Michael Kerrisk (man-pages | 5 Sep 09:01 2015
Picon

Re: Seccomp questions for updates to seccomp(2) man page

Hi Kees,

On 08/27/2015 06:32 AM, Kees Cook wrote:
> On Wed, Aug 26, 2015 at 6:42 PM, Michael Kerrisk (man-pages)
> <mtk.manpages@...> wrote:
>> Hello Kees, Will,
>>
>> In recent times I've been asked a couple of questions about seccomp(),
>> and it seems like it would be worthwhile to include these topics in
>> the seccomp(2) man page. Would you be able to help out with some
>> answers?
>>
>> === Use of the instruction pointer in seccomp filters ===
>>
>> The seccomp_data describing the system call includes the process's
>> instruction pointer value. What use can be made of this information?
> 
> Will may have some other history to add here, but it seemed like it
> was a handy thing to add, as it's a dynamic value attached to the
> execution environment. I'm actually not aware of any programs that
> build filters with reference to it.
> 
>> My best guess is that you can use this information in conjunction with
>> /proc/PID/maps to introspect the process layout and thus construct
>> filters that conditionally operate based on which DSO is performing a
>> system call. Is that a reasonable use case? Are there others?
> 
> That's reasonable. Filters limiting syscalls to certain memory ranges
> would likely also want to lock down mmap and mprotect calls, to stop
> anything malicious from trying to sneak into the protected range.
(Continue reading)

Ville Skyttä | 5 Sep 08:27 2015
Picon
Picon

[PATCH] man-pages.7: ffix

---
 man7/man-pages.7 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/man7/man-pages.7 b/man7/man-pages.7
index c2c4ab7..df5b2b9 100644
--- a/man7/man-pages.7
+++ b/man7/man-pages.7
 <at>  <at>  -452,7 +452,7  <at>  <at>  A comma-separated list of related man pages, possibly followed by
 other related pages or documents.

 The list should be ordered by section number and
-then alphabetically by name
+then alphabetically by name.
 Do not terminate this list with a period.
 .IP
 Where the SEE ALSO list contains many long manual page names,
--

-- 
2.4.3

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@...
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Maria Guseva | 31 Aug 18:12 2015

[patch] ld.so.8: outline missed cases of secure run

Hello,

For the purpose of security many ld.so options(e.g. --inhibit-rpath,
LD_LIBRARY_PATH and others) are disabled for secure types of programs.
Current ld.so man page mentions them as set-user-ID/set-group-ID binaries.
However according to GNU libc sources there could be other cases where
__libc_enable_secure is set to non-zero -- when AT_SECURE value is set in
auxiliary vector:

elf/dl-sysdep.c:148
      case AT_SECURE:
#ifndef HAVE_AUX_SECURE
    seen = -1;
#endif
    __libc_enable_secure = av->a_un.a_val;

So I suggest ld.so man page should reflect this. The man3/getauxval.3 page
already covers this.    
Proposed patch is below. Maybe it also worth mentioning the particular case
of binary files with capabilities as it's done on getauxval.3 page.

diff --git a/man8/ld.so.8 b/man8/ld.so.8
index 8d8a759..686a0e4 100644
--- a/man8/ld.so.8
+++ b/man8/ld.so.8
 <at>  <at>  -62,8 +62,8  <at>  <at>  Use of DT_RPATH is deprecated.
 .IP o
 Using the environment variable
 .BR LD_LIBRARY_PATH .
-Except if the executable is a set-user-ID/set-group-ID binary,
(Continue reading)

Punit Vara | 30 Aug 13:50 2015
Picon

[PATCH] man2: adjtimex.2 : add info about Clock source

	This is a patch to the adjtimex.2 file that add more
	detail about clock source in man page which is asked to be fixed.
	I got this information from standard document RFC5909 which is
	available at https://tools.ietf.org/html/rfc5905#appendix-A.5.5.1
Signed-off-by: Punit Vara <punitvara@...>
---
 man2/adjtimex.2 | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/man2/adjtimex.2 b/man2/adjtimex.2
index 04b53b1..77b4e30 100644
--- a/man2/adjtimex.2
+++ b/man2/adjtimex.2
 <at>  <at>  -276,8 +276,28  <at>  <at>  Mode (0 = Phase Locked Loop, 1 = Frequency Locked Loop; read-only).
 .\" commit eea83d896e318bda54be2d2770d2c5d6668d11db
 .\" Author: Roman Zippel <zippel@...>
 Clock source (0 = A, 1 = B; read-only).
-.\" FIXME It would be helpful to have some explanation of what
-.\"       "Clock source" is.
+Clock source is used to synchronized the time.It can be any standard clock 
+sources like :
+
+Geosynchronous Orbit Environment Satellite
+Global Position System
+Galileo Positioning System
+Generic pulse-per-second
+Inter-Range Instrumentation Group
+LF Radio WWVB Ft. Collins, CO 60 kHz
+LF Radio DCF77 Mainflingen, DE 77.5 kHz
+LF Radio HBG Prangins, HB 75 kHz 
(Continue reading)

bugzilla | 29 Aug 12:36 2015

[Bug 103701] New: timegm() manpage suggests a terrible workaround

https://bugzilla.kernel.org/show_bug.cgi?id=103701

            Bug ID: 103701
           Summary: timegm() manpage suggests a terrible workaround
           Product: Documentation
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: low
          Priority: P1
         Component: man-pages
          Assignee: documentation_man-pages@...
          Reporter: shurd@...
        Regression: No

In today's multi-threaded world, is changing an environment variable, calling
tzset(), calling mktime(), changing the env variable back, and calling tzset()
again really the best way to solve this problem?

--

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@...
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Daniel Borkmann | 26 Aug 14:02 2015
Picon

[PATCH man] tcp.7: improve paragraphs on tcp_ecn and add tcp_ecn_fallback bullet

Improve description around tcp_ecn, fix the RFC number and it's not a
boolean anymore since long time, and add a description for tcp_ecn_fallback.

See also kernel doc under Documentation/networking/ip-sysctl.txt on
tcp_ecn and tcp_ecn_fallback.

Signed-off-by: Daniel Borkmann <daniel@...>
---
 man7/tcp.7 | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/man7/tcp.7 b/man7/tcp.7
index 2f290a2..0409a66 100644
--- a/man7/tcp.7
+++ b/man7/tcp.7
 <at>  <at>  -396,12 +396,37  <at>  <at>  option.
 .\" Since 2.4.0-test7
 Enable RFC\ 2883 TCP Duplicate SACK support.
 .TP
-.IR tcp_ecn " (Boolean; default: disabled; since Linux 2.4)"
+.IR tcp_ecn " (Integer; default: 2; since Linux 2.4)"
 .\" Since 2.4.0-test7
-Enable RFC\ 2884 Explicit Congestion Notification.
-When enabled, connectivity to some
-destinations could be affected due to older, misbehaving
-routers along the path causing connections to be dropped.
+Enable RFC\ 3168 Explicit Congestion Notification.
+
+This file can have one of the following values:
+.RS
(Continue reading)

Heinrich Schuchardt | 25 Aug 23:36 2015
Picon
Picon

[PATCH] proc.5: details for threads-max

Add detail information for threads-max.
The checks for minimum and maximum values exist since kernel 4.1.
https://lkml.org/lkml/2015/3/15/96

Signed-off-by: Heinrich Schuchardt <xypron.glpk@...>
---
 man5/proc.5 | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/man5/proc.5 b/man5/proc.5
index bb648d4..83f30af 100644
--- a/man5/proc.5
+++ b/man5/proc.5
 <at>  <at>  -4265,8 +4265,22  <at>  <at>  this is the fifth kernel built from this source base and the
 date following it indicates the time the kernel was built.
 .TP
 .IR /proc/sys/kernel/threads-max " (since Linux 2.3.11)"
+.\" The following is based on Documentation/sysctl/kernel.txt
 This file specifies the system-wide limit on the number of
 threads (tasks) that can be created on the system.
+
+The minimum value that can be written to threads-max is 20.
+The maximum value that can be written to threads-max is given by the
+constant
+.B FUTEX_TID_MASK
+(0x3fffffff).
+If a value outside of this range is written to threads-max an error
+.B EINVAL
+occurs.
+
(Continue reading)

Heinrich Schuchardt | 25 Aug 23:13 2015
Picon
Picon

[PATCH] proc.5: /proc/sys: describe whitespace characters

Suggested patch
https://lkml.org/lkml/2015/8/24/171
indicates missing documentation.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@...>
---
 man5/proc.5 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/man5/proc.5 b/man5/proc.5
index bb648d4..85e3b76 100644
--- a/man5/proc.5
+++ b/man5/proc.5
 <at>  <at>  -3303,6 +3303,16  <at>  <at>  These variables can be read and sometimes modified using
 the \fI/proc\fP filesystem, and the (deprecated)
 .BR sysctl (2)
 system call.
+
+String values may be terminated by either of \'\\0\' or \'\\n\'.
+
+Integer and long values may be written either in decimal or in
+hexadecimal notation (e.g. 0x3FFF).
+When writing multiple integer or long values these may be separated
+by either of the following whitespace characters:
+\' \', \'\\t\', or \'\\n\'.
+Using other separators leads to an error
+.BR EINVAL .
 .TP
 .IR /proc/sys/abi " (since Linux 2.4.10)"
 This directory may contain files with application binary information.
(Continue reading)

Carlos O'Donell | 24 Aug 18:05 2015
Picon

[patch] mallopt.3: Document M_ARENA_TEST, and M_ARENA_MAX.

In 2013 I brought up the discussion if M_ARENA_MAX and M_ARENA_TEST
were public parameters:
https://sourceware.org/ml/libc-alpha/2013-03/msg00376.html
Consensus among Siddhesh and myself was that they should be public,
and in fact they were already in the public header. Therefore there
may already be applications uses these constants and expecting them
to work. At best we could limit mallopt's acceptance of the options,
but that seems like a bad solution that could lead to unexpected
behaviour for user applications. A quick google search shows that
there are packages relying on these constants to tune the glibc
malloc implementation.

Since glibc 2.10 the M_ARENA_TEST and M_ARENA_MAX features have
been part of the public interface with --enable-experimental-malloc.

Since glibc 2.15 the experimental allocator has been on by default
and M_ARENA_TEST and M_ARENA_MAX have been more broadly used.

There are environment variables, without trailing underscore, that
can also be used to adjust these values at runtime i.e.
MALLOC_ARENA_MAX, and MALLOC_ARENA_TEST.

This change describes these two options in the mallopt man page
along with their environment variables.

Tested with glibc master on x86_64 to verify it works as expected.
Tested patch with linux man pages master.
Please apply.

Signed-off-by: Carlos O'Donell <carlos@...>
(Continue reading)

Zeng Linggang | 24 Aug 12:19 2015

patchset for fgetgrent fgetpwent getspnam mallinfo sigpause and termios

Hello,

This patchset is for fgetgrent.3, fgetpwent.3, sigpause.3, termios.3,
getspnam.3 and mallinfo.3

1. fgetgrent.3 and fgetpwent.3:
   We have some discussions about these two functions, the Subject:
   "Re: question about markings of fgetgrent and fgetpwent"
   However, something about the copyright impeded the progress.
   I am sorry for that, if you are OK, please see these two patches below,
   I have added some "FIXME:" descriptions in them.

2. getspnam.3
   getspnam.3 is a little like fgetgrent.3 and fgetpwent.3, but there are not
   markings in glibc document. I use the function names for the identifiers like
   fgetgrent.3 and fgetpwent.3.

3. mallinfo.3
   Hope the descriptions about "const:mallopt" could explain clearly enough in
   the patch.

4. sigpause.3 and termios.3
   These two functions are safety in Linux kernel, the markings in glibc manual
   are more detailed. I also have added some "FIXME:" descriptions in them.

Thanks and best regards,
Zeng
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@...
(Continue reading)

Josh Triplett | 23 Aug 09:32 2015

poll(2) and select(2) should document spurious EAGAIN for portable programs

On some systems (reported by Jeremy Sequoia as occurring on Darwin),
poll(2) and select(2) can spuriously return EAGAIN if they fail to
allocate kernel-internal resources, rather than ENOMEM as Linux does.
The spec allows this for poll(2):
http://pubs.opengroup.org/onlinepubs/9699919799/functions/poll.html says
poll may return EAGAIN if "The allocation of internal data structures
failed but a subsequent request may succeed."  The spec for select(2)
at http://pubs.opengroup.org/onlinepubs/9699919799/functions/select.html
doesn't specify EAGAIN, but apparently Darwin can return it in that case
too.

I'd suggest the following text for poll(2)'s NOTES section:

Some other UNIX systems can return EAGAIN if they fail to allocate
kernel-internal resources, rather than ENOMEM as Linux does.  The Single
Unix Specification allows this behavior for poll(2).  Portable programs
may wish to check for EAGAIN and loop, just as with EINTR.

And the following text for select(2)'s NOTES section:

Some other UNIX systems can return EAGAIN if they fail to allocate
kernel-internal resources, rather than ENOMEM as Linux does.  The Single
Unix Specification allows this behavior for poll(2), but not for
select(2); nonetheless, some systems do return EAGAIN from select(2).
Portable programs may wish to check for EAGAIN and loop, just as with
EINTR.

- Josh Triplett
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
(Continue reading)


Gmane