1prctl(2) System Calls Manual prctl(2)
2
6 prctl - operations on a process or thread
7
9 Standard C library (libc, -lc)
10
12 #include <sys/prctl.h>
13 int prctl(int option, unsigned long arg2, unsigned long arg3,
15 unsigned long arg4, unsigned long arg5);
16
18 prctl() manipulates various aspects of the behavior of the calling
19 thread or process.
20 Note that careless use of some prctl() operations can confuse the user-
22 space run-time environment, so these operations should be used with
23 care.
24 prctl() is called with a first argument describing what to do (with
26 values defined in <linux/prctl.h>), and further arguments with a sig‐
27 nificance depending on the first one. The first argument can be:
28 PR_CAP_AMBIENT (since Linux 4.3)
30 Reads or changes the ambient capability set of the calling
31 thread, according to the value of arg2, which must be one of the
32 following:
33 PR_CAP_AMBIENT_RAISE
35 The capability specified in arg3 is added to the ambient
36 set. The specified capability must already be present in
37 both the permitted and the inheritable sets of the
38 process. This operation is not permitted if the
39 SECBIT_NO_CAP_AMBIENT_RAISE securebit is set.
40 PR_CAP_AMBIENT_LOWER
42 The capability specified in arg3 is removed from the am‐
43 bient set.
44 PR_CAP_AMBIENT_IS_SET
46 The prctl() call returns 1 if the capability in arg3 is
47 in the ambient set and 0 if it is not.
48 PR_CAP_AMBIENT_CLEAR_ALL
50 All capabilities will be removed from the ambient set.
51 This operation requires setting arg3 to zero.
52 In all of the above operations, arg4 and arg5 must be specified
54 as 0.
55 Higher-level interfaces layered on top of the above operations
57 are provided in the libcap(3) library in the form of cap_get_am‐
58 bient(3), cap_set_ambient(3), and cap_reset_ambient(3).
59 PR_CAPBSET_READ (since Linux 2.6.25)
61 Return (as the function result) 1 if the capability specified in
62 arg2 is in the calling thread's capability bounding set, or 0 if
63 it is not. (The capability constants are defined in <linux/ca‐
64 pability.h>.) The capability bounding set dictates whether the
65 process can receive the capability through a file's permitted
66 capability set on a subsequent call to execve(2).
67 If the capability specified in arg2 is not valid, then the call
69 fails with the error EINVAL.
70 A higher-level interface layered on top of this operation is
72 provided in the libcap(3) library in the form of
73 cap_get_bound(3).
74 PR_CAPBSET_DROP (since Linux 2.6.25)
76 If the calling thread has the CAP_SETPCAP capability within its
77 user namespace, then drop the capability specified by arg2 from
78 the calling thread's capability bounding set. Any children of
79 the calling thread will inherit the newly reduced bounding set.
80 The call fails with the error: EPERM if the calling thread does
82 not have the CAP_SETPCAP; EINVAL if arg2 does not represent a
83 valid capability; or EINVAL if file capabilities are not enabled
84 in the kernel, in which case bounding sets are not supported.
85 A higher-level interface layered on top of this operation is
87 provided in the libcap(3) library in the form of
88 cap_drop_bound(3).
89 PR_SET_CHILD_SUBREAPER (since Linux 3.4)
91 If arg2 is nonzero, set the "child subreaper" attribute of the
92 calling process; if arg2 is zero, unset the attribute.
93 A subreaper fulfills the role of init(1) for its descendant pro‐
95 cesses. When a process becomes orphaned (i.e., its immediate
96 parent terminates), then that process will be reparented to the
97 nearest still living ancestor subreaper. Subsequently, calls to
98 getppid(2) in the orphaned process will now return the PID of
99 the subreaper process, and when the orphan terminates, it is the
100 subreaper process that will receive a SIGCHLD signal and will be
101 able to wait(2) on the process to discover its termination sta‐
102 tus.
103 The setting of the "child subreaper" attribute is not inherited
105 by children created by fork(2) and clone(2). The setting is
106 preserved across execve(2).
107 Establishing a subreaper process is useful in session management
109 frameworks where a hierarchical group of processes is managed by
110 a subreaper process that needs to be informed when one of the
111 processes—for example, a double-forked daemon—terminates (per‐
112 haps so that it can restart that process). Some init(1) frame‐
113 works (e.g., systemd(1)) employ a subreaper process for similar
114 reasons.
115 PR_GET_CHILD_SUBREAPER (since Linux 3.4)
117 Return the "child subreaper" setting of the caller, in the loca‐
118 tion pointed to by (int *) arg2.
119 PR_SET_DUMPABLE (since Linux 2.3.20)
121 Set the state of the "dumpable" attribute, which determines
122 whether core dumps are produced for the calling process upon de‐
123 livery of a signal whose default behavior is to produce a core
124 dump.
125 Up to and including Linux 2.6.12, arg2 must be either 0
127 (SUID_DUMP_DISABLE, process is not dumpable) or 1
128 (SUID_DUMP_USER, process is dumpable). Between Linux 2.6.13 and
129 Linux 2.6.17, the value 2 was also permitted, which caused any
130 binary which normally would not be dumped to be dumped readable
131 by root only; for security reasons, this feature has been re‐
132 moved. (See also the description of /proc/sys/fs/suid_dumpable
133 in proc(5).)
134 Normally, the "dumpable" attribute is set to 1. However, it is
136 reset to the current value contained in the file /proc/sys/fs/
137 suid_dumpable (which by default has the value 0), in the follow‐
138 ing circumstances:
139 • The process's effective user or group ID is changed.
141 • The process's filesystem user or group ID is changed (see
143 credentials(7)).
144 • The process executes (execve(2)) a set-user-ID or set-group-
146 ID program, resulting in a change of either the effective
147 user ID or the effective group ID.
148 • The process executes (execve(2)) a program that has file ca‐
150 pabilities (see capabilities(7)), but only if the permitted
151 capabilities gained exceed those already permitted for the
152 process.
153 Processes that are not dumpable can not be attached via
155 ptrace(2) PTRACE_ATTACH; see ptrace(2) for further details.
156 If a process is not dumpable, the ownership of files in the
158 process's /proc/pid directory is affected as described in
159 proc(5).
160 PR_GET_DUMPABLE (since Linux 2.3.20)
162 Return (as the function result) the current state of the calling
163 process's dumpable attribute.
164 PR_SET_ENDIAN (since Linux 2.6.18, PowerPC only)
166 Set the endian-ness of the calling process to the value given in
167 arg2, which should be one of the following: PR_ENDIAN_BIG,
168 PR_ENDIAN_LITTLE, or PR_ENDIAN_PPC_LITTLE (PowerPC pseudo little
169 endian).
170 PR_GET_ENDIAN (since Linux 2.6.18, PowerPC only)
172 Return the endian-ness of the calling process, in the location
173 pointed to by (int *) arg2.
174 PR_SET_FP_MODE (since Linux 4.0, only on MIPS)
176 On the MIPS architecture, user-space code can be built using an
177 ABI which permits linking with code that has more restrictive
178 floating-point (FP) requirements. For example, user-space code
179 may be built to target the O32 FPXX ABI and linked with code
180 built for either one of the more restrictive FP32 or FP64 ABIs.
181 When more restrictive code is linked in, the overall requirement
182 for the process is to use the more restrictive floating-point
183 mode.
184 Because the kernel has no means of knowing in advance which mode
186 the process should be executed in, and because these restric‐
187 tions can change over the lifetime of the process, the
188 PR_SET_FP_MODE operation is provided to allow control of the
189 floating-point mode from user space.
190 The (unsigned int) arg2 argument is a bit mask describing the
192 floating-point mode used:
193 PR_FP_MODE_FR
195 When this bit is unset (so called FR=0 or FR0 mode), the
196 32 floating-point registers are 32 bits wide, and 64-bit
197 registers are represented as a pair of registers (even-
198 and odd- numbered, with the even-numbered register con‐
199 taining the lower 32 bits, and the odd-numbered register
200 containing the higher 32 bits).
201 When this bit is set (on supported hardware), the 32
203 floating-point registers are 64 bits wide (so called FR=1
204 or FR1 mode). Note that modern MIPS implementations
205 (MIPS R6 and newer) support FR=1 mode only.
206 Applications that use the O32 FP32 ABI can operate only
208 when this bit is unset (FR=0; or they can be used with
209 FRE enabled, see below). Applications that use the O32
210 FP64 ABI (and the O32 FP64A ABI, which exists to provide
211 the ability to operate with existing FP32 code; see be‐
212 low) can operate only when this bit is set (FR=1). Ap‐
213 plications that use the O32 FPXX ABI can operate with ei‐
214 ther FR=0 or FR=1 .
215 PR_FP_MODE_FRE
217 Enable emulation of 32-bit floating-point mode. When
218 this mode is enabled, it emulates 32-bit floating-point
219 operations by raising a reserved-instruction exception on
220 every instruction that uses 32-bit formats and the kernel
221 then handles the instruction in software. (The problem
222 lies in the discrepancy of handling odd-numbered regis‐
223 ters which are the high 32 bits of 64-bit registers with
224 even numbers in FR=0 mode and the lower 32-bit parts of
225 odd-numbered 64-bit registers in FR=1 mode.) Enabling
226 this bit is necessary when code with the O32 FP32 ABI
227 should operate with code with compatible the O32 FPXX or
228 O32 FP64A ABIs (which require FR=1 FPU mode) or when it
229 is executed on newer hardware (MIPS R6 onwards) which
230 lacks FR=0 mode support when a binary with the FP32 ABI
231 is used.
232 Note that this mode makes sense only when the FPU is in
234 64-bit mode (FR=1).
235 Note that the use of emulation inherently has a signifi‐
237 cant performance hit and should be avoided if possible.
238 In the N32/N64 ABI, 64-bit floating-point mode is always used,
240 so FPU emulation is not required and the FPU always operates in
241 FR=1 mode.
242 This option is mainly intended for use by the dynamic linker
244 (ld.so(8)).
245 The arguments arg3, arg4, and arg5 are ignored.
247 PR_GET_FP_MODE (since Linux 4.0, only on MIPS)
249 Return (as the function result) the current floating-point mode
250 (see the description of PR_SET_FP_MODE for details).
251 On success, the call returns a bit mask which represents the
253 current floating-point mode.
254 The arguments arg2, arg3, arg4, and arg5 are ignored.
256 PR_SET_FPEMU (since Linux 2.4.18, 2.5.9, only on ia64)
258 Set floating-point emulation control bits to arg2. Pass
259 PR_FPEMU_NOPRINT to silently emulate floating-point operation
260 accesses, or PR_FPEMU_SIGFPE to not emulate floating-point oper‐
261 ations and send SIGFPE instead.
262 PR_GET_FPEMU (since Linux 2.4.18, 2.5.9, only on ia64)
264 Return floating-point emulation control bits, in the location
265 pointed to by (int *) arg2.
266 PR_SET_FPEXC (since Linux 2.4.21, 2.5.32, only on PowerPC)
268 Set floating-point exception mode to arg2. Pass
269 PR_FP_EXC_SW_ENABLE to use FPEXC for FP exception enables,
270 PR_FP_EXC_DIV for floating-point divide by zero, PR_FP_EXC_OVF
271 for floating-point overflow, PR_FP_EXC_UND for floating-point
272 underflow, PR_FP_EXC_RES for floating-point inexact result,
273 PR_FP_EXC_INV for floating-point invalid operation,
274 PR_FP_EXC_DISABLED for FP exceptions disabled, PR_FP_EXC_NONRE‐
275 COV for async nonrecoverable exception mode, PR_FP_EXC_ASYNC for
276 async recoverable exception mode, PR_FP_EXC_PRECISE for precise
277 exception mode.
278 PR_GET_FPEXC (since Linux 2.4.21, 2.5.32, only on PowerPC)
280 Return floating-point exception mode, in the location pointed to
281 by (int *) arg2.
282 PR_SET_IO_FLUSHER (since Linux 5.6)
284 If a user process is involved in the block layer or filesystem
285 I/O path, and can allocate memory while processing I/O requests
286 it must set arg2 to 1. This will put the process in the
287 IO_FLUSHER state, which allows it special treatment to make
288 progress when allocating memory. If arg2 is 0, the process will
289 clear the IO_FLUSHER state, and the default behavior will be
290 used.
291 The calling process must have the CAP_SYS_RESOURCE capability.
293 arg3, arg4, and arg5 must be zero.
295 The IO_FLUSHER state is inherited by a child process created via
297 fork(2) and is preserved across execve(2).
298 Examples of IO_FLUSHER applications are FUSE daemons, SCSI de‐
300 vice emulation daemons, and daemons that perform error handling
301 like multipath path recovery applications.
302 PR_GET_IO_FLUSHER (Since Linux 5.6)
304 Return (as the function result) the IO_FLUSHER state of the
305 caller. A value of 1 indicates that the caller is in the
306 IO_FLUSHER state; 0 indicates that the caller is not in the
307 IO_FLUSHER state.
308 The calling process must have the CAP_SYS_RESOURCE capability.
310 arg2, arg3, arg4, and arg5 must be zero.
312 PR_SET_KEEPCAPS (since Linux 2.2.18)
314 Set the state of the calling thread's "keep capabilities" flag.
315 The effect of this flag is described in capabilities(7). arg2
316 must be either 0 (clear the flag) or 1 (set the flag). The
317 "keep capabilities" value will be reset to 0 on subsequent calls
318 to execve(2).
319 PR_GET_KEEPCAPS (since Linux 2.2.18)
321 Return (as the function result) the current state of the calling
322 thread's "keep capabilities" flag. See capabilities(7) for a
323 description of this flag.
324 PR_MCE_KILL (since Linux 2.6.32)
326 Set the machine check memory corruption kill policy for the
327 calling thread. If arg2 is PR_MCE_KILL_CLEAR, clear the thread
328 memory corruption kill policy and use the system-wide default.
329 (The system-wide default is defined by /proc/sys/vm/memory_fail‐
330 ure_early_kill; see proc(5).) If arg2 is PR_MCE_KILL_SET, use a
331 thread-specific memory corruption kill policy. In this case,
332 arg3 defines whether the policy is early kill
333 (PR_MCE_KILL_EARLY), late kill (PR_MCE_KILL_LATE), or the sys‐
334 tem-wide default (PR_MCE_KILL_DEFAULT). Early kill means that
335 the thread receives a SIGBUS signal as soon as hardware memory
336 corruption is detected inside its address space. In late kill
337 mode, the process is killed only when it accesses a corrupted
338 page. See sigaction(2) for more information on the SIGBUS sig‐
339 nal. The policy is inherited by children. The remaining unused
340 prctl() arguments must be zero for future compatibility.
341 PR_MCE_KILL_GET (since Linux 2.6.32)
343 Return (as the function result) the current per-process machine
344 check kill policy. All unused prctl() arguments must be zero.
345 PR_SET_MM (since Linux 3.3)
347 Modify certain kernel memory map descriptor fields of the call‐
348 ing process. Usually these fields are set by the kernel and dy‐
349 namic loader (see ld.so(8) for more information) and a regular
350 application should not use this feature. However, there are
351 cases, such as self-modifying programs, where a program might
352 find it useful to change its own memory map.
353 The calling process must have the CAP_SYS_RESOURCE capability.
355 The value in arg2 is one of the options below, while arg3 pro‐
356 vides a new value for the option. The arg4 and arg5 arguments
357 must be zero if unused.
358 Before Linux 3.10, this feature is available only if the kernel
360 is built with the CONFIG_CHECKPOINT_RESTORE option enabled.
361 PR_SET_MM_START_CODE
363 Set the address above which the program text can run.
364 The corresponding memory area must be readable and exe‐
365 cutable, but not writable or shareable (see mprotect(2)
366 and mmap(2) for more information).
367 PR_SET_MM_END_CODE
369 Set the address below which the program text can run.
370 The corresponding memory area must be readable and exe‐
371 cutable, but not writable or shareable.
372 PR_SET_MM_START_DATA
374 Set the address above which initialized and uninitialized
375 (bss) data are placed. The corresponding memory area
376 must be readable and writable, but not executable or
377 shareable.
378 PR_SET_MM_END_DATA
380 Set the address below which initialized and uninitialized
381 (bss) data are placed. The corresponding memory area
382 must be readable and writable, but not executable or
383 shareable.
384 PR_SET_MM_START_STACK
386 Set the start address of the stack. The corresponding
387 memory area must be readable and writable.
388 PR_SET_MM_START_BRK
390 Set the address above which the program heap can be ex‐
391 panded with brk(2) call. The address must be greater
392 than the ending address of the current program data seg‐
393 ment. In addition, the combined size of the resulting
394 heap and the size of the data segment can't exceed the
395 RLIMIT_DATA resource limit (see setrlimit(2)).
396 PR_SET_MM_BRK
398 Set the current brk(2) value. The requirements for the
399 address are the same as for the PR_SET_MM_START_BRK op‐
400 tion.
401 The following options are available since Linux 3.5.
403 PR_SET_MM_ARG_START
405 Set the address above which the program command line is
406 placed.
407 PR_SET_MM_ARG_END
409 Set the address below which the program command line is
410 placed.
411 PR_SET_MM_ENV_START
413 Set the address above which the program environment is
414 placed.
415 PR_SET_MM_ENV_END
417 Set the address below which the program environment is
418 placed.
419 The address passed with PR_SET_MM_ARG_START,
421 PR_SET_MM_ARG_END, PR_SET_MM_ENV_START, and
422 PR_SET_MM_ENV_END should belong to a process stack area.
423 Thus, the corresponding memory area must be readable,
424 writable, and (depending on the kernel configuration)
425 have the MAP_GROWSDOWN attribute set (see mmap(2)).
426 PR_SET_MM_AUXV
428 Set a new auxiliary vector. The arg3 argument should
429 provide the address of the vector. The arg4 is the size
430 of the vector.
431 PR_SET_MM_EXE_FILE
433 Supersede the /proc/pid/exe symbolic link with a new one
434 pointing to a new executable file identified by the file
435 descriptor provided in arg3 argument. The file descrip‐
436 tor should be obtained with a regular open(2) call.
437 To change the symbolic link, one needs to unmap all ex‐
439 isting executable memory areas, including those created
440 by the kernel itself (for example the kernel usually cre‐
441 ates at least one executable memory area for the ELF
442 .text section).
443 In Linux 4.9 and earlier, the PR_SET_MM_EXE_FILE opera‐
445 tion can be performed only once in a process's lifetime;
446 attempting to perform the operation a second time results
447 in the error EPERM. This restriction was enforced for
448 security reasons that were subsequently deemed specious,
449 and the restriction was removed in Linux 4.10 because
450 some user-space applications needed to perform this oper‐
451 ation more than once.
452 The following options are available since Linux 3.18.
454 PR_SET_MM_MAP
456 Provides one-shot access to all the addresses by passing
457 in a struct prctl_mm_map (as defined in <linux/prctl.h>).
458 The arg4 argument should provide the size of the struct.
459 This feature is available only if the kernel is built
461 with the CONFIG_CHECKPOINT_RESTORE option enabled.
462 PR_SET_MM_MAP_SIZE
464 Returns the size of the struct prctl_mm_map the kernel
465 expects. This allows user space to find a compatible
466 struct. The arg4 argument should be a pointer to an un‐
467 signed int.
468 This feature is available only if the kernel is built
470 with the CONFIG_CHECKPOINT_RESTORE option enabled.
471 PR_SET_VMA (since Linux 5.17)
473 Sets an attribute specified in arg2 for virtual memory areas
474 starting from the address specified in arg3 and spanning the
475 size specified in arg4. arg5 specifies the value of the attri‐
476 bute to be set.
477 Note that assigning an attribute to a virtual memory area might
479 prevent it from being merged with adjacent virtual memory areas
480 due to the difference in that attribute's value.
481 Currently, arg2 must be one of:
483 PR_SET_VMA_ANON_NAME
485 Set a name for anonymous virtual memory areas. arg5
486 should be a pointer to a null-terminated string contain‐
487 ing the name. The name length including null byte cannot
488 exceed 80 bytes. If arg5 is NULL, the name of the appro‐
489 priate anonymous virtual memory areas will be reset. The
490 name can contain only printable ascii characters (includ‐
491 ing space), except '[', ']', '\', '$', and '`'.
492 PR_MPX_ENABLE_MANAGEMENT, PR_MPX_DISABLE_MANAGEMENT (since Linux 3.19,
494 removed in Linux 5.4; only on x86)
495 Enable or disable kernel management of Memory Protection eXten‐
496 sions (MPX) bounds tables. The arg2, arg3, arg4, and arg5 argu‐
497 ments must be zero.
498 MPX is a hardware-assisted mechanism for performing bounds
500 checking on pointers. It consists of a set of registers storing
501 bounds information and a set of special instruction prefixes
502 that tell the CPU on which instructions it should do bounds en‐
503 forcement. There is a limited number of these registers and
504 when there are more pointers than registers, their contents must
505 be "spilled" into a set of tables. These tables are called
506 "bounds tables" and the MPX prctl() operations control whether
507 the kernel manages their allocation and freeing.
508 When management is enabled, the kernel will take over allocation
510 and freeing of the bounds tables. It does this by trapping the
511 #BR exceptions that result at first use of missing bounds tables
512 and instead of delivering the exception to user space, it allo‐
513 cates the table and populates the bounds directory with the lo‐
514 cation of the new table. For freeing, the kernel checks to see
515 if bounds tables are present for memory which is not allocated,
516 and frees them if so.
517 Before enabling MPX management using PR_MPX_ENABLE_MANAGEMENT,
519 the application must first have allocated a user-space buffer
520 for the bounds directory and placed the location of that direc‐
521 tory in the bndcfgu register.
522 These calls fail if the CPU or kernel does not support MPX.
524 Kernel support for MPX is enabled via the CONFIG_X86_INTEL_MPX
525 configuration option. You can check whether the CPU supports
526 MPX by looking for the mpx CPUID bit, like with the following
527 command:
528 cat /proc/cpuinfo | grep ' mpx '
530 A thread may not switch in or out of long (64-bit) mode while
532 MPX is enabled.
533 All threads in a process are affected by these calls.
535 The child of a fork(2) inherits the state of MPX management.
537 During execve(2), MPX management is reset to a state as if
538 PR_MPX_DISABLE_MANAGEMENT had been called.
539 For further information on Intel MPX, see the kernel source file
541 Documentation/x86/intel_mpx.txt.
542 Due to a lack of toolchain support, PR_MPX_ENABLE_MANAGEMENT and
544 PR_MPX_DISABLE_MANAGEMENT are not supported in Linux 5.4 and
545 later.
546 PR_SET_NAME (since Linux 2.6.9)
548 Set the name of the calling thread, using the value in the loca‐
549 tion pointed to by (char *) arg2. The name can be up to 16
550 bytes long, including the terminating null byte. (If the length
551 of the string, including the terminating null byte, exceeds 16
552 bytes, the string is silently truncated.) This is the same at‐
553 tribute that can be set via pthread_setname_np(3) and retrieved
554 using pthread_getname_np(3). The attribute is likewise accessi‐
555 ble via /proc/self/task/tid/comm (see proc(5)), where tid is the
556 thread ID of the calling thread, as returned by gettid(2).
557 PR_GET_NAME (since Linux 2.6.11)
559 Return the name of the calling thread, in the buffer pointed to
560 by (char *) arg2. The buffer should allow space for up to 16
561 bytes; the returned string will be null-terminated.
562 PR_SET_NO_NEW_PRIVS (since Linux 3.5)
564 Set the calling thread's no_new_privs attribute to the value in
565 arg2. With no_new_privs set to 1, execve(2) promises not to
566 grant privileges to do anything that could not have been done
567 without the execve(2) call (for example, rendering the set-user-
568 ID and set-group-ID mode bits, and file capabilities non-func‐
569 tional). Once set, the no_new_privs attribute cannot be unset.
570 The setting of this attribute is inherited by children created
571 by fork(2) and clone(2), and preserved across execve(2).
572 Since Linux 4.10, the value of a thread's no_new_privs attribute
574 can be viewed via the NoNewPrivs field in the /proc/pid/status
575 file.
576 For more information, see the kernel source file Documenta‐
578 tion/userspace-api/no_new_privs.rst (or Documenta‐
579 tion/prctl/no_new_privs.txt before Linux 4.13). See also sec‐
580 comp(2).
581 PR_GET_NO_NEW_PRIVS (since Linux 3.5)
583 Return (as the function result) the value of the no_new_privs
584 attribute for the calling thread. A value of 0 indicates the
585 regular execve(2) behavior. A value of 1 indicates execve(2)
586 will operate in the privilege-restricting mode described above.
587 PR_PAC_RESET_KEYS (since Linux 5.0, only on arm64)
589 Securely reset the thread's pointer authentication keys to fresh
590 random values generated by the kernel.
591 The set of keys to be reset is specified by arg2, which must be
593 a logical OR of zero or more of the following:
594 PR_PAC_APIAKEY
596 instruction authentication key A
597 PR_PAC_APIBKEY
599 instruction authentication key B
600 PR_PAC_APDAKEY
602 data authentication key A
603 PR_PAC_APDBKEY
605 data authentication key B
606 PR_PAC_APGAKEY
608 generic authentication “A” key.
609 (Yes folks, there really is no generic B key.)
611 As a special case, if arg2 is zero, then all the keys are reset.
613 Since new keys could be added in future, this is the recommended
614 way to completely wipe the existing keys when establishing a
615 clean execution context. Note that there is no need to use
616 PR_PAC_RESET_KEYS in preparation for calling execve(2), since
617 execve(2) resets all the pointer authentication keys.
618 The remaining arguments arg3, arg4, and arg5 must all be zero.
620 If the arguments are invalid, and in particular if arg2 contains
622 set bits that are unrecognized or that correspond to a key not
623 available on this platform, then the call fails with error EIN‐
624 VAL.
625 Warning: Because the compiler or run-time environment may be us‐
627 ing some or all of the keys, a successful PR_PAC_RESET_KEYS may
628 crash the calling process. The conditions for using it safely
629 are complex and system-dependent. Don't use it unless you know
630 what you are doing.
631 For more information, see the kernel source file Documenta‐
633 tion/arm64/pointer-authentication.rst (or Documenta‐
634 tion/arm64/pointer-authentication.txt before Linux 5.3).
635 PR_SET_PDEATHSIG (since Linux 2.1.57)
637 Set the parent-death signal of the calling process to arg2 (ei‐
638 ther a signal value in the range 1..NSIG-1, or 0 to clear).
639 This is the signal that the calling process will get when its
640 parent dies.
641 Warning: the "parent" in this case is considered to be the
643 thread that created this process. In other words, the signal
644 will be sent when that thread terminates (via, for example,
645 pthread_exit(3)), rather than after all of the threads in the
646 parent process terminate.
647 The parent-death signal is sent upon subsequent termination of
649 the parent thread and also upon termination of each subreaper
650 process (see the description of PR_SET_CHILD_SUBREAPER above) to
651 which the caller is subsequently reparented. If the parent
652 thread and all ancestor subreapers have already terminated by
653 the time of the PR_SET_PDEATHSIG operation, then no parent-death
654 signal is sent to the caller.
655 The parent-death signal is process-directed (see signal(7)) and,
657 if the child installs a handler using the sigaction(2) SA_SIG‐
658 INFO flag, the si_pid field of the siginfo_t argument of the
659 handler contains the PID of the terminating parent process.
660 The parent-death signal setting is cleared for the child of a
662 fork(2). It is also (since Linux 2.4.36 / 2.6.23) cleared when
663 executing a set-user-ID or set-group-ID binary, or a binary that
664 has associated capabilities (see capabilities(7)); otherwise,
665 this value is preserved across execve(2). The parent-death sig‐
666 nal setting is also cleared upon changes to any of the following
667 thread credentials: effective user ID, effective group ID,
668 filesystem user ID, or filesystem group ID.
669 PR_GET_PDEATHSIG (since Linux 2.3.15)
671 Return the current value of the parent process death signal, in
672 the location pointed to by (int *) arg2.
673 PR_SET_PTRACER (since Linux 3.4)
675 This is meaningful only when the Yama LSM is enabled and in mode
676 1 ("restricted ptrace", visible via /proc/sys/ker‐
677 nel/yama/ptrace_scope). When a "ptracer process ID" is passed
678 in arg2, the caller is declaring that the ptracer process can
679 ptrace(2) the calling process as if it were a direct process an‐
680 cestor. Each PR_SET_PTRACER operation replaces the previous
681 "ptracer process ID". Employing PR_SET_PTRACER with arg2 set to
682 0 clears the caller's "ptracer process ID". If arg2 is
683 PR_SET_PTRACER_ANY, the ptrace restrictions introduced by Yama
684 are effectively disabled for the calling process.
685 For further information, see the kernel source file Documenta‐
687 tion/admin-guide/LSM/Yama.rst (or Documentation/secu‐
688 rity/Yama.txt before Linux 4.13).
689 PR_SET_SECCOMP (since Linux 2.6.23)
691 Set the secure computing (seccomp) mode for the calling thread,
692 to limit the available system calls. The more recent seccomp(2)
693 system call provides a superset of the functionality of
694 PR_SET_SECCOMP, and is the preferred interface for new applica‐
695 tions.
696 The seccomp mode is selected via arg2. (The seccomp constants
698 are defined in <linux/seccomp.h>.) The following values can be
699 specified:
700 SECCOMP_MODE_STRICT (since Linux 2.6.23)
702 See the description of SECCOMP_SET_MODE_STRICT in sec‐
703 comp(2).
704 This operation is available only if the kernel is config‐
706 ured with CONFIG_SECCOMP enabled.
707 SECCOMP_MODE_FILTER (since Linux 3.5)
709 The allowed system calls are defined by a pointer to a
710 Berkeley Packet Filter passed in arg3. This argument is
711 a pointer to struct sock_fprog; it can be designed to
712 filter arbitrary system calls and system call arguments.
713 See the description of SECCOMP_SET_MODE_FILTER in sec‐
714 comp(2).
715 This operation is available only if the kernel is config‐
717 ured with CONFIG_SECCOMP_FILTER enabled.
718 For further details on seccomp filtering, see seccomp(2).
720 PR_GET_SECCOMP (since Linux 2.6.23)
722 Return (as the function result) the secure computing mode of the
723 calling thread. If the caller is not in secure computing mode,
724 this operation returns 0; if the caller is in strict secure com‐
725 puting mode, then the prctl() call will cause a SIGKILL signal
726 to be sent to the process. If the caller is in filter mode, and
727 this system call is allowed by the seccomp filters, it returns
728 2; otherwise, the process is killed with a SIGKILL signal.
729 This operation is available only if the kernel is configured
731 with CONFIG_SECCOMP enabled.
732 Since Linux 3.8, the Seccomp field of the /proc/pid/status file
734 provides a method of obtaining the same information, without the
735 risk that the process is killed; see proc(5).
736 PR_SET_SECUREBITS (since Linux 2.6.26)
738 Set the "securebits" flags of the calling thread to the value
739 supplied in arg2. See capabilities(7).
740 PR_GET_SECUREBITS (since Linux 2.6.26)
742 Return (as the function result) the "securebits" flags of the
743 calling thread. See capabilities(7).
744 PR_GET_SPECULATION_CTRL (since Linux 4.17)
746 Return (as the function result) the state of the speculation
747 misfeature specified in arg2. Currently, the only permitted
748 value for this argument is PR_SPEC_STORE_BYPASS (otherwise the
749 call fails with the error ENODEV).
750 The return value uses bits 0-3 with the following meaning:
752 PR_SPEC_PRCTL
754 Mitigation can be controlled per thread by PR_SET_SPECU‐
755 LATION_CTRL.
756 PR_SPEC_ENABLE
758 The speculation feature is enabled, mitigation is dis‐
759 abled.
760 PR_SPEC_DISABLE
762 The speculation feature is disabled, mitigation is en‐
763 abled.
764 PR_SPEC_FORCE_DISABLE
766 Same as PR_SPEC_DISABLE but cannot be undone.
767 PR_SPEC_DISABLE_NOEXEC (since Linux 5.1)
769 Same as PR_SPEC_DISABLE, but the state will be cleared on
770 execve(2).
771 If all bits are 0, then the CPU is not affected by the specula‐
773 tion misfeature.
774 If PR_SPEC_PRCTL is set, then per-thread control of the mitiga‐
776 tion is available. If not set, prctl() for the speculation mis‐
777 feature will fail.
778 The arg3, arg4, and arg5 arguments must be specified as 0; oth‐
780 erwise the call fails with the error EINVAL.
781 PR_SET_SPECULATION_CTRL (since Linux 4.17)
783 Sets the state of the speculation misfeature specified in arg2.
784 The speculation-misfeature settings are per-thread attributes.
785 Currently, arg2 must be one of:
787 PR_SPEC_STORE_BYPASS
789 Set the state of the speculative store bypass misfeature.
790 PR_SPEC_INDIRECT_BRANCH (since Linux 4.20)
792 Set the state of the indirect branch speculation misfea‐
793 ture.
794 If arg2 does not have one of the above values, then the call
796 fails with the error ENODEV.
797 The arg3 argument is used to hand in the control value, which is
799 one of the following:
800 PR_SPEC_ENABLE
802 The speculation feature is enabled, mitigation is dis‐
803 abled.
804 PR_SPEC_DISABLE
806 The speculation feature is disabled, mitigation is en‐
807 abled.
808 PR_SPEC_FORCE_DISABLE
810 Same as PR_SPEC_DISABLE, but cannot be undone. A subse‐
811 quent prctl(arg2, PR_SPEC_ENABLE) with the same value for
812 arg2 will fail with the error EPERM.
813 PR_SPEC_DISABLE_NOEXEC (since Linux 5.1)
815 Same as PR_SPEC_DISABLE, but the state will be cleared on
816 execve(2). Currently only supported for arg2 equal to
817 PR_SPEC_STORE_BYPASS.
818 Any unsupported value in arg3 will result in the call failing
820 with the error ERANGE.
821 The arg4 and arg5 arguments must be specified as 0; otherwise
823 the call fails with the error EINVAL.
824 The speculation feature can also be controlled by the
826 spec_store_bypass_disable boot parameter. This parameter may
827 enforce a read-only policy which will result in the prctl() call
828 failing with the error ENXIO. For further details, see the ker‐
829 nel source file Documentation/admin-guide/kernel-parameters.txt.
830 PR_SVE_SET_VL (since Linux 4.15, only on arm64)
832 Configure the thread's SVE vector length, as specified by (int)
833 arg2. Arguments arg3, arg4, and arg5 are ignored.
834 The bits of arg2 corresponding to PR_SVE_VL_LEN_MASK must be set
836 to the desired vector length in bytes. This is interpreted as
837 an upper bound: the kernel will select the greatest available
838 vector length that does not exceed the value specified. In par‐
839 ticular, specifying SVE_VL_MAX (defined in <asm/sigcontext.h>)
840 for the PR_SVE_VL_LEN_MASK bits requests the maximum supported
841 vector length.
842 In addition, the other bits of arg2 must be set to one of the
844 following combinations of flags:
845 0 Perform the change immediately. At the next execve(2) in
847 the thread, the vector length will be reset to the value
848 configured in /proc/sys/abi/sve_default_vector_length.
849 PR_SVE_VL_INHERIT
851 Perform the change immediately. Subsequent execve(2)
852 calls will preserve the new vector length.
853 PR_SVE_SET_VL_ONEXEC
855 Defer the change, so that it is performed at the next ex‐
856 ecve(2) in the thread. Further execve(2) calls will re‐
857 set the vector length to the value configured in
858 /proc/sys/abi/sve_default_vector_length.
859 PR_SVE_SET_VL_ONEXEC | PR_SVE_VL_INHERIT
861 Defer the change, so that it is performed at the next ex‐
862 ecve(2) in the thread. Further execve(2) calls will pre‐
863 serve the new vector length.
864 In all cases, any previously pending deferred change is can‐
866 celed.
867 The call fails with error EINVAL if SVE is not supported on the
869 platform, if arg2 is unrecognized or invalid, or the value in
870 the bits of arg2 corresponding to PR_SVE_VL_LEN_MASK is outside
871 the range SVE_VL_MIN..SVE_VL_MAX or is not a multiple of 16.
872 On success, a nonnegative value is returned that describes the
874 selected configuration. If PR_SVE_SET_VL_ONEXEC was included in
875 arg2, then the configuration described by the return value will
876 take effect at the next execve(2). Otherwise, the configuration
877 is already in effect when the PR_SVE_SET_VL call returns. In
878 either case, the value is encoded in the same way as the return
879 value of PR_SVE_GET_VL. Note that there is no explicit flag in
880 the return value corresponding to PR_SVE_SET_VL_ONEXEC.
881 The configuration (including any pending deferred change) is in‐
883 herited across fork(2) and clone(2).
884 For more information, see the kernel source file Documenta‐
886 tion/arm64/sve.rst (or Documentation/arm64/sve.txt before Linux
887 5.3).
888 Warning: Because the compiler or run-time environment may be us‐
890 ing SVE, using this call without the PR_SVE_SET_VL_ONEXEC flag
891 may crash the calling process. The conditions for using it
892 safely are complex and system-dependent. Don't use it unless
893 you really know what you are doing.
894 PR_SVE_GET_VL (since Linux 4.15, only on arm64)
896 Get the thread's current SVE vector length configuration.
897 Arguments arg2, arg3, arg4, and arg5 are ignored.
899 Provided that the kernel and platform support SVE, this opera‐
901 tion always succeeds, returning a nonnegative value that de‐
902 scribes the current configuration. The bits corresponding to
903 PR_SVE_VL_LEN_MASK contain the currently configured vector
904 length in bytes. The bit corresponding to PR_SVE_VL_INHERIT in‐
905 dicates whether the vector length will be inherited across ex‐
906 ecve(2).
907 Note that there is no way to determine whether there is a pend‐
909 ing vector length change that has not yet taken effect.
910 For more information, see the kernel source file Documenta‐
912 tion/arm64/sve.rst (or Documentation/arm64/sve.txt before Linux
913 5.3).
914 PR_SET_SYSCALL_USER_DISPATCH (since Linux 5.11, x86 only)
916 Configure the Syscall User Dispatch mechanism for the calling
917 thread. This mechanism allows an application to selectively in‐
918 tercept system calls so that they can be handled within the ap‐
919 plication itself. Interception takes the form of a thread-di‐
920 rected SIGSYS signal that is delivered to the thread when it
921 makes a system call. If intercepted, the system call is not ex‐
922 ecuted by the kernel.
923 To enable this mechanism, arg2 should be set to PR_SYS_DIS‐
925 PATCH_ON. Once enabled, further system calls will be selec‐
926 tively intercepted, depending on a control variable provided by
927 user space. In this case, arg3 and arg4 respectively identify
928 the offset and length of a single contiguous memory region in
929 the process address space from where system calls are always al‐
930 lowed to be executed, regardless of the control variable. (Typ‐
931 ically, this area would include the area of memory containing
932 the C library.)
933 arg5 points to a char-sized variable that is a fast switch to
935 allow/block system call execution without the overhead of doing
936 another system call to re-configure Syscall User Dispatch. This
937 control variable can either be set to SYSCALL_DISPATCH_FIL‐
938 TER_BLOCK to block system calls from executing or to
939 SYSCALL_DISPATCH_FILTER_ALLOW to temporarily allow them to be
940 executed. This value is checked by the kernel on every system
941 call entry, and any unexpected value will raise an uncatchable
942 SIGSYS at that time, killing the application.
943 When a system call is intercepted, the kernel sends a thread-di‐
945 rected SIGSYS signal to the triggering thread. Various fields
946 will be set in the siginfo_t structure (see sigaction(2)) asso‐
947 ciated with the signal:
948 • si_signo will contain SIGSYS.
950 • si_call_addr will show the address of the system call in‐
952 struction.
953 • si_syscall and si_arch will indicate which system call was
955 attempted.
956 • si_code will contain SYS_USER_DISPATCH.
958 • si_errno will be set to 0.
960 The program counter will be as though the system call happened
962 (i.e., the program counter will not point to the system call in‐
963 struction).
964 When the signal handler returns to the kernel, the system call
966 completes immediately and returns to the calling thread, without
967 actually being executed. If necessary (i.e., when emulating the
968 system call on user space.), the signal handler should set the
969 system call return value to a sane value, by modifying the reg‐
970 ister context stored in the ucontext argument of the signal han‐
971 dler. See sigaction(2), sigreturn(2), and getcontext(3) for
972 more information.
973 If arg2 is set to PR_SYS_DISPATCH_OFF, Syscall User Dispatch is
975 disabled for that thread. the remaining arguments must be set
976 to 0.
977 The setting is not preserved across fork(2), clone(2), or ex‐
979 ecve(2).
980 For more information, see the kernel source file Documenta‐
982 tion/admin-guide/syscall-user-dispatch.rst
983 PR_SET_TAGGED_ADDR_CTRL (since Linux 5.4, only on arm64)
985 Controls support for passing tagged user-space addresses to the
986 kernel (i.e., addresses where bits 56—63 are not all zero).
987 The level of support is selected by arg2, which can be one of
989 the following:
990 0 Addresses that are passed for the purpose of being deref‐
992 erenced by the kernel must be untagged.
993 PR_TAGGED_ADDR_ENABLE
995 Addresses that are passed for the purpose of being deref‐
996 erenced by the kernel may be tagged, with the exceptions
997 summarized below.
998 The remaining arguments arg3, arg4, and arg5 must all be zero.
1000 On success, the mode specified in arg2 is set for the calling
1002 thread and the return value is 0. If the arguments are invalid,
1003 the mode specified in arg2 is unrecognized, or if this feature
1004 is unsupported by the kernel or disabled via
1005 /proc/sys/abi/tagged_addr_disabled, the call fails with the er‐
1006 ror EINVAL.
1007 In particular, if prctl(PR_SET_TAGGED_ADDR_CTRL, 0, 0, 0, 0)
1009 fails with EINVAL, then all addresses passed to the kernel must
1010 be untagged.
1011 Irrespective of which mode is set, addresses passed to certain
1013 interfaces must always be untagged:
1014 • brk(2), mmap(2), shmat(2), shmdt(2), and the new_address ar‐
1016 gument of mremap(2).
1017 (Prior to Linux 5.6 these accepted tagged addresses, but the
1019 behaviour may not be what you expect. Don't rely on it.)
1020 • ‘polymorphic’ interfaces that accept pointers to arbitrary
1022 types cast to a void * or other generic type, specifically
1023 prctl(), ioctl(2), and in general setsockopt(2) (only certain
1024 specific setsockopt(2) options allow tagged addresses).
1025 This list of exclusions may shrink when moving from one kernel
1027 version to a later kernel version. While the kernel may make
1028 some guarantees for backwards compatibility reasons, for the
1029 purposes of new software the effect of passing tagged addresses
1030 to these interfaces is unspecified.
1031 The mode set by this call is inherited across fork(2) and
1033 clone(2). The mode is reset by execve(2) to 0 (i.e., tagged ad‐
1034 dresses not permitted in the user/kernel ABI).
1035 For more information, see the kernel source file Documenta‐
1037 tion/arm64/tagged-address-abi.rst.
1038 Warning: This call is primarily intended for use by the run-time
1040 environment. A successful PR_SET_TAGGED_ADDR_CTRL call else‐
1041 where may crash the calling process. The conditions for using
1042 it safely are complex and system-dependent. Don't use it unless
1043 you know what you are doing.
1044 PR_GET_TAGGED_ADDR_CTRL (since Linux 5.4, only on arm64)
1046 Returns the current tagged address mode for the calling thread.
1047 Arguments arg2, arg3, arg4, and arg5 must all be zero.
1049 If the arguments are invalid or this feature is disabled or un‐
1051 supported by the kernel, the call fails with EINVAL. In partic‐
1052 ular, if prctl(PR_GET_TAGGED_ADDR_CTRL, 0, 0, 0, 0) fails with
1053 EINVAL, then this feature is definitely either unsupported, or
1054 disabled via /proc/sys/abi/tagged_addr_disabled. In this case,
1055 all addresses passed to the kernel must be untagged.
1056 Otherwise, the call returns a nonnegative value describing the
1058 current tagged address mode, encoded in the same way as the arg2
1059 argument of PR_SET_TAGGED_ADDR_CTRL.
1060 For more information, see the kernel source file Documenta‐
1062 tion/arm64/tagged-address-abi.rst.
1063 PR_TASK_PERF_EVENTS_DISABLE (since Linux 2.6.31)
1065 Disable all performance counters attached to the calling
1066 process, regardless of whether the counters were created by this
1067 process or another process. Performance counters created by the
1068 calling process for other processes are unaffected. For more
1069 information on performance counters, see the Linux kernel source
1070 file tools/perf/design.txt.
1071 Originally called PR_TASK_PERF_COUNTERS_DISABLE; renamed (re‐
1073 taining the same numerical value) in Linux 2.6.32.
1074 PR_TASK_PERF_EVENTS_ENABLE (since Linux 2.6.31)
1076 The converse of PR_TASK_PERF_EVENTS_DISABLE; enable performance
1077 counters attached to the calling process.
1078 Originally called PR_TASK_PERF_COUNTERS_ENABLE; renamed in Linux
1080 2.6.32.
1081 PR_SET_THP_DISABLE (since Linux 3.15)
1083 Set the state of the "THP disable" flag for the calling thread.
1084 If arg2 has a nonzero value, the flag is set, otherwise it is
1085 cleared. Setting this flag provides a method for disabling
1086 transparent huge pages for jobs where the code cannot be modi‐
1087 fied, and using a malloc hook with madvise(2) is not an option
1088 (i.e., statically allocated data). The setting of the "THP dis‐
1089 able" flag is inherited by a child created via fork(2) and is
1090 preserved across execve(2).
1091 PR_GET_THP_DISABLE (since Linux 3.15)
1093 Return (as the function result) the current setting of the "THP
1094 disable" flag for the calling thread: either 1, if the flag is
1095 set, or 0, if it is not.
1096 PR_GET_TID_ADDRESS (since Linux 3.5)
1098 Return the clear_child_tid address set by set_tid_address(2) and
1099 the clone(2) CLONE_CHILD_CLEARTID flag, in the location pointed
1100 to by (int **) arg2. This feature is available only if the ker‐
1101 nel is built with the CONFIG_CHECKPOINT_RESTORE option enabled.
1102 Note that since the prctl() system call does not have a compat
1103 implementation for the AMD64 x32 and MIPS n32 ABIs, and the ker‐
1104 nel writes out a pointer using the kernel's pointer size, this
1105 operation expects a user-space buffer of 8 (not 4) bytes on
1106 these ABIs.
1107 PR_SET_TIMERSLACK (since Linux 2.6.28)
1109 Each thread has two associated timer slack values: a "default"
1110 value, and a "current" value. This operation sets the "current"
1111 timer slack value for the calling thread. arg2 is an unsigned
1112 long value, then maximum "current" value is ULONG_MAX and the
1113 minimum "current" value is 1. If the nanosecond value supplied
1114 in arg2 is greater than zero, then the "current" value is set to
1115 this value. If arg2 is equal to zero, the "current" timer slack
1116 is reset to the thread's "default" timer slack value.
1117 The "current" timer slack is used by the kernel to group timer
1119 expirations for the calling thread that are close to one an‐
1120 other; as a consequence, timer expirations for the thread may be
1121 up to the specified number of nanoseconds late (but will never
1122 expire early). Grouping timer expirations can help reduce sys‐
1123 tem power consumption by minimizing CPU wake-ups.
1124 The timer expirations affected by timer slack are those set by
1126 select(2), pselect(2), poll(2), ppoll(2), epoll_wait(2),
1127 epoll_pwait(2), clock_nanosleep(2), nanosleep(2), and futex(2)
1128 (and thus the library functions implemented via futexes, includ‐
1129 ing pthread_cond_timedwait(3), pthread_mutex_timedlock(3),
1130 pthread_rwlock_timedrdlock(3), pthread_rwlock_timedwrlock(3),
1131 and sem_timedwait(3)).
1132 Timer slack is not applied to threads that are scheduled under a
1134 real-time scheduling policy (see sched_setscheduler(2)).
1135 When a new thread is created, the two timer slack values are
1137 made the same as the "current" value of the creating thread.
1138 Thereafter, a thread can adjust its "current" timer slack value
1139 via PR_SET_TIMERSLACK. The "default" value can't be changed.
1140 The timer slack values of init (PID 1), the ancestor of all pro‐
1141 cesses, are 50,000 nanoseconds (50 microseconds). The timer
1142 slack value is inherited by a child created via fork(2), and is
1143 preserved across execve(2).
1144 Since Linux 4.6, the "current" timer slack value of any process
1146 can be examined and changed via the file /proc/pid/timer‐
1147 slack_ns. See proc(5).
1148 PR_GET_TIMERSLACK (since Linux 2.6.28)
1150 Return (as the function result) the "current" timer slack value
1151 of the calling thread.
1152 PR_SET_TIMING (since Linux 2.6.0)
1154 Set whether to use (normal, traditional) statistical process
1155 timing or accurate timestamp-based process timing, by passing
1156 PR_TIMING_STATISTICAL or PR_TIMING_TIMESTAMP to arg2. PR_TIM‐
1157 ING_TIMESTAMP is not currently implemented (attempting to set
1158 this mode will yield the error EINVAL).
1159 PR_GET_TIMING (since Linux 2.6.0)
1161 Return (as the function result) which process timing method is
1162 currently in use.
1163 PR_SET_TSC (since Linux 2.6.26, x86 only)
1165 Set the state of the flag determining whether the timestamp
1166 counter can be read by the process. Pass PR_TSC_ENABLE to arg2
1167 to allow it to be read, or PR_TSC_SIGSEGV to generate a SIGSEGV
1168 when the process tries to read the timestamp counter.
1169 PR_GET_TSC (since Linux 2.6.26, x86 only)
1171 Return the state of the flag determining whether the timestamp
1172 counter can be read, in the location pointed to by (int *) arg2.
1173 PR_SET_UNALIGN
1175 (Only on: ia64, since Linux 2.3.48; parisc, since Linux 2.6.15;
1176 PowerPC, since Linux 2.6.18; Alpha, since Linux 2.6.22; sh,
1177 since Linux 2.6.34; tile, since Linux 3.12) Set unaligned access
1178 control bits to arg2. Pass PR_UNALIGN_NOPRINT to silently fix
1179 up unaligned user accesses, or PR_UNALIGN_SIGBUS to generate
1180 SIGBUS on unaligned user access. Alpha also supports an addi‐
1181 tional flag with the value of 4 and no corresponding named con‐
1182 stant, which instructs kernel to not fix up unaligned accesses
1183 (it is analogous to providing the UAC_NOFIX flag in SSI_NVPAIRS
1184 operation of the setsysinfo() system call on Tru64).
1185 PR_GET_UNALIGN
1187 (See PR_SET_UNALIGN for information on versions and architec‐
1188 tures.) Return unaligned access control bits, in the location
1189 pointed to by (unsigned int *) arg2.
1190
1192 On success, PR_CAP_AMBIENT+PR_CAP_AMBIENT_IS_SET, PR_CAPBSET_READ,
1193 PR_GET_DUMPABLE, PR_GET_FP_MODE, PR_GET_IO_FLUSHER, PR_GET_KEEPCAPS,
1194 PR_MCE_KILL_GET, PR_GET_NO_NEW_PRIVS, PR_GET_SECUREBITS, PR_GET_SPECU‐
1195 LATION_CTRL, PR_SVE_GET_VL, PR_SVE_SET_VL, PR_GET_TAGGED_ADDR_CTRL,
1196 PR_GET_THP_DISABLE, PR_GET_TIMING, PR_GET_TIMERSLACK, and (if it re‐
1197 turns) PR_GET_SECCOMP return the nonnegative values described above.
1198 All other option values return 0 on success. On error, -1 is returned,
1199 and errno is set to indicate the error.
1200
1202 EACCES option is PR_SET_SECCOMP and arg2 is SECCOMP_MODE_FILTER, but
1203 the process does not have the CAP_SYS_ADMIN capability or has
1204 not set the no_new_privs attribute (see the discussion of
1205 PR_SET_NO_NEW_PRIVS above).
1206 EACCES option is PR_SET_MM, and arg3 is PR_SET_MM_EXE_FILE, the file is
1208 not executable.
1209 EBADF option is PR_SET_MM, arg3 is PR_SET_MM_EXE_FILE, and the file
1211 descriptor passed in arg4 is not valid.
1212 EBUSY option is PR_SET_MM, arg3 is PR_SET_MM_EXE_FILE, and this the
1214 second attempt to change the /proc/pid/exe symbolic link, which
1215 is prohibited.
1216 EFAULT arg2 is an invalid address.
1218 EFAULT option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, the sys‐
1220 tem was built with CONFIG_SECCOMP_FILTER, and arg3 is an invalid
1221 address.
1222 EFAULT option is PR_SET_SYSCALL_USER_DISPATCH and arg5 has an invalid
1224 address.
1225 EINVAL The value of option is not recognized, or not supported on this
1227 system.
1228 EINVAL option is PR_MCE_KILL or PR_MCE_KILL_GET or PR_SET_MM, and un‐
1230 used prctl() arguments were not specified as zero.
1231 EINVAL arg2 is not valid value for this option.
1233 EINVAL option is PR_SET_SECCOMP or PR_GET_SECCOMP, and the kernel was
1235 not configured with CONFIG_SECCOMP.
1236 EINVAL option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, and the
1238 kernel was not configured with CONFIG_SECCOMP_FILTER.
1239 EINVAL option is PR_SET_MM, and one of the following is true
1241 • arg4 or arg5 is nonzero;
1243 • arg3 is greater than TASK_SIZE (the limit on the size of the
1245 user address space for this architecture);
1246 • arg2 is PR_SET_MM_START_CODE, PR_SET_MM_END_CODE,
1248 PR_SET_MM_START_DATA, PR_SET_MM_END_DATA, or
1249 PR_SET_MM_START_STACK, and the permissions of the correspond‐
1250 ing memory area are not as required;
1251 • arg2 is PR_SET_MM_START_BRK or PR_SET_MM_BRK, and arg3 is
1253 less than or equal to the end of the data segment or speci‐
1254 fies a value that would cause the RLIMIT_DATA resource limit
1255 to be exceeded.
1256 EINVAL option is PR_SET_PTRACER and arg2 is not 0, PR_SET_PTRACER_ANY,
1258 or the PID of an existing process.
1259 EINVAL option is PR_SET_PDEATHSIG and arg2 is not a valid signal num‐
1261 ber.
1262 EINVAL option is PR_SET_DUMPABLE and arg2 is neither SUID_DUMP_DISABLE
1264 nor SUID_DUMP_USER.
1265 EINVAL option is PR_SET_TIMING and arg2 is not PR_TIMING_STATISTICAL.
1267 EINVAL option is PR_SET_NO_NEW_PRIVS and arg2 is not equal to 1 or
1269 arg3, arg4, or arg5 is nonzero.
1270 EINVAL option is PR_GET_NO_NEW_PRIVS and arg2, arg3, arg4, or arg5 is
1272 nonzero.
1273 EINVAL option is PR_SET_THP_DISABLE and arg3, arg4, or arg5 is nonzero.
1275 EINVAL option is PR_GET_THP_DISABLE and arg2, arg3, arg4, or arg5 is
1277 nonzero.
1278 EINVAL option is PR_CAP_AMBIENT and an unused argument (arg4, arg5, or,
1280 in the case of PR_CAP_AMBIENT_CLEAR_ALL, arg3) is nonzero; or
1281 arg2 has an invalid value; or arg2 is PR_CAP_AMBIENT_LOWER,
1282 PR_CAP_AMBIENT_RAISE, or PR_CAP_AMBIENT_IS_SET and arg3 does not
1283 specify a valid capability.
1284 EINVAL option was PR_GET_SPECULATION_CTRL or PR_SET_SPECULATION_CTRL
1286 and unused arguments to prctl() are not 0. EINVAL option is
1287 PR_PAC_RESET_KEYS and the arguments are invalid or unsupported.
1288 See the description of PR_PAC_RESET_KEYS above for details.
1289 EINVAL option is PR_SVE_SET_VL and the arguments are invalid or unsup‐
1291 ported, or SVE is not available on this platform. See the de‐
1292 scription of PR_SVE_SET_VL above for details.
1293 EINVAL option is PR_SVE_GET_VL and SVE is not available on this plat‐
1295 form.
1296 EINVAL option is PR_SET_SYSCALL_USER_DISPATCH and one of the following
1298 is true:
1299 • arg2 is PR_SYS_DISPATCH_OFF and the remaining arguments are
1301 not 0;
1302 • arg2 is PR_SYS_DISPATCH_ON and the memory range specified is
1304 outside the address space of the process.
1305 • arg2 is invalid.
1307 EINVAL option is PR_SET_TAGGED_ADDR_CTRL and the arguments are invalid
1309 or unsupported. See the description of PR_SET_TAGGED_ADDR_CTRL
1310 above for details.
1311 EINVAL option is PR_GET_TAGGED_ADDR_CTRL and the arguments are invalid
1313 or unsupported. See the description of PR_GET_TAGGED_ADDR_CTRL
1314 above for details.
1315 ENODEV option was PR_SET_SPECULATION_CTRL the kernel or CPU does not
1317 support the requested speculation misfeature.
1318 ENXIO option was PR_MPX_ENABLE_MANAGEMENT or PR_MPX_DISABLE_MANAGEMENT
1320 and the kernel or the CPU does not support MPX management.
1321 Check that the kernel and processor have MPX support.
1322 ENXIO option was PR_SET_SPECULATION_CTRL implies that the control of
1324 the selected speculation misfeature is not possible. See
1325 PR_GET_SPECULATION_CTRL for the bit fields to determine which
1326 option is available.
1327 EOPNOTSUPP
1329 option is PR_SET_FP_MODE and arg2 has an invalid or unsupported
1330 value.
1331 EPERM option is PR_SET_SECUREBITS, and the caller does not have the
1333 CAP_SETPCAP capability, or tried to unset a "locked" flag, or
1334 tried to set a flag whose corresponding locked flag was set (see
1335 capabilities(7)).
1336 EPERM option is PR_SET_SPECULATION_CTRL wherein the speculation was
1338 disabled with PR_SPEC_FORCE_DISABLE and caller tried to enable
1339 it again.
1340 EPERM option is PR_SET_KEEPCAPS, and the caller's
1342 SECBIT_KEEP_CAPS_LOCKED flag is set (see capabilities(7)).
1343 EPERM option is PR_CAPBSET_DROP, and the caller does not have the
1345 CAP_SETPCAP capability.
1346 EPERM option is PR_SET_MM, and the caller does not have the
1348 CAP_SYS_RESOURCE capability.
1349 EPERM option is PR_CAP_AMBIENT and arg2 is PR_CAP_AMBIENT_RAISE, but
1351 either the capability specified in arg3 is not present in the
1352 process's permitted and inheritable capability sets, or the
1353 PR_CAP_AMBIENT_LOWER securebit has been set.
1354 ERANGE option was PR_SET_SPECULATION_CTRL and arg3 is not PR_SPEC_EN‐
1356 ABLE, PR_SPEC_DISABLE, PR_SPEC_FORCE_DISABLE, nor PR_SPEC_DIS‐
1357 ABLE_NOEXEC.
1358
1360 IRIX has a prctl() system call (also introduced in Linux 2.1.44 as
1361 irix_prctl on the MIPS architecture), with prototype
1362 ptrdiff_t prctl(int option, int arg2, int arg3);
1364 and options to get the maximum number of processes per user, get the
1366 maximum number of processors the calling process can use, find out
1367 whether a specified process is currently blocked, get or set the maxi‐
1368 mum stack size, and so on.
1369
1371 Linux.
1372
1374 Linux 2.1.57, glibc 2.0.6
1375
1377 signal(2), core(5)
1378Linux man-pages 6.04 2023-04-01 prctl(2)