# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2013-03-22 01:06+0900\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: TH #: build/C/man2/acct.2:31 build/C/man5/acct.5:25 #, no-wrap msgid "ACCT" msgstr "" #. type: TH #: build/C/man2/acct.2:31 #, no-wrap msgid "2008-06-16" msgstr "" #. type: TH #: build/C/man2/acct.2:31 build/C/man5/acct.5:25 build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:25 build/C/man2/getpriority.2:48 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:45 build/C/man2/setsid.2:30 build/C/man2/setuid.2:30 build/C/man7/svipc.7:27 build/C/man3/ulimit.3:27 #, no-wrap msgid "Linux" msgstr "" #. 
type: TH #: build/C/man2/acct.2:31 build/C/man5/acct.5:25 build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:25 build/C/man2/getpriority.2:48 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:45 build/C/man2/setsid.2:30 build/C/man2/setuid.2:30 build/C/man7/svipc.7:27 build/C/man3/ulimit.3:27 #, no-wrap msgid "Linux Programmer's Manual" msgstr "" #. type: SH #: build/C/man2/acct.2:32 build/C/man5/acct.5:26 build/C/man7/capabilities.7:49 build/C/man2/capget.2:16 build/C/man7/cpuset.7:26 build/C/man7/credentials.7:28 build/C/man2/getgid.2:26 build/C/man2/getgroups.2:32 build/C/man2/getpid.2:26 build/C/man2/getpriority.2:49 build/C/man2/getresuid.2:29 build/C/man2/getrlimit.2:65 build/C/man2/getrusage.2:40 build/C/man2/getsid.2:27 build/C/man2/getuid.2:27 build/C/man2/iopl.2:34 build/C/man2/ioprio_set.2:25 build/C/man2/ipc.2:26 build/C/man2/seteuid.2:30 build/C/man2/setfsgid.2:32 build/C/man2/setfsuid.2:32 build/C/man2/setgid.2:30 build/C/man2/setpgid.2:49 build/C/man2/setresuid.2:27 build/C/man2/setreuid.2:46 build/C/man2/setsid.2:31 build/C/man2/setuid.2:31 build/C/man7/svipc.7:28 build/C/man3/ulimit.3:28 #, no-wrap msgid "NAME" msgstr "" #. type: Plain text #: build/C/man2/acct.2:34 msgid "acct - switch process accounting on or off" msgstr "" #. 
type: SH #: build/C/man2/acct.2:34 build/C/man5/acct.5:28 build/C/man2/capget.2:18 build/C/man2/getgid.2:28 build/C/man2/getgroups.2:34 build/C/man2/getpid.2:28 build/C/man2/getpriority.2:51 build/C/man2/getresuid.2:31 build/C/man2/getrlimit.2:67 build/C/man2/getrusage.2:42 build/C/man2/getsid.2:29 build/C/man2/getuid.2:29 build/C/man2/iopl.2:36 build/C/man2/ioprio_set.2:27 build/C/man2/ipc.2:28 build/C/man2/seteuid.2:32 build/C/man2/setfsgid.2:34 build/C/man2/setfsuid.2:34 build/C/man2/setgid.2:32 build/C/man2/setpgid.2:51 build/C/man2/setresuid.2:29 build/C/man2/setreuid.2:48 build/C/man2/setsid.2:33 build/C/man2/setuid.2:33 build/C/man7/svipc.7:30 build/C/man3/ulimit.3:30 #, no-wrap msgid "SYNOPSIS" msgstr "" #. type: Plain text #: build/C/man2/acct.2:38 #, no-wrap msgid "B<#include Eunistd.hE>\n" msgstr "" #. type: Plain text #: build/C/man2/acct.2:40 #, no-wrap msgid "BIB<);>\n" msgstr "" #. type: Plain text #: build/C/man2/acct.2:46 build/C/man2/getgroups.2:48 build/C/man2/getrlimit.2:84 build/C/man2/getsid.2:37 build/C/man2/seteuid.2:44 build/C/man2/setpgid.2:71 build/C/man2/setreuid.2:60 msgid "Feature Test Macro Requirements for glibc (see B(7)):" msgstr "" #. type: Plain text #: build/C/man2/acct.2:50 msgid "B(): _BSD_SOURCE || (_XOPEN_SOURCE && _XOPEN_SOURCE\\ E\\ 500)" msgstr "" #. 
type: SH #: build/C/man2/acct.2:50 build/C/man5/acct.5:30 build/C/man7/capabilities.7:51 build/C/man2/capget.2:24 build/C/man7/cpuset.7:28 build/C/man7/credentials.7:30 build/C/man2/getgid.2:36 build/C/man2/getgroups.2:52 build/C/man2/getpid.2:36 build/C/man2/getpriority.2:59 build/C/man2/getresuid.2:39 build/C/man2/getrlimit.2:88 build/C/man2/getrusage.2:48 build/C/man2/getsid.2:50 build/C/man2/getuid.2:37 build/C/man2/iopl.2:40 build/C/man2/ioprio_set.2:35 build/C/man2/ipc.2:34 build/C/man2/seteuid.2:53 build/C/man2/setfsgid.2:39 build/C/man2/setfsuid.2:39 build/C/man2/setgid.2:38 build/C/man2/setpgid.2:98 build/C/man2/setresuid.2:37 build/C/man2/setreuid.2:70 build/C/man2/setsid.2:40 build/C/man2/setuid.2:39 build/C/man7/svipc.7:36 build/C/man3/ulimit.3:34 #, no-wrap msgid "DESCRIPTION" msgstr "" #. type: Plain text #: build/C/man2/acct.2:59 msgid "" "The B() system call enables or disables process accounting. If " "called with the name of an existing file as its argument, accounting is " "turned on, and records for each terminating process are appended to " "I as it terminates. An argument of NULL causes accounting to be " "turned off." msgstr "" #. type: SH #: build/C/man2/acct.2:59 build/C/man2/capget.2:160 build/C/man2/getgroups.2:92 build/C/man2/getpriority.2:107 build/C/man2/getresuid.2:50 build/C/man2/getrlimit.2:430 build/C/man2/getrusage.2:180 build/C/man2/getsid.2:58 build/C/man2/iopl.2:66 build/C/man2/ioprio_set.2:149 build/C/man2/seteuid.2:67 build/C/man2/setfsgid.2:69 build/C/man2/setfsuid.2:69 build/C/man2/setgid.2:53 build/C/man2/setpgid.2:172 build/C/man2/setresuid.2:64 build/C/man2/setreuid.2:91 build/C/man2/setsid.2:51 build/C/man2/setuid.2:70 build/C/man3/ulimit.3:67 #, no-wrap msgid "RETURN VALUE" msgstr "" #. 
type: Plain text #: build/C/man2/acct.2:64 build/C/man2/capget.2:165 build/C/man2/getresuid.2:55 build/C/man2/getrusage.2:185 build/C/man2/iopl.2:71 build/C/man2/seteuid.2:72 build/C/man2/setgid.2:58 build/C/man2/setresuid.2:69 build/C/man2/setreuid.2:96 build/C/man2/setuid.2:75 msgid "" "On success, zero is returned. On error, -1 is returned, and I is set " "appropriately." msgstr "" #. type: SH #: build/C/man2/acct.2:64 build/C/man2/capget.2:179 build/C/man7/cpuset.7:1100 build/C/man2/getgid.2:42 build/C/man2/getgroups.2:106 build/C/man2/getpid.2:44 build/C/man2/getpriority.2:120 build/C/man2/getresuid.2:55 build/C/man2/getrlimit.2:435 build/C/man2/getrusage.2:185 build/C/man2/getsid.2:63 build/C/man2/getuid.2:43 build/C/man2/iopl.2:71 build/C/man2/ioprio_set.2:169 build/C/man2/seteuid.2:72 build/C/man2/setgid.2:58 build/C/man2/setpgid.2:193 build/C/man2/setresuid.2:69 build/C/man2/setreuid.2:96 build/C/man2/setsid.2:58 build/C/man2/setuid.2:75 build/C/man3/ulimit.3:74 #, no-wrap msgid "ERRORS" msgstr "" #. type: TP #: build/C/man2/acct.2:65 build/C/man7/cpuset.7:1116 build/C/man7/cpuset.7:1123 build/C/man7/cpuset.7:1129 build/C/man7/cpuset.7:1137 build/C/man7/cpuset.7:1144 build/C/man2/getpriority.2:140 build/C/man2/setpgid.2:194 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:76 msgid "" "Write permission is denied for the specified file, or search permission is " "denied for one of the directories in the path prefix of I (see " "also B(7)), or I is not a regular file." msgstr "" #. type: TP #: build/C/man2/acct.2:76 build/C/man2/capget.2:180 build/C/man7/cpuset.7:1172 build/C/man2/getgroups.2:107 build/C/man2/getresuid.2:56 build/C/man2/getrlimit.2:436 build/C/man2/getrusage.2:186 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:80 msgid "I points outside your accessible address space." msgstr "" #. 
type: TP #: build/C/man2/acct.2:80 build/C/man7/cpuset.7:1238 build/C/man7/cpuset.7:1246 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:84 msgid "Error writing to the file I." msgstr "" #. type: TP #: build/C/man2/acct.2:84 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:88 msgid "I is a directory." msgstr "" #. type: TP #: build/C/man2/acct.2:88 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:92 msgid "Too many symbolic links were encountered in resolving I." msgstr "" #. type: TP #: build/C/man2/acct.2:92 build/C/man7/cpuset.7:1251 build/C/man7/cpuset.7:1258 build/C/man7/cpuset.7:1263 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:96 msgid "I was too long." msgstr "" #. type: TP #: build/C/man2/acct.2:96 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:99 msgid "The system limit on the total number of open files has been reached." msgstr "" #. type: TP #: build/C/man2/acct.2:99 build/C/man7/cpuset.7:1275 build/C/man7/cpuset.7:1280 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:102 msgid "The specified filename does not exist." msgstr "" #. type: TP #: build/C/man2/acct.2:102 build/C/man7/cpuset.7:1287 build/C/man2/getgroups.2:127 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:105 build/C/man2/getgroups.2:130 msgid "Out of memory." msgstr "" #. type: TP #: build/C/man2/acct.2:105 build/C/man2/iopl.2:76 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:111 msgid "" "BSD process accounting has not been enabled when the operating system kernel " "was compiled. The kernel configuration parameter controlling this feature " "is B." msgstr "" #. type: TP #: build/C/man2/acct.2:111 build/C/man7/cpuset.7:1314 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:116 msgid "A component used as a directory in I is not in fact a directory." 
msgstr "" #. type: TP #: build/C/man2/acct.2:116 build/C/man2/capget.2:191 build/C/man2/capget.2:196 build/C/man7/cpuset.7:1319 build/C/man2/getgroups.2:130 build/C/man2/getpriority.2:152 build/C/man2/getrlimit.2:452 build/C/man2/getsid.2:64 build/C/man2/iopl.2:79 build/C/man2/ioprio_set.2:179 build/C/man2/seteuid.2:75 build/C/man2/setgid.2:59 build/C/man2/setpgid.2:208 build/C/man2/setresuid.2:77 build/C/man2/setreuid.2:97 build/C/man2/setsid.2:59 build/C/man2/setuid.2:85 build/C/man3/ulimit.3:75 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:122 msgid "" "The calling process has insufficient privilege to enable process " "accounting. On Linux the B capability is required." msgstr "" #. type: TP #: build/C/man2/acct.2:122 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:126 msgid "I refers to a file on a read-only file system." msgstr "" #. type: TP #: build/C/man2/acct.2:126 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/acct.2:129 msgid "There are no more free file structures or we ran out of memory." msgstr "" #. type: SH #: build/C/man2/acct.2:129 build/C/man5/acct.5:153 build/C/man7/capabilities.7:1061 build/C/man2/capget.2:218 build/C/man7/credentials.7:234 build/C/man2/getgid.2:44 build/C/man2/getgroups.2:133 build/C/man2/getpid.2:46 build/C/man2/getpriority.2:160 build/C/man2/getresuid.2:67 build/C/man2/getrlimit.2:473 build/C/man2/getrusage.2:194 build/C/man2/getsid.2:79 build/C/man2/getuid.2:45 build/C/man2/iopl.2:87 build/C/man2/ioprio_set.2:196 build/C/man2/ipc.2:45 build/C/man2/seteuid.2:91 build/C/man2/setfsgid.2:80 build/C/man2/setfsuid.2:80 build/C/man2/setgid.2:66 build/C/man2/setpgid.2:227 build/C/man2/setresuid.2:83 build/C/man2/setreuid.2:113 build/C/man2/setsid.2:65 build/C/man2/setuid.2:92 build/C/man3/ulimit.3:78 #, no-wrap msgid "CONFORMING TO" msgstr "" #. SVr4 documents an EBUSY error condition, but no EISDIR or ENOSYS. #. 
Also AIX and HP-UX document EBUSY (attempt is made #. to enable accounting when it is already enabled), as does Solaris #. (attempt is made to enable accounting using the same file that is #. currently being used). #. type: Plain text #: build/C/man2/acct.2:136 msgid "SVr4, 4.3BSD (but not POSIX)." msgstr "" #. type: SH #: build/C/man2/acct.2:136 build/C/man5/acct.5:157 build/C/man7/capabilities.7:1067 build/C/man2/capget.2:220 build/C/man7/cpuset.7:1341 build/C/man7/credentials.7:240 build/C/man2/getgid.2:46 build/C/man2/getgroups.2:141 build/C/man2/getpid.2:48 build/C/man2/getpriority.2:163 build/C/man2/getresuid.2:70 build/C/man2/getrlimit.2:496 build/C/man2/getrusage.2:205 build/C/man2/getsid.2:81 build/C/man2/getuid.2:47 build/C/man2/iopl.2:91 build/C/man2/ioprio_set.2:198 build/C/man2/ipc.2:49 build/C/man2/seteuid.2:93 build/C/man2/setfsgid.2:84 build/C/man2/setfsuid.2:84 build/C/man2/setgid.2:68 build/C/man2/setpgid.2:249 build/C/man2/setresuid.2:86 build/C/man2/setreuid.2:119 build/C/man2/setsid.2:67 build/C/man2/setuid.2:97 #, no-wrap msgid "NOTES" msgstr "" #. type: Plain text #: build/C/man2/acct.2:139 msgid "" "No accounting is produced for programs running when a system crash occurs. " "In particular, nonterminating processes are never accounted for." msgstr "" #. type: Plain text #: build/C/man2/acct.2:142 msgid "" "The structure of the records written to the accounting file is described in " "B(5)." msgstr "" #. 
type: SH #: build/C/man2/acct.2:142 build/C/man5/acct.5:174 build/C/man7/capabilities.7:1123 build/C/man2/capget.2:228 build/C/man7/cpuset.7:1488 build/C/man7/credentials.7:251 build/C/man2/getgid.2:62 build/C/man2/getgroups.2:171 build/C/man2/getpid.2:100 build/C/man2/getpriority.2:232 build/C/man2/getresuid.2:86 build/C/man2/getrlimit.2:656 build/C/man2/getrusage.2:245 build/C/man2/getsid.2:84 build/C/man2/getuid.2:73 build/C/man2/iopl.2:100 build/C/man2/ioprio_set.2:346 build/C/man2/ipc.2:57 build/C/man2/seteuid.2:124 build/C/man2/setfsgid.2:112 build/C/man2/setfsuid.2:112 build/C/man2/setgid.2:78 build/C/man2/setpgid.2:317 build/C/man2/setresuid.2:106 build/C/man2/setreuid.2:159 build/C/man2/setsid.2:84 build/C/man2/setuid.2:120 build/C/man7/svipc.7:318 build/C/man3/ulimit.3:83 #, no-wrap msgid "SEE ALSO" msgstr "" #. type: Plain text #: build/C/man2/acct.2:144 msgid "B(5)" msgstr "" #. type: SH #: build/C/man2/acct.2:144 build/C/man5/acct.5:179 build/C/man7/capabilities.7:1143 build/C/man2/capget.2:232 build/C/man7/cpuset.7:1505 build/C/man7/credentials.7:282 build/C/man2/getgid.2:67 build/C/man2/getgroups.2:178 build/C/man2/getpid.2:110 build/C/man2/getpriority.2:240 build/C/man2/getresuid.2:92 build/C/man2/getrlimit.2:674 build/C/man2/getrusage.2:252 build/C/man2/getsid.2:88 build/C/man2/getuid.2:78 build/C/man2/iopl.2:104 build/C/man2/ioprio_set.2:354 build/C/man2/ipc.2:70 build/C/man2/seteuid.2:131 build/C/man2/setfsgid.2:117 build/C/man2/setfsuid.2:117 build/C/man2/setgid.2:84 build/C/man2/setpgid.2:324 build/C/man2/setresuid.2:115 build/C/man2/setreuid.2:167 build/C/man2/setsid.2:91 build/C/man2/setuid.2:127 build/C/man7/svipc.7:335 build/C/man3/ulimit.3:88 #, no-wrap msgid "COLOPHON" msgstr "" #. 
type: Plain text #: build/C/man2/acct.2:151 build/C/man5/acct.5:186 build/C/man7/capabilities.7:1150 build/C/man2/capget.2:239 build/C/man7/cpuset.7:1512 build/C/man7/credentials.7:289 build/C/man2/getgid.2:74 build/C/man2/getgroups.2:185 build/C/man2/getpid.2:117 build/C/man2/getpriority.2:247 build/C/man2/getresuid.2:99 build/C/man2/getrlimit.2:681 build/C/man2/getrusage.2:259 build/C/man2/getsid.2:95 build/C/man2/getuid.2:85 build/C/man2/iopl.2:111 build/C/man2/ioprio_set.2:361 build/C/man2/ipc.2:77 build/C/man2/seteuid.2:138 build/C/man2/setfsgid.2:124 build/C/man2/setfsuid.2:124 build/C/man2/setgid.2:91 build/C/man2/setpgid.2:331 build/C/man2/setresuid.2:122 build/C/man2/setreuid.2:174 build/C/man2/setsid.2:98 build/C/man2/setuid.2:134 build/C/man7/svipc.7:342 build/C/man3/ulimit.3:95 msgid "" "This page is part of release 3.50 of the Linux I project. A " "description of the project, and information about reporting bugs, can be " "found at http://www.kernel.org/doc/man-pages/." msgstr "" #. type: TH #: build/C/man5/acct.5:25 #, no-wrap msgid "2008-06-15" msgstr "" #. type: Plain text #: build/C/man5/acct.5:28 msgid "acct - process accounting file" msgstr "" #. type: Plain text #: build/C/man5/acct.5:30 msgid "B<#include Esys/acct.hE>" msgstr "" #. type: Plain text #: build/C/man5/acct.5:36 msgid "" "If the kernel is built with the process accounting option enabled " "(B), then calling B(2) starts process " "accounting, for example:" msgstr "" #. type: Plain text #: build/C/man5/acct.5:39 msgid "acct(\"/var/log/pacct\");" msgstr "" #. type: Plain text #: build/C/man5/acct.5:47 msgid "" "When process accounting is enabled, the kernel writes a record to the " "accounting file as each process on the system terminates. This record " "contains information about the terminated process, and is defined in " "Isys/acct.hE> as follows:" msgstr "" #. type: Plain text #: build/C/man5/acct.5:51 #, no-wrap msgid "#define ACCT_COMM 16\n" msgstr "" #. 
type: Plain text #: build/C/man5/acct.5:53 #, no-wrap msgid "typedef u_int16_t comp_t;\n" msgstr "" #. type: Plain text #: build/C/man5/acct.5:77 #, no-wrap msgid "" "struct acct {\n" " char ac_flag; /* Accounting flags */\n" " u_int16_t ac_uid; /* Accounting user ID */\n" " u_int16_t ac_gid; /* Accounting group ID */\n" " u_int16_t ac_tty; /* Controlling terminal */\n" " u_int32_t ac_btime; /* Process creation time\n" " (seconds since the Epoch) */\n" " comp_t ac_utime; /* User CPU time */\n" " comp_t ac_stime; /* System CPU time */\n" " comp_t ac_etime; /* Elapsed time */\n" " comp_t ac_mem; /* Average memory usage (kB) */\n" " comp_t ac_io; /* Characters transferred (unused) */\n" " comp_t ac_rw; /* Blocks read or written (unused) */\n" " comp_t ac_minflt; /* Minor page faults */\n" " comp_t ac_majflt; /* Major page faults */\n" " comp_t ac_swaps; /* Number of swaps (unused) */\n" " u_int32_t ac_exitcode; /* Process termination status\n" " (see wait(2)) */\n" " char ac_comm[ACCT_COMM+1];\n" " /* Command name (basename of last\n" " executed command; null-terminated) */\n" " char ac_pad[I]; /* padding bytes */\n" "};\n" msgstr "" #. type: Plain text #: build/C/man5/acct.5:84 #, no-wrap msgid "" "enum { /* Bits that may be set in ac_flag field */\n" " AFORK = 0x01, /* Has executed fork, but no exec */\n" " ASU = 0x02, /* Used superuser privileges */\n" " ACORE = 0x08, /* Dumped core */\n" " AXSIG = 0x10 /* Killed by a signal */\n" "};\n" msgstr "" #. type: Plain text #: build/C/man5/acct.5:94 msgid "" "The I data type is a floating-point value consisting of a 3-bit, " "base-8 exponent, and a 13-bit mantissa. A value, I, of this type can be " "converted to a (long) integer as follows:" msgstr "" #. type: Plain text #: build/C/man5/acct.5:97 #, no-wrap msgid " v = (c & 0x1fff) EE (((c EE 13) & 0x7) * 3);\n" msgstr "" #. 
type: Plain text #: build/C/man5/acct.5:107 msgid "" "The I, I, and I fields measure time in \"clock " "ticks\"; divide these values by I to convert them to " "seconds." msgstr "" #. type: SS #: build/C/man5/acct.5:107 #, no-wrap msgid "Version 3 accounting file format" msgstr "" #. type: Plain text #: build/C/man5/acct.5:122 msgid "" "Since kernel 2.6.8, an optional alternative version of the accounting file " "can be produced if the B option is set when " "building the kernel. With this option is set, the records written to the " "accounting file contain additional fields, and the width of I and " "I fields is widened from 16 to 32 bits (in line with the increased " "size of UID and GIDs in Linux 2.4 and later). The records are defined as " "follows:" msgstr "" #. type: Plain text #: build/C/man5/acct.5:147 #, no-wrap msgid "" "struct acct_v3 {\n" " char ac_flag; /* Flags */\n" " char ac_version; /* Always set to ACCT_VERSION (3) */\n" " u_int16_t ac_tty; /* Controlling terminal */\n" " u_int32_t ac_exitcode; /* Process termination status */\n" " u_int32_t ac_uid; /* Real user ID */\n" " u_int32_t ac_gid; /* Real group ID */\n" " u_int32_t ac_pid; /* Process ID */\n" " u_int32_t ac_ppid; /* Parent process ID */\n" " u_int32_t ac_btime; /* Process creation time */\n" " float ac_etime; /* Elapsed time */\n" " comp_t ac_utime; /* User CPU time */\n" " comp_t ac_stime; /* System time */\n" " comp_t ac_mem; /* Average memory usage (kB) */\n" " comp_t ac_io; /* Characters transferred (unused) */\n" " comp_t ac_rw; /* Blocks read or written\n" " (unused) */\n" " comp_t ac_minflt; /* Minor page faults */\n" " comp_t ac_majflt; /* Major page faults */\n" " comp_t ac_swaps; /* Number of swaps (unused) */\n" " char ac_comm[ACCT_COMM]; /* Command name */\n" "};\n" msgstr "" #. 
type: SH #: build/C/man5/acct.5:149 build/C/man7/cpuset.7:1338 build/C/man2/getresuid.2:60 build/C/man2/getrlimit.2:468 build/C/man2/getsid.2:75 build/C/man2/ioprio_set.2:193 build/C/man2/setfsgid.2:76 build/C/man2/setfsuid.2:76 build/C/man2/setresuid.2:81 #, no-wrap msgid "VERSIONS" msgstr "" #. type: Plain text #: build/C/man5/acct.5:153 msgid "The I structure is defined in glibc since version 2.6." msgstr "" #. type: Plain text #: build/C/man5/acct.5:157 msgid "" "Process accounting originated on BSD. Although it is present on most " "systems, it is not standardized, and the details vary somewhat between " "systems." msgstr "" #. type: Plain text #: build/C/man5/acct.5:160 msgid "" "Records in the accounting file are ordered by termination time of the " "process." msgstr "" #. type: Plain text #: build/C/man5/acct.5:167 msgid "" "In kernels up to and including 2.6.9, a separate accounting record is " "written for each thread created using the NPTL threading library; since " "Linux 2.6.10, a single accounting record is written for the entire process " "on termination of the last thread in the process." msgstr "" #. type: Plain text #: build/C/man5/acct.5:174 msgid "" "The I file, described in B(5), defines settings " "that control the behavior of process accounting when disk space runs low." msgstr "" #. type: Plain text #: build/C/man5/acct.5:179 msgid "B(1), B(2), B(8), B(8)" msgstr "" #. type: TH #: build/C/man7/capabilities.7:48 #, no-wrap msgid "CAPABILITIES" msgstr "" #. type: TH #: build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 #, no-wrap msgid "2013-03-11" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:51 msgid "capabilities - overview of Linux capabilities" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:63 msgid "" "For the purpose of performing permission checks, traditional UNIX " "implementations distinguish two categories of processes: I " "processes (whose effective user ID is 0, referred to as superuser or root), " "and I processes (whose effective UID is nonzero). Privileged " "processes bypass all kernel permission checks, while unprivileged processes " "are subject to full permission checking based on the process's credentials " "(usually: effective UID, effective GID, and supplementary group list)." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:70 msgid "" "Starting with kernel 2.2, Linux divides the privileges traditionally " "associated with superuser into distinct units, known as I, " "which can be independently enabled and disabled. Capabilities are a " "per-thread attribute." msgstr "" #. type: SS #: build/C/man7/capabilities.7:70 #, no-wrap msgid "Capabilities list" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:73 msgid "" "The following list shows the capabilities implemented on Linux, and the " "operations or behaviors that each capability permits:" msgstr "" #. type: TP #: build/C/man7/capabilities.7:73 #, no-wrap msgid "B (since Linux 2.6.11)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:77 msgid "" "Enable and disable kernel auditing; change auditing filter rules; retrieve " "auditing status and filtering rules." msgstr "" #. type: TP #: build/C/man7/capabilities.7:77 #, no-wrap msgid "B (since Linux 2.6.11)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:80 msgid "Write records to kernel auditing log." msgstr "" #. type: TP #: build/C/man7/capabilities.7:80 #, no-wrap msgid "B (since Linux 3.5)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:86 msgid "" "Employ features that can block system suspend (B(7) B, " "I)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:86 #, no-wrap msgid "B" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:90 msgid "Make arbitrary changes to file UIDs and GIDs (see B(2))." msgstr "" #. type: TP #: build/C/man7/capabilities.7:90 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:94 msgid "" "Bypass file read, write, and execute permission checks. (DAC is an " "abbreviation of \"discretionary access control\".)" msgstr "" #. type: TP #: build/C/man7/capabilities.7:94 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:98 msgid "" "Bypass file read permission checks and directory read and execute permission " "checks." msgstr "" #. type: TP #: build/C/man7/capabilities.7:98 #, no-wrap msgid "B" msgstr "" #. type: IP #: build/C/man7/capabilities.7:102 build/C/man7/capabilities.7:112 build/C/man7/capabilities.7:116 build/C/man7/capabilities.7:118 build/C/man7/capabilities.7:120 build/C/man7/capabilities.7:190 build/C/man7/capabilities.7:192 build/C/man7/capabilities.7:194 build/C/man7/capabilities.7:196 build/C/man7/capabilities.7:198 build/C/man7/capabilities.7:200 build/C/man7/capabilities.7:202 build/C/man7/capabilities.7:204 build/C/man7/capabilities.7:206 build/C/man7/capabilities.7:230 build/C/man7/capabilities.7:232 build/C/man7/capabilities.7:278 build/C/man7/capabilities.7:288 build/C/man7/capabilities.7:294 build/C/man7/capabilities.7:299 build/C/man7/capabilities.7:305 build/C/man7/capabilities.7:312 build/C/man7/capabilities.7:315 build/C/man7/capabilities.7:323 build/C/man7/capabilities.7:325 build/C/man7/capabilities.7:334 build/C/man7/capabilities.7:341 build/C/man7/capabilities.7:344 build/C/man7/capabilities.7:348 build/C/man7/capabilities.7:351 build/C/man7/capabilities.7:354 build/C/man7/capabilities.7:361 build/C/man7/capabilities.7:366 build/C/man7/capabilities.7:372 build/C/man7/capabilities.7:376 build/C/man7/capabilities.7:380 build/C/man7/capabilities.7:384 build/C/man7/capabilities.7:388 build/C/man7/capabilities.7:415 
build/C/man7/capabilities.7:420 build/C/man7/capabilities.7:425 build/C/man7/capabilities.7:428 build/C/man7/capabilities.7:431 build/C/man7/capabilities.7:440 build/C/man7/capabilities.7:444 build/C/man7/capabilities.7:470 build/C/man7/capabilities.7:475 build/C/man7/capabilities.7:478 build/C/man7/capabilities.7:483 build/C/man7/capabilities.7:486 build/C/man7/capabilities.7:489 build/C/man7/capabilities.7:492 build/C/man7/capabilities.7:495 build/C/man7/capabilities.7:500 build/C/man7/capabilities.7:502 build/C/man7/capabilities.7:508 build/C/man7/capabilities.7:516 build/C/man7/capabilities.7:518 build/C/man7/capabilities.7:522 build/C/man7/capabilities.7:524 build/C/man7/capabilities.7:527 build/C/man7/capabilities.7:531 build/C/man7/capabilities.7:533 build/C/man7/capabilities.7:535 build/C/man7/capabilities.7:537 build/C/man7/capabilities.7:546 build/C/man7/capabilities.7:553 build/C/man7/capabilities.7:558 build/C/man7/capabilities.7:563 build/C/man7/capabilities.7:590 build/C/man7/capabilities.7:597 build/C/man7/capabilities.7:788 build/C/man7/capabilities.7:796 build/C/man7/capabilities.7:1112 build/C/man7/capabilities.7:1117 build/C/man7/cpuset.7:540 build/C/man7/cpuset.7:545 build/C/man7/cpuset.7:550 build/C/man7/cpuset.7:726 build/C/man7/cpuset.7:730 build/C/man7/cpuset.7:927 build/C/man7/cpuset.7:930 build/C/man7/cpuset.7:934 build/C/man7/cpuset.7:938 build/C/man7/cpuset.7:942 build/C/man7/credentials.7:125 build/C/man7/credentials.7:131 build/C/man7/credentials.7:143 build/C/man7/credentials.7:165 build/C/man7/credentials.7:182 build/C/man7/credentials.7:214 build/C/man7/credentials.7:217 build/C/man7/credentials.7:227 build/C/man7/credentials.7:230 #, no-wrap msgid "*" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:112 msgid "" "Bypass permission checks on operations that normally require the file system " "UID of the process to match the UID of the file (e.g., B(2), " "B(2)), excluding those operations covered by B and " "B;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:116 msgid "set extended file attributes (see B(1)) on arbitrary files;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:118 msgid "set Access Control Lists (ACLs) on arbitrary files;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:120 msgid "ignore directory sticky bit on file deletion;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:127 msgid "specify B for arbitrary files in B(2) and B(2)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:129 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:135 msgid "" "Don't clear set-user-ID and set-group-ID permission bits when a file is " "modified; set the set-group-ID bit for a file whose GID does not match the " "file system or any of the supplementary GIDs of the calling process." msgstr "" #. type: TP #: build/C/man7/capabilities.7:135 #, no-wrap msgid "B" msgstr "" #. FIXME As at Linux 3.2, there are some strange uses of this capability #. in other places; they probably should be replaced with something else. #. type: Plain text #: build/C/man7/capabilities.7:144 msgid "Lock memory (B(2), B(2), B(2), B(2))." msgstr "" #. type: TP #: build/C/man7/capabilities.7:144 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:147 msgid "Bypass permission checks for operations on System V IPC objects." msgstr "" #. type: TP #: build/C/man7/capabilities.7:147 #, no-wrap msgid "B" msgstr "" #. FIXME CAP_KILL also has an effect for threads + setting child #. termination signal to other than SIGCHLD: without this #. capability, the termination signal reverts to SIGCHLD #. if the child does an exec(). 
What is the rationale #. for this? #. type: Plain text #: build/C/man7/capabilities.7:160 msgid "" "Bypass permission checks for sending signals (see B(2)). This " "includes use of the B(2) B operation." msgstr "" #. type: TP #: build/C/man7/capabilities.7:160 #, no-wrap msgid "B (since Linux 2.4)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:164 msgid "Establish leases on arbitrary files (see B(2))." msgstr "" #. type: TP #: build/C/man7/capabilities.7:164 #, no-wrap msgid "B" msgstr "" #. These attributes are now available on ext2, ext3, Reiserfs, XFS, JFS #. type: Plain text #: build/C/man7/capabilities.7:173 msgid "" "Set the B and B i-node flags (see " "B(1))." msgstr "" #. type: TP #: build/C/man7/capabilities.7:173 #, no-wrap msgid "B (since Linux 2.6.25)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:177 msgid "" "Override Mandatory Access Control (MAC). Implemented for the Smack Linux " "Security Module (LSM)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:177 #, no-wrap msgid "B (since Linux 2.6.25)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:181 msgid "Allow MAC configuration or state changes. Implemented for the Smack LSM." msgstr "" #. type: TP #: build/C/man7/capabilities.7:181 #, no-wrap msgid "B (since Linux 2.4)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:185 msgid "Create special files using B(2)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:185 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:188 msgid "Perform various network-related operations:" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:192 msgid "interface configuration;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:194 msgid "administration of IP firewall, masquerading, and accounting" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:196 msgid "modify routing tables;" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:198 msgid "bind to any address for transparent proxying;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:200 msgid "set type-of-service (TOS)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:202 msgid "clear driver statistics;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:204 msgid "set promiscuous mode;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:206 msgid "enabling multicasting;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:217 msgid "" "use B(2) to set the following socket options: B, " "B, B (for a priority outside the range 0 to 6), " "B, and B." msgstr "" #. type: TP #: build/C/man7/capabilities.7:219 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:223 msgid "" "Bind a socket to Internet domain privileged ports (port numbers less than " "1024)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:223 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:226 msgid "(Unused) Make socket broadcasts, and listen to multicasts." msgstr "" #. type: TP #: build/C/man7/capabilities.7:226 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:232 msgid "use RAW and PACKET sockets;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:234 msgid "bind to any address for transparent proxying." msgstr "" #. type: TP #: build/C/man7/capabilities.7:237 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:241 msgid "" "Make arbitrary manipulations of process GIDs and supplementary GID list; " "forge GID when passing socket credentials via UNIX domain sockets." msgstr "" #. type: TP #: build/C/man7/capabilities.7:241 #, no-wrap msgid "B (since Linux 2.6.24)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:244 msgid "Set file capabilities." msgstr "" #. 
type: TP #: build/C/man7/capabilities.7:244 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:255 msgid "" "If file capabilities are not supported: grant or remove any capability in " "the caller's permitted capability set to or from any other process. (This " "property of B is not available when the kernel is configured to " "support file capabilities, since B has entirely different " "semantics for such kernels.)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:265 msgid "" "If file capabilities are supported: add any capability from the calling " "thread's bounding set to its inheritable set; drop capabilities from the " "bounding set (via B(2) B); make changes to the " "I flags." msgstr "" #. type: TP #: build/C/man7/capabilities.7:265 #, no-wrap msgid "B" msgstr "" #. FIXME CAP_SETUID also an effect in exec(); document this. #. type: Plain text #: build/C/man7/capabilities.7:274 msgid "" "Make arbitrary manipulations of process UIDs (B(2), B(2), " "B(2), B(2)); make forged UID when passing socket " "credentials via UNIX domain sockets." msgstr "" #. type: TP #: build/C/man7/capabilities.7:274 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:288 msgid "" "Perform a range of system administration operations including: " "B(2), B(2), B(2), B(2), B(2), " "B(2), and B(2);" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:294 msgid "" "perform privileged B(2) operations (since Linux 2.6.37, " "B should be used to permit such operations);" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:299 msgid "perform B B(2) command;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:305 msgid "" "perform B and B operations on arbitrary System V IPC " "objects;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:312 msgid "" "perform operations on I and I Extended Attributes (see " "B(5));" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:315 msgid "use B(2);" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:323 msgid "" "use B(2) to assign B and (before Linux 2.6.25) " "B I/O scheduling classes;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:325 msgid "forge UID when passing socket credentials;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:334 msgid "" "exceed I, the system-wide limit on the number of open " "files, in system calls that open files (e.g., B(2), B(2), " "B(2), B(2));" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:341 msgid "" "employ B flags that create new namespaces with B(2) and " "B(2);" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:344 msgid "call B(2);" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:348 msgid "access privileged I event information;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:351 msgid "call B(2);" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:354 msgid "call B(2);" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:361 msgid "perform B and B B(2) operations;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:366 msgid "perform B(2) B operation;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:372 msgid "" "employ the B B(2) to insert characters into the input queue " "of a terminal other than the caller's controlling terminal." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:376 msgid "employ the obsolete B(2) system call;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:380 msgid "employ the obsolete B(2) system call;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:384 msgid "perform various privileged block-device B(2) operations;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:388 msgid "perform various privileged file-system B(2) operations;" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:390 msgid "perform administrative operations on many device drivers." msgstr "" #. type: TP #: build/C/man7/capabilities.7:392 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:398 msgid "Use B(2) and B(2)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:398 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:402 msgid "Use B(2)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:402 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:411 msgid "" "Load and unload kernel modules (see B(2) and " "B(2)); in kernels before 2.6.25: drop capabilities from the " "system-wide capability bounding set." msgstr "" #. type: TP #: build/C/man7/capabilities.7:411 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:420 msgid "" "Raise process nice value (B(2), B(2)) and change the " "nice value for arbitrary processes;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:425 msgid "" "set real-time scheduling policies for calling process, and set scheduling " "policies and priorities for arbitrary processes (B(2), " "B(2));" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:428 msgid "set CPU affinity for arbitrary processes (B(2));" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:431 msgid "" "set I/O scheduling class and priority for arbitrary processes " "(B(2));" msgstr "" #. FIXME CAP_SYS_NICE also has the following effect for #. migrate_pages(2): #. do_migrate_pages(mm, &old, &new, #. capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE); #. type: Plain text #: build/C/man7/capabilities.7:440 msgid "" "apply B(2) to arbitrary processes and allow processes to be " "migrated to arbitrary nodes;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:444 msgid "apply B(2) to arbitrary processes;" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:451 msgid "use the B flag with B(2) and B(2)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:453 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:457 msgid "Use B(2)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:457 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:466 msgid "" "Trace arbitrary processes using B(2); apply B(2) " "to arbitrary processes; inspect processes using B(2)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:466 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:475 msgid "Perform I/O port operations (B(2) and B(2));" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:478 msgid "access I;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:483 msgid "employ the B B(2) operation;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:486 msgid "" "open devices for accessing x86 model-specific registers (MSRs, see " "B(4))" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:489 msgid "update I;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:492 msgid "" "create memory mappings at addresses below the value specified by " "I;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:495 msgid "map files in I;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:500 msgid "open I and I;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:502 msgid "perform various SCSI device commands;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:508 msgid "perform certain operations on B(4) and B(4) devices;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:510 msgid "perform a range of device-specific operations on other devices." msgstr "" #. type: TP #: build/C/man7/capabilities.7:512 #, no-wrap msgid "B" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:518 msgid "Use reserved space on ext2 file systems;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:522 msgid "make B(2) calls controlling ext3 journaling;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:524 msgid "override disk quota limits;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:527 msgid "increase resource limits (see B(2));" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:531 msgid "override B resource limit;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:533 msgid "override maximum number of consoles on console allocation;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:535 msgid "override maximum number of keymaps;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:537 msgid "allow more than 64hz interrupts from the real-time clock;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:546 msgid "" "raise I limit for a System V message queue above the limit in " "I (see B(2) and B(2));" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:553 msgid "" "override the I limit when setting the capacity " "of a pipe using the B B(2) command." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:558 msgid "" "use B to increase the capacity of a pipe above the limit " "specified by I;" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:563 msgid "" "override I limit when creating POSIX message " "queues (see B(7));" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:572 msgid "" "employ B(2) B operation; set I " "to a value lower than the value last set by a process with " "B." msgstr "" #. type: TP #: build/C/man7/capabilities.7:574 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:581 msgid "" "Set system clock (B(2), B(2), B(2)); set " "real-time (hardware) clock." msgstr "" #. 
type: TP #: build/C/man7/capabilities.7:581 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:588 msgid "" "Use B(2); employ various privileged B(2) operations on " "virtual terminals." msgstr "" #. type: TP #: build/C/man7/capabilities.7:588 #, no-wrap msgid "B (since Linux 2.6.37)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:597 msgid "" "Perform privileged B(2) operations. See B(2) for " "information on which operations require privilege." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:607 msgid "" "View kernel addresses exposed via I and other interfaces when " "I has the value 1. (See the discussion of " "the I in B(5).)" msgstr "" #. type: TP #: build/C/man7/capabilities.7:607 #, no-wrap msgid "B (since Linux 3.0)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:615 msgid "" "Trigger something that will wake up the system (set B " "and B timers)." msgstr "" #. type: SS #: build/C/man7/capabilities.7:615 #, no-wrap msgid "Past and current implementation" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:617 msgid "A full implementation of capabilities requires that:" msgstr "" #. type: IP #: build/C/man7/capabilities.7:617 build/C/man7/capabilities.7:760 build/C/man7/capabilities.7:907 build/C/man7/capabilities.7:960 #, no-wrap msgid "1." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:621 msgid "" "For all privileged operations, the kernel must check whether the thread has " "the required capability in its effective set." msgstr "" #. type: IP #: build/C/man7/capabilities.7:621 build/C/man7/capabilities.7:765 build/C/man7/capabilities.7:913 build/C/man7/capabilities.7:966 #, no-wrap msgid "2." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:624 msgid "" "The kernel must provide system calls allowing a thread's capability sets to " "be changed and retrieved." msgstr "" #. 
type: IP #: build/C/man7/capabilities.7:624 build/C/man7/capabilities.7:916 build/C/man7/capabilities.7:970 #, no-wrap msgid "3." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:627 msgid "" "The file system must support attaching capabilities to an executable file, " "so that a process gains those capabilities when the file is executed." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:631 msgid "" "Before kernel 2.6.24, only the first two of these requirements are met; " "since kernel 2.6.24, all three requirements are met." msgstr "" #. type: SS #: build/C/man7/capabilities.7:631 #, no-wrap msgid "Thread capability sets" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:634 msgid "" "Each thread has three capability sets containing zero or more of the above " "capabilities:" msgstr "" #. type: TP #: build/C/man7/capabilities.7:634 #, no-wrap msgid "I:" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:642 msgid "" "This is a limiting superset for the effective capabilities that the thread " "may assume. It is also a limiting superset for the capabilities that may be " "added to the inheritable set by a thread that does not have the " "B capability in its effective set." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:648 msgid "" "If a thread drops a capability from its permitted set, it can never " "reacquire that capability (unless it B(2)s either a set-user-ID-root " "program, or a program whose associated file capabilities grant that " "capability)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:648 #, no-wrap msgid "I:" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:655 msgid "" "This is a set of capabilities preserved across an B(2). It provides " "a mechanism for a process to assign capabilities to the permitted set of the " "new program during an B(2)." msgstr "" #. type: TP #: build/C/man7/capabilities.7:655 build/C/man7/capabilities.7:697 #, no-wrap msgid "I:" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:659 msgid "" "This is the set of capabilities used by the kernel to perform permission " "checks for the thread." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:665 msgid "" "A child created via B(2) inherits copies of its parent's capability " "sets. See below for a discussion of the treatment of capabilities during " "B(2)." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:670 msgid "" "Using B(2), a thread may manipulate its own capability sets (see " "below)." msgstr "" #. type: SS #: build/C/man7/capabilities.7:670 #, no-wrap msgid "File capabilities" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:685 msgid "" "Since kernel 2.6.24, the kernel supports associating capability sets with an " "executable file using B(8). The file capability sets are stored in " "an extended attribute (see B(2)) named I. " "Writing to this extended attribute requires the B capability. " "The file capability sets, in conjunction with the capability sets of the " "thread, determine the capabilities of a thread after an B(2)." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:687 msgid "The three file capability sets are:" msgstr "" #. type: TP #: build/C/man7/capabilities.7:687 #, no-wrap msgid "I (formerly known as I):" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:691 msgid "" "These capabilities are automatically permitted to the thread, regardless of " "the thread's inheritable capabilities." msgstr "" #. type: TP #: build/C/man7/capabilities.7:691 #, no-wrap msgid "I (formerly known as I):" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:697 msgid "" "This set is ANDed with the thread's inheritable set to determine which " "inheritable capabilities are enabled in the permitted set of the thread " "after the B(2)." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:707 msgid "" "This is not a set, but rather just a single bit. 
If this bit is set, then " "during an B(2) all of the new permitted capabilities for the thread " "are also raised in the effective set. If this bit is not set, then after an " "B(2), none of the new permitted capabilities is in the new effective " "set." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:723 msgid "" "Enabling the file effective capability bit implies that any file permitted " "or inheritable capability that causes a thread to acquire the corresponding " "permitted capability during an B(2) (see the transformation rules " "described below) will also acquire that capability in its effective set. " "Therefore, when assigning capabilities to a file (B(8), " "B(3), B(3)), if we specify the effective flag as " "being enabled for any capability, then the effective flag must also be " "specified as enabled for all other capabilities for which the corresponding " "permitted or inheritable flag is enabled." msgstr "" #. type: SS #: build/C/man7/capabilities.7:723 #, no-wrap msgid "Transformation of capabilities during execve()" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:729 msgid "" "During an B(2), the kernel calculates the new capabilities of the " "process using the following algorithm:" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:734 #, no-wrap msgid "" "P'(permitted) = (P(inheritable) & F(inheritable)) |\n" " (F(permitted) & cap_bset)\n" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:736 #, no-wrap msgid "P'(effective) = F(effective) ? P'(permitted) : 0\n" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:738 #, no-wrap msgid "P'(inheritable) = P(inheritable) [i.e., unchanged]\n" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:742 msgid "where:" msgstr "" #. type: IP #: build/C/man7/capabilities.7:743 #, no-wrap msgid "P" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:746 msgid "denotes the value of a thread capability set before the B(2)" msgstr "" #.
type: IP #: build/C/man7/capabilities.7:746 #, no-wrap msgid "P'" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:749 msgid "denotes the value of a capability set after the B(2)" msgstr "" #. type: IP #: build/C/man7/capabilities.7:749 #, no-wrap msgid "F" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:751 msgid "denotes a file capability set" msgstr "" #. type: IP #: build/C/man7/capabilities.7:751 #, no-wrap msgid "cap_bset" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:753 msgid "is the value of the capability bounding set (described below)." msgstr "" #. type: SS #: build/C/man7/capabilities.7:755 #, no-wrap msgid "Capabilities and execution of programs by root" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:760 msgid "" "In order to provide an all-powerful I using capability sets, during an " "B(2):" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:765 msgid "" "If a set-user-ID-root program is being executed, or the real user ID of the " "process is 0 (root) then the file inheritable and permitted sets are " "defined to be all ones (i.e., all capabilities enabled)." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:768 msgid "" "If a set-user-ID-root program is being executed, then the file effective bit " "is defined to be one (enabled)." msgstr "" #. If a process with real UID 0, and nonzero effective UID does an #. exec(), then it gets all capabilities in its #. permitted set, and no effective capabilities #. type: Plain text #: build/C/man7/capabilities.7:783 msgid "" "The upshot of the above rules, combined with the capabilities " "transformations described above, is that when a process B(2)s a " "set-user-ID-root program, or when a process with an effective UID of 0 " "B(2)s a program, it gains all capabilities in its permitted and " "effective capability sets, except those masked out by the capability " "bounding set. 
This provides semantics that are the same as those provided " "by traditional UNIX systems." msgstr "" #. type: SS #: build/C/man7/capabilities.7:783 #, no-wrap msgid "Capability bounding set" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:788 msgid "" "The capability bounding set is a security mechanism that can be used to " "limit the capabilities that can be gained during an B(2). The " "bounding set is used in the following ways:" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:796 msgid "" "During an B(2), the capability bounding set is ANDed with the file " "permitted capability set, and the result of this operation is assigned to " "the thread's permitted capability set. The capability bounding set thus " "places a limit on the permitted capabilities that may be granted by an " "executable file." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:808 msgid "" "(Since Linux 2.6.25) The capability bounding set acts as a limiting " "superset for the capabilities that a thread can add to its inheritable set " "using B(2). This means that if a capability is not in the bounding " "set, then a thread can't add this capability to its inheritable set, even if " "it was in its permitted capabilities, and thereby cannot have this " "capability preserved in its permitted set when it B(2)s a file that " "has the capability in its inheritable set." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:815 msgid "" "Note that the bounding set masks the file permitted capabilities, but not " "the inherited capabilities. If a thread maintains a capability in its " "inherited set that is not in its bounding set, then it can still gain that " "capability in its permitted set by executing a file that has the capability " "in its inherited set." msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:818 msgid "" "Depending on the kernel version, the capability bounding set is either a " "system-wide attribute, or a per-process attribute." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:820 msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:828 msgid "" "In kernels before 2.6.25, the capability bounding set is a system-wide " "attribute that affects all threads on the system. The bounding set is " "accessible via the file I. (Confusingly, this " "bit mask parameter is expressed as a signed decimal number in " "I.)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:835 msgid "" "Only the B process may set capabilities in the capability bounding " "set; other than that, the superuser (more precisely: programs with the " "B capability) may only clear capabilities from this set." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:844 msgid "" "On a standard system the capability bounding set always masks out the " "B capability. To remove this restriction (dangerous!), modify " "the definition of B in I and " "rebuild the kernel." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:848 msgid "" "The system-wide capability bounding set feature was added to Linux starting " "with kernel version 2.2.11." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:850 msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:855 msgid "" "From Linux 2.6.25, the I is a per-thread " "attribute. (There is no longer a system-wide capability bounding set.)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:860 msgid "" "The bounding set is inherited at B(2) from the thread's parent, and " "is preserved across an B(2)." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:873 msgid "" "A thread may remove capabilities from its capability bounding set using the " "B(2) B operation, provided it has the " "B capability. 
Once a capability has been dropped from the " "bounding set, it cannot be restored to that set. A thread can determine if " "a capability is in its bounding set using the B(2) " "B operation." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:891 msgid "" "Removing capabilities from the bounding set is only supported if file " "capabilities are compiled into the kernel. In kernels before Linux 2.6.33, " "file capabilities were an optional feature configurable via the " "CONFIG_SECURITY_FILE_CAPABILITIES option. Since Linux 2.6.33, the " "configuration option has been removed and file capabilities are always part " "of the kernel. When file capabilities are compiled into the kernel, the " "B process (the ancestor of all processes) begins with a full bounding " "set. If file capabilities are not compiled into the kernel, then B " "begins with a full bounding set minus B, because this " "capability has a different meaning when there are no file capabilities." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:898 msgid "" "Removing a capability from the bounding set does not remove it from the " "thread's inherited set. However it does prevent the capability from being " "added back into the thread's inherited set in the future." msgstr "" #. type: SS #: build/C/man7/capabilities.7:898 #, no-wrap msgid "Effect of user ID changes on capabilities" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:907 msgid "" "To preserve the traditional semantics for transitions between 0 and nonzero " "user IDs, the kernel makes the following changes to a thread's capability " "sets on changes to the thread's real, effective, saved set, and file system " "user IDs (using B(2), B(2), or similar):" msgstr "" #. 
type: Plain text #: build/C/man7/capabilities.7:913 msgid "" "If one or more of the real, effective or saved set user IDs was previously " "0, and as a result of the UID changes all of these IDs have a nonzero value, " "then all capabilities are cleared from the permitted and effective " "capability sets." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:916 msgid "" "If the effective user ID is changed from 0 to nonzero, then all capabilities " "are cleared from the effective set." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:919 msgid "" "If the effective user ID is changed from nonzero to 0, then the permitted " "set is copied to the effective set." msgstr "" #. type: IP #: build/C/man7/capabilities.7:919 build/C/man7/capabilities.7:974 #, no-wrap msgid "4." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:937 msgid "" "If the file system user ID is changed from 0 to nonzero (see B(2)) " "then the following capabilities are cleared from the effective set: " "B, B, B, B, " "B, B (since Linux 2.2.30), " "B, and B (since Linux 2.2.30). If the file " "system UID is changed from nonzero to 0, then any of these capabilities that " "are enabled in the permitted set are enabled in the effective set." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:945 msgid "" "If a thread that has a 0 value for one or more of its user IDs wants to " "prevent its permitted capability set being cleared when it resets all of its " "user IDs to nonzero values, it can do so using the B(2) " "B operation." msgstr "" #. type: SS #: build/C/man7/capabilities.7:945 #, no-wrap msgid "Programmatically adjusting capability sets" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:960 msgid "" "A thread can retrieve and change its capability sets using the B(2) " "and B(2) system calls. However, the use of B(3) and " "B(3), both provided in the I package, is preferred for " "this purpose. 
The following rules govern changes to the thread capability " "sets:" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:966 msgid "" "If the caller does not have the B capability, the new " "inheritable set must be a subset of the combination of the existing " "inheritable and permitted sets." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:970 msgid "" "(Since kernel 2.6.25) The new inheritable set must be a subset of the " "combination of the existing inheritable set and the capability bounding set." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:974 msgid "" "The new permitted set must be a subset of the existing permitted set (i.e., " "it is not possible to acquire permitted capabilities that the thread does " "not currently have)." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:976 msgid "The new effective set must be a subset of the new permitted set." msgstr "" #. type: SS #: build/C/man7/capabilities.7:976 #, no-wrap msgid "The securebits flags: establishing a capabilities-only environment" msgstr "" #. For some background: #. see http://lwn.net/Articles/280279/ and #. http://article.gmane.org/gmane.linux.kernel.lsm/5476/ #. type: Plain text #: build/C/man7/capabilities.7:987 msgid "" "Starting with kernel 2.6.26, and with a kernel in which file capabilities " "are enabled, Linux implements a set of per-thread I flags that " "can be used to disable special handling of capabilities for UID 0 " "(I). These flags are as follows:" msgstr "" #. type: TP #: build/C/man7/capabilities.7:987 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:999 msgid "" "Setting this flag allows a thread that has one or more 0 UIDs to retain its " "capabilities when it switches all of its UIDs to a nonzero value. If this " "flag is not set, then such a UID switch causes the thread to lose all " "capabilities. This flag is always cleared on an B(2). 
(This flag " "provides the same functionality as the older B(2) B " "operation.)" msgstr "" #. type: TP #: build/C/man7/capabilities.7:999 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1006 msgid "" "Setting this flag stops the kernel from adjusting capability sets when the " "thread's effective and file system UIDs are switched between zero and " "nonzero values. (See the subsection I.)" msgstr "" #. type: TP #: build/C/man7/capabilities.7:1006 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1014 msgid "" "If this bit is set, then the kernel does not grant capabilities when a " "set-user-ID-root program is executed, or when a process with an effective or " "real UID of 0 calls B(2). (See the subsection I.)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1024 msgid "" "Each of the above \"base\" flags has a companion \"locked\" flag. Setting " "any of the \"locked\" flags is irreversible, and has the effect of " "preventing further changes to the corresponding \"base\" flag. The locked " "flags are: B, B, and " "B." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1036 msgid "" "The I flags can be modified and retrieved using the B(2) " "B and B operations. The " "B capability is required to modify the flags." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1045 msgid "" "The I flags are inherited by child processes. During an " "B(2), all of the flags are preserved, except B " "which is always cleared." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1050 msgid "" "An application can use the following call to lock itself, and all of its " "descendants, into an environment where the only way of gaining capabilities " "is by executing a program with associated file capabilities:" msgstr "" #.
type: Plain text #: build/C/man7/capabilities.7:1059 #, no-wrap msgid "" "prctl(PR_SET_SECUREBITS,\n" " SECBIT_KEEP_CAPS_LOCKED |\n" " SECBIT_NO_SETUID_FIXUP |\n" " SECBIT_NO_SETUID_FIXUP_LOCKED |\n" " SECBIT_NOROOT |\n" " SECBIT_NOROOT_LOCKED);\n" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1067 msgid "" "No standards govern capabilities, but the Linux capability implementation is " "based on the withdrawn POSIX.1e draft standard; see E<.UR " "http://wt.tuxomania.net\\:/publications\\:/posix.1e/> E<.UE .>" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1071 msgid "" "Since kernel 2.5.27, capabilities are an optional kernel component, and can " "be enabled/disabled via the CONFIG_SECURITY_CAPABILITIES kernel " "configuration option." msgstr "" #. 7b9a7ec565505699f503b4fcf61500dceb36e744 #. type: Plain text #: build/C/man7/capabilities.7:1085 msgid "" "The I file can be used to view the capability " "sets of a thread. The I file shows the capability sets of " "a process's main thread. Before Linux 3.8, nonexistent capabilities were " "shown as being enabled (1) in these sets. Since Linux 3.8, all non-existent " "capabilities (above B) are shown as disabled (0)." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1100 msgid "" "The I package provides a suite of routines for setting and getting " "capabilities that is more comfortable and less likely to change than the " "interface provided by B(2) and B(2). This package also " "provides the B(8) and B(8) programs. It can be found at" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1103 msgid "" "E<.UR " "http://www.kernel.org\\:/pub\\:/linux\\:/libs\\:/security\\:/linux-privs> " "E<.UE .>" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1112 msgid "" "Before kernel 2.6.24, and since kernel 2.6.24 if file capabilities are not " "enabled, a thread with the B capability can manipulate the " "capabilities of threads other than itself. 
However, this is only " "theoretically possible, since no thread ever has B in either of " "these cases:" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1117 msgid "" "In the pre-2.6.25 implementation the system-wide capability bounding set, " "I, always masks out this capability, and this " "can not be changed without modifying the kernel source and rebuilding." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1123 msgid "" "If file capabilities are disabled in the current implementation, then " "B starts out with this capability removed from its per-process " "bounding set, and that bounding set is inherited by all other processes " "created on the system." msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1140 msgid "" "B(2), B(2), B(2), B(3), " "B(3), B(3), B(3), " "B(3), B(3), B(3), B(3), " "B(3), B(7), B(7), B(8), B(8)" msgstr "" #. type: Plain text #: build/C/man7/capabilities.7:1143 msgid "I in the Linux kernel source tree" msgstr "" #. type: TH #: build/C/man2/capget.2:15 #, no-wrap msgid "CAPGET" msgstr "" #. type: Plain text #: build/C/man2/capget.2:18 msgid "capget, capset - set/get capabilities of thread(s)" msgstr "" #. type: Plain text #: build/C/man2/capget.2:20 msgid "B<#include Esys/capability.hE>" msgstr "" #. type: Plain text #: build/C/man2/capget.2:22 msgid "BIB<, cap_user_data_t >IB<);>" msgstr "" #. type: Plain text #: build/C/man2/capget.2:24 msgid "" "BIB<, const cap_user_data_t " ">IB<);>" msgstr "" #. type: Plain text #: build/C/man2/capget.2:35 msgid "" "As of Linux 2.2, the power of the superuser (root) has been partitioned into " "a set of discrete capabilities. Each thread has a set of effective " "capabilities identifying which capabilities (if any) it may currently " "exercise. Each thread also has a set of inheritable capabilities that may " "be passed through an B(2) call, and a set of permitted capabilities " "that it can make effective or inheritable." msgstr "" #. 
type: Plain text #: build/C/man2/capget.2:44 msgid "" "These two system calls are the raw kernel interface for getting and setting " "thread capabilities. Not only are these system calls specific to Linux, but " "the kernel API is likely to change and use of these system calls (in " "particular the format of the I types) is subject to extension " "with each kernel revision, but old programs will keep working." msgstr "" #. type: Plain text #: build/C/man2/capget.2:55 msgid "" "The portable interfaces are B(3) and B(3); if " "possible you should use those interfaces in applications. If you wish to " "use the Linux extensions in applications, you should use the easier-to-use " "interfaces B(3) and B(3)." msgstr "" #. type: SS #: build/C/man2/capget.2:55 #, no-wrap msgid "Current details" msgstr "" #. type: Plain text #: build/C/man2/capget.2:58 msgid "" "Now that you have been warned, some current kernel details. The structures " "are defined as follows." msgstr "" #. type: Plain text #: build/C/man2/capget.2:63 #, no-wrap msgid "" "#define _LINUX_CAPABILITY_VERSION_1 0x19980330\n" "#define _LINUX_CAPABILITY_U32S_1 1\n" msgstr "" #. type: Plain text #: build/C/man2/capget.2:66 #, no-wrap msgid "" "#define _LINUX_CAPABILITY_VERSION_2 0x20071026\n" "#define _LINUX_CAPABILITY_U32S_2 2\n" msgstr "" #. type: Plain text #: build/C/man2/capget.2:71 #, no-wrap msgid "" "typedef struct __user_cap_header_struct {\n" " __u32 version;\n" " int pid;\n" "} *cap_user_header_t;\n" msgstr "" #. type: Plain text #: build/C/man2/capget.2:77 #, no-wrap msgid "" "typedef struct __user_cap_data_struct {\n" " __u32 effective;\n" " __u32 permitted;\n" " __u32 inheritable;\n" "} *cap_user_data_t;\n" msgstr "" #. type: Plain text #: build/C/man2/capget.2:96 msgid "" "The I, I, and I fields are bit masks of " "the capabilities defined in I Note the B values are " "bit indexes and need to be bit-shifted before ORing into the bit fields. 
To " "define the structures for passing to the system call you have to use the " "I and I " "names because the typedefs are only pointers." msgstr "" #. type: Plain text #: build/C/man2/capget.2:108 msgid "" "Kernels prior to 2.6.25 prefer 32-bit capabilities with version " "B<_LINUX_CAPABILITY_VERSION_1>, and kernels 2.6.25+ prefer 64-bit " "capabilities with version B<_LINUX_CAPABILITY_VERSION_2>. Note, 64-bit " "capabilities use I[0] and I[1], whereas 32-bit capabilities " "use only I[0]." msgstr "" #. type: Plain text #: build/C/man2/capget.2:112 msgid "" "Another change affecting the behavior of these system calls is kernel " "support for file capabilities (VFS capability support). This support is " "currently a compile time option (added in kernel 2.6.24)." msgstr "" #. type: Plain text #: build/C/man2/capget.2:119 msgid "" "For B() calls, one can probe the capabilities of any process by " "specifying its process ID with the Ipid> field value." msgstr "" #. type: SS #: build/C/man2/capget.2:119 #, no-wrap msgid "With VFS capability support" msgstr "" #. type: Plain text #: build/C/man2/capget.2:131 msgid "" "VFS Capability support creates a file-attribute method for adding " "capabilities to privileged executables. This privilege model obsoletes " "kernel support for one process asynchronously setting the capabilities of " "another. That is, with VFS support, for B() calls the only " "permitted values for Ipid> are 0 or B(2), which are " "equivalent." msgstr "" #. type: SS #: build/C/man2/capget.2:131 #, no-wrap msgid "Without VFS capability support" msgstr "" #. type: Plain text #: build/C/man2/capget.2:157 msgid "" "When the kernel does not support VFS capabilities, B() calls can " "operate on the capabilities of the thread specified by the I field of " "I when that is nonzero, or on the capabilities of the calling thread " "if I is 0. 
If I refers to a single-threaded process, then I " "can be specified as a traditional process ID; operating on a thread of a " "multithreaded process requires a thread ID of the type returned by " "B(2). For B(), I can also be: -1, meaning perform the " "change on all threads except the caller and B(8); or a value less than " "-1, in which case the change is applied to all members of the process group " "whose ID is -I." msgstr "" #. type: Plain text #: build/C/man2/capget.2:160 msgid "For details on the data, see B(7)." msgstr "" #. type: Plain text #: build/C/man2/capget.2:179 msgid "" "The calls will fail with the error B, and set the I field " "of I to the kernel preferred value of B<_LINUX_CAPABILITY_VERSION_?> " "when an unsupported I value is specified. In this way, one can " "probe what the current preferred capability revision is." msgstr "" #. type: Plain text #: build/C/man2/capget.2:188 msgid "" "Bad memory address. I must not be NULL. I may be NULL only " "when the user is trying to determine the preferred capability version format " "supported by the kernel." msgstr "" #. type: TP #: build/C/man2/capget.2:188 build/C/man7/cpuset.7:1180 build/C/man7/cpuset.7:1189 build/C/man7/cpuset.7:1198 build/C/man7/cpuset.7:1208 build/C/man7/cpuset.7:1217 build/C/man7/cpuset.7:1224 build/C/man7/cpuset.7:1231 build/C/man2/getgroups.2:114 build/C/man2/getgroups.2:121 build/C/man2/getpriority.2:121 build/C/man2/getrlimit.2:440 build/C/man2/getrusage.2:190 build/C/man2/iopl.2:72 build/C/man2/ioprio_set.2:170 build/C/man2/setpgid.2:202 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/capget.2:191 msgid "One of the arguments was invalid." msgstr "" #. type: Plain text #: build/C/man2/capget.2:196 msgid "" "An attempt was made to add a capability to the Permitted set, or to set a " "capability in the Effective or Inheritable sets that is not in the Permitted " "set." msgstr "" #. 
type: Plain text #: build/C/man2/capget.2:215 msgid "" "The caller attempted to use B() to modify the capabilities of a " "thread other than itself, but lacked sufficient privilege. For kernels " "supporting VFS capabilities, this is never permitted. For kernels lacking " "VFS support, the B capability is required. (A bug in kernels " "before 2.6.11 meant that this error could also occur if a thread without " "this capability tried to change its own capabilities by specifying the " "I field as a nonzero value (i.e., the value returned by B(2)) " "instead of 0.)" msgstr "" #. type: TP #: build/C/man2/capget.2:215 build/C/man7/cpuset.7:1330 build/C/man2/getpriority.2:129 build/C/man2/getrlimit.2:464 build/C/man2/getsid.2:70 build/C/man2/ioprio_set.2:187 build/C/man2/setpgid.2:217 #, no-wrap msgid "B" msgstr "" #. type: Plain text #: build/C/man2/capget.2:218 msgid "No such thread." msgstr "" #. type: Plain text #: build/C/man2/capget.2:220 build/C/man2/ioprio_set.2:198 msgid "These system calls are Linux-specific." msgstr "" #. type: Plain text #: build/C/man2/capget.2:225 msgid "" "The portable interface to the capability querying and setting functions is " "provided by the I library and is available here:" msgstr "" #. type: Plain text #: build/C/man2/capget.2:228 msgid "" "E<.UR " "http://git.kernel.org/cgit\\:/linux\\:/kernel\\:/git\\:/morgan\\:\\:/libcap.git> " "E<.UE>" msgstr "" #. type: Plain text #: build/C/man2/capget.2:232 msgid "B(2), B(2), B(7)" msgstr "" #. type: TH #: build/C/man7/cpuset.7:25 #, no-wrap msgid "CPUSET" msgstr "" #. type: TH #: build/C/man7/cpuset.7:25 build/C/man2/getpriority.2:48 build/C/man2/ioprio_set.2:24 build/C/man7/svipc.7:27 #, no-wrap msgid "2013-02-12" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:28 msgid "cpuset - confine processes to processor and memory node subsets" msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:35 msgid "" "The cpuset file system is a pseudo-file-system interface to the kernel " "cpuset mechanism, which is used to control the processor placement and " "memory placement of processes. It is commonly mounted at I." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:52 msgid "" "On systems with kernels compiled with built in support for cpusets, all " "processes are attached to a cpuset, and cpusets are always present. If a " "system supports cpusets, then it will have the entry B in the " "file I. By mounting the cpuset file system (see the " "B section below), the administrator can configure the cpusets on a " "system to control the processor and memory placement of processes on that " "system. By default, if the cpuset configuration on a system is not modified " "or if the cpuset file system is not even mounted, then the cpuset mechanism, " "though present, has no effect on the system's behavior." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:54 msgid "A cpuset defines a list of CPUs and memory nodes." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:63 msgid "" "The CPUs of a system include all the logical processing units on which a " "process can execute, including, if present, multiple processor cores within " "a package and Hyper-Threads within a processor core. Memory nodes include " "all distinct banks of main memory; small and SMP systems typically have just " "one memory node that contains all the system's main memory, while NUMA " "(non-uniform memory access) systems have multiple memory nodes." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:73 msgid "" "Cpusets are represented as directories in a hierarchical pseudo-file system, " "where the top directory in the hierarchy (I) represents the " "entire system (all online CPUs and memory nodes) and any cpuset that is the " "child (descendant) of another parent cpuset contains a subset of that " "parent's CPUs and memory nodes.
The directories and files representing " "cpusets have normal file-system permissions." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:84 msgid "" "Every process in the system belongs to exactly one cpuset. A process is " "confined to only run on the CPUs in the cpuset it belongs to, and to " "allocate memory only on the memory nodes in that cpuset. When a process " "B(2)s, the child process is placed in the same cpuset as its parent. " "With sufficient privilege, a process may be moved from one cpuset to another " "and the allowed CPUs and memory nodes of an existing cpuset may be changed." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:92 msgid "" "When the system begins booting, a single cpuset is defined that includes all " "CPUs and memory nodes on the system, and all processes are in that cpuset. " "During the boot process, or later during normal system operation, other " "cpusets may be created, as subdirectories of this top cpuset, under the " "control of the system administrator, and processes may be placed in these " "other cpusets." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:114 msgid "" "Cpusets are integrated with the B(2) scheduling affinity " "mechanism and the B(2) and B(2) memory-placement " "mechanisms in the kernel. Neither of these mechanisms let a process make " "use of a CPU or memory node that is not allowed by that process's cpuset. " "If changes to a process's cpuset placement conflict with these other " "mechanisms, then cpuset placement is enforced even if it means overriding " "these other mechanisms. The kernel accomplishes this overriding by silently " "restricting the CPUs and memory nodes requested by these other mechanisms to " "those allowed by the invoking process's cpuset. This can result in these " "other calls returning an error, if for example, such a call ends up " "requesting an empty set of CPUs or memory nodes, after that request is " "restricted to the invoking process's cpuset." msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:120 msgid "" "Typically, a cpuset is used to manage the CPU and memory-node confinement " "for a set of cooperating processes such as a batch scheduler job, and these " "other mechanisms are used to manage the placement of individual processes or " "memory regions within that set or job." msgstr "" #. type: SH #: build/C/man7/cpuset.7:120 #, no-wrap msgid "FILES" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:125 msgid "" "Each directory below I represents a cpuset and contains a fixed " "set of pseudo-files describing the state of that cpuset." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:135 msgid "" "New cpusets are created using the B(2) system call or the " "B(1) command. The properties of a cpuset, such as its flags, " "allowed CPUs and memory nodes, and attached processes, are queried and " "modified by reading or writing to the appropriate file in that cpuset's " "directory, as listed below." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:141 msgid "" "The pseudo-files in each cpuset directory are automatically created when the " "cpuset is created, as a result of the B(2) invocation. It is not " "possible to directly add or remove these pseudo-files." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:149 msgid "" "A cpuset directory that contains no child cpuset directories, and has no " "attached processes, can be removed using B(2) or B(1). It is " "not necessary, or possible, to remove the pseudo-files inside the directory " "before removing it." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:163 msgid "" "The pseudo-files in each cpuset directory are small text files that may be " "read and written using traditional shell utilities such as B(1), and " "B(1), or from a program by using file I/O library functions or system " "calls, such as B(2), B(2), B(2), and B(2)." msgstr "" #. ====================== tasks ====================== #. 
type: Plain text #: build/C/man7/cpuset.7:168 msgid "" "The pseudo-files in a cpuset directory represent internal kernel state and " "do not have any persistent image on disk. Each of these per-cpuset files is " "listed and described below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:168 #, no-wrap msgid "I" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:178 msgid "" "List of the process IDs (PIDs) of the processes in that cpuset. The list is " "formatted as a series of ASCII decimal numbers, each followed by a newline. " "A process may be added to a cpuset (automatically removing it from the " "cpuset that previously contained it) by writing its PID to that cpuset's " "I file (with or without a trailing newline.)" msgstr "" #. =================== notify_on_release =================== #. type: Plain text #: build/C/man7/cpuset.7:186 msgid "" "B only one PID may be written to the I file at a time. If " "a string is written that contains more than one PID, only the first one will " "be used." msgstr "" #. type: TP #: build/C/man7/cpuset.7:186 #, no-wrap msgid "I" msgstr "" #. ====================== cpus ====================== #. type: Plain text #: build/C/man7/cpuset.7:195 msgid "" "Flag (0 or 1). If set (1), that cpuset will receive special handling after " "it is released, that is, after all processes cease using it (i.e., terminate " "or are moved to a different cpuset) and all child cpuset directories have " "been removed. See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:195 #, no-wrap msgid "I" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:202 msgid "" "List of the physical numbers of the CPUs on which processes in that cpuset " "are allowed to execute. See B below for a description of the " "format of I." msgstr "" #. ==================== cpu_exclusive ==================== #. type: Plain text #: build/C/man7/cpuset.7:208 msgid "" "The CPUs allowed to a cpuset may be changed by writing a new list to its " "I file." 
msgstr "" #. type: TP #: build/C/man7/cpuset.7:208 #, no-wrap msgid "I" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:215 msgid "" "Flag (0 or 1). If set (1), the cpuset has exclusive use of its CPUs (no " "sibling or cousin cpuset may overlap CPUs). By default this is off (0). " "Newly created cpusets also initially default this to off (0)." msgstr "" #. ====================== mems ====================== #. type: Plain text #: build/C/man7/cpuset.7:237 msgid "" "Two cpusets are I cpusets if they share the same parent cpuset in " "the I hierarchy. Two cpusets are I cpusets if neither " "is the ancestor of the other. Regardless of the I setting, " "if one cpuset is the ancestor of another, and if both of these cpusets have " "nonempty I, then their I must overlap, because the I of " "any cpuset are always a subset of the I of its parent cpuset." msgstr "" #. type: TP #: build/C/man7/cpuset.7:237 #, no-wrap msgid "I" msgstr "" #. ==================== mem_exclusive ==================== #. type: Plain text #: build/C/man7/cpuset.7:245 msgid "" "List of memory nodes on which processes in this cpuset are allowed to " "allocate memory. See B below for a description of the format " "of I." msgstr "" #. type: TP #: build/C/man7/cpuset.7:245 #, no-wrap msgid "I" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:253 msgid "" "Flag (0 or 1). If set (1), the cpuset has exclusive use of its memory nodes " "(no sibling or cousin may overlap). Also if set (1), the cpuset is a " "B cpuset (see below.) By default this is off (0). Newly created " "cpusets also initially default this to off (0)." msgstr "" #. ==================== mem_hardwall ==================== #. type: Plain text #: build/C/man7/cpuset.7:261 msgid "" "Regardless of the I setting, if one cpuset is the ancestor of " "another, then their memory nodes must overlap, because the memory nodes of " "any cpuset are always a subset of the memory nodes of that cpuset's parent " "cpuset." msgstr "" #. 
type: TP #: build/C/man7/cpuset.7:261 #, no-wrap msgid "I (since Linux 2.6.26)" msgstr "" #. ==================== memory_migrate ==================== #. type: Plain text #: build/C/man7/cpuset.7:272 msgid "" "Flag (0 or 1). If set (1), the cpuset is a B cpuset (see below.) " "Unlike B, there is no constraint on whether cpusets marked " "B may have overlapping memory nodes with sibling or cousin " "cpusets. By default this is off (0). Newly created cpusets also initially " "default this to off (0)." msgstr "" #. type: TP #: build/C/man7/cpuset.7:272 #, no-wrap msgid "I (since Linux 2.6.16)" msgstr "" #. ==================== memory_pressure ==================== #. type: Plain text #: build/C/man7/cpuset.7:279 msgid "" "Flag (0 or 1). If set (1), then memory migration is enabled. By default " "this is off (0). See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:279 #, no-wrap msgid "I (since Linux 2.6.16)" msgstr "" #. ================= memory_pressure_enabled ================= #. type: Plain text #: build/C/man7/cpuset.7:292 msgid "" "A measure of how much memory pressure the processes in this cpuset are " "causing. See the B section, below. Unless " "I is enabled, always has value zero (0). This file " "is read-only. See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:292 #, no-wrap msgid "I (since Linux 2.6.16)" msgstr "" #. ================== memory_spread_page ================== #. type: Plain text #: build/C/man7/cpuset.7:304 msgid "" "Flag (0 or 1). This file is only present in the root cpuset, normally " "I. If set (1), the I calculations are enabled " "for all cpusets in the system. By default this is off (0). See the " "B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:304 #, no-wrap msgid "I (since Linux 2.6.17)" msgstr "" #. ================== memory_spread_slab ================== #. type: Plain text #: build/C/man7/cpuset.7:314 msgid "" "Flag (0 or 1). 
If set (1), pages in the kernel page cache (file-system " "buffers) are uniformly spread across the cpuset. By default this is off (0) " "in the top cpuset, and inherited from the parent cpuset in newly created " "cpusets. See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:314 #, no-wrap msgid "I (since Linux 2.6.17)" msgstr "" #. ================== sched_load_balance ================== #. type: Plain text #: build/C/man7/cpuset.7:325 msgid "" "Flag (0 or 1). If set (1), the kernel slab caches for file I/O (directory " "and inode structures) are uniformly spread across the cpuset. By default " "this is off (0) in the top cpuset, and inherited from the parent cpuset in " "newly created cpusets. See the B section, below." msgstr "" #. type: TP #: build/C/man7/cpuset.7:325 #, no-wrap msgid "I (since Linux 2.6.24)" msgstr "" #. ================== sched_relax_domain_level ================== #. type: Plain text #: build/C/man7/cpuset.7:339 msgid "" "Flag (0 or 1). If set (1, the default) the kernel will automatically load " "balance processes in that cpuset over the allowed CPUs in that cpuset. If " "cleared (0) the kernel will avoid load balancing processes in this cpuset, " "I some other cpuset with overlapping CPUs has its " "I flag set. See B, below, for " "further details." msgstr "" #. type: TP #: build/C/man7/cpuset.7:339 #, no-wrap msgid "I (since Linux 2.6.26)" msgstr "" #. ================== proc cpuset ================== #. type: Plain text #: build/C/man7/cpuset.7:359 msgid "" "Integer, between -1 and a small positive value. The " "I controls the width of the range of CPUs over " "which the kernel scheduler performs immediate rebalancing of runnable tasks " "across CPUs. If I is disabled, then the setting of " "I does not matter, as no such load balancing is " "done. If I is enabled, then the higher the value of the " "I, the wider the range of CPUs over which " "immediate load balancing is attempted. 
See B, " "below, for further details." msgstr "" #. ================== proc status ================== #. type: Plain text #: build/C/man7/cpuset.7:367 msgid "" "In addition to the above pseudo-files in each directory below " "I, each process has a pseudo-file, " "IpidE/cpuset>, that displays the path of the process's " "cpuset directory relative to the root of the cpuset file system." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:378 msgid "" "Also the IpidE/status> file for each process has four added " "lines, displaying the process's I (on which CPUs it may be " "scheduled) and I (on which memory nodes it may obtain memory), " "in the two formats B and B (see below) as shown " "in the following example:" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:385 #, no-wrap msgid "" "Cpus_allowed: ffffffff,ffffffff,ffffffff,ffffffff\n" "Cpus_allowed_list: 0-127\n" "Mems_allowed: ffffffff,ffffffff\n" "Mems_allowed_list: 0-63\n" msgstr "" #. ================== EXTENDED CAPABILITIES ================== #. type: Plain text #: build/C/man7/cpuset.7:391 msgid "" "The \"allowed\" fields were added in Linux 2.6.24; the \"allowed_list\" " "fields were added in Linux 2.6.26." msgstr "" #. type: SH #: build/C/man7/cpuset.7:391 #, no-wrap msgid "EXTENDED CAPABILITIES" msgstr "" #. ================== Exclusive Cpusets ================== #. type: Plain text #: build/C/man7/cpuset.7:399 msgid "" "In addition to controlling which I and I a process is allowed to " "use, cpusets provide the following extended capabilities." msgstr "" #. type: SS #: build/C/man7/cpuset.7:399 #, no-wrap msgid "Exclusive cpusets" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:406 msgid "" "If a cpuset is marked I or I, no other cpuset, " "other than a direct ancestor or descendant, may share any of the same CPUs " "or memory nodes." msgstr "" #. ================== Hardwall ================== #. 
type: Plain text #: build/C/man7/cpuset.7:432 msgid "" "A cpuset that is I restricts kernel allocations for buffer " "cache pages and other internal kernel data pages commonly shared by the " "kernel across multiple users. All cpusets, whether I or not, " "restrict allocations of memory for user space. This enables configuring a " "system so that several independent jobs can share common kernel data, while " "isolating each job's user allocation in its own cpuset. To do this, " "construct a large I cpuset to hold all the jobs, and " "construct child, non-I cpusets for each individual job. Only " "a small amount of kernel memory, such as requests from interrupt handlers, " "is allowed to be placed on memory nodes outside even a I " "cpuset." msgstr "" #. type: SS #: build/C/man7/cpuset.7:432 #, no-wrap msgid "Hardwall" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:447 msgid "" "A cpuset that has I or I set is a I " "cpuset. A I cpuset restricts kernel allocations for page, buffer, " "and other data commonly shared by the kernel across multiple users. All " "cpusets, whether I or not, restrict allocations of memory for user " "space." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:458 msgid "" "This enables configuring a system so that several independent jobs can share " "common kernel data, such as file system pages, while isolating each job's " "user allocation in its own cpuset. To do this, construct a large " "I cpuset to hold all the jobs, and construct child cpusets for " "each individual job which are not I cpusets." msgstr "" #. ================== Notify On Release ================== #. type: Plain text #: build/C/man7/cpuset.7:464 msgid "" "Only a small amount of kernel memory, such as requests from interrupt " "handlers, is allowed to be taken outside even a I cpuset." msgstr "" #. type: SS #: build/C/man7/cpuset.7:464 #, no-wrap msgid "Notify on release" msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:476 msgid "" "If the I flag is enabled (1) in a cpuset, then whenever " "the last process in the cpuset leaves (exits or attaches to some other " "cpuset) and the last child cpuset of that cpuset is removed, the kernel " "will run the command I, supplying the pathname " "(relative to the mount point of the cpuset file system) of the abandoned " "cpuset. This enables automatic removal of abandoned cpusets." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:484 msgid "" "The default value of I in the root cpuset at system boot " "is disabled (0). The default value of other cpusets at creation is the " "current value of their parent's I setting." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:492 msgid "" "The command I is invoked, with the name " "(I relative path) of the to-be-released cpuset in I." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:496 msgid "" "The usual contents of the command I is simply " "the shell script:" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:501 #, no-wrap msgid "" "#!/bin/sh\n" "rmdir /dev/cpuset/$1\n" msgstr "" #. ================== Memory Pressure ================== #. type: Plain text #: build/C/man7/cpuset.7:509 msgid "" "As with other flag values below, this flag can be changed by writing an " "ASCII number 0 or 1 (with optional trailing newline) into the file, to " "clear or set the flag, respectively." msgstr "" #. type: SS #: build/C/man7/cpuset.7:509 #, no-wrap msgid "Memory pressure" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:515 msgid "" "The I of a cpuset provides a simple per-cpuset running " "average of the rate that the processes in a cpuset are attempting to free up " "in-use memory on the nodes of the cpuset to satisfy additional memory " "requests." msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:519 msgid "" "This enables batch managers that are monitoring jobs running in dedicated " "cpusets to efficiently detect what level of memory pressure that job is " "causing." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:526 msgid "" "This is useful both on tightly managed systems running a wide mix of " "submitted jobs, which may choose to terminate or reprioritize jobs that are " "trying to use more memory than allowed on the nodes assigned them, and with " "tightly coupled, long-running, massively parallel scientific computing jobs " "that will dramatically fail to meet required performance goals if they start " "to use more memory than allowed to them." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:531 msgid "" "This mechanism provides a very economical way for the batch manager to " "monitor a cpuset for signs of memory pressure. It's up to the batch manager " "or other user code to decide what action to take if it detects signs of " "memory pressure." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:538 msgid "" "Unless memory pressure calculation is enabled by setting the pseudo-file " "I, it is not computed for any " "cpuset, and reads from any I always return zero, as " "represented by the ASCII string \"0\\en\". See the B section, " "below." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:540 msgid "A per-cpuset, running average is employed for the following reasons:" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:545 msgid "" "Because this meter is per-cpuset rather than per-process or per virtual " "memory region, the system load imposed by a batch scheduler monitoring this " "metric is sharply reduced on large systems, because a scan of the tasklist " "can be avoided on each set of queries." msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:550 msgid "" "Because this meter is a running average rather than an accumulating counter, " "a batch scheduler can detect memory pressure with a single read, instead of " "having to read and accumulate results for a period of time." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:556 msgid "" "Because this meter is per-cpuset rather than per-process, the batch " "scheduler can obtain the key information\\(emmemory pressure in a " "cpuset\\(emwith a single read, rather than having to query and accumulate " "results over all the (dynamically changing) set of processes in the cpuset." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:564 msgid "" "The I of a cpuset is calculated using a per-cpuset simple " "digital filter that is kept within the kernel. For each cpuset, this filter " "tracks the recent rate at which processes attached to that cpuset enter the " "kernel direct reclaim code." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:573 msgid "" "The kernel direct reclaim code is entered whenever a process has to satisfy " "a memory page request by first finding some other page to repurpose, due to " "lack of any readily available already free pages. Dirty file system pages " "are repurposed by first writing them to disk. Unmodified file system buffer " "pages are repurposed by simply dropping them, though if that page is needed " "again, it will have to be reread from disk." msgstr "" #. ================== Memory Spread ================== #. type: Plain text #: build/C/man7/cpuset.7:581 msgid "" "The I file provides an integer number representing " "the recent (half-life of 10 seconds) rate of entries to the direct reclaim " "code caused by any process in the cpuset, in units of reclaims attempted per " "second, times 1000." msgstr "" #. type: SS #: build/C/man7/cpuset.7:581 #, no-wrap msgid "Memory spread" msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:589 msgid "" "There are two Boolean flag files per cpuset that control where the kernel " "allocates pages for the file-system buffers and related in-kernel data " "structures. They are called I and " "I." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:596 msgid "" "If the per-cpuset Boolean flag file I is set, " "then the kernel will spread the file-system buffers (page cache) evenly over " "all the nodes that the faulting process is allowed to use, instead of " "preferring to put those pages on the node where the process is running." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:604 msgid "" "If the per-cpuset Boolean flag file I is set, " "then the kernel will spread some file-system-related slab caches, such as " "those for inodes and directory entries, evenly over all the nodes that the " "faulting process is allowed to use, instead of preferring to put those pages " "on the node where the process is running." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:609 msgid "" "The setting of these flags does not affect the data segment (see B(2)) " "or stack segment pages of a process." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:617 msgid "" "By default, both kinds of memory spreading are off and the kernel prefers to " "allocate memory pages on the node local to where the requesting process is " "running. If that node is not allowed by the process's NUMA memory policy or " "cpuset configuration or if there are insufficient free memory pages on that " "node, then the kernel looks for the nearest node that is allowed and has " "sufficient free memory." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:620 msgid "" "When new cpusets are created, they inherit the memory spread settings of " "their parent." msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:635 msgid "" "Setting memory spreading causes allocations for the affected page or slab " "caches to ignore the process's NUMA memory policy and be spread instead. " "However, the effect of these changes in memory placement caused by " "cpuset-specified memory spreading is hidden from the B(2) or " "B(2) calls. These two NUMA memory policy calls always " "appear to behave as if no cpuset-specified memory spreading is in effect, " "even if it is. If cpuset memory spreading is subsequently turned off, the " "NUMA memory policy most recently specified by these calls is automatically " "reapplied." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:644 msgid "" "Both I and I are " "Boolean flag files. By default they contain \"0\", meaning that the feature " "is off for that cpuset. If a \"1\" is written to that file, that turns the " "named feature on." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:647 msgid "" "Cpuset-specified memory spreading behaves similarly to what is known (in " "other contexts) as round-robin or interleave memory placement." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:650 msgid "" "Cpuset-specified memory spreading can provide substantial performance " "improvements for jobs that:" msgstr "" #. type: IP #: build/C/man7/cpuset.7:650 #, no-wrap msgid "a)" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:654 msgid "" "need to place thread-local data on memory nodes close to the CPUs which are " "running the threads that most frequently access that data; but also" msgstr "" #. type: IP #: build/C/man7/cpuset.7:654 #, no-wrap msgid "b)" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:657 msgid "" "need to access large file-system data sets that must be spread across the " "several nodes in the job's cpuset in order to fit." msgstr "" #. ================== Memory Migration ================== #. 
type: Plain text #: build/C/man7/cpuset.7:664 msgid "" "Without this policy, the memory allocation across the nodes in the job's " "cpuset can become very uneven, especially for jobs that might have just a " "single thread initializing or reading in the data set." msgstr "" #. type: SS #: build/C/man7/cpuset.7:664 #, no-wrap msgid "Memory migration" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:673 msgid "" "Normally, under the default setting (disabled) of I, " "once a page is allocated (given a physical page of main memory) then that " "page stays on whatever node it was allocated, so long as it remains " "allocated, even if the cpuset's memory-placement policy I subsequently " "changes." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:679 msgid "" "When memory migration is enabled in a cpuset, if the I setting of the " "cpuset is changed, then any memory page in use by any process in the cpuset " "that is on a memory node that is no longer allowed will be migrated to a " "memory node that is allowed." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:685 msgid "" "Furthermore, if a process is moved into a cpuset with I " "enabled, any memory pages it uses that were on memory nodes allowed in its " "previous cpuset, but which are not allowed in its new cpuset, will be " "migrated to a memory node allowed in the new cpuset." msgstr "" #. ================== Scheduler Load Balancing ================== #. type: Plain text #: build/C/man7/cpuset.7:693 msgid "" "The relative placement of a migrated page within the cpuset is preserved " "during these migration operations if possible. For example, if the page was " "on the second valid node of the prior cpuset, then the page will be placed " "on the second valid node of the new cpuset, if possible." msgstr "" #. type: SS #: build/C/man7/cpuset.7:693 #, no-wrap msgid "Scheduler load balancing" msgstr "" #. 
type: Plain text #: build/C/man7/cpuset.7:700 msgid "" "The kernel scheduler automatically load balances processes. If one CPU is " "underutilized, the kernel will look for processes on other more overloaded " "CPUs and move those processes to the underutilized CPU, within the " "constraints of such placement mechanisms as cpusets and " "B(2)." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:713 msgid "" "The algorithmic cost of load balancing and its impact on key shared kernel " "data structures such as the process list increases more than linearly with " "the number of CPUs being balanced. For example, it costs more to load " "balance across one large set of CPUs than it does to balance across two " "smaller sets of CPUs, each of half the size of the larger set. (The precise " "relationship between the number of CPUs being balanced and the cost of load " "balancing depends on implementation details of the kernel process scheduler, " "which is subject to change over time, as improved kernel scheduler " "algorithms are implemented.)" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:719 msgid "" "The per-cpuset flag I provides a mechanism to suppress " "this automatic scheduler load balancing in cases where it is not needed and " "suppressing it would have worthwhile performance benefits." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:723 msgid "" "By default, load balancing is done across all CPUs, except those marked " "isolated using the kernel boot time \"isolcpus=\" argument. (See " "B, below, to change this default.)" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:726 msgid "" "This default load balancing across all CPUs is not well suited to the " "following two situations:" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:730 msgid "" "On large systems, load balancing across many CPUs is expensive. 
If the " "system is managed using cpusets to place independent jobs on separate sets " "of CPUs, full load balancing is unnecessary." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:734 msgid "" "Systems supporting real-time on some CPUs need to minimize system overhead " "on those CPUs, including avoiding process load balancing if that is not " "needed." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:744 msgid "" "When the per-cpuset flag I is enabled (the default " "setting), it requests load balancing across all the CPUs in that cpuset's " "allowed CPUs, ensuring that load balancing can move a process (not otherwise " "pinned, as by B(2)) from any CPU in that cpuset to any " "other." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:753 msgid "" "When the per-cpuset flag I is disabled, then the " "scheduler will avoid load balancing across the CPUs in that cpuset, " "I in so far as is necessary because some overlapping cpuset has " "I enabled." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:761 msgid "" "So, for example, if the top cpuset has the flag I " "enabled, then the scheduler will load balance across all CPUs, and the " "setting of the I flag in other cpusets has no effect, as " "we're already fully load balancing." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:766 msgid "" "Therefore in the above two situations, the flag I should " "be disabled in the top cpuset, and only some of the smaller, child cpusets " "would have this flag enabled." msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:774 msgid "" "When doing this, you don't usually want to leave any unpinned processes in " "the top cpuset that might use nontrivial amounts of CPU, as such processes " "may be artificially constrained to some subset of CPUs, depending on the " "particulars of this flag setting in descendant cpusets. 
Even if such a " "process could use spare CPU cycles in some other CPUs, the kernel scheduler " "might not consider the possibility of load balancing that process to the " "underused CPU." msgstr "" #. ================== Scheduler Relax Domain Level ================== #. type: Plain text #: build/C/man7/cpuset.7:780 msgid "" "Of course, processes pinned to a particular CPU can be left in a cpuset that " "disables I as those processes aren't going anywhere else " "anyway." msgstr "" #. type: SS #: build/C/man7/cpuset.7:780 #, no-wrap msgid "Scheduler relax domain level" msgstr "" #. type: Plain text #: build/C/man7/cpuset.7:801 msgid "" "The kernel scheduler performs immediate load balancing whenever a CPU " "becomes free or another task becomes runnable. This load balancing works to " "ensure that as many CPUs as possible are usefully employed running tasks. " "The kernel also performs periodic load balancing off the software clock " "described in I