>()."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:90
msgid ""
"The call would change the caller's real UID (i.e., I<uid> does not match the "
"caller's real UID), but there was a temporary failure allocating the "
"necessary kernel data structures."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:105
msgid ""
"I<uid> does not match the real user ID of the caller and this call would "
"bring the number of processes belonging to the real user ID I<uid> over the "
"caller's B<RLIMIT_NPROC> resource limit.  Since Linux 3.1, this error case "
"no longer occurs (but robust applications should check for this error); see "
"the description of B<EAGAIN> in B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:110
msgid "The user ID specified in I<uid> is not valid in this user namespace."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:117
msgid ""
"The user is not privileged (Linux: does not have the B<CAP_SETUID> "
"capability) and I<uid> does not match the real UID or saved set-user-ID of "
"the calling process."
msgstr ""

#.  SVr4 documents an additional EINVAL error condition.
#. type: Plain text
#: build/C/man2/setuid.2:122
msgid ""
"SVr4, POSIX.1-2001.  Not quite compatible with the 4.4BSD call, which sets "
"all of the real, saved, and effective user IDs."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:130
msgid ""
"Linux has the concept of the filesystem user ID, normally equal to the "
"effective user ID.  The B<setuid>()  call also sets the filesystem user ID "
"of the calling process.  See B<setfsuid>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:135
msgid ""
"If I<uid> is different from the old effective UID, the process will be "
"forbidden from leaving core dumps."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:145
msgid ""
"The original Linux B<setuid>()  system call supported only 16-bit user IDs.  "
"Subsequently, Linux 2.4 added B<setuid32>()  supporting 32-bit IDs.  The "
"glibc B<setuid>()  wrapper function transparently deals with the variation "
"across kernel versions."
msgstr ""

#. type: Plain text
#: build/C/man2/setuid.2:152
msgid ""
"B<getuid>(2), B<seteuid>(2), B<setfsuid>(2), B<setreuid>(2), "
"B<capabilities>(7), B<credentials>(7), B<user_namespaces>(7)"
msgstr ""

#. type: TH
#: build/C/man7/svipc.7:40
#, no-wrap
msgid "SVIPC"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:43
msgid "svipc - System V interprocess communication mechanisms"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:48
#, no-wrap
msgid ""
"B<#include E<lt>sys/msg.hE<gt>>\n"
"B<#include E<lt>sys/sem.hE<gt>>\n"
"B<#include E<lt>sys/shm.hE<gt>>\n"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:56
msgid ""
"This manual page refers to the Linux implementation of the System V "
"interprocess communication (IPC) mechanisms: message queues, semaphore sets, "
"and shared memory segments.  In the following, the word I<resource> means an "
"instantiation of one among such mechanisms."
msgstr ""

#. type: SS
#: build/C/man7/svipc.7:56
#, no-wrap
msgid "Resource access permissions"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:64
msgid ""
"For each resource, the system uses a common structure of type I<struct "
"ipc_perm> to store information needed in determining permissions to perform "
"an IPC operation.  The I<ipc_perm> structure includes the following members:"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:74
#, no-wrap
msgid ""
"struct ipc_perm {\n"
"    uid_t          cuid;   /* creator user ID */\n"
"    gid_t          cgid;   /* creator group ID */\n"
"    uid_t          uid;    /* owner user ID */\n"
"    gid_t          gid;    /* owner group ID */\n"
"    unsigned short mode;   /* r/w permissions */\n"
"};\n"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:84
msgid ""
"The I<mode> member of the I<ipc_perm> structure defines, with its lower 9 "
"bits, the access permissions to the resource for a process executing an IPC "
"system call.  The permissions are interpreted as follows:"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:88
#, no-wrap
msgid ""
"    0400    Read by user.\n"
"    0200    Write by user.\n"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:91
#, no-wrap
msgid ""
"    0040    Read by group.\n"
"    0020    Write by group.\n"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:94
#, no-wrap
msgid ""
"    0004    Read by others.\n"
"    0002    Write by others.\n"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:102
msgid ""
"Bits 0100, 0010, and 0001 (the execute bits) are unused by the system.  "
"Furthermore, \"write\" effectively means \"alter\" for a semaphore set."
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:105
msgid "The same system header file also defines the following symbolic constants:"
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:105
#, no-wrap
msgid "B<IPC_CREAT>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:108
msgid "Create entry if key doesn't exist."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:108
#, no-wrap
msgid "B<IPC_EXCL>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:111
msgid "Fail if key exists."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:111
#, no-wrap
msgid "B<IPC_NOWAIT>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:114
msgid "Error if request must wait."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:114
#, no-wrap
msgid "B<IPC_PRIVATE>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:117
msgid "Private key."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:117
#, no-wrap
msgid "B<IPC_RMID>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:120
msgid "Remove resource."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:120
#, no-wrap
msgid "B<IPC_SET>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:123
msgid "Set resource options."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:123
#, no-wrap
msgid "B<IPC_STAT>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:126
msgid "Get resource options."
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:135
msgid ""
"Note that B<IPC_PRIVATE> is a I<key_t> type, while all the other symbolic "
"constants are flag fields and can be OR'ed into an I<int> type variable."
msgstr ""

#. type: SS
#: build/C/man7/svipc.7:135
#, no-wrap
msgid "Message queues"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:143
msgid ""
"A message queue is uniquely identified by a positive integer (its I<msqid>)  "
"and has an associated data structure of type I<struct msqid_ds>, defined in "
"I<E<lt>sys/msg.hE<gt>>, containing the following members:"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:156
#, no-wrap
msgid ""
"struct msqid_ds {\n"
"    struct ipc_perm msg_perm;\n"
"    msgqnum_t       msg_qnum;    /* no of messages on queue */\n"
"    msglen_t        msg_qbytes;  /* bytes max on a queue */\n"
"    pid_t           msg_lspid;   /* PID of last msgsnd(2) call */\n"
"    pid_t           msg_lrpid;   /* PID of last msgrcv(2) call */\n"
"    time_t          msg_stime;   /* last msgsnd(2) time */\n"
"    time_t          msg_rtime;   /* last msgrcv(2) time */\n"
"    time_t          msg_ctime;   /* last change time */\n"
"};\n"
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:158
#, no-wrap
msgid "I<msg_perm>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:163
msgid ""
"I<ipc_perm> structure that specifies the access permissions on the message "
"queue."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:163
#, no-wrap
msgid "I<msg_qnum>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:166
msgid "Number of messages currently on the message queue."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:166
#, no-wrap
msgid "I<msg_qbytes>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:170
msgid "Maximum number of bytes of message text allowed on the message queue."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:170
#, no-wrap
msgid "I<msg_lspid>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:175
msgid "ID of the process that performed the last B<msgsnd>(2)  system call."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:175
#, no-wrap
msgid "I<msg_lrpid>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:180
msgid "ID of the process that performed the last B<msgrcv>(2)  system call."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:180
#, no-wrap
msgid "I<msg_stime>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:185
msgid "Time of the last B<msgsnd>(2)  system call."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:185
#, no-wrap
msgid "I<msg_rtime>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:190
msgid "Time of the last B<msgrcv>(2)  system call."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:190
#, no-wrap
msgid "I<msg_ctime>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:196
msgid ""
"Time of the last system call that changed a member of the I<msqid_ds> "
"structure."
msgstr ""

#. type: SS
#: build/C/man7/svipc.7:196
#, no-wrap
msgid "Semaphore sets"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:204
msgid ""
"A semaphore set is uniquely identified by a positive integer (its I<semid>)  "
"and has an associated data structure of type I<struct semid_ds>, defined in "
"I<E<lt>sys/sem.hE<gt>>, containing the following members:"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:213
#, no-wrap
msgid ""
"struct semid_ds {\n"
"    struct ipc_perm sem_perm;\n"
"    time_t          sem_otime;   /* last operation time */\n"
"    time_t          sem_ctime;   /* last change time */\n"
"    unsigned long   sem_nsems;   /* count of sems in set */\n"
"};\n"
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:215
#, no-wrap
msgid "I<sem_perm>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:220
msgid ""
"I<ipc_perm> structure that specifies the access permissions on the semaphore "
"set."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:220
#, no-wrap
msgid "I<sem_otime>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:225
msgid "Time of last B<semop>(2)  system call."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:225
#, no-wrap
msgid "I<sem_ctime>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:231
msgid ""
"Time of last B<semctl>(2)  system call that changed a member of the above "
"structure or of one semaphore belonging to the set."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:231
#, no-wrap
msgid "I<sem_nsems>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:239
msgid ""
"Number of semaphores in the set.  Each semaphore of the set is referenced by "
"a nonnegative integer ranging from B<0> to I<sem_nsems-1>."
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:243
msgid ""
"A semaphore is a data structure of type I<struct sem> containing the "
"following members:"
msgstr ""

#.     unsigned short semncnt; /* nr awaiting semval to increase */
#.     unsigned short semzcnt; /* nr awaiting semval = 0 */
#. type: Plain text
#: build/C/man7/svipc.7:252
#, no-wrap
msgid ""
"struct sem {\n"
"    int semval;  /* semaphore value */\n"
"    int sempid;  /* PID for last operation */\n"
"};\n"
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:254
#, no-wrap
msgid "I<semval>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:257
msgid "Semaphore value: a nonnegative integer."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:257
#, no-wrap
msgid "I<sempid>"
msgstr ""

#. .TP
#. .I semncnt
#. Number of processes suspended awaiting for
#. .I semval
#. to increase.
#. .TP
#. .I semznt
#. Number of processes suspended awaiting for
#. .I semval
#. to become zero.
#. type: Plain text
#: build/C/man7/svipc.7:271
msgid ""
"ID of the last process that performed a semaphore operation on this "
"semaphore."
msgstr ""

#. type: SS
#: build/C/man7/svipc.7:271
#, no-wrap
msgid "Shared memory segments"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:279
msgid ""
"A shared memory segment is uniquely identified by a positive integer (its "
"I<shmid>)  and has an associated data structure of type I<struct shmid_ds>, "
"defined in I<E<lt>sys/shm.hE<gt>>, containing the following members:"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:292
#, no-wrap
msgid ""
"struct shmid_ds {\n"
"    struct ipc_perm shm_perm;\n"
"    size_t          shm_segsz;   /* size of segment */\n"
"    pid_t           shm_cpid;    /* PID of creator */\n"
"    pid_t           shm_lpid;    /* PID, last operation */\n"
"    shmatt_t        shm_nattch;  /* no. of current attaches */\n"
"    time_t          shm_atime;   /* time of last attach */\n"
"    time_t          shm_dtime;   /* time of last detach */\n"
"    time_t          shm_ctime;   /* time of last change */\n"
"};\n"
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:294
#, no-wrap
msgid "I<shm_perm>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:299
msgid ""
"I<ipc_perm> structure that specifies the access permissions on the shared "
"memory segment."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:299
#, no-wrap
msgid "I<shm_segsz>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:302
msgid "Size in bytes of the shared memory segment."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:302
#, no-wrap
msgid "I<shm_cpid>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:305
msgid "ID of the process that created the shared memory segment."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:305
#, no-wrap
msgid "I<shm_lpid>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:312
msgid ""
"ID of the last process that executed a B<shmat>(2)  or B<shmdt>(2)  system "
"call."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:312
#, no-wrap
msgid "I<shm_nattch>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:315
msgid "Number of current alive attaches for this shared memory segment."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:315
#, no-wrap
msgid "I<shm_atime>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:320
msgid "Time of the last B<shmat>(2)  system call."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:320
#, no-wrap
msgid "I<shm_dtime>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:325
msgid "Time of the last B<shmdt>(2)  system call."
msgstr ""

#. type: TP
#: build/C/man7/svipc.7:325
#, no-wrap
msgid "I<shm_ctime>"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:331
msgid "Time of the last B<shmctl>(2)  system call that changed I<shmid_ds>."
msgstr ""

#. type: SS
#: build/C/man7/svipc.7:331
#, no-wrap
msgid "IPC namespaces"
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:335
msgid ""
"For a discussion of the interaction of System V IPC objects and IPC "
"namespaces, see B<namespaces>(7)."
msgstr ""

#. type: Plain text
#: build/C/man7/svipc.7:352
msgid ""
"B<ipcmk>(1), B<ipcrm>(1), B<ipcs>(1), B<ipc>(2), B<msgctl>(2), B<msgget>(2), "
"B<msgrcv>(2), B<msgsnd>(2), B<semctl>(2), B<semget>(2), B<semop>(2), "
"B<shmat>(2), B<shmctl>(2), B<shmdt>(2), B<shmget>(2), B<ftok>(3), "
"B<namespaces>(7)"
msgstr ""

#. type: TH
#: build/C/man3/ulimit.3:27
#, no-wrap
msgid "ULIMIT"
msgstr ""

#. type: TH
#: build/C/man3/ulimit.3:27
#, no-wrap
msgid "2008-08-06"
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:30
msgid "ulimit - get and set user limits"
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:32
msgid "B<#include E<lt>ulimit.hE<gt>>"
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:34
msgid "B<long ulimit(int >I<cmd>B<, long >I<newlimit>B<);>"
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:46
msgid ""
"Warning: This routine is obsolete.  Use B<getrlimit>(2), B<setrlimit>(2), "
"and B<sysconf>(3)  instead.  For the shell command B<ulimit>(), see "
"B<bash>(1)."
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:53
msgid ""
"The B<ulimit>()  call will get or set some limit for the calling process.  "
"The I<cmd> argument can have one of the following values."
msgstr ""

#. type: TP
#: build/C/man3/ulimit.3:53
#, no-wrap
msgid "B<UL_GETFSIZE>"
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:56
msgid "Return the limit on the size of a file, in units of 512 bytes."
msgstr ""

#. type: TP
#: build/C/man3/ulimit.3:56
#, no-wrap
msgid "B<UL_SETFSIZE>"
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:59
msgid "Set the limit on the size of a file."
msgstr ""

#. type: TP
#: build/C/man3/ulimit.3:59
#, no-wrap
msgid "B<3>"
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:63
msgid ""
"(Not implemented for Linux.)  Return the maximum possible address of the "
"data segment."
msgstr ""

#. type: TP
#: build/C/man3/ulimit.3:63
#, no-wrap
msgid "B<4>"
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:67
msgid ""
"(Implemented but no symbolic constant provided.)  Return the maximum number "
"of files that the calling process can open."
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:74
msgid ""
"On success, B<ulimit>()  returns a nonnegative value.  On error, -1 is "
"returned, and I<errno> is set appropriately."
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:78
msgid "A unprivileged process tried to increase a limit."
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:83
msgid "SVr4, POSIX.1-2001.  POSIX.1-2008 marks B<ulimit>()  as obsolete."
msgstr ""

#. type: Plain text
#: build/C/man3/ulimit.3:87
msgid "B<bash>(1), B<getrlimit>(2), B<setrlimit>(2), B<sysconf>(3)"
msgstr ""

#. type: TH
#: build/C/man7/user_namespaces.7:27
#, no-wrap
msgid "USER_NAMESPACES"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:30
msgid "user_namespaces - overview of Linux user namespaces"
msgstr ""

#.  FIXME: This page says very little about the interaction
#.  of user namespaces and keys. Add something on this topic.
#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:56
msgid ""
"User namespaces isolate security-related identifiers and attributes, in "
"particular, user IDs and group IDs (see B<credentials>(7)), the root "
"directory, keys (see B<keyctl>(2)), and capabilities (see "
"B<capabilities>(7)).  A process's user and group IDs can be different inside "
"and outside a user namespace.  In particular, a process can have a normal "
"unprivileged user ID outside a user namespace while at the same time having "
"a user ID of 0 inside the namespace; in other words, the process has full "
"privileges for operations inside the user namespace, but is unprivileged for "
"operations outside the namespace."
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:56
#, no-wrap
msgid "Nested namespaces, namespace membership"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:69
msgid ""
"User namespaces can be nested; that is, each user namespace\\(emexcept the "
"initial (\"root\")  namespace\\(emhas a parent user namespace, and can have "
"zero or more child user namespaces.  The parent user namespace is the user "
"namespace of the process that creates the user namespace via a call to "
"B<unshare>(2)  or B<clone>(2)  with the B<CLONE_NEWUSER> flag."
msgstr ""

#.  commit 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
#.  FIXME Explain the rationale for this limit. (What is the rationale?)
#. type: Plain text
#: build/C/man7/user_namespaces.7:80
msgid ""
"The kernel imposes (since version 3.11) a limit of 32 nested levels of user "
"namespaces.  Calls to B<unshare>(2)  or B<clone>(2)  that would cause this "
"limit to be exceeded fail with the error B<EUSERS>."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:95
msgid ""
"Each process is a member of exactly one user namespace.  A process created "
"via B<fork>(2)  or B<clone>(2)  without the B<CLONE_NEWUSER> flag is a "
"member of the same user namespace as its parent.  A single-threaded process "
"can join another user namespace with B<setns>(2)  if it has the "
"B<CAP_SYS_ADMIN> in that namespace; upon doing so, it gains a full set of "
"capabilities in that namespace."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:110
msgid ""
"A call to B<clone>(2)  or B<unshare>(2)  with the B<CLONE_NEWUSER> flag "
"makes the new child process (for B<clone>(2))  or the caller (for "
"B<unshare>(2))  a member of the new user namespace created by the call."
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:110
#, no-wrap
msgid "Capabilities"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:132
msgid ""
"The child process created by B<clone>(2)  with the B<CLONE_NEWUSER> flag "
"starts out with a complete set of capabilities in the new user namespace.  "
"Likewise, a process that creates a new user namespace using B<unshare>(2)  "
"or joins an existing user namespace using B<setns>(2)  gains a full set of "
"capabilities in that namespace.  On the other hand, that process has no "
"capabilities in the parent (in the case of B<clone>(2))  or previous (in the "
"case of B<unshare>(2)  and B<setns>(2))  user namespace, even if the new "
"namespace is created or joined by the root user (i.e., a process with user "
"ID 0 in the root namespace)."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:142
msgid ""
"Note that a call to B<execve>(2)  will cause a process's capabilities to be "
"recalculated in the usual way (see B<capabilities>(7)), so that usually, "
"unless it has a user ID of 0 within the namespace or the executable file has "
"a nonempty inheritable capabilities mask, it will lose all capabilities.  "
"See the discussion of user and group ID mappings, below."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:167
msgid ""
"A call to B<clone>(2), B<unshare>(2), or B<setns>(2)  using the "
"B<CLONE_NEWUSER> flag sets the \"securebits\" flags (see B<capabilities>(7))  "
"to their default values (all flags disabled) in the child (for B<clone>(2))  "
"or caller (for B<unshare>(2), or B<setns>(2)).  Note that because the caller "
"no longer has capabilities in its original user namespace after a call to "
"B<setns>(2), it is not possible for a process to reset its \"securebits\" "
"flags while retaining its user namespace membership by using a pair of "
"B<setns>(2)  calls to move to another user namespace and then return to its "
"original user namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:173
msgid ""
"Having a capability inside a user namespace permits a process to perform "
"operations (that require privilege)  only on resources governed by that "
"namespace.  The rules for determining whether or not a process has a "
"capability in a particular user namespace are as follows:"
msgstr ""

#.  In the 3.8 sources, see security/commoncap.c::cap_capable():
#. type: Plain text
#: build/C/man7/user_namespaces.7:189
msgid ""
"A process has a capability inside a user namespace if it is a member of that "
"namespace and it has the capability in its effective capability set.  A "
"process can gain capabilities in its effective capability set in various "
"ways.  For example, it may execute a set-user-ID program or an executable "
"with associated file capabilities.  In addition, a process may gain "
"capabilities via the effect of B<clone>(2), B<unshare>(2), or B<setns>(2), "
"as already described."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:193
msgid ""
"If a process has a capability in a user namespace, then it has that "
"capability in all child (and further removed descendant)  namespaces as "
"well."
msgstr ""

#.  * The owner of the user namespace in the parent of the
#.  * user namespace has all caps.
#.  (and likewise associates the effective group ID of the creating process
#.  with the namespace).
#.  See kernel commit 520d9eabce18edfef76a60b7b839d54facafe1f9 for a fix
#.  on this point
#.      This includes the case where the process executes a set-user-ID
#.      program that confers the effective UID of the creator of the namespace.
#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:214
msgid ""
"When a user namespace is created, the kernel records the effective user ID "
"of the creating process as being the \"owner\" of the namespace.  A process "
"that resides in the parent of the user namespace and whose effective user ID "
"matches the owner of the namespace has all capabilities in the namespace.  "
"By virtue of the previous rule, this means that the process has all "
"capabilities in all further removed descendant user namespaces as well."
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:214
#, no-wrap
msgid "Interaction of user namespaces and other types of namespaces"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:219
msgid ""
"Starting in Linux 3.8, unprivileged processes can create user namespaces, "
"and mount, PID, IPC, network, and UTS namespaces can be created with just "
"the B<CAP_SYS_ADMIN> capability in the caller's user namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:225
msgid ""
"When a non-user-namespace is created, it is owned by the user namespace in "
"which the creating process was a member at the time of the creation of the "
"namespace.  Actions on the non-user-namespace require capabilities in the "
"corresponding user namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:242
msgid ""
"If B<CLONE_NEWUSER> is specified along with other B<CLONE_NEW*> flags in a "
"single B<clone>(2)  or B<unshare>(2)  call, the user namespace is guaranteed "
"to be created first, giving the child (B<clone>(2))  or caller "
"(B<unshare>(2))  privileges over the remaining namespaces created by the "
"call.  Thus, it is possible for an unprivileged caller to specify this "
"combination of flags."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:258
msgid ""
"When a new IPC, mount, network, PID, or UTS namespace is created via "
"B<clone>(2)  or B<unshare>(2), the kernel records the user namespace of the "
"creating process against the new namespace.  (This association can't be "
"changed.)  When a process in the new namespace subsequently performs "
"privileged operations that operate on global resources isolated by the "
"namespace, the permission checks are performed according to the process's "
"capabilities in the user namespace that the kernel associated with the new "
"namespace."
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:258
#, no-wrap
msgid "Restrictions on mount namespaces"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:261
msgid "Note the following points with respect to mount namespaces:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:266
msgid ""
"A mount namespace has an owner user namespace.  A mount namespace whose "
"owner user namespace is different from the owner user namespace of its "
"parent mount namespace is considered a less privileged mount namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:272
msgid ""
"When creating a less privileged mount namespace, shared mounts are reduced "
"to slave mounts.  This ensures that mappings performed in less privileged "
"mount namespaces will not propagate to more privileged mount namespaces."
msgstr ""

#.  FIXME .
#.      What does "come as a single unit from more privileged mount" mean?
#. type: Plain text
#: build/C/man7/user_namespaces.7:285
msgid ""
"Mounts that come as a single unit from more privileged mount are locked "
"together and may not be separated in a less privileged mount namespace.  "
"(The B<unshare>(2)  B<CLONE_NEWNS> operation brings across all of the mounts "
"from the original mount namespace as a single unit, and recursive mounts "
"that propagate between mount namespaces propagate as a single unit.)"
msgstr ""

#.  commit 9566d6742852c527bf5af38af5cbb878dad75705
#.  Author: Eric W. Biederman <ebiederm@xmission.com>
#.  Date:   Mon Jul 28 17:26:07 2014 -0700
#
#.       mnt: Correct permission checks in do_remount
#. type: Plain text
#: build/C/man7/user_namespaces.7:306
msgid ""
"The B<mount>(2)  flags B<MS_RDONLY>, B<MS_NOSUID>, B<MS_NOEXEC>, and the "
"\"atime\" flags (B<MS_NOATIME>, B<MS_NODIRATIME>, B<MS_RELATIME>)  settings "
"become locked when propagated from a more privileged to a less privileged "
"mount namespace, and may not be changed in the less privileged mount "
"namespace."
msgstr ""

#.  (As of 3.18-rc1 (in Al Viro's 2014-08-30 vfs.git#for-next tree))
#. type: Plain text
#: build/C/man7/user_namespaces.7:313
msgid ""
"A file or directory that is a mount point in one namespace that is not a "
"mount point in another namespace, may be renamed, unlinked, or removed "
"(B<rmdir>(2))  in the mount namespace in which it is not a mount point "
"(subject to the usual permission checks)."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:324
msgid ""
"Previously, attempting to unlink, rename, or remove a file or directory that "
"was a mount point in another mount namespace would result in the error "
"B<EBUSY>.  That behavior had technical problems of enforcement (e.g., for "
"NFS)  and permitted denial-of-service attacks against more privileged "
"users.  (i.e., preventing individual files from being updated by bind "
"mounting on top of them)."
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:324
#, no-wrap
msgid "User and group ID mappings: uid_map and gid_map"
msgstr ""

#.  commit 22d917d80e842829d0ca0a561967d728eb1d6303
#. type: Plain text
#: build/C/man7/user_namespaces.7:339
msgid ""
"When a user namespace is created, it starts out without a mapping of user "
"IDs (group IDs)  to the parent user namespace.  The I</proc/[pid]/uid_map> "
"and I</proc/[pid]/gid_map> files (available since Linux 3.5)  expose the "
"mappings for user and group IDs inside the user namespace for the process "
"I<pid>.  These files can be read to view the mappings in a user namespace "
"and written to (once) to define the mappings."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:345
msgid ""
"The description in the following paragraphs explains the details for "
"I<uid_map>; I<gid_map> is exactly the same, but each instance of \"user ID\" "
"is replaced by \"group ID\"."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:359
msgid ""
"The I<uid_map> file exposes the mapping of user IDs from the user namespace "
"of the process I<pid> to the user namespace of the process that opened "
"I<uid_map> (but see a qualification to this point below).  In other words, "
"processes that are in different user namespaces will potentially see "
"different values when reading from a particular I<uid_map> file, depending "
"on the user ID mappings for the user namespaces of the reading processes."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:371
msgid ""
"Each line in the I<uid_map> file specifies a 1-to-1 mapping of a range of "
"contiguous user IDs between two user namespaces.  (When a user namespace is "
"first created, this file is empty.)  The specification in each line takes "
"the form of three numbers delimited by white space.  The first two numbers "
"specify the starting user ID in each of the two user namespaces.  The third "
"number specifies the length of the mapped range.  In detail, the fields are "
"interpreted as follows:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:375
msgid ""
"The start of the range of user IDs in the user namespace of the process "
"I<pid>."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:383
msgid ""
"The start of the range of user IDs to which the user IDs specified by field "
"one map.  How field two is interpreted depends on whether the process that "
"opened I<uid_map> and the process I<pid> are in the same user namespace, as "
"follows:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:389
msgid ""
"If the two processes are in different user namespaces: field two is the "
"start of a range of user IDs in the user namespace of the process that "
"opened I<uid_map>."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:400
msgid ""
"If the two processes are in the same user namespace: field two is the start "
"of the range of user IDs in the parent user namespace of the process "
"I<pid>.  This case enables the opener of I<uid_map> (the common case here is "
"opening I</proc/self/uid_map>)  to see the mapping of user IDs into the user "
"namespace of the process that created this user namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:404
msgid ""
"The length of the range of user IDs that is mapped between the two user "
"namespaces."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:411
msgid ""
"System calls that return user IDs (group IDs)\\(emfor example, B<getuid>(2), "
"B<getgid>(2), and the credential fields in the structure returned by "
"B<stat>(2)\\(emreturn the user ID (group ID) mapped into the caller's user "
"namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:419
msgid ""
"When a process accesses a file, its user and group IDs are mapped into the "
"initial user namespace for the purpose of permission checking and assigning "
"IDs when creating a file.  When a process retrieves file user and group IDs "
"via B<stat>(2), the IDs are mapped in the opposite direction, to produce "
"values relative to the process user and group ID mappings."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:428
msgid ""
"The initial user namespace has no parent namespace, but, for consistency, "
"the kernel provides dummy user and group ID mapping files for this "
"namespace.  Looking at the I<uid_map> file (I<gid_map> is the same) from a "
"shell in the initial namespace shows:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:433
#, no-wrap
msgid ""
"$ B<cat /proc/$$/uid_map>\n"
"         0          0 4294967295\n"
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:453
msgid ""
"This mapping tells us that the range starting at user ID 0 in this namespace "
"maps to a range starting at 0 in the (nonexistent) parent namespace, and the "
"length of the range is the largest 32-bit unsigned integer.  (This "
"deliberately leaves 4294967295 (the 32-bit signed -1 value) unmapped.  This "
"is deliberate: I<(uid_t)\\ -\\1> is used in several interfaces (e.g., "
"B<setreuid>(2))  as a way to specify \"no user ID\".  Leaving I<(uid_t)\\ "
"-\\1> unmapped and unusable guarantees that there will be no confusion when "
"using these interfaces."
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:453
#, no-wrap
msgid "Defining user and group ID mappings: writing to uid_map and gid_map"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:469
msgid ""
"After the creation of a new user namespace, the I<uid_map> file of I<one> of "
"the processes in the namespace may be written to I<once> to define the "
"mapping of user IDs in the new user namespace.  An attempt to write more "
"than once to a I<uid_map> file in a user namespace fails with the error "
"B<EPERM>.  Similar rules apply for I<gid_map> files."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:474
msgid ""
"The lines written to I<uid_map> (I<gid_map>)  must conform to the following "
"rules:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:477
msgid ""
"The three fields must be valid numbers, and the last field must be greater "
"than 0."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:479
msgid "Lines are terminated by newline characters."
msgstr ""

#.  FIXME(Eric): the restriction "less than" rather than "less than or equal"
#.  seems strangely arbitrary. Furthermore, the comment does not agree
#.  with the code in kernel/user_namespace.c. Which is correct?
#. type: Plain text
#: build/C/man7/user_namespaces.7:492
msgid ""
"There is an (arbitrary) limit on the number of lines in the file.  As at "
"Linux 3.8, the limit is five lines.  In addition, the number of bytes "
"written to the file must be less than the system page size, and the write "
"must be performed at the start of the file (i.e., B<lseek>(2)  and "
"B<pwrite>(2)  can't be used to write to nonzero offsets in the file)."
msgstr ""

#.  commit 0bd14b4fd72afd5df41e9fd59f356740f22fceba
#. type: Plain text
#: build/C/man7/user_namespaces.7:505
msgid ""
"The range of user IDs (group IDs)  specified in each line cannot overlap "
"with the ranges in any other lines.  In the initial implementation (Linux "
"3.8), this requirement was satisfied by a simplistic implementation that "
"imposed the further requirement that the values in both field 1 and field 2 "
"of successive lines must be in ascending numerical order, which prevented "
"some otherwise valid maps from being created.  Linux 3.9 and later fix this "
"limitation, allowing any valid set of nonoverlapping maps."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:507
msgid "At least one line must be written to the file."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:510
msgid "Writes that violate the above rules fail with the error B<EINVAL>."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:515
msgid ""
"In order for a process to write to the I</proc/[pid]/uid_map> "
"(I</proc/[pid]/gid_map>)  file, all of the following requirements must be "
"met:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:521
msgid ""
"The writing process must have the B<CAP_SETUID> (B<CAP_SETGID>)  capability "
"in the user namespace of the process I<pid>."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:526
msgid ""
"The writing process must be in either the user namespace of the process "
"I<pid> or inside the parent user namespace of the process I<pid>."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:529
msgid ""
"The mapped user IDs (group IDs) must in turn have a mapping in the parent "
"user namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:531
msgid "One of the following is true:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:541
msgid ""
"The data written to I<uid_map> (I<gid_map>)  consists of a single line that "
"maps the writing process's filesystem user ID (group ID) in the parent user "
"namespace to a user ID (group ID)  in the user namespace.  The usual case "
"here is that this single line provides a mapping for user ID of the process "
"that created the namespace."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:548
msgid ""
"The opening process has the B<CAP_SETUID> (B<CAP_SETGID>)  capability in the "
"parent user namespace.  Thus, a privileged process can make mappings to "
"arbitrary user IDs (group IDs)  in the parent user namespace."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:555
msgid "Writes that violate the above rules fail with the error B<EPERM>."
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:555
#, no-wrap
msgid "Unmapped user and group IDs"
msgstr ""

#.  from_kuid_munged(), from_kgid_munged()
#. type: Plain text
#: build/C/man7/user_namespaces.7:572
msgid ""
"There are various places where an unmapped user ID (group ID)  may be "
"exposed to user space.  For example, the first process in a new user "
"namespace may call B<getuid>()  before a user ID mapping has been defined "
"for the namespace.  In most such cases, an unmapped user ID is converted to "
"the overflow user ID (group ID); the default value for the overflow user ID "
"(group ID) is 65534.  See the descriptions of "
"I</proc/sys/kernel/overflowuid> and I</proc/sys/kernel/overflowgid> in "
"B<proc>(5)."
msgstr ""

#.  also SO_PEERCRED
#. type: Plain text
#: build/C/man7/user_namespaces.7:600
msgid ""
"The cases where unmapped IDs are mapped in this fashion include system calls "
"that return user IDs (B<getuid>(2), B<getgid>(2), and similar), credentials "
"passed over a UNIX domain socket, credentials returned by B<stat>(2), "
"B<waitid>(2), and the System V IPC \"ctl\" B<IPC_STAT> operations, "
"credentials exposed by I</proc/PID/status> and the files in "
"I</proc/sysvipc/*>, credentials returned via the I<si_uid> field in the "
"I<siginfo_t> received with a signal (see B<sigaction>(2)), credentials "
"written to the process accounting file (see B<acct>(5)), and credentials "
"returned with POSIX message queue notifications (see B<mq_notify>(3))."
msgstr ""

#.  from_kuid(), from_kgid()
#.  Also F_GETOWNER_UIDS is an exception
#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:615
msgid ""
"There is one notable case where unmapped user and group IDs are I<not> "
"converted to the corresponding overflow ID value.  When viewing a I<uid_map> "
"or I<gid_map> file in which there is no mapping for the second field, that "
"field is displayed as 4294967295 (-1 as an unsigned integer);"
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:615
#, no-wrap
msgid "Set-user-ID and set-group-ID programs"
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:635
msgid ""
"When a process inside a user namespace executes a set-user-ID (set-group-ID) "
"program, the process's effective user (group) ID inside the namespace is "
"changed to whatever value is mapped for the user (group) ID of the file.  "
"However, if either the user I<or> the group ID of the file has no mapping "
"inside the namespace, the set-user-ID (set-group-ID) bit is silently "
"ignored: the new program is executed, but the process's effective user "
"(group) ID is left unchanged.  (This mirrors the semantics of executing a "
"set-user-ID or set-group-ID program that resides on a filesystem that was "
"mounted with the B<MS_NOSUID> flag, as described in B<mount>(2).)"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:645
msgid ""
"When a process's user and group IDs are passed over a UNIX domain socket to "
"a process in a different user namespace (see the description of "
"B<SCM_CREDENTIALS> in B<unix>(7)), they are translated into the "
"corresponding values as per the receiving process's user and group ID "
"mappings."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: build/C/man7/user_namespaces.7:658
msgid ""
"Over the years, there have been a lot of features that have been added to "
"the Linux kernel that have been made available only to privileged users "
"because of their potential to confuse set-user-ID-root applications.  In "
"general, it becomes safe to allow the root user in a user namespace to use "
"those features because it is impossible, while in a user namespace, to gain "
"more privilege than the root user of a user namespace has."
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:658
#, no-wrap
msgid "Availability"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:666
msgid ""
"Use of user namespaces requires a kernel that is configured with the "
"B<CONFIG_USER_NS> option.  User namespaces require support in a range of "
"subsystems across the kernel.  When an unsupported subsystem is configured "
"into the kernel, it is not possible to configure user namespaces support."
msgstr ""

#.  commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
#. type: Plain text
#: build/C/man7/user_namespaces.7:677
msgid ""
"As at Linux 3.8, most relevant subsystems supported user namespaces, but a "
"number of filesystems did not have the infrastructure needed to map user and "
"group IDs between user namespaces.  Linux 3.9 added the required "
"infrastructure support for many of the remaining unsupported filesystems "
"(Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA, NFS, and OCFS2).  "
"Linux 3.11 added support the last of the unsupported major filesystems, XFS."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:686
msgid ""
"The program below is designed to allow experimenting with user namespaces, "
"as well as other types of namespaces.  It creates namespaces as specified by "
"command-line options and then executes a command inside those namespaces.  "
"The comments and I<usage()> function inside the program provide a full "
"explanation of the program.  The following shell session demonstrates its "
"use."
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:688
msgid "First, we look at the run-time environment:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:697
#, no-wrap
msgid ""
"$ B<uname -rs>     # Need Linux 3.8 or later\n"
"Linux 3.8.0\n"
"$ B<id -u>         # Running as unprivileged user\n"
"1000\n"
"$ B<id -g>\n"
"1000\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:711
msgid ""
"Now start a new shell in new user (I<-U>), mount (I<-m>), and PID (I<-p>)  "
"namespaces, with user ID (I<-M>)  and group ID (I<-G>)  1000 mapped to 0 "
"inside the user namespace:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:715
#, no-wrap
msgid "$ B<./userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash>\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:720
msgid ""
"The shell has PID 1, because it is the first process in the new PID "
"namespace:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:725
#, no-wrap
msgid ""
"bash$ B<echo $$>\n"
"1\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:730
msgid ""
"Inside the user namespace, the shell has user and group ID 0, and a full set "
"of permitted and effective capabilities:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:740
#, no-wrap
msgid ""
"bash$ B<cat /proc/$$/status | egrep '^[UG]id'>\n"
"Uid:\t0\t0\t0\t0\n"
"Gid:\t0\t0\t0\t0\n"
"bash$ B<cat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'>\n"
"CapInh:\t0000000000000000\n"
"CapPrm:\t0000001fffffffff\n"
"CapEff:\t0000001fffffffff\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:748
msgid ""
"Mounting a new I</proc> filesystem and listing all of the processes visible "
"in the new PID namespace shows that the shell can't see any processes "
"outside the PID namespace:"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:756
#, no-wrap
msgid ""
"bash$ B<mount -t proc proc /proc>\n"
"bash$ B<ps ax>\n"
"  PID TTY      STAT   TIME COMMAND\n"
"    1 pts/3    S      0:00 bash\n"
"   22 pts/3    R+     0:00 ps ax\n"
msgstr ""

#. type: SS
#: build/C/man7/user_namespaces.7:758 build/C/man2/seccomp.2:574
#, no-wrap
msgid "Program source"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:762
#, no-wrap
msgid "/* userns_child_exec.c\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:764
#, no-wrap
msgid "   Licensed under GNU General Public License v2 or later\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:780
#, no-wrap
msgid ""
"   Create a child process that executes a shell command in new\n"
"   namespace(s); allow UID and GID mappings to be specified when\n"
"   creating a user namespace.\n"
"*/\n"
"#define _GNU_SOURCE\n"
"#include E<lt>sched.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>sys/wait.hE<gt>\n"
"#include E<lt>signal.hE<gt>\n"
"#include E<lt>fcntl.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>string.hE<gt>\n"
"#include E<lt>limits.hE<gt>\n"
"#include E<lt>errno.hE<gt>\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:783
#, no-wrap
msgid ""
"/* A simple error-handling function: print an error message based\n"
"   on the value in \\(aqerrno\\(aq and terminate the calling process */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:786
#, no-wrap
msgid ""
"#define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); \\e\n"
"                        } while (0)\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:791
#, no-wrap
msgid ""
"struct child_args {\n"
"    char **argv;        /* Command to be executed by child, with args */\n"
"    int    pipe_fd[2];  /* Pipe used to synchronize parent and child */\n"
"};\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:793
#, no-wrap
msgid "static int verbose;\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:826
#, no-wrap
msgid ""
"static void\n"
"usage(char *pname)\n"
"{\n"
"    fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n"
"    fprintf(stderr, \"Create a child process that executes a shell \"\n"
"            \"command in a new user namespace,\\en\"\n"
"            \"and possibly also other new namespace(s).\\en\\en\");\n"
"    fprintf(stderr, \"Options can be:\\en\\en\");\n"
"#define fpe(str) fprintf(stderr, \"    %s\", str);\n"
"    fpe(\"-i          New IPC namespace\\en\");\n"
"    fpe(\"-m          New mount namespace\\en\");\n"
"    fpe(\"-n          New network namespace\\en\");\n"
"    fpe(\"-p          New PID namespace\\en\");\n"
"    fpe(\"-u          New UTS namespace\\en\");\n"
"    fpe(\"-U          New user namespace\\en\");\n"
"    fpe(\"-M uid_map  Specify UID map for user namespace\\en\");\n"
"    fpe(\"-G gid_map  Specify GID map for user namespace\\en\");\n"
"    fpe(\"-z          Map user\\(aqs UID and GID to 0 in user "
"namespace\\en\");\n"
"    fpe(\"            (equivalent to: -M \\(aq0 E<lt>uidE<gt> 1\\(aq -G "
"\\(aq0 E<lt>gidE<gt> 1\\(aq)\\en\");\n"
"    fpe(\"-v          Display verbose messages\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n"
"    fpe(\"It is not permitted to specify both -z and either -M or "
"-G.\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"Map strings for -M and -G consist of records of the "
"form:\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"    ID-inside-ns   ID-outside-ns   len\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"A map string can contain multiple records, separated\"\n"
"        \" by commas;\\en\");\n"
"    fpe(\"the commas are replaced by newlines before writing\"\n"
"        \" to map files.\\en\");\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:834
#, no-wrap
msgid ""
"/* Update the mapping file \\(aqmap_file\\(aq, with the value provided in\n"
"   \\(aqmapping\\(aq, a string that defines a UID or GID mapping. A UID or\n"
"   GID mapping consists of one or more newline-delimited records\n"
"   of the form:\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:836
#, no-wrap
msgid "       ID_inside-ns    ID-outside-ns   length\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:841
#, no-wrap
msgid ""
"   Requiring the user to supply a string that contains newlines is\n"
"   of course inconvenient for command-line use. Thus, we permit the\n"
"   use of commas to delimit records in this string, and replace them\n"
"   with newlines before writing the string to the file. */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:847
#, no-wrap
msgid ""
"static void\n"
"update_map(char *mapping, char *map_file)\n"
"{\n"
"    int fd, j;\n"
"    size_t map_len;     /* Length of \\(aqmapping\\(aq */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:849
#, no-wrap
msgid "    /* Replace commas in mapping string with newlines */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:854
#, no-wrap
msgid ""
"    map_len = strlen(mapping);\n"
"    for (j = 0; j E<lt> map_len; j++)\n"
"        if (mapping[j] == \\(aq,\\(aq)\n"
"            mapping[j] = \\(aq\\en\\(aq;\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:861
#, no-wrap
msgid ""
"    fd = open(map_file, O_RDWR);\n"
"    if (fd == -1) {\n"
"        fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:867
#, no-wrap
msgid ""
"    if (write(fd, mapping, map_len) != map_len) {\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:870
#, no-wrap
msgid ""
"    close(fd);\n"
"}\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:876
#, no-wrap
msgid ""
"static int              /* Start function for cloned child */\n"
"childFunc(void *arg)\n"
"{\n"
"    struct child_args *args = (struct child_args *) arg;\n"
"    char ch;\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:881
#, no-wrap
msgid ""
"    /* Wait until the parent has updated the UID and GID mappings.\n"
"       See the comment in main(). We wait for end of file on a\n"
"       pipe that will be closed by the parent process once it has\n"
"       updated the mappings. */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:890
#, no-wrap
msgid ""
"    close(args-E<gt>pipe_fd[1]);    /* Close our descriptor for the write\n"
"                                   end of the pipe so that we see EOF\n"
"                                   when parent closes its descriptor */\n"
"    if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n"
"        fprintf(stderr,\n"
"                \"Failure in child: read from pipe returned != 0\\en\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:892
#, no-wrap
msgid "    /* Execute a shell command */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:897
#, no-wrap
msgid ""
"    printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n"
"    execvp(args-E<gt>argv[0], args-E<gt>argv);\n"
"    errExit(\"execvp\");\n"
"}\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:899
#, no-wrap
msgid "#define STACK_SIZE (1024 * 1024)\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:901
#, no-wrap
msgid "static char child_stack[STACK_SIZE];    /* Space for child\\(aqs stack */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:912
#, no-wrap
msgid ""
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    int flags, opt, map_zero;\n"
"    pid_t child_pid;\n"
"    struct child_args args;\n"
"    char *uid_map, *gid_map;\n"
"    const int MAP_BUF_SIZE = 100;\n"
"    char map_buf[MAP_BUF_SIZE];\n"
"    char map_path[PATH_MAX];\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:919
#, no-wrap
msgid ""
"    /* Parse command-line options. The initial \\(aq+\\(aq character in\n"
"       the final getopt() argument prevents GNU-style permutation\n"
"       of command-line options. That\\(aqs useful, since sometimes\n"
"       the \\(aqcommand\\(aq to be executed by this program itself\n"
"       has command-line options. We don\\(aqt want getopt() to treat\n"
"       those as options to this program. */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:940
#, no-wrap
msgid ""
"    flags = 0;\n"
"    verbose = 0;\n"
"    gid_map = NULL;\n"
"    uid_map = NULL;\n"
"    map_zero = 0;\n"
"    while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n"
"        switch (opt) {\n"
"        case \\(aqi\\(aq: flags |= CLONE_NEWIPC;        break;\n"
"        case \\(aqm\\(aq: flags |= CLONE_NEWNS;         break;\n"
"        case \\(aqn\\(aq: flags |= CLONE_NEWNET;        break;\n"
"        case \\(aqp\\(aq: flags |= CLONE_NEWPID;        break;\n"
"        case \\(aqu\\(aq: flags |= CLONE_NEWUTS;        break;\n"
"        case \\(aqv\\(aq: verbose = 1;                  break;\n"
"        case \\(aqz\\(aq: map_zero = 1;                 break;\n"
"        case \\(aqM\\(aq: uid_map = optarg;             break;\n"
"        case \\(aqG\\(aq: gid_map = optarg;             break;\n"
"        case \\(aqU\\(aq: flags |= CLONE_NEWUSER;       break;\n"
"        default:  usage(argv[0]);\n"
"        }\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:942
#, no-wrap
msgid "    /* -M or -G without -U is nonsensical */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:947
#, no-wrap
msgid ""
"    if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n"
"                !(flags & CLONE_NEWUSER)) ||\n"
"            (map_zero && (uid_map != NULL || gid_map != NULL)))\n"
"        usage(argv[0]);\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:949
#, no-wrap
msgid "    args.argv = &argv[optind];\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:959
#, no-wrap
msgid ""
"    /* We use a pipe to synchronize the parent and child, in order to\n"
"       ensure that the parent sets the UID and GID maps before the child\n"
"       calls execve(). This ensures that the child maintains its\n"
"       capabilities during the execve() in the common case where we\n"
"       want to map the child\\(aqs effective user ID to 0 in the new user\n"
"       namespace. Without this synchronization, the child would lose\n"
"       its capabilities if it performed an execve() with nonzero\n"
"       user IDs (see the capabilities(7) man page for details of the\n"
"       transformation of a process\\(aqs capabilities during execve()). */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:962
#, no-wrap
msgid ""
"    if (pipe(args.pipe_fd) == -1)\n"
"        errExit(\"pipe\");\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:964
#, no-wrap
msgid "    /* Create the child in new namespace(s) */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:969
#, no-wrap
msgid ""
"    child_pid = clone(childFunc, child_stack + STACK_SIZE,\n"
"                      flags | SIGCHLD, &args);\n"
"    if (child_pid == -1)\n"
"        errExit(\"clone\");\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:971
#, no-wrap
msgid "    /* Parent falls through to here */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:975
#, no-wrap
msgid ""
"    if (verbose)\n"
"        printf(\"%s: PID of child created by clone() is %ld\\en\",\n"
"                argv[0], (long) child_pid);\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:977
#, no-wrap
msgid "    /* Update the UID and GID maps in the child */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:996
#, no-wrap
msgid ""
"    if (uid_map != NULL || map_zero) {\n"
"        snprintf(map_path, PATH_MAX, \"/proc/%ld/uid_map\",\n"
"                (long) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\", (long) getuid());\n"
"            uid_map = map_buf;\n"
"        }\n"
"        update_map(uid_map, map_path);\n"
"    }\n"
"    if (gid_map != NULL || map_zero) {\n"
"        snprintf(map_path, PATH_MAX, \"/proc/%ld/gid_map\",\n"
"                (long) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\", (long) getgid());\n"
"            gid_map = map_buf;\n"
"        }\n"
"        update_map(gid_map, map_path);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:999
#, no-wrap
msgid ""
"    /* Close the write end of the pipe, to signal to the child that we\n"
"       have updated the UID and GID maps */\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:1001
#, no-wrap
msgid "    close(args.pipe_fd[1]);\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:1004
#, no-wrap
msgid ""
"    if (waitpid(child_pid, NULL, 0) == -1)      /* Wait for child */\n"
"        errExit(\"waitpid\");\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:1007
#, no-wrap
msgid ""
"    if (verbose)\n"
"        printf(\"%s: terminating\\en\", argv[0]);\n"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:1010
#, no-wrap
msgid ""
"    exit(EXIT_SUCCESS);\n"
"}\n"
msgstr ""

#.  From the shadow package
#.  From the shadow package
#.  From the shadow package
#.  From the shadow package
#. type: Plain text
#: build/C/man7/user_namespaces.7:1024
msgid ""
"B<newgidmap>(1), B<newuidmap>(1), B<clone>(2), B<setns>(2), B<unshare>(2), "
"B<proc>(5), B<subgid>(5), B<subuid>(5), B<credentials>(7), "
"B<capabilities>(7), B<namespaces>(7), B<pid_namespaces>(7)"
msgstr ""

#. type: Plain text
#: build/C/man7/user_namespaces.7:1026
msgid "The kernel source file I<Documentation/namespaces/resource-control.txt>."
msgstr ""

#. type: TH
#: build/C/man2/seccomp.2:27
#, no-wrap
msgid "SECCOMP"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:30
msgid "seccomp - operate on Secure Computing state of the process"
msgstr ""

#.  Kees Cook noted: Anything that uses SECCOMP_RET_TRACE returns will
#.                   need <sys/ptrace.h>
#. type: Plain text
#: build/C/man2/seccomp.2:39
#, no-wrap
msgid ""
"B<#include E<lt>linux/seccomp.hE<gt>>\n"
"B<#include E<lt>linux/filter.hE<gt>>\n"
"B<#include E<lt>linux/audit.hE<gt>>\n"
"B<#include E<lt>linux/signal.hE<gt>>\n"
"B<#include E<lt>sys/ptrace.hE<gt>>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:42
#, no-wrap
msgid ""
"B<int seccomp(unsigned int >I<operation>B<, unsigned int >I<flags>B<, void "
"*>I<args>B<);>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:48
msgid ""
"The B<seccomp>()  system call operates on the Secure Computing (seccomp) "
"state of the calling process."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:52
msgid "Currently, Linux supports the following I<operation> values:"
msgstr ""

#. type: TP
#: build/C/man2/seccomp.2:52
#, no-wrap
msgid "B<SECCOMP_SET_MODE_STRICT>"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:66
msgid ""
"The only system calls that the calling thread is permitted to make are "
"B<read>(2), B<write>(2), B<_exit>(2), and B<sigreturn>(2).  Other system "
"calls result in the delivery of a B<SIGKILL> signal.  Strict secure "
"computing mode is useful for number-crunching applications that may need to "
"execute untrusted byte code, perhaps obtained by reading from a pipe or "
"socket."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:70
msgid ""
"This operation is available only if the kernel is configured with "
"B<CONFIG_SECCOMP> enabled."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:76
msgid "The value of I<flags> must be 0, and I<args> must be NULL."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:78
msgid "This operation is functionally identical to the call:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:80
#, no-wrap
msgid "    prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);\n"
msgstr ""

#. type: TP
#: build/C/man2/seccomp.2:80
#, no-wrap
msgid "B<SECCOMP_SET_MODE_FILTER>"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:95
msgid ""
"The system calls allowed are defined by a pointer to a Berkeley Packet "
"Filter (BPF) passed via I<args>.  This argument is a pointer to a I<struct\\ "
"sock_fprog>; it can be designed to filter arbitrary system calls and system "
"call arguments.  If the filter is invalid, B<seccomp>()  fails, returning "
"B<EINVAL> in I<errno>."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:107
msgid ""
"If B<fork>(2)  or B<clone>(2)  is allowed by the filter, any child processes "
"will be constrained to the same system call filters as the parent.  If "
"B<execve>(2)  is allowed, the existing filters will be preserved across a "
"call to B<execve>(2)."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:117
msgid ""
"In order to use the B<SECCOMP_SET_MODE_FILTER> operation, either the caller "
"must have the B<CAP_SYS_ADMIN> capability, or the thread must already have "
"the I<no_new_privs> bit set.  If that bit was not already set by an ancestor "
"of this thread, the thread must make the following call:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:119
#, no-wrap
msgid "    prctl(PR_SET_NO_NEW_PRIVS, 1);\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:138
msgid ""
"Otherwise, the B<SECCOMP_SET_MODE_FILTER> operation will fail and return "
"B<EACCES> in I<errno>.  This requirement ensures that an unprivileged "
"process cannot apply a malicious filter and then invoke a set-user-ID or "
"other privileged program using B<execve>(2), thus potentially compromising "
"that program.  (Such a malicious filter might, for example, cause an attempt "
"to use B<setuid>(2)  to set the caller's user IDs to non-zero values to "
"instead return 0 without actually making the system call.  Thus, the program "
"might be tricked into retaining superuser privileges in circumstances where "
"it is possible to influence it to do dangerous things because it did not "
"actually drop privileges.)"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:146
msgid ""
"If B<prctl>(2)  or B<seccomp>(2)  is allowed by the attached filter, further "
"filters may be added.  This will increase evaluation time, but allows for "
"further reduction of the attack surface during execution of a thread."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:152
msgid ""
"The B<SECCOMP_SET_MODE_FILTER> operation is available only if the kernel is "
"configured with B<CONFIG_SECCOMP_FILTER> enabled."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:156
msgid "When I<flags> is 0, this operation is functionally identical to the call:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:158
#, no-wrap
msgid "    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:162
msgid "The recognized I<flags> are:"
msgstr ""

#. type: TP
#: build/C/man2/seccomp.2:163
#, no-wrap
msgid "B<SECCOMP_FILTER_FLAG_TSYNC>"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:171
msgid ""
"When adding a new filter, synchronize all other threads of the calling "
"process to the same seccomp filter tree.  A \"filter tree\" is the ordered "
"list of filters attached to a thread.  (Attaching identical filters in "
"separate B<seccomp>()  calls results in different filters from this "
"perspective.)"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:179
msgid ""
"If any thread cannot synchronize to the same filter tree, the call will not "
"attach the new seccomp filter, and will fail, returning the first thread ID "
"found that cannot synchronize.  Synchronization will fail if another thread "
"in the same process is in B<SECCOMP_MODE_STRICT> or if it has attached new "
"seccomp filters to itself, diverging from the calling thread's filter tree."
msgstr ""

#. type: SS
#: build/C/man2/seccomp.2:180
#, no-wrap
msgid "Filters"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:185
msgid ""
"When adding filters via B<SECCOMP_SET_MODE_FILTER>, I<args> points to a "
"filter program:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:193
#, no-wrap
msgid ""
"struct sock_fprog {\n"
"    unsigned short      len;    /* Number of BPF instructions */\n"
"    struct sock_filter *filter; /* Pointer to array of\n"
"                                   BPF instructions */\n"
"};\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:197
msgid "Each program must contain one or more BPF instructions:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:206
#, no-wrap
msgid ""
"struct sock_filter {            /* Filter block */\n"
"    __u16 code;                 /* Actual filter code */\n"
"    __u8  jt;                   /* Jump true */\n"
"    __u8  jf;                   /* Jump false */\n"
"    __u32 k;                    /* Generic multiuse field */\n"
"};\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:213
msgid ""
"When executing the instructions, the BPF program operates on the system call "
"information made available (i.e., use the B<BPF_ABS> addressing mode) as a "
"buffer of the following form:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:223
#, no-wrap
msgid ""
"struct seccomp_data {\n"
"    int   nr;                   /* System call number */\n"
"    __u32 arch;                 /* AUDIT_ARCH_* value\n"
"                                   (see E<lt>linux/audit.hE<gt>) */\n"
"    __u64 instruction_pointer;  /* CPU instruction pointer */\n"
"    __u64 args[6];              /* Up to 6 system call arguments */\n"
"};\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:234
msgid ""
"A seccomp filter returns a 32-bit value consisting of two parts: the most "
"significant 16 bits (corresponding to the mask defined by the constant "
"B<SECCOMP_RET_ACTION>)  contain one of the \"action\" values listed below; "
"the least significant 16-bits (defined by the constant B<SECCOMP_RET_DATA>)  "
"are \"data\" to be associated with this return value."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:242
msgid ""
"If multiple filters exist, they are all executed, in reverse order of their "
"addition to the filter tree (i.e., the most recently installed filter is "
"executed first).  The return value for the evaluation of a given system call "
"is the first-seen B<SECCOMP_RET_ACTION> value of highest precedence (along "
"with its accompanying data)  returned by execution of all of the filters."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:245
msgid ""
"In decreasing order of precedence, the values that may be returned by a "
"seccomp filter are:"
msgstr ""

#. type: TP
#: build/C/man2/seccomp.2:245
#, no-wrap
msgid "B<SECCOMP_RET_KILL>"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:254
msgid ""
"This value results in the process exiting immediately without executing the "
"system call.  The process terminates as though killed by a B<SIGSYS> signal "
"(I<not> B<SIGKILL>)."
msgstr ""

#. type: TP
#: build/C/man2/seccomp.2:254
#, no-wrap
msgid "B<SECCOMP_RET_TRAP>"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:264
msgid ""
"This value results in the kernel sending a B<SIGSYS> signal to the "
"triggering process without executing the system call.  Various fields will "
"be set in the I<siginfo_t> structure (see B<sigaction>(2))  associated with "
"signal:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:269
msgid "I<si_signo> will contain B<SIGSYS>."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:272
msgid "I<si_call_addr> will show the address of the system call instruction."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:277
msgid "I<si_syscall> and I<si_arch> will indicate which system call was attempted."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:281
msgid "I<si_code> will contain B<SYS_SECCOMP>."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:286
msgid ""
"I<si_errno> will contain the B<SECCOMP_RET_DATA> portion of the filter "
"return value."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:295
msgid ""
"The program counter will be as though the system call happened (i.e., it "
"will not point to the system call instruction).  The return value register "
"will contain an architecture-dependent value; if resuming execution, set it "
"to something appropriate for the system call.  (The architecture dependency "
"is because replacing it with B<ENOSYS> could overwrite some useful "
"information.)"
msgstr ""

#. type: TP
#: build/C/man2/seccomp.2:295
#, no-wrap
msgid "B<SECCOMP_RET_ERRNO>"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:302
msgid ""
"This value results in the B<SECCOMP_RET_DATA> portion of the filter's return "
"value being passed to user space as the I<errno> value without executing the "
"system call."
msgstr ""

#. type: TP
#: build/C/man2/seccomp.2:302
#, no-wrap
msgid "B<SECCOMP_RET_TRACE>"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:312
msgid ""
"When returned, this value will cause the kernel to attempt to notify a "
"B<ptrace>(2)-based tracer prior to executing the system call.  If there is "
"no tracer present, the system call is not executed and returns a failure "
"status with I<errno> set to B<ENOSYS>."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:323
msgid ""
"A tracer will be notified if it requests B<PTRACE_O_TRACESECCOMP> using "
"I<ptrace(PTRACE_SETOPTIONS)>.  The tracer will be notified of a "
"B<PTRACE_EVENT_SECCOMP> and the B<SECCOMP_RET_DATA> portion of the filter's "
"return value will be available to the tracer via B<PTRACE_GETEVENTMSG>."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:330
msgid ""
"The tracer can skip the system call by changing the system call number to "
"-1.  Alternatively, the tracer can change the system call requested by "
"changing the system call to a valid system call number.  If the tracer asks "
"to skip the system call, then the system call will appear to return the "
"value that the tracer puts in the return value register."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:339
msgid ""
"The seccomp check will not be run again after the tracer is notified.  (This "
"means that seccomp-based sandboxes B<must not> allow use of "
"B<ptrace>(2)\\(emeven of other sandboxed processes\\(emwithout extreme care; "
"ptracers can use this mechanism to escape from the seccomp sandbox.)"
msgstr ""

#. type: TP
#: build/C/man2/seccomp.2:339
#, no-wrap
msgid "B<SECCOMP_RET_ALLOW>"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:342
msgid "This value results in the system call being executed."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:358
msgid ""
"On success, B<seccomp>()  returns 0.  On error, if "
"B<SECCOMP_FILTER_FLAG_TSYNC> was used, the return value is the ID of the "
"thread that caused the synchronization failure.  (This ID is a kernel thread "
"ID of the type returned by B<clone>(2)  and B<gettid>(2).)  On other errors, "
"-1 is returned, and I<errno> is set to indicate the cause of the error."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:361
msgid "B<seccomp>()  can fail for the following reasons:"
msgstr ""

#. type: TP
#: build/C/man2/seccomp.2:361
#, no-wrap
msgid "B<EACCESS>"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:369
msgid ""
"The caller did not have the B<CAP_SYS_ADMIN> capability, or had not set "
"I<no_new_privs> before using B<SECCOMP_SET_MODE_FILTER>."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:373
msgid "I<args> was not a valid address."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:380
msgid "I<operation> is unknown; or I<flags> are invalid for the given I<operation>."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:387
msgid ""
"I<operation> included B<BPF_ABS>, but the specified offset was not aligned "
"to a 32-bit boundary or exceeded I<sizeof(struct\\ seccomp_data)>."
msgstr ""

#.  See kernel/seccomp.c::seccomp_may_assign_mode() in 3.18 sources
#. type: Plain text
#: build/C/man2/seccomp.2:393
msgid ""
"A secure computing mode has already been set, and I<operation> differs from "
"the existing setting."
msgstr ""

#.  See stub kernel/seccomp.c::seccomp_set_mode_filter() in 3.18 sources
#. type: Plain text
#: build/C/man2/seccomp.2:402
msgid ""
"I<operation> specified B<SECCOMP_SET_MODE_FILTER>, but the kernel was not "
"built with B<CONFIG_SECCOMP_FILTER> enabled."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:413
msgid ""
"I<operation> specified B<SECCOMP_SET_MODE_FILTER>, but the filter program "
"pointed to by I<args> was not valid or the length of the filter program was "
"zero or exceeded B<BPF_MAXINSNS> (4096) instructions.  B<EINVAL>"
msgstr ""

#.  ENOMEM in kernel/seccomp.c::seccomp_attach_filter() in 3.18 sources
#. type: Plain text
#: build/C/man2/seccomp.2:426
msgid ""
"The total length of all filter programs attached to the calling thread would "
"exceed B<MAX_INSNS_PER_PATH> (32768) instructions.  Note that for the "
"purposes of calculating this limit, each already existing filter program "
"incurs an overhead penalty of 4 instructions."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:430
msgid ""
"Another thread caused a failure during thread sync, but its ID could not be "
"determined."
msgstr ""

#.  FIXME . Add glibc version
#. type: Plain text
#: build/C/man2/seccomp.2:435
msgid "The B<seccomp>()  system call first appeared in Linux 3.17."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:439
msgid "The B<seccomp>()  system call is a nonstandard Linux extension."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:446
msgid ""
"The I<Seccomp> field of the I</proc/[pid]/status> file provides a method of "
"viewing the seccomp mode of a process; see B<proc>(5)."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:453
msgid ""
"B<seccomp>()  provides a superset of the functionality provided by the "
"B<prctl>(2)  B<PR_SET_SECCOMP> operation (which does not support I<flags>)."
msgstr ""

#. type: SS
#: build/C/man2/seccomp.2:453
#, no-wrap
msgid "Seccomp-specific BPF details"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:455
msgid "Note the following BPF details specific to seccomp filters:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:463
msgid ""
"The B<BPF_H> and B<BPF_B> size modifiers are not supported: all operations "
"must load and store (4-byte) words (B<BPF_W>)."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:469
msgid ""
"To access the contents of the I<seccomp_data> buffer, use the B<BPF_ABS> "
"addressing mode modifier."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:476
msgid ""
"The B<BPF_LEN> addressing mode modifier yields an immediate mode operand "
"whose value is the size of the I<seccomp_data> buffer."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:482
msgid ""
"The program below accepts four or more arguments.  The first three arguments "
"are a system call number, a numeric architecture identifier, and an error "
"number.  The program uses these values to construct a BPF filter that is "
"used at run time to perform the following checks:"
msgstr ""

#. type: IP
#: build/C/man2/seccomp.2:482
#, no-wrap
msgid "[1]"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:486
msgid ""
"If the program is not running on the specified architecture, the BPF filter "
"causes system calls to fail with the error B<ENOSYS>."
msgstr ""

#. type: IP
#: build/C/man2/seccomp.2:486
#, no-wrap
msgid "[2]"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:491
msgid ""
"If the program attempts to execute the system call with the specified "
"number, the BPF filter causes the system call to fail, with I<errno> being "
"set to the specified error number."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:500
msgid ""
"The remaining command-line arguments specify the pathname and additional "
"arguments of a program that the example program should attempt to execute "
"using B<execve>(3)  (a library function that employs the B<execve>(2)  "
"system call).  Some example runs of the program are shown below."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:504
msgid ""
"First, we display the architecture that we are running on (x86-64)  and then "
"construct a shell function that looks up system call numbers on this "
"architecture:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:513
#, no-wrap
msgid ""
"$ B<uname -m>\n"
"x86_64\n"
"$ B<syscall_nr() {\n"
"    cat /usr/src/linux/arch/x86/syscalls/syscall_64.tbl | \\e\n"
"    awk '$2 != \"x32\" && $3 == \"'$1'\" { print $1 }'\n"
"}>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:520
msgid ""
"When the BPF filter rejects a system call (case [2] above), it causes the "
"system call to fail with the error number specified on the command line.  In "
"the experiments shown here, we'll use error number 99:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:525
#, no-wrap
msgid ""
"$ B<errno 99>\n"
"EADDRNOTAVAIL 99 Cannot assign requested address\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:533
msgid ""
"In the following example, we attempt to run the command B<whoami>(1), but "
"the BPF filter rejects the B<execve>(2)  system call, so that the command is "
"not even executed:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:544
#, no-wrap
msgid ""
"$ B<syscall_nr execve>\n"
"59\n"
"$ B<./a.out>\n"
"Usage: ./a.out E<lt>syscall_nrE<gt> E<lt>archE<gt> E<lt>errnoE<gt> "
"E<lt>progE<gt> [E<lt>argsE<gt>]\n"
"Hint for E<lt>archE<gt>: AUDIT_ARCH_I386: 0x40000003\n"
"                 AUDIT_ARCH_X86_64: 0xC000003E\n"
"$ B<./a.out 59 0xC000003E 99 /bin/whoami>\n"
"execv: Cannot assign requested address\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:552
msgid ""
"In the next example, the BPF filter rejects the B<write>(2)  system call, so "
"that, although it is successfully started, the B<whoami>(1)  command is not "
"able to write output:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:558
#, no-wrap
msgid ""
"$ B<syscall_nr write>\n"
"1\n"
"$ B<./a.out 1 0xC000003E 99 /bin/whoami>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:565
msgid ""
"In the final example, the BPF filter rejects a system call that is not used "
"by the B<whoami>(1)  command, so it is able to successfully execute and "
"produce output:"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:572
#, no-wrap
msgid ""
"$ B<syscall_nr preadv>\n"
"295\n"
"$ B<./a.out 295 0xC000003E 99 /bin/whoami>\n"
"cecilia\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:586
#, no-wrap
msgid ""
"#include E<lt>errno.hE<gt>\n"
"#include E<lt>stddef.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"#include E<lt>linux/audit.hE<gt>\n"
"#include E<lt>linux/filter.hE<gt>\n"
"#include E<lt>linux/seccomp.hE<gt>\n"
"#include E<lt>sys/prctl.hE<gt>\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:595
#, no-wrap
msgid ""
"static int\n"
"install_filter(int syscall_nr, int t_arch, int f_errno)\n"
"{\n"
"    struct sock_filter filter[] = {\n"
"        /* [0] Load architecture from 'seccomp_data' buffer into\n"
"               accumulator */\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
"                 (offsetof(struct seccomp_data, arch))),\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:599
#, no-wrap
msgid ""
"        /* [1] Jump forward 4 instructions if architecture does not\n"
"               match 't_arch' */\n"
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, t_arch, 0, 4),\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:604
#, no-wrap
msgid ""
"        /* [2] Load system call number from 'seccomp_data' buffer into\n"
"               accumulator */\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
"                 (offsetof(struct seccomp_data, nr))),\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:608
#, no-wrap
msgid ""
"        /* [3] Jump forward 1 instruction if system call number\n"
"               does not match 'syscall_nr' */\n"
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:613
#, no-wrap
msgid ""
"        /* [4] Matching architecture and system call: don't execute\n"
"\t       the system call, and return 'f_errno' in 'errno' */\n"
"        BPF_STMT(BPF_RET | BPF_K,\n"
"                 SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:617
#, no-wrap
msgid ""
"        /* [5] Destination of system call number mismatch: allow other\n"
"               system calls */\n"
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:621
#, no-wrap
msgid ""
"        /* [6] Destination of architecture mismatch: kill process */\n"
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),\n"
"    };\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:626
#, no-wrap
msgid ""
"    struct sock_fprog prog = {\n"
"        .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),\n"
"        .filter = filter,\n"
"    };\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:631
#, no-wrap
msgid ""
"    if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {\n"
"        perror(\"seccomp\");\n"
"        return 1;\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:634
#, no-wrap
msgid ""
"    return 0;\n"
"}\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:646
#, no-wrap
msgid ""
"int\n"
"main(int argc, char **argv)\n"
"{\n"
"    if (argc E<lt> 5) {\n"
"        fprintf(stderr, \"Usage: \"\n"
"                \"%s E<lt>syscall_nrE<gt> E<lt>archE<gt> E<lt>errnoE<gt> "
"E<lt>progE<gt> [E<lt>argsE<gt>]\\en\"\n"
"                \"Hint for E<lt>archE<gt>: AUDIT_ARCH_I386: 0x%X\\en\"\n"
"                \"                 AUDIT_ARCH_X86_64: 0x%X\\en\"\n"
"                \"\\en\", argv[0], AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:651
#, no-wrap
msgid ""
"    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {\n"
"        perror(\"prctl\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:656
#, no-wrap
msgid ""
"    if (install_filter(strtol(argv[1], NULL, 0),\n"
"                       strtol(argv[2], NULL, 0),\n"
"                       strtol(argv[3], NULL, 0)))\n"
"        exit(EXIT_FAILURE);\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:661
#, no-wrap
msgid ""
"    execv(argv[4], &argv[4]);\n"
"    perror(\"execv\");\n"
"    exit(EXIT_FAILURE);\n"
"}\n"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:668
msgid "B<prctl>(2), B<ptrace>(2), B<sigaction>(2), B<signal>(7), B<socket>(7)"
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:673
msgid ""
"The kernel source files I<Documentation/networking/filter.txt> and "
"I<Documentation/prctl/seccomp_filter.txt>."
msgstr ""

#. type: Plain text
#: build/C/man2/seccomp.2:678
msgid ""
"McCanne, S. and Jacobson, V. (1992)  I<The BSD Packet Filter: A New "
"Architecture for User-level Packet Capture>, Proceedings of the USENIX "
"Winter 1993 Conference E<.UR http://www.tcpdump.org/papers/bpf-usenix93.pdf> "
"E<.UE>"
msgstr ""