Message-ID: <ca7ea599-a51e-54a7-4e77-22909a0da0d0@gmail.com>
Date: Mon, 18 Jul 2016 08:47:02 +0200
From: "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>
To: lkml <linux-kernel@...r.kernel.org>
Cc: mtk.manpages@...il.com
Subject: man-pages-4.07 is released
Gidday,

The Linux man-pages maintainer proudly announces:

    man-pages-4.07 - man pages for Linux

This release includes input and contributions from
around 50 people. Over 140 pages saw changes, ranging
from typo fixes through to page rewrites and 4 newly
created pages.

Tarball download:
    http://www.kernel.org/doc/man-pages/download.html
Git repository:
    https://git.kernel.org/cgit/docs/man-pages/man-pages.git/
Online changelog:
    http://man7.org/linux/man-pages/changelog.html#release_4.07

A short summary of the release is blogged at:
http://linux-man-pages.blogspot.com/2016/07/man-pages-407-is-released.html

The current version of the pages is browsable at:
http://man7.org/linux/man-pages/

A selection of changes in this release that may be of interest
to readers on LKML is shown below.

Cheers,

Michael
==================== Changes in man-pages-4.07 ====================
Released: 2016-07-17, Ulm
New and rewritten pages
-----------------------

ioctl_fideduperange.2
    Darrick J. Wong  [Christoph Hellwig, Michael Kerrisk]
        New page documenting the FIDEDUPERANGE ioctl

        Document the FIDEDUPERANGE ioctl, formerly known as
        BTRFS_IOC_EXTENT_SAME.

ioctl_ficlonerange.2
    Darrick J. Wong  [Christoph Hellwig, Michael Kerrisk]
        New page documenting FICLONE and FICLONERANGE ioctls

        Document the FICLONE and FICLONERANGE ioctls, formerly known as
        the BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls.

mount_namespaces.7
    Michael Kerrisk  [Michael Kerrisk]
        New page describing mount namespaces
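The two new ioctl pages above describe the dedupe/clone interfaces that moved out of the Btrfs-specific ioctls. What follows is an added example (my own code, not from the man-pages project) that exercises FIDEDUPERANGE on two temporary files, first with identical and then with differing contents. Two things are worth seeing in practice: the kernel compares the bytes itself and reports FILE_DEDUPE_RANGE_DIFFERS instead of sharing non-identical extents, so a caller cannot use dedupe to make a destination take on foreign data; and a failure for an individual destination comes back in info[].status while the ioctl itself returns 0. It assumes Linux headers 4.5 or later (linux/fs.h defines FIDEDUPERANGE) and a writable /tmp; on a file system without reflink support (ext4, tmpfs) expect EOPNOTSUPP or EINVAL rather than a successful dedupe.

```c
/* Added example: FIDEDUPERANGE on two temp files. Not from the man-pages
 * project. Build: cc -Wall -o dedupe dedupe.c   (Linux headers >= 4.5) */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/fs.h>

#define RANGE_LEN 65536         /* whole blocks: dedupe is block granular */
#define DEDUPE_DIFFERS (-1)     /* kernel compared the bytes and refused */
#define SETUP_FAILED   (-2)     /* could not create the temporary files */

/* Create an unlinked temp file holding RANGE_LEN bytes of 'fill'.
 * mkstemp() opens it O_RDWR; a destination must be open for writing
 * unless the caller is privileged (newer kernels also accept the owner). */
static int make_file(char *tmpl, unsigned char fill)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);                /* the fd keeps the file alive */
    unsigned char *buf = malloc(RANGE_LEN);
    if (buf == NULL) {
        close(fd);
        return -1;
    }
    memset(buf, fill, RANGE_LEN);
    ssize_t n = write(fd, buf, RANGE_LEN);
    free(buf);
    if (n != RANGE_LEN) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Ask the kernel to share the first 'len' bytes of src_fd with dst_fd.
 * Returns 0 if the extents are now shared, DEDUPE_DIFFERS if the contents
 * were not identical, or a positive errno (EINVAL/EOPNOTSUPP on file
 * systems that cannot reflink, EXDEV across file systems). Errors for one
 * destination are reported in info[].status, not as an ioctl error. */
int dedupe_range(int src_fd, int dst_fd, unsigned long long len)
{
    struct file_dedupe_range *req =
        calloc(1, sizeof(*req) + sizeof(struct file_dedupe_range_info));
    if (req == NULL)
        return ENOMEM;
    req->src_offset = 0;
    req->src_length = len;
    req->dest_count = 1;         /* one destination record follows */
    req->info[0].dest_fd = dst_fd;
    req->info[0].dest_offset = 0;

    int rc = 0;
    if (ioctl(src_fd, FIDEDUPERANGE, req) < 0)
        rc = errno;                              /* request as a whole rejected */
    else if (req->info[0].status == FILE_DEDUPE_RANGE_DIFFERS)
        rc = DEDUPE_DIFFERS;
    else if (req->info[0].status < 0)
        rc = -req->info[0].status;               /* per-destination errno */
    free(req);
    return rc;
}

/* Build a source/destination pair with the given fill bytes, run the
 * dedupe and clean up. Returns dedupe_range()'s result or SETUP_FAILED. */
int dedupe_pair(unsigned char src_fill, unsigned char dst_fill)
{
    char src[] = "/tmp/dedupe-src-XXXXXX";
    char dst[] = "/tmp/dedupe-dst-XXXXXX";
    int sfd = make_file(src, src_fill);
    int dfd = make_file(dst, dst_fill);
    int rc = SETUP_FAILED;
    if (sfd >= 0 && dfd >= 0)
        rc = dedupe_range(sfd, dfd, RANGE_LEN);
    if (sfd >= 0)
        close(sfd);
    if (dfd >= 0)
        close(dfd);
    return rc;
}

static const char *describe(int rc)
{
    if (rc == 0)              return "extents now shared";
    if (rc == DEDUPE_DIFFERS) return "refused: contents differ";
    if (rc == SETUP_FAILED)   return "could not create test files";
    return strerror(rc);
}

int main(void)
{
    printf("identical files: %s\n", describe(dedupe_pair(0x41, 0x41)));
    printf("different files: %s\n", describe(dedupe_pair(0x41, 0x42)));
    return 0;
}
```

On Btrfs or XFS with reflink enabled the first line reports shared extents and the second the refusal; elsewhere both report the file system's inability to share, which a caller should treat as "fall back to a plain copy", not as data corruption.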
Newly documented interfaces in existing pages
---------------------------------------------

mount.2
    Michael Kerrisk
        Document flags used to set propagation type

        Document MS_SHARED, MS_PRIVATE, MS_SLAVE, and MS_UNBINDABLE.

    Michael Kerrisk
        Document the MS_REC flag

ptrace.2
    Michael Kerrisk  [Kees Cook, Jann Horn, Eric W. Biederman, Stephen Smalley]
        Document ptrace access modes

proc.5
    Michael Kerrisk
        Document /proc/[pid]/timerslack_ns

    Michael Kerrisk
        Document /proc/PID/status 'Ngid' field

    Michael Kerrisk
        Document /proc/PID/status fields: 'NStgid', 'NSpid', 'NSpgid', 'NSsid'

    Michael Kerrisk
        Document /proc/PID/status 'Umask' field
Changes to individual pages
---------------------------

ldd.1
    Michael Kerrisk
        Add a little more detail on why ldd is unsafe with untrusted executables

futex.2
    Michael Kerrisk
        Correct an ENOSYS error description

        Since Linux 4.5, FUTEX_CLOCK_REALTIME is allowed with FUTEX_WAIT.

    Michael Kerrisk  [Darren Hart]
        Remove crufty text about FUTEX_WAIT_BITSET interpretation of timeout

        Since Linux 4.5, FUTEX_WAIT also understands
        FUTEX_CLOCK_REALTIME.

    Michael Kerrisk  [Thomas Gleixner]
        Explain how to get equivalent of FUTEX_WAIT with an absolute timeout

    Michael Kerrisk
        Describe FUTEX_BITSET_MATCH_ANY

        Describe FUTEX_BITSET_MATCH_ANY and FUTEX_WAIT and FUTEX_WAKE
        equivalences.

    Michael Kerrisk  [Thomas Gleixner, Darren Hart]
        Fix descriptions of various timeouts

    Michael Kerrisk
        Clarify clock default and choices for FUTEX_WAIT

kcmp.2
    Michael Kerrisk
        kcmp() is governed by PTRACE_MODE_READ_REALCREDS

mount.2
    Michael Kerrisk
        Restructure discussion of 'mountflags' into functional groups

        The existing text makes no differentiation between different
        "classes" of mount flags. However, certain flags such as
        MS_REMOUNT, MS_BIND, MS_MOVE, etc. determine the general
        type of operation that mount() performs. Furthermore, the
        choice of which class of operation to perform is performed in
        a certain order, and that order is significant if multiple
        flags are specified. Restructure and extend the text to
        reflect these details.

    Michael Kerrisk
        Since Linux 2.6.26, bind mounts can be made read-only

process_vm_readv.2
    Michael Kerrisk
        Rephrase permission rules in terms of a ptrace access mode check

ptrace.2
    Michael Kerrisk  [Jann Horn]
        Update Yama ptrace_scope documentation

        Reframe the discussion in terms of PTRACE_MODE_ATTACH checks,
        and make a few other minor tweaks and additions.

    Michael Kerrisk, Jann Horn
        Note that user namespaces can be used to bypass Yama protections

    Michael Kerrisk
        Note that PTRACE_SEIZE is subject to a ptrace access mode check

    Michael Kerrisk
        Rephrase PTRACE_ATTACH permissions in terms of ptrace access mode check

wait.2
    Michael Kerrisk
        Since Linux 4.7, __WALL is implied if child being ptraced

    Michael Kerrisk
        waitid() now (since Linux 4.7) also supports __WNOTHREAD/__WCLONE/__WALL

proc.5
    Michael Kerrisk
        /proc/PID/fd/* are governed by PTRACE_MODE_READ_FSCREDS

        Permission to dereference/readlink /proc/PID/fd/* symlinks is
        governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

    Michael Kerrisk
        /proc/PID/timerslack_ns is governed by PTRACE_MODE_ATTACH_FSCREDS

        Permission to access /proc/PID/timerslack_ns is governed by
        a PTRACE_MODE_ATTACH_FSCREDS ptrace access mode check.

    Michael Kerrisk
        Document /proc/PID/{maps,mem,pagemap} access mode checks

        Permission to access /proc/PID/{maps,pagemap} is governed by a
        PTRACE_MODE_READ_FSCREDS ptrace access mode check.

        Permission to access /proc/PID/mem is governed by a
        PTRACE_MODE_ATTACH_FSCREDS ptrace access mode check.

    Michael Kerrisk
        Note /proc/PID/stat fields that are governed by PTRACE_MODE_READ_FSCREDS

    Michael Kerrisk
        /proc/PID/{cwd,exe,root} are governed by PTRACE_MODE_READ_FSCREDS

        Permission to dereference/readlink /proc/PID/{cwd,exe,root} is
        governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

    Michael Kerrisk
        /proc/PID/io is governed by PTRACE_MODE_READ_FSCREDS

        Permission to access /proc/PID/io is governed by
        a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

    Michael Kerrisk
        /proc/PID/{personality,stack,syscall} are governed by PTRACE_MODE_ATTACH_FSCREDS

        Permission to access /proc/PID/{personality,stack,syscall} is
        governed by a PTRACE_MODE_ATTACH_FSCREDS ptrace access mode check.

    Michael Kerrisk
        /proc/PID/{auxv,environ,wchan} are governed by PTRACE_MODE_READ_FSCREDS

        Permission to access /proc/PID/{auxv,environ,wchan} is governed by
        a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

    Michael Kerrisk
        Move shared subtree /proc/PID/mountinfo fields to mount_namespaces(7)

        Move information on shared subtree fields in /proc/PID/mountinfo
        to mount_namespaces(7).

    Michael Kerrisk  ["Yuming Ma(马玉明)"]
        Note that /proc/net is now virtualized per network namespace

namespaces.7
    Michael Kerrisk
        /proc/PID/ns/* are governed by PTRACE_MODE_READ_FSCREDS

        Permission to dereference/readlink /proc/PID/ns/* symlinks is
        governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

    Michael Kerrisk
        Nowadays, file changes in /proc/PID/mounts are notified differently

        Exceptional condition for select(), (E)POLLPRI for (e)poll
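The proc.5 and namespaces.7 entries above restate the permissions on a long list of /proc/PID files in terms of ptrace access mode checks. The following added example (my own code, not from the pages) makes that check visible from user space: a child process optionally clears its dumpable attribute with PR_SET_DUMPABLE, and the parent then tries to open /proc/<child>/status, environ and mem. status is not subject to any ptrace check, so it opens either way; environ (PTRACE_MODE_READ_FSCREDS) and mem (PTRACE_MODE_ATTACH_FSCREDS) open for a dumpable child owned by the same user, but once the child is non-dumpable the open fails with EACCES unless the caller holds CAP_SYS_PTRACE, which the helper reads from the CapEff line of /proc/self/status. Linux only; the mem probe is additionally subject to Yama's ptrace_scope, which is why it is shown but not relied upon.

```c
/* Added example: ptrace access mode checks on /proc/PID files, as seen
 * through PR_SET_DUMPABLE. Not from the man-pages project.
 * Build: cc -Wall -o procaccess procaccess.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Does the caller hold CAP_SYS_PTRACE (capability number 19) in its
 * effective set? Parsed from the CapEff line of /proc/self/status. */
int have_cap_sys_ptrace(void)
{
    FILE *fp = fopen("/proc/self/status", "r");
    if (fp == NULL)
        return 0;
    char line[256];
    unsigned long long caps = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            caps = strtoull(line + 7, NULL, 16);
            break;
        }
    }
    fclose(fp);
    return (int)((caps >> 19) & 1);
}

/* Fork a child, clear its dumpable attribute if requested, and try to open
 * /proc/<child>/<name> read-only from the parent. Returns 0 if the open
 * succeeded, open()'s errno if not, or -1 on setup failure. */
int probe_proc_file(const char *name, int child_dumpable)
{
    int ready[2];
    if (pipe(ready) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                         /* child: the target */
        close(ready[0]);
        if (!child_dumpable && prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
            _exit(2);
        if (write(ready[1], "r", 1) != 1)   /* tell the parent we are set up */
            _exit(3);
        close(ready[1]);
        for (;;)
            pause();                        /* wait to be killed */
    }

    close(ready[1]);                        /* parent: the accessor */
    char byte;
    int result = -1;
    if (read(ready[0], &byte, 1) == 1) {
        char path[64];
        snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
        int fd = open(path, O_RDONLY);      /* the access mode check happens here */
        result = fd >= 0 ? 0 : errno;
        if (fd >= 0)
            close(fd);
    }
    close(ready[0]);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    /* status: no ptrace check. environ: PTRACE_MODE_READ_FSCREDS.
     * mem: PTRACE_MODE_ATTACH_FSCREDS (Yama ptrace_scope applies too). */
    static const char *files[] = { "status", "environ", "mem" };
    printf("caller has CAP_SYS_PTRACE: %s\n", have_cap_sys_ptrace() ? "yes" : "no");
    for (int dumpable = 1; dumpable >= 0; dumpable--) {
        for (size_t i = 0; i < 3; i++) {
            int rc = probe_proc_file(files[i], dumpable);
            printf("child dumpable=%d  /proc/PID/%-7s -> %s\n", dumpable, files[i],
                   rc == 0 ? "open OK" : rc > 0 ? strerror(rc) : "setup failed");
        }
    }
    return 0;
}
```

The practical consequence for a daemon that handles secrets: calling prctl(PR_SET_DUMPABLE, 0) after start-up (the kernel does this automatically when a set-user-ID program is executed) is what keeps environ, maps and mem from being read by other processes of the same user, because the ptrace access mode check refuses a non-dumpable target to anyone without CAP_SYS_PTRACE.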
netlink.7
    Andrey Vagin
        Describe netlink socket options

unix.7
    Michael Kerrisk
        Move discussion on pathname socket permissions to DESCRIPTION

    Michael Kerrisk
        Expand discussion of socket permissions

    Michael Kerrisk
        Fix statement about permissions needed to connect to a UNIX domain socket

        Read permission is not required (verified by experiment).

    Michael Kerrisk
        Clarify ownership and permissions assigned during socket creation

    Michael Kerrisk  [Carsten Grohmann]
        Update text on socket permissions on other systems

        At least some of the modern BSDs seem to check for write
        permission on a socket. (I tested OpenBSD 5.9.) On Solaris 10,
        some light testing suggested that write permission is still
        not checked on that system.

    Michael Kerrisk
        Note that umask / permissions have no effect for abstract sockets

    Michael Kerrisk
        Note that abstract sockets automatically disappear when FDs are closed
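The unix.7 entries above state the rules that matter when a socket file is used as an access-control point: connect() on a pathname socket needs write permission on the socket file (plus search permission on the directories leading to it) and not read permission, while for abstract sockets neither umask nor file modes apply and the name disappears with the last file descriptor. The added example below (my own code, not from unix(7)) checks each claim from one unprivileged process: a listening socket is created under a private directory in /tmp, chmod'ed to 0200 or 0400, and connected to; then an abstract socket is bound under umask 0777, connected to, closed, and connected to again. Run as root, the 0400 case also succeeds because CAP_DAC_OVERRIDE bypasses the file permission check. Linux only; it assumes a writable /tmp.

```c
/* Added example: UNIX domain socket permission checks. Not from the
 * man-pages project. Build: cc -Wall -o unixperm unixperm.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill a sockaddr_un for 'name'. For the abstract namespace sun_path[0]
 * stays NUL and the address length covers exactly the name bytes. */
static socklen_t make_addr(struct sockaddr_un *sa, const char *name, int abstract)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (abstract) {
        int n = snprintf(sa->sun_path + 1, sizeof sa->sun_path - 1, "%s", name);
        return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
    }
    snprintf(sa->sun_path, sizeof sa->sun_path, "%s", name);
    return sizeof *sa;
}

/* Bound, listening stream socket for 'name'; -1 on failure. */
static int make_listener(const char *name, int abstract)
{
    struct sockaddr_un sa;
    socklen_t len = make_addr(&sa, name, abstract);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* connect() to 'name'; 0 on success, otherwise errno. */
static int try_connect(const char *name, int abstract)
{
    struct sockaddr_un sa;
    socklen_t len = make_addr(&sa, name, abstract);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    int rc = connect(fd, (struct sockaddr *)&sa, len) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* Pathname socket in a private temp dir, chmod'ed to 'mode', then a
 * connect() attempt. Returns 0, connect()'s errno, or -1 on setup error. */
int connect_with_mode(mode_t mode)
{
    char dir[] = "/tmp/unixperm-XXXXXX", path[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/sock", dir);
    int lfd = make_listener(path, 0);
    int rc = -1;
    if (lfd >= 0 && chmod(path, mode) == 0)
        rc = try_connect(path, 0);    /* kernel checks MAY_WRITE on the file */
    if (lfd >= 0)
        close(lfd);
    unlink(path);
    rmdir(dir);
    return rc;
}

/* Abstract socket bound under a fully restrictive umask (no effect there).
 * *while_open receives the connect() result while the listener exists (0);
 * the return value is the result after the listener's last fd is closed
 * (ECONNREFUSED: the name went away with it). -1 on setup failure. */
int abstract_socket_lifecycle(int *while_open)
{
    char name[40];
    snprintf(name, sizeof name, "unixperm-demo-%d", (int)getpid());
    mode_t old = umask(0777);
    int lfd = make_listener(name, 1);
    umask(old);
    if (lfd < 0)
        return -1;
    *while_open = try_connect(name, 1);
    close(lfd);
    return try_connect(name, 1);
}

int main(void)
{
    int open_rc = -1;
    printf("pathname socket, mode 0200: %s\n", strerror(connect_with_mode(0200)));
    printf("pathname socket, mode 0400: %s\n", strerror(connect_with_mode(0400)));
    int closed_rc = abstract_socket_lifecycle(&open_rc);
    printf("abstract socket while listener open: %s; after close: %s\n",
           strerror(open_rc), strerror(closed_rc));
    return 0;
}
```

The converse of the first result is the one to remember when locking a socket down: a mode of 0600 on the socket file plus a 0700 parent directory restricts connect() to the owner, whereas making the file unreadable alone changes nothing, and an abstract socket cannot be restricted by file permissions at all (use SO_PEERCRED or SCM_CREDENTIALS checks in the server instead).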
user_namespaces.7
    Michael Kerrisk  [Michał Zegan]
        Clarify meaning of privilege in a user namespace

        Having privilege in a user NS only allows privileged
        operations on resources governed by that user NS. Many
        privileged operations relate to resources that have no
        association with any namespace type, and only processes
        with privilege in the initial user NS can perform those
        operations.

        See https://bugzilla.kernel.org/show_bug.cgi?id=120671

    Michael Kerrisk  [Michał Zegan]
        List the mount operations permitted by CAP_SYS_ADMIN

        List the mount operations permitted by CAP_SYS_ADMIN in a
        noninitial userns.

        See https://bugzilla.kernel.org/show_bug.cgi?id=120671

    Michael Kerrisk
        Clarify details of CAP_SYS_ADMIN and cgroup v1 mounts

        With respect to cgroups version 1, CAP_SYS_ADMIN in the user
        namespace allows only *named* hierarchies to be mounted (and
        not hierarchies that have a controller).

    Michael Kerrisk
        Clarify CAP_SYS_ADMIN details for mounting FS_USERNS_MOUNT filesystems

    Michael Kerrisk
        Correct user namespace rules for mounting /proc

    Michael Kerrisk
        Describe a concrete example of capability checking

        Add a concrete example of how the kernel checks capabilities in
        an associated user namespace when a process attempts a privileged
        operation.
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/