1PRCTL(2) Linux Programmer's Manual PRCTL(2)
2
6 prctl - operations on a process or thread
7
9 #include <sys/prctl.h>
10 int prctl(int option, unsigned long arg2, unsigned long arg3,
12 unsigned long arg4, unsigned long arg5);
13
15 prctl() manipulates various aspects of the behavior of the calling
16 thread or process.
17 Note that careless use of some prctl() operations can confuse the user-
19 space run-time environment, so these operations should be used with
20 care.
21 prctl() is called with a first argument describing what to do (with
23 values defined in <linux/prctl.h>), and further arguments with a sig‐
24 nificance depending on the first one. The first argument can be:
25 PR_CAP_AMBIENT (since Linux 4.3)
27 Reads or changes the ambient capability set of the calling
28 thread, according to the value of arg2, which must be one of the
29 following:
30 PR_CAP_AMBIENT_RAISE
32 The capability specified in arg3 is added to the ambient
33 set. The specified capability must already be present in
34 both the permitted and the inheritable sets of the
35 process. This operation is not permitted if the
36 SECBIT_NO_CAP_AMBIENT_RAISE securebit is set.
37 PR_CAP_AMBIENT_LOWER
39 The capability specified in arg3 is removed from the am‐
40 bient set.
41 PR_CAP_AMBIENT_IS_SET
43 The prctl() call returns 1 if the capability in arg3 is
44 in the ambient set and 0 if it is not.
45 PR_CAP_AMBIENT_CLEAR_ALL
47 All capabilities will be removed from the ambient set.
48 This operation requires setting arg3 to zero.
49 In all of the above operations, arg4 and arg5 must be specified
51 as 0.
52 Higher-level interfaces layered on top of the above operations
54 are provided in the libcap(3) library in the form of cap_get_am‐
55 bient(3), cap_set_ambient(3), and cap_reset_ambient(3).
56 PR_CAPBSET_READ (since Linux 2.6.25)
58 Return (as the function result) 1 if the capability specified in
59 arg2 is in the calling thread's capability bounding set, or 0 if
60 it is not. (The capability constants are defined in <linux/ca‐
61 pability.h>.) The capability bounding set dictates whether the
62 process can receive the capability through a file's permitted
63 capability set on a subsequent call to execve(2).
64 If the capability specified in arg2 is not valid, then the call
66 fails with the error EINVAL.
67 A higher-level interface layered on top of this operation is
69 provided in the libcap(3) library in the form of
70 cap_get_bound(3).
71 PR_CAPBSET_DROP (since Linux 2.6.25)
73 If the calling thread has the CAP_SETPCAP capability within its
74 user namespace, then drop the capability specified by arg2 from
75 the calling thread's capability bounding set. Any children of
76 the calling thread will inherit the newly reduced bounding set.
77 The call fails with the error: EPERM if the calling thread does
79 not have the CAP_SETPCAP; EINVAL if arg2 does not represent a
80 valid capability; or EINVAL if file capabilities are not enabled
81 in the kernel, in which case bounding sets are not supported.
82 A higher-level interface layered on top of this operation is
84 provided in the libcap(3) library in the form of
85 cap_drop_bound(3).
86 PR_SET_CHILD_SUBREAPER (since Linux 3.4)
88 If arg2 is nonzero, set the "child subreaper" attribute of the
89 calling process; if arg2 is zero, unset the attribute.
90 A subreaper fulfills the role of init(1) for its descendant pro‐
92 cesses. When a process becomes orphaned (i.e., its immediate
93 parent terminates), then that process will be reparented to the
94 nearest still living ancestor subreaper. Subsequently, calls to
95 getppid(2) in the orphaned process will now return the PID of
96 the subreaper process, and when the orphan terminates, it is the
97 subreaper process that will receive a SIGCHLD signal and will be
98 able to wait(2) on the process to discover its termination sta‐
99 tus.
100 The setting of the "child subreaper" attribute is not inherited
102 by children created by fork(2) and clone(2). The setting is
103 preserved across execve(2).
104 Establishing a subreaper process is useful in session management
106 frameworks where a hierarchical group of processes is managed by
107 a subreaper process that needs to be informed when one of the
108 processes—for example, a double-forked daemon—terminates (per‐
109 haps so that it can restart that process). Some init(1) frame‐
110 works (e.g., systemd(1)) employ a subreaper process for similar
111 reasons.
112 PR_GET_CHILD_SUBREAPER (since Linux 3.4)
114 Return the "child subreaper" setting of the caller, in the loca‐
115 tion pointed to by (int *) arg2.
116 PR_SET_DUMPABLE (since Linux 2.3.20)
118 Set the state of the "dumpable" attribute, which determines
119 whether core dumps are produced for the calling process upon de‐
120 livery of a signal whose default behavior is to produce a core
121 dump.
122 In kernels up to and including 2.6.12, arg2 must be either 0
124 (SUID_DUMP_DISABLE, process is not dumpable) or 1
125 (SUID_DUMP_USER, process is dumpable). Between kernels 2.6.13
126 and 2.6.17, the value 2 was also permitted, which caused any bi‐
127 nary which normally would not be dumped to be dumped readable by
128 root only; for security reasons, this feature has been removed.
129 (See also the description of /proc/sys/fs/suid_dumpable in
130 proc(5).)
131 Normally, the "dumpable" attribute is set to 1. However, it is
133 reset to the current value contained in the file /proc/sys/fs/
134 suid_dumpable (which by default has the value 0), in the follow‐
135 ing circumstances:
136 * The process's effective user or group ID is changed.
138 * The process's filesystem user or group ID is changed (see
140 credentials(7)).
141 * The process executes (execve(2)) a set-user-ID or set-group-
143 ID program, resulting in a change of either the effective
144 user ID or the effective group ID.
145 * The process executes (execve(2)) a program that has file ca‐
147 pabilities (see capabilities(7)), but only if the permitted
148 capabilities gained exceed those already permitted for the
149 process.
150 Processes that are not dumpable can not be attached via
152 ptrace(2) PTRACE_ATTACH; see ptrace(2) for further details.
153 If a process is not dumpable, the ownership of files in the
155 process's /proc/[pid] directory is affected as described in
156 proc(5).
157 PR_GET_DUMPABLE (since Linux 2.3.20)
159 Return (as the function result) the current state of the calling
160 process's dumpable attribute.
161 PR_SET_ENDIAN (since Linux 2.6.18, PowerPC only)
163 Set the endian-ness of the calling process to the value given in
164 arg2, which should be one of the following: PR_ENDIAN_BIG,
165 PR_ENDIAN_LITTLE, or PR_ENDIAN_PPC_LITTLE (PowerPC pseudo little
166 endian).
167 PR_GET_ENDIAN (since Linux 2.6.18, PowerPC only)
169 Return the endian-ness of the calling process, in the location
170 pointed to by (int *) arg2.
171 PR_SET_FP_MODE (since Linux 4.0, only on MIPS)
173 On the MIPS architecture, user-space code can be built using an
174 ABI which permits linking with code that has more restrictive
175 floating-point (FP) requirements. For example, user-space code
176 may be built to target the O32 FPXX ABI and linked with code
177 built for either one of the more restrictive FP32 or FP64 ABIs.
178 When more restrictive code is linked in, the overall requirement
179 for the process is to use the more restrictive floating-point
180 mode.
181 Because the kernel has no means of knowing in advance which mode
183 the process should be executed in, and because these restric‐
184 tions can change over the lifetime of the process, the
185 PR_SET_FP_MODE operation is provided to allow control of the
186 floating-point mode from user space.
187 The (unsigned int) arg2 argument is a bit mask describing the
189 floating-point mode used:
190 PR_FP_MODE_FR
192 When this bit is unset (so called FR=0 or FR0 mode), the
193 32 floating-point registers are 32 bits wide, and 64-bit
194 registers are represented as a pair of registers (even-
195 and odd- numbered, with the even-numbered register con‐
196 taining the lower 32 bits, and the odd-numbered register
197 containing the higher 32 bits).
198 When this bit is set (on supported hardware), the 32
200 floating-point registers are 64 bits wide (so called FR=1
201 or FR1 mode). Note that modern MIPS implementations
202 (MIPS R6 and newer) support FR=1 mode only.
203 Applications that use the O32 FP32 ABI can operate only
205 when this bit is unset (FR=0; or they can be used with
206 FRE enabled, see below). Applications that use the O32
207 FP64 ABI (and the O32 FP64A ABI, which exists to provide
208 the ability to operate with existing FP32 code; see be‐
209 low) can operate only when this bit is set (FR=1). Ap‐
210 plications that use the O32 FPXX ABI can operate with ei‐
211 ther FR=0 or FR=1.
212 PR_FP_MODE_FRE
214 Enable emulation of 32-bit floating-point mode. When
215 this mode is enabled, it emulates 32-bit floating-point
216 operations by raising a reserved-instruction exception on
217 every instruction that uses 32-bit formats and the kernel
218 then handles the instruction in software. (The problem
219 lies in the discrepancy of handling odd-numbered regis‐
220 ters which are the high 32 bits of 64-bit registers with
221 even numbers in FR=0 mode and the lower 32-bit parts of
222 odd-numbered 64-bit registers in FR=1 mode.) Enabling
223 this bit is necessary when code with the O32 FP32 ABI
224 should operate with code with compatible the O32 FPXX or
225 O32 FP64A ABIs (which require FR=1 FPU mode) or when it
226 is executed on newer hardware (MIPS R6 onwards) which
227 lacks FR=0 mode support when a binary with the FP32 ABI
228 is used.
229 Note that this mode makes sense only when the FPU is in
231 64-bit mode (FR=1).
232 Note that the use of emulation inherently has a signifi‐
234 cant performance hit and should be avoided if possible.
235 In the N32/N64 ABI, 64-bit floating-point mode is always used,
237 so FPU emulation is not required and the FPU always operates in
238 FR=1 mode.
239 This option is mainly intended for use by the dynamic linker
241 (ld.so(8)).
242 The arguments arg3, arg4, and arg5 are ignored.
244 PR_GET_FP_MODE (since Linux 4.0, only on MIPS)
246 Return (as the function result) the current floating-point mode
247 (see the description of PR_SET_FP_MODE for details).
248 On success, the call returns a bit mask which represents the
250 current floating-point mode.
251 The arguments arg2, arg3, arg4, and arg5 are ignored.
253 PR_SET_FPEMU (since Linux 2.4.18, 2.5.9, only on ia64)
255 Set floating-point emulation control bits to arg2. Pass
256 PR_FPEMU_NOPRINT to silently emulate floating-point operation
257 accesses, or PR_FPEMU_SIGFPE to not emulate floating-point oper‐
258 ations and send SIGFPE instead.
259 PR_GET_FPEMU (since Linux 2.4.18, 2.5.9, only on ia64)
261 Return floating-point emulation control bits, in the location
262 pointed to by (int *) arg2.
263 PR_SET_FPEXC (since Linux 2.4.21, 2.5.32, only on PowerPC)
265 Set floating-point exception mode to arg2. Pass
266 PR_FP_EXC_SW_ENABLE to use FPEXC for FP exception enables,
267 PR_FP_EXC_DIV for floating-point divide by zero, PR_FP_EXC_OVF
268 for floating-point overflow, PR_FP_EXC_UND for floating-point
269 underflow, PR_FP_EXC_RES for floating-point inexact result,
270 PR_FP_EXC_INV for floating-point invalid operation,
271 PR_FP_EXC_DISABLED for FP exceptions disabled, PR_FP_EXC_NONRE‐
272 COV for async nonrecoverable exception mode, PR_FP_EXC_ASYNC for
273 async recoverable exception mode, PR_FP_EXC_PRECISE for precise
274 exception mode.
275 PR_GET_FPEXC (since Linux 2.4.21, 2.5.32, only on PowerPC)
277 Return floating-point exception mode, in the location pointed to
278 by (int *) arg2.
279 PR_SET_IO_FLUSHER (since Linux 5.6)
281 If a user process is involved in the block layer or filesystem
282 I/O path, and can allocate memory while processing I/O requests
283 it must set arg2 to 1. This will put the process in the
284 IO_FLUSHER state, which allows it special treatment to make
285 progress when allocating memory. If arg2 is 0, the process will
286 clear the IO_FLUSHER state, and the default behavior will be
287 used.
288 The calling process must have the CAP_SYS_RESOURCE capability.
290 arg3, arg4, and arg5 must be zero.
292 The IO_FLUSHER state is inherited by a child process created via
294 fork(2) and is preserved across execve(2).
295 Examples of IO_FLUSHER applications are FUSE daemons, SCSI de‐
297 vice emulation daemons, and daemons that perform error handling
298 like multipath path recovery applications.
299 PR_GET_IO_FLUSHER (Since Linux 5.6)
301 Return (as the function result) the IO_FLUSHER state of the
302 caller. A value of 1 indicates that the caller is in the
303 IO_FLUSHER state; 0 indicates that the caller is not in the
304 IO_FLUSHER state.
305 The calling process must have the CAP_SYS_RESOURCE capability.
307 arg2, arg3, arg4, and arg5 must be zero.
309 PR_SET_KEEPCAPS (since Linux 2.2.18)
311 Set the state of the calling thread's "keep capabilities" flag.
312 The effect of this flag is described in capabilities(7). arg2
313 must be either 0 (clear the flag) or 1 (set the flag). The
314 "keep capabilities" value will be reset to 0 on subsequent calls
315 to execve(2).
316 PR_GET_KEEPCAPS (since Linux 2.2.18)
318 Return (as the function result) the current state of the calling
319 thread's "keep capabilities" flag. See capabilities(7) for a
320 description of this flag.
321 PR_MCE_KILL (since Linux 2.6.32)
323 Set the machine check memory corruption kill policy for the
324 calling thread. If arg2 is PR_MCE_KILL_CLEAR, clear the thread
325 memory corruption kill policy and use the system-wide default.
326 (The system-wide default is defined by /proc/sys/vm/memory_fail‐
327 ure_early_kill; see proc(5).) If arg2 is PR_MCE_KILL_SET, use a
328 thread-specific memory corruption kill policy. In this case,
329 arg3 defines whether the policy is early kill
330 (PR_MCE_KILL_EARLY), late kill (PR_MCE_KILL_LATE), or the sys‐
331 tem-wide default (PR_MCE_KILL_DEFAULT). Early kill means that
332 the thread receives a SIGBUS signal as soon as hardware memory
333 corruption is detected inside its address space. In late kill
334 mode, the process is killed only when it accesses a corrupted
335 page. See sigaction(2) for more information on the SIGBUS sig‐
336 nal. The policy is inherited by children. The remaining unused
337 prctl() arguments must be zero for future compatibility.
338 PR_MCE_KILL_GET (since Linux 2.6.32)
340 Return (as the function result) the current per-process machine
341 check kill policy. All unused prctl() arguments must be zero.
342 PR_SET_MM (since Linux 3.3)
344 Modify certain kernel memory map descriptor fields of the call‐
345 ing process. Usually these fields are set by the kernel and dy‐
346 namic loader (see ld.so(8) for more information) and a regular
347 application should not use this feature. However, there are
348 cases, such as self-modifying programs, where a program might
349 find it useful to change its own memory map.
350 The calling process must have the CAP_SYS_RESOURCE capability.
352 The value in arg2 is one of the options below, while arg3 pro‐
353 vides a new value for the option. The arg4 and arg5 arguments
354 must be zero if unused.
355 Before Linux 3.10, this feature is available only if the kernel
357 is built with the CONFIG_CHECKPOINT_RESTORE option enabled.
358 PR_SET_MM_START_CODE
360 Set the address above which the program text can run.
361 The corresponding memory area must be readable and exe‐
362 cutable, but not writable or shareable (see mprotect(2)
363 and mmap(2) for more information).
364 PR_SET_MM_END_CODE
366 Set the address below which the program text can run.
367 The corresponding memory area must be readable and exe‐
368 cutable, but not writable or shareable.
369 PR_SET_MM_START_DATA
371 Set the address above which initialized and uninitialized
372 (bss) data are placed. The corresponding memory area
373 must be readable and writable, but not executable or
374 shareable.
375 PR_SET_MM_END_DATA
377 Set the address below which initialized and uninitialized
378 (bss) data are placed. The corresponding memory area
379 must be readable and writable, but not executable or
380 shareable.
381 PR_SET_MM_START_STACK
383 Set the start address of the stack. The corresponding
384 memory area must be readable and writable.
385 PR_SET_MM_START_BRK
387 Set the address above which the program heap can be ex‐
388 panded with brk(2) call. The address must be greater
389 than the ending address of the current program data seg‐
390 ment. In addition, the combined size of the resulting
391 heap and the size of the data segment can't exceed the
392 RLIMIT_DATA resource limit (see setrlimit(2)).
393 PR_SET_MM_BRK
395 Set the current brk(2) value. The requirements for the
396 address are the same as for the PR_SET_MM_START_BRK op‐
397 tion.
398 The following options are available since Linux 3.5.
400 PR_SET_MM_ARG_START
402 Set the address above which the program command line is
403 placed.
404 PR_SET_MM_ARG_END
406 Set the address below which the program command line is
407 placed.
408 PR_SET_MM_ENV_START
410 Set the address above which the program environment is
411 placed.
412 PR_SET_MM_ENV_END
414 Set the address below which the program environment is
415 placed.
416 The address passed with PR_SET_MM_ARG_START,
418 PR_SET_MM_ARG_END, PR_SET_MM_ENV_START, and
419 PR_SET_MM_ENV_END should belong to a process stack area.
420 Thus, the corresponding memory area must be readable,
421 writable, and (depending on the kernel configuration)
422 have the MAP_GROWSDOWN attribute set (see mmap(2)).
423 PR_SET_MM_AUXV
425 Set a new auxiliary vector. The arg3 argument should
426 provide the address of the vector. The arg4 is the size
427 of the vector.
428 PR_SET_MM_EXE_FILE
430 Supersede the /proc/pid/exe symbolic link with a new one
431 pointing to a new executable file identified by the file
432 descriptor provided in arg3 argument. The file descrip‐
433 tor should be obtained with a regular open(2) call.
434 To change the symbolic link, one needs to unmap all ex‐
436 isting executable memory areas, including those created
437 by the kernel itself (for example the kernel usually cre‐
438 ates at least one executable memory area for the ELF
439 .text section).
440 In Linux 4.9 and earlier, the PR_SET_MM_EXE_FILE opera‐
442 tion can be performed only once in a process's lifetime;
443 attempting to perform the operation a second time results
444 in the error EPERM. This restriction was enforced for
445 security reasons that were subsequently deemed specious,
446 and the restriction was removed in Linux 4.10 because
447 some user-space applications needed to perform this oper‐
448 ation more than once.
449 The following options are available since Linux 3.18.
451 PR_SET_MM_MAP
453 Provides one-shot access to all the addresses by passing
454 in a struct prctl_mm_map (as defined in <linux/prctl.h>).
455 The arg4 argument should provide the size of the struct.
456 This feature is available only if the kernel is built
458 with the CONFIG_CHECKPOINT_RESTORE option enabled.
459 PR_SET_MM_MAP_SIZE
461 Returns the size of the struct prctl_mm_map the kernel
462 expects. This allows user space to find a compatible
463 struct. The arg4 argument should be a pointer to an un‐
464 signed int.
465 This feature is available only if the kernel is built
467 with the CONFIG_CHECKPOINT_RESTORE option enabled.
468 PR_MPX_ENABLE_MANAGEMENT, PR_MPX_DISABLE_MANAGEMENT (since Linux 3.19,
470 removed in Linux 5.4; only on x86)
471 Enable or disable kernel management of Memory Protection eXten‐
472 sions (MPX) bounds tables. The arg2, arg3, arg4, and arg5 argu‐
473 ments must be zero.
474 MPX is a hardware-assisted mechanism for performing bounds
476 checking on pointers. It consists of a set of registers storing
477 bounds information and a set of special instruction prefixes
478 that tell the CPU on which instructions it should do bounds en‐
479 forcement. There is a limited number of these registers and
480 when there are more pointers than registers, their contents must
481 be "spilled" into a set of tables. These tables are called
482 "bounds tables" and the MPX prctl() operations control whether
483 the kernel manages their allocation and freeing.
484 When management is enabled, the kernel will take over allocation
486 and freeing of the bounds tables. It does this by trapping the
487 #BR exceptions that result at first use of missing bounds tables
488 and instead of delivering the exception to user space, it allo‐
489 cates the table and populates the bounds directory with the lo‐
490 cation of the new table. For freeing, the kernel checks to see
491 if bounds tables are present for memory which is not allocated,
492 and frees them if so.
493 Before enabling MPX management using PR_MPX_ENABLE_MANAGEMENT,
495 the application must first have allocated a user-space buffer
496 for the bounds directory and placed the location of that direc‐
497 tory in the bndcfgu register.
498 These calls fail if the CPU or kernel does not support MPX.
500 Kernel support for MPX is enabled via the CONFIG_X86_INTEL_MPX
501 configuration option. You can check whether the CPU supports
502 MPX by looking for the mpx CPUID bit, like with the following
503 command:
504 cat /proc/cpuinfo | grep ' mpx '
506 A thread may not switch in or out of long (64-bit) mode while
508 MPX is enabled.
509 All threads in a process are affected by these calls.
511 The child of a fork(2) inherits the state of MPX management.
513 During execve(2), MPX management is reset to a state as if
514 PR_MPX_DISABLE_MANAGEMENT had been called.
515 For further information on Intel MPX, see the kernel source file
517 Documentation/x86/intel_mpx.txt.
518 Due to a lack of toolchain support, PR_MPX_ENABLE_MANAGEMENT and
520 PR_MPX_DISABLE_MANAGEMENT are not supported in Linux 5.4 and
521 later.
522 PR_SET_NAME (since Linux 2.6.9)
524 Set the name of the calling thread, using the value in the loca‐
525 tion pointed to by (char *) arg2. The name can be up to 16
526 bytes long, including the terminating null byte. (If the length
527 of the string, including the terminating null byte, exceeds 16
528 bytes, the string is silently truncated.) This is the same at‐
529 tribute that can be set via pthread_setname_np(3) and retrieved
530 using pthread_getname_np(3). The attribute is likewise accessi‐
531 ble via /proc/self/task/[tid]/comm (see proc(5)), where [tid] is
532 the thread ID of the calling thread, as returned by gettid(2).
533 PR_GET_NAME (since Linux 2.6.11)
535 Return the name of the calling thread, in the buffer pointed to
536 by (char *) arg2. The buffer should allow space for up to 16
537 bytes; the returned string will be null-terminated.
538 PR_SET_NO_NEW_PRIVS (since Linux 3.5)
540 Set the calling thread's no_new_privs attribute to the value in
541 arg2. With no_new_privs set to 1, execve(2) promises not to
542 grant privileges to do anything that could not have been done
543 without the execve(2) call (for example, rendering the set-user-
544 ID and set-group-ID mode bits, and file capabilities non-func‐
545 tional). Once set, the no_new_privs attribute cannot be unset.
546 The setting of this attribute is inherited by children created
547 by fork(2) and clone(2), and preserved across execve(2).
548 Since Linux 4.10, the value of a thread's no_new_privs attribute
550 can be viewed via the NoNewPrivs field in the /proc/[pid]/status
551 file.
552 For more information, see the kernel source file Documenta‐
554 tion/userspace-api/no_new_privs.rst (or Documenta‐
555 tion/prctl/no_new_privs.txt before Linux 4.13). See also sec‐
556 comp(2).
557 PR_GET_NO_NEW_PRIVS (since Linux 3.5)
559 Return (as the function result) the value of the no_new_privs
560 attribute for the calling thread. A value of 0 indicates the
561 regular execve(2) behavior. A value of 1 indicates execve(2)
562 will operate in the privilege-restricting mode described above.
563 PR_PAC_RESET_KEYS (since Linux 5.0, only on arm64)
565 Securely reset the thread's pointer authentication keys to fresh
566 random values generated by the kernel.
567 The set of keys to be reset is specified by arg2, which must be
569 a logical OR of zero or more of the following:
570 PR_PAC_APIAKEY
572 instruction authentication key A
573 PR_PAC_APIBKEY
575 instruction authentication key B
576 PR_PAC_APDAKEY
578 data authentication key A
579 PR_PAC_APDBKEY
581 data authentication key B
582 PR_PAC_APGAKEY
584 generic authentication “A” key.
585 (Yes folks, there really is no generic B key.)
587 As a special case, if arg2 is zero, then all the keys are reset.
589 Since new keys could be added in future, this is the recommended
590 way to completely wipe the existing keys when establishing a
591 clean execution context. Note that there is no need to use
592 PR_PAC_RESET_KEYS in preparation for calling execve(2), since
593 execve(2) resets all the pointer authentication keys.
594 The remaining arguments arg3, arg4, and arg5 must all be zero.
596 If the arguments are invalid, and in particular if arg2 contains
598 set bits that are unrecognized or that correspond to a key not
599 available on this platform, then the call fails with error EIN‐
600 VAL.
601 Warning: Because the compiler or run-time environment may be us‐
603 ing some or all of the keys, a successful PR_PAC_RESET_KEYS may
604 crash the calling process. The conditions for using it safely
605 are complex and system-dependent. Don't use it unless you know
606 what you are doing.
607 For more information, see the kernel source file Documenta‐
609 tion/arm64/pointer-authentication.rst (or Documenta‐
610 tion/arm64/pointer-authentication.txt before Linux 5.3).
611 PR_SET_PDEATHSIG (since Linux 2.1.57)
613 Set the parent-death signal of the calling process to arg2 (ei‐
614 ther a signal value in the range 1..NSIG-1, or 0 to clear).
615 This is the signal that the calling process will get when its
616 parent dies.
617 Warning: the "parent" in this case is considered to be the
619 thread that created this process. In other words, the signal
620 will be sent when that thread terminates (via, for example,
621 pthread_exit(3)), rather than after all of the threads in the
622 parent process terminate.
623 The parent-death signal is sent upon subsequent termination of
625 the parent thread and also upon termination of each subreaper
626 process (see the description of PR_SET_CHILD_SUBREAPER above) to
627 which the caller is subsequently reparented. If the parent
628 thread and all ancestor subreapers have already terminated by
629 the time of the PR_SET_PDEATHSIG operation, then no parent-death
630 signal is sent to the caller.
631 The parent-death signal is process-directed (see signal(7)) and,
633 if the child installs a handler using the sigaction(2) SA_SIG‐
634 INFO flag, the si_pid field of the siginfo_t argument of the
635 handler contains the PID of the terminating parent process.
636 The parent-death signal setting is cleared for the child of a
638 fork(2). It is also (since Linux 2.4.36 / 2.6.23) cleared when
639 executing a set-user-ID or set-group-ID binary, or a binary that
640 has associated capabilities (see capabilities(7)); otherwise,
641 this value is preserved across execve(2). The parent-death sig‐
642 nal setting is also cleared upon changes to any of the following
643 thread credentials: effective user ID, effective group ID,
644 filesystem user ID, or filesystem group ID.
645 PR_GET_PDEATHSIG (since Linux 2.3.15)
647 Return the current value of the parent process death signal, in
648 the location pointed to by (int *) arg2.
649 PR_SET_PTRACER (since Linux 3.4)
651 This is meaningful only when the Yama LSM is enabled and in mode
652 1 ("restricted ptrace", visible via /proc/sys/ker‐
653 nel/yama/ptrace_scope). When a "ptracer process ID" is passed
654 in arg2, the caller is declaring that the ptracer process can
655 ptrace(2) the calling process as if it were a direct process an‐
656 cestor. Each PR_SET_PTRACER operation replaces the previous
657 "ptracer process ID". Employing PR_SET_PTRACER with arg2 set to
658 0 clears the caller's "ptracer process ID". If arg2 is
659 PR_SET_PTRACER_ANY, the ptrace restrictions introduced by Yama
660 are effectively disabled for the calling process.
661 For further information, see the kernel source file Documenta‐
663 tion/admin-guide/LSM/Yama.rst (or Documentation/secu‐
664 rity/Yama.txt before Linux 4.13).
665 PR_SET_SECCOMP (since Linux 2.6.23)
667 Set the secure computing (seccomp) mode for the calling thread,
668 to limit the available system calls. The more recent seccomp(2)
669 system call provides a superset of the functionality of
670 PR_SET_SECCOMP.
671 The seccomp mode is selected via arg2. (The seccomp constants
673 are defined in <linux/seccomp.h>.)
674 With arg2 set to SECCOMP_MODE_STRICT, the only system calls that
676 the thread is permitted to make are read(2), write(2), _exit(2)
677 (but not exit_group(2)), and sigreturn(2). Other system calls
678 result in the delivery of a SIGKILL signal. Strict secure com‐
679 puting mode is useful for number-crunching applications that may
680 need to execute untrusted byte code, perhaps obtained by reading
681 from a pipe or socket. This operation is available only if the
682 kernel is configured with CONFIG_SECCOMP enabled.
683 With arg2 set to SECCOMP_MODE_FILTER (since Linux 3.5), the sys‐
685 tem calls allowed are defined by a pointer to a Berkeley Packet
686 Filter passed in arg3. This argument is a pointer to struct
687 sock_fprog; it can be designed to filter arbitrary system calls
688 and system call arguments. This mode is available only if the
689 kernel is configured with CONFIG_SECCOMP_FILTER enabled.
690 If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp
692 mode is inherited by children created by fork(2); if execve(2)
693 is permitted, then the seccomp mode is preserved across ex‐
694 ecve(2). If the filters permit prctl() calls, then additional
695 filters can be added; they are run in order until the first non-
696 allow result is seen.
697 For further information, see the kernel source file Documenta‐
699 tion/userspace-api/seccomp_filter.rst (or Documenta‐
700 tion/prctl/seccomp_filter.txt before Linux 4.13).
701 PR_GET_SECCOMP (since Linux 2.6.23)
703 Return (as the function result) the secure computing mode of the
704 calling thread. If the caller is not in secure computing mode,
705 this operation returns 0; if the caller is in strict secure com‐
706 puting mode, then the prctl() call will cause a SIGKILL signal
707 to be sent to the process. If the caller is in filter mode, and
708 this system call is allowed by the seccomp filters, it returns
709 2; otherwise, the process is killed with a SIGKILL signal. This
710 operation is available only if the kernel is configured with
711 CONFIG_SECCOMP enabled.
712 Since Linux 3.8, the Seccomp field of the /proc/[pid]/status
714 file provides a method of obtaining the same information, with‐
715 out the risk that the process is killed; see proc(5).
716 PR_SET_SECUREBITS (since Linux 2.6.26)
718 Set the "securebits" flags of the calling thread to the value
719 supplied in arg2. See capabilities(7).
720 PR_GET_SECUREBITS (since Linux 2.6.26)
722 Return (as the function result) the "securebits" flags of the
723 calling thread. See capabilities(7).
724 PR_GET_SPECULATION_CTRL (since Linux 4.17)
726 Return (as the function result) the state of the speculation
727 misfeature specified in arg2. Currently, the only permitted
728 value for this argument is PR_SPEC_STORE_BYPASS (otherwise the
729 call fails with the error ENODEV).
730 The return value uses bits 0-3 with the following meaning:
732 PR_SPEC_PRCTL
734 Mitigation can be controlled per thread by PR_SET_SPECU‐
735 LATION_CTRL.
736 PR_SPEC_ENABLE
738 The speculation feature is enabled, mitigation is dis‐
739 abled.
740 PR_SPEC_DISABLE
742 The speculation feature is disabled, mitigation is en‐
743 abled.
744 PR_SPEC_FORCE_DISABLE
746 Same as PR_SPEC_DISABLE but cannot be undone.
747 PR_SPEC_DISABLE_NOEXEC (since Linux 5.1)
749 Same as PR_SPEC_DISABLE, but the state will be cleared on
750 execve(2).
751 If all bits are 0, then the CPU is not affected by the specula‐
753 tion misfeature.
754 If PR_SPEC_PRCTL is set, then per-thread control of the mitiga‐
756 tion is available. If not set, prctl() for the speculation mis‐
757 feature will fail.
758 The arg3, arg4, and arg5 arguments must be specified as 0; oth‐
760 erwise the call fails with the error EINVAL.
761 PR_SET_SPECULATION_CTRL (since Linux 4.17)
763 Sets the state of the speculation misfeature specified in arg2.
764 The speculation-misfeature settings are per-thread attributes.
765 Currently, arg2 must be one of:
767 PR_SPEC_STORE_BYPASS
769 Set the state of the speculative store bypass misfeature.
770 PR_SPEC_INDIRECT_BRANCH (since Linux 4.20)
772 Set the state of the indirect branch speculation misfea‐
773 ture.
774 If arg2 does not have one of the above values, then the call
776 fails with the error ENODEV.
777 The arg3 argument is used to hand in the control value, which is
779 one of the following:
780 PR_SPEC_ENABLE
782 The speculation feature is enabled, mitigation is dis‐
783 abled.
784 PR_SPEC_DISABLE
786 The speculation feature is disabled, mitigation is en‐
787 abled.
788 PR_SPEC_FORCE_DISABLE
790 Same as PR_SPEC_DISABLE, but cannot be undone. A subse‐
791 quent prctl(arg2, PR_SPEC_ENABLE) with the same value for
792 arg2 will fail with the error EPERM.
793 PR_SPEC_DISABLE_NOEXEC (since Linux 5.1)
795 Same as PR_SPEC_DISABLE, but the state will be cleared on
796 execve(2). Currently only supported for arg2 equal to
797 PR_SPEC_STORE_BYPASS.
798 Any unsupported value in arg3 will result in the call failing
800 with the error ERANGE.
801 The arg4 and arg5 arguments must be specified as 0; otherwise
803 the call fails with the error EINVAL.
804 The speculation feature can also be controlled by the
806 spec_store_bypass_disable boot parameter. This parameter may
807 enforce a read-only policy which will result in the prctl() call
808 failing with the error ENXIO. For further details, see the ker‐
809 nel source file Documentation/admin-guide/kernel-parameters.txt.
810 PR_SVE_SET_VL (since Linux 4.15, only on arm64)
812 Configure the thread's SVE vector length, as specified by (int)
813 arg2. Arguments arg3, arg4, and arg5 are ignored.
814 The bits of arg2 corresponding to PR_SVE_VL_LEN_MASK must be set
816 to the desired vector length in bytes. This is interpreted as
817 an upper bound: the kernel will select the greatest available
818 vector length that does not exceed the value specified. In par‐
819 ticular, specifying SVE_VL_MAX (defined in <asm/sigcontext.h>)
820 for the PR_SVE_VL_LEN_MASK bits requests the maximum supported
821 vector length.
822 In addition, the other bits of arg2 must be set to one of the
824 following combinations of flags:
825 0 Perform the change immediately. At the next execve(2) in
827 the thread, the vector length will be reset to the value
828 configured in /proc/sys/abi/sve_default_vector_length.
829 PR_SVE_VL_INHERIT
831 Perform the change immediately. Subsequent execve(2)
832 calls will preserve the new vector length.
833 PR_SVE_SET_VL_ONEXEC
835 Defer the change, so that it is performed at the next ex‐
836 ecve(2) in the thread. Further execve(2) calls will re‐
837 set the vector length to the value configured in
838 /proc/sys/abi/sve_default_vector_length.
839 PR_SVE_SET_VL_ONEXEC | PR_SVE_VL_INHERIT
841 Defer the change, so that it is performed at the next ex‐
842 ecve(2) in the thread. Further execve(2) calls will pre‐
843 serve the new vector length.
844 In all cases, any previously pending deferred change is can‐
846 celed.
847 The call fails with error EINVAL if SVE is not supported on the
849 platform, if arg2 is unrecognized or invalid, or the value in
850 the bits of arg2 corresponding to PR_SVE_VL_LEN_MASK is outside
851 the range SVE_VL_MIN..SVE_VL_MAX or is not a multiple of 16.
852 On success, a nonnegative value is returned that describes the
854 selected configuration. If PR_SVE_SET_VL_ONEXEC was included in
855 arg2, then the configuration described by the return value will
856 take effect at the next execve(2). Otherwise, the configuration
857 is already in effect when the PR_SVE_SET_VL call returns. In
858 either case, the value is encoded in the same way as the return
859 value of PR_SVE_GET_VL. Note that there is no explicit flag in
860 the return value corresponding to PR_SVE_SET_VL_ONEXEC.
861 The configuration (including any pending deferred change) is in‐
863 herited across fork(2) and clone(2).
864 For more information, see the kernel source file Documenta‐
866 tion/arm64/sve.rst (or Documentation/arm64/sve.txt before Linux
867 5.3).
868 Warning: Because the compiler or run-time environment may be us‐
870 ing SVE, using this call without the PR_SVE_SET_VL_ONEXEC flag
871 may crash the calling process. The conditions for using it
872 safely are complex and system-dependent. Don't use it unless
873 you really know what you are doing.
874 PR_SVE_GET_VL (since Linux 4.15, only on arm64)
876 Get the thread's current SVE vector length configuration.
877 Arguments arg2, arg3, arg4, and arg5 are ignored.
879 Provided that the kernel and platform support SVE, this opera‐
881 tion always succeeds, returning a nonnegative value that de‐
882 scribes the current configuration. The bits corresponding to
883 PR_SVE_VL_LEN_MASK contain the currently configured vector
884 length in bytes. The bit corresponding to PR_SVE_VL_INHERIT in‐
885 dicates whether the vector length will be inherited across ex‐
886 ecve(2).
887 Note that there is no way to determine whether there is a pend‐
889 ing vector length change that has not yet taken effect.
890 For more information, see the kernel source file Documenta‐
892 tion/arm64/sve.rst (or Documentation/arm64/sve.txt before Linux
893 5.3).
894 PR_SET_SYSCALL_USER_DISPATCH (since Linux 5.11, x86 only)
896 Configure the Syscall User Dispatch mechanism for the calling
897 thread. This mechanism allows an application to selectively in‐
898 tercept system calls so that they can be handled within the ap‐
899 plication itself. Interception takes the form of a thread-di‐
900 rected SIGSYS signal that is delivered to the thread when it
901 makes a system call. If intercepted, the system call is not ex‐
902 ecuted by the kernel.
903 To enable this mechanism, arg2 should be set to PR_SYS_DIS‐
905 PATCH_ON. Once enabled, further system calls will be selec‐
906 tively intercepted, depending on a control variable provided by
907 user space. In this case, arg3 and arg4 respectively identify
908 the offset and length of a single contiguous memory region in
909 the process address space from where system calls are always al‐
910 lowed to be executed, regardless of the control variable. (Typ‐
911 ically, this area would include the area of memory containing
912 the C library.)
913 arg5 points to a char-sized variable that is a fast switch to
915 allow/block system call execution without the overhead of doing
916 another system call to re-configure Syscall User Dispatch. This
917 control variable can either be set to SYSCALL_DISPATCH_FIL‐
918 TER_BLOCK to block system calls from executing or to
919 SYSCALL_DISPATCH_FILTER_ALLOW to temporarily allow them to be
920 executed. This value is checked by the kernel on every system
921 call entry, and any unexpected value will raise an uncatchable
922 SIGSYS at that time, killing the application.
923 When a system call is intercepted, the kernel sends a thread-di‐
925 rected SIGSYS signal to the triggering thread. Various fields
926 will be set in the siginfo_t structure (see sigaction(2)) asso‐
927 ciated with the signal:
928 * si_signo will contain SIGSYS.
930 * si_call_addr will show the address of the system call in‐
932 struction.
933 * si_syscall and si_arch will indicate which system call was
935 attempted.
936 * si_code will contain SYS_USER_DISPATCH.
938 * si_errno will be set to 0.
940 The program counter will be as though the system call happened
942 (i.e., the program counter will not point to the system call in‐
943 struction).
944 When the signal handler returns to the kernel, the system call
946 completes immediately and returns to the calling thread, without
947 actually being executed. If necessary (i.e., when emulating the
948 system call on user space.), the signal handler should set the
949 system call return value to a sane value, by modifying the reg‐
950 ister context stored in the ucontext argument of the signal han‐
951 dler. See sigaction(2), sigreturn(2), and getcontext(3) for
952 more information.
953 If arg2 is set to PR_SYS_DISPATCH_OFF, Syscall User Dispatch is
955 disabled for that thread. the remaining arguments must be set
956 to 0.
957 The setting is not preserved across fork(2), clone(2), or ex‐
959 ecve(2).
960 For more information, see the kernel source file Documenta‐
962 tion/admin-guide/syscall-user-dispatch.rst
963 PR_SET_TAGGED_ADDR_CTRL (since Linux 5.4, only on arm64)
965 Controls support for passing tagged user-space addresses to the
966 kernel (i.e., addresses where bits 56—63 are not all zero).
967 The level of support is selected by arg2, which can be one of
969 the following:
970 0 Addresses that are passed for the purpose of being deref‐
972 erenced by the kernel must be untagged.
973 PR_TAGGED_ADDR_ENABLE
975 Addresses that are passed for the purpose of being deref‐
976 erenced by the kernel may be tagged, with the exceptions
977 summarized below.
978 The remaining arguments arg3, arg4, and arg5 must all be zero.
980 On success, the mode specified in arg2 is set for the calling
982 thread and the return value is 0. If the arguments are invalid,
983 the mode specified in arg2 is unrecognized, or if this feature
984 is unsupported by the kernel or disabled via
985 /proc/sys/abi/tagged_addr_disabled, the call fails with the er‐
986 ror EINVAL.
987 In particular, if prctl(PR_SET_TAGGED_ADDR_CTRL, 0, 0, 0, 0)
989 fails with EINVAL, then all addresses passed to the kernel must
990 be untagged.
991 Irrespective of which mode is set, addresses passed to certain
993 interfaces must always be untagged:
994 • brk(2), mmap(2), shmat(2), shmdt(2), and the new_address argu‐
996 ment of mremap(2).
997 (Prior to Linux 5.6 these accepted tagged addresses, but the
999 behaviour may not be what you expect. Don't rely on it.)
1000 • ‘polymorphic’ interfaces that accept pointers to arbitrary
1002 types cast to a void * or other generic type, specifically
1003 prctl(), ioctl(2), and in general setsockopt(2) (only certain
1004 specific setsockopt(2) options allow tagged addresses).
1005 This list of exclusions may shrink when moving from one kernel
1007 version to a later kernel version. While the kernel may make
1008 some guarantees for backwards compatibility reasons, for the
1009 purposes of new software the effect of passing tagged addresses
1010 to these interfaces is unspecified.
1011 The mode set by this call is inherited across fork(2) and
1013 clone(2). The mode is reset by execve(2) to 0 (i.e., tagged ad‐
1014 dresses not permitted in the user/kernel ABI).
1015 For more information, see the kernel source file Documenta‐
1017 tion/arm64/tagged-address-abi.rst.
1018 Warning: This call is primarily intended for use by the run-time
1020 environment. A successful PR_SET_TAGGED_ADDR_CTRL call else‐
1021 where may crash the calling process. The conditions for using
1022 it safely are complex and system-dependent. Don't use it unless
1023 you know what you are doing.
1024 PR_GET_TAGGED_ADDR_CTRL (since Linux 5.4, only on arm64)
1026 Returns the current tagged address mode for the calling thread.
1027 Arguments arg2, arg3, arg4, and arg5 must all be zero.
1029 If the arguments are invalid or this feature is disabled or un‐
1031 supported by the kernel, the call fails with EINVAL. In partic‐
1032 ular, if prctl(PR_GET_TAGGED_ADDR_CTRL, 0, 0, 0, 0) fails with
1033 EINVAL, then this feature is definitely either unsupported, or
1034 disabled via /proc/sys/abi/tagged_addr_disabled. In this case,
1035 all addresses passed to the kernel must be untagged.
1036 Otherwise, the call returns a nonnegative value describing the
1038 current tagged address mode, encoded in the same way as the arg2
1039 argument of PR_SET_TAGGED_ADDR_CTRL.
1040 For more information, see the kernel source file Documenta‐
1042 tion/arm64/tagged-address-abi.rst.
1043 PR_TASK_PERF_EVENTS_DISABLE (since Linux 2.6.31)
1045 Disable all performance counters attached to the calling
1046 process, regardless of whether the counters were created by this
1047 process or another process. Performance counters created by the
1048 calling process for other processes are unaffected. For more
1049 information on performance counters, see the Linux kernel source
1050 file tools/perf/design.txt.
1051 Originally called PR_TASK_PERF_COUNTERS_DISABLE; renamed (re‐
1053 taining the same numerical value) in Linux 2.6.32.
1054 PR_TASK_PERF_EVENTS_ENABLE (since Linux 2.6.31)
1056 The converse of PR_TASK_PERF_EVENTS_DISABLE; enable performance
1057 counters attached to the calling process.
1058 Originally called PR_TASK_PERF_COUNTERS_ENABLE; renamed in Linux
1060 2.6.32.
1061 PR_SET_THP_DISABLE (since Linux 3.15)
1063 Set the state of the "THP disable" flag for the calling thread.
1064 If arg2 has a nonzero value, the flag is set, otherwise it is
1065 cleared. Setting this flag provides a method for disabling
1066 transparent huge pages for jobs where the code cannot be modi‐
1067 fied, and using a malloc hook with madvise(2) is not an option
1068 (i.e., statically allocated data). The setting of the "THP dis‐
1069 able" flag is inherited by a child created via fork(2) and is
1070 preserved across execve(2).
1071 PR_GET_THP_DISABLE (since Linux 3.15)
1073 Return (as the function result) the current setting of the "THP
1074 disable" flag for the calling thread: either 1, if the flag is
1075 set, or 0, if it is not.
1076 PR_GET_TID_ADDRESS (since Linux 3.5)
1078 Return the clear_child_tid address set by set_tid_address(2) and
1079 the clone(2) CLONE_CHILD_CLEARTID flag, in the location pointed
1080 to by (int **) arg2. This feature is available only if the ker‐
1081 nel is built with the CONFIG_CHECKPOINT_RESTORE option enabled.
1082 Note that since the prctl() system call does not have a compat
1083 implementation for the AMD64 x32 and MIPS n32 ABIs, and the ker‐
1084 nel writes out a pointer using the kernel's pointer size, this
1085 operation expects a user-space buffer of 8 (not 4) bytes on
1086 these ABIs.
1087 PR_SET_TIMERSLACK (since Linux 2.6.28)
1089 Each thread has two associated timer slack values: a "default"
1090 value, and a "current" value. This operation sets the "current"
1091 timer slack value for the calling thread. arg2 is an unsigned
1092 long value, then maximum "current" value is ULONG_MAX and the
1093 minimum "current" value is 1. If the nanosecond value supplied
1094 in arg2 is greater than zero, then the "current" value is set to
1095 this value. If arg2 is equal to zero, the "current" timer slack
1096 is reset to the thread's "default" timer slack value.
1097 The "current" timer slack is used by the kernel to group timer
1099 expirations for the calling thread that are close to one an‐
1100 other; as a consequence, timer expirations for the thread may be
1101 up to the specified number of nanoseconds late (but will never
1102 expire early). Grouping timer expirations can help reduce sys‐
1103 tem power consumption by minimizing CPU wake-ups.
1104 The timer expirations affected by timer slack are those set by
1106 select(2), pselect(2), poll(2), ppoll(2), epoll_wait(2),
1107 epoll_pwait(2), clock_nanosleep(2), nanosleep(2), and futex(2)
1108 (and thus the library functions implemented via futexes, includ‐
1109 ing pthread_cond_timedwait(3), pthread_mutex_timedlock(3),
1110 pthread_rwlock_timedrdlock(3), pthread_rwlock_timedwrlock(3),
1111 and sem_timedwait(3)).
1112 Timer slack is not applied to threads that are scheduled under a
1114 real-time scheduling policy (see sched_setscheduler(2)).
1115 When a new thread is created, the two timer slack values are
1117 made the same as the "current" value of the creating thread.
1118 Thereafter, a thread can adjust its "current" timer slack value
1119 via PR_SET_TIMERSLACK. The "default" value can't be changed.
1120 The timer slack values of init (PID 1), the ancestor of all pro‐
1121 cesses, are 50,000 nanoseconds (50 microseconds). The timer
1122 slack value is inherited by a child created via fork(2), and is
1123 preserved across execve(2).
1124 Since Linux 4.6, the "current" timer slack value of any process
1126 can be examined and changed via the file /proc/[pid]/timer‐
1127 slack_ns. See proc(5).
1128 PR_GET_TIMERSLACK (since Linux 2.6.28)
1130 Return (as the function result) the "current" timer slack value
1131 of the calling thread.
1132 PR_SET_TIMING (since Linux 2.6.0)
1134 Set whether to use (normal, traditional) statistical process
1135 timing or accurate timestamp-based process timing, by passing
1136 PR_TIMING_STATISTICAL or PR_TIMING_TIMESTAMP to arg2. PR_TIM‐
1137 ING_TIMESTAMP is not currently implemented (attempting to set
1138 this mode will yield the error EINVAL).
1139 PR_GET_TIMING (since Linux 2.6.0)
1141 Return (as the function result) which process timing method is
1142 currently in use.
1143 PR_SET_TSC (since Linux 2.6.26, x86 only)
1145 Set the state of the flag determining whether the timestamp
1146 counter can be read by the process. Pass PR_TSC_ENABLE to arg2
1147 to allow it to be read, or PR_TSC_SIGSEGV to generate a SIGSEGV
1148 when the process tries to read the timestamp counter.
1149 PR_GET_TSC (since Linux 2.6.26, x86 only)
1151 Return the state of the flag determining whether the timestamp
1152 counter can be read, in the location pointed to by (int *) arg2.
1153 PR_SET_UNALIGN
1155 (Only on: ia64, since Linux 2.3.48; parisc, since Linux 2.6.15;
1156 PowerPC, since Linux 2.6.18; Alpha, since Linux 2.6.22; sh,
1157 since Linux 2.6.34; tile, since Linux 3.12) Set unaligned access
1158 control bits to arg2. Pass PR_UNALIGN_NOPRINT to silently fix
1159 up unaligned user accesses, or PR_UNALIGN_SIGBUS to generate
1160 SIGBUS on unaligned user access. Alpha also supports an addi‐
1161 tional flag with the value of 4 and no corresponding named con‐
1162 stant, which instructs kernel to not fix up unaligned accesses
1163 (it is analogous to providing the UAC_NOFIX flag in SSI_NVPAIRS
1164 operation of the setsysinfo() system call on Tru64).
1165 PR_GET_UNALIGN
1167 (See PR_SET_UNALIGN for information on versions and architec‐
1168 tures.) Return unaligned access control bits, in the location
1169 pointed to by (unsigned int *) arg2.
1170
1172 On success, PR_CAP_AMBIENT+PR_CAP_AMBIENT_IS_SET, PR_CAPBSET_READ,
1173 PR_GET_DUMPABLE, PR_GET_FP_MODE, PR_GET_IO_FLUSHER, PR_GET_KEEPCAPS,
1174 PR_MCE_KILL_GET, PR_GET_NO_NEW_PRIVS, PR_GET_SECUREBITS, PR_GET_SPECU‐
1175 LATION_CTRL, PR_SVE_GET_VL, PR_SVE_SET_VL, PR_GET_TAGGED_ADDR_CTRL,
1176 PR_GET_THP_DISABLE, PR_GET_TIMING, PR_GET_TIMERSLACK, and (if it re‐
1177 turns) PR_GET_SECCOMP return the nonnegative values described above.
1178 All other option values return 0 on success. On error, -1 is returned,
1179 and errno is set to indicate the error.
1180
1182 EACCES option is PR_SET_SECCOMP and arg2 is SECCOMP_MODE_FILTER, but
1183 the process does not have the CAP_SYS_ADMIN capability or has
1184 not set the no_new_privs attribute (see the discussion of
1185 PR_SET_NO_NEW_PRIVS above).
1186 EACCES option is PR_SET_MM, and arg3 is PR_SET_MM_EXE_FILE, the file is
1188 not executable.
1189 EBADF option is PR_SET_MM, arg3 is PR_SET_MM_EXE_FILE, and the file
1191 descriptor passed in arg4 is not valid.
1192 EBUSY option is PR_SET_MM, arg3 is PR_SET_MM_EXE_FILE, and this the
1194 second attempt to change the /proc/pid/exe symbolic link, which
1195 is prohibited.
1196 EFAULT arg2 is an invalid address.
1198 EFAULT option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, the sys‐
1200 tem was built with CONFIG_SECCOMP_FILTER, and arg3 is an invalid
1201 address.
1202 EFAULT option is PR_SET_SYSCALL_USER_DISPATCH and arg5 has an invalid
1204 address.
1205 EINVAL The value of option is not recognized, or not supported on this
1207 system.
1208 EINVAL option is PR_MCE_KILL or PR_MCE_KILL_GET or PR_SET_MM, and un‐
1210 used prctl() arguments were not specified as zero.
1211 EINVAL arg2 is not valid value for this option.
1213 EINVAL option is PR_SET_SECCOMP or PR_GET_SECCOMP, and the kernel was
1215 not configured with CONFIG_SECCOMP.
1216 EINVAL option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, and the
1218 kernel was not configured with CONFIG_SECCOMP_FILTER.
1219 EINVAL option is PR_SET_MM, and one of the following is true
1221 * arg4 or arg5 is nonzero;
1223 * arg3 is greater than TASK_SIZE (the limit on the size of the
1225 user address space for this architecture);
1226 * arg2 is PR_SET_MM_START_CODE, PR_SET_MM_END_CODE,
1228 PR_SET_MM_START_DATA, PR_SET_MM_END_DATA, or
1229 PR_SET_MM_START_STACK, and the permissions of the correspond‐
1230 ing memory area are not as required;
1231 * arg2 is PR_SET_MM_START_BRK or PR_SET_MM_BRK, and arg3 is
1233 less than or equal to the end of the data segment or speci‐
1234 fies a value that would cause the RLIMIT_DATA resource limit
1235 to be exceeded.
1236 EINVAL option is PR_SET_PTRACER and arg2 is not 0, PR_SET_PTRACER_ANY,
1238 or the PID of an existing process.
1239 EINVAL option is PR_SET_PDEATHSIG and arg2 is not a valid signal num‐
1241 ber.
1242 EINVAL option is PR_SET_DUMPABLE and arg2 is neither SUID_DUMP_DISABLE
1244 nor SUID_DUMP_USER.
1245 EINVAL option is PR_SET_TIMING and arg2 is not PR_TIMING_STATISTICAL.
1247 EINVAL option is PR_SET_NO_NEW_PRIVS and arg2 is not equal to 1 or
1249 arg3, arg4, or arg5 is nonzero.
1250 EINVAL option is PR_GET_NO_NEW_PRIVS and arg2, arg3, arg4, or arg5 is
1252 nonzero.
1253 EINVAL option is PR_SET_THP_DISABLE and arg3, arg4, or arg5 is nonzero.
1255 EINVAL option is PR_GET_THP_DISABLE and arg2, arg3, arg4, or arg5 is
1257 nonzero.
1258 EINVAL option is PR_CAP_AMBIENT and an unused argument (arg4, arg5, or,
1260 in the case of PR_CAP_AMBIENT_CLEAR_ALL, arg3) is nonzero; or
1261 arg2 has an invalid value; or arg2 is PR_CAP_AMBIENT_LOWER,
1262 PR_CAP_AMBIENT_RAISE, or PR_CAP_AMBIENT_IS_SET and arg3 does not
1263 specify a valid capability.
1264 EINVAL option was PR_GET_SPECULATION_CTRL or PR_SET_SPECULATION_CTRL
1266 and unused arguments to prctl() are not 0. EINVAL option is
1267 PR_PAC_RESET_KEYS and the arguments are invalid or unsupported.
1268 See the description of PR_PAC_RESET_KEYS above for details.
1269 EINVAL option is PR_SVE_SET_VL and the arguments are invalid or unsup‐
1271 ported, or SVE is not available on this platform. See the de‐
1272 scription of PR_SVE_SET_VL above for details.
1273 EINVAL option is PR_SVE_GET_VL and SVE is not available on this plat‐
1275 form.
1276 EINVAL option is PR_SET_SYSCALL_USER_DISPATCH and one of the following
1278 is true:
1279 * arg2 is PR_SYS_DISPATCH_OFF and the remaining arguments are
1281 not 0;
1282 * arg2 is PR_SYS_DISPATCH_ON and the memory range specified is
1284 outside the address space of the process.
1285 * arg2 is invalid.
1287 EINVAL option is PR_SET_TAGGED_ADDR_CTRL and the arguments are invalid
1289 or unsupported. See the description of PR_SET_TAGGED_ADDR_CTRL
1290 above for details.
1291 EINVAL option is PR_GET_TAGGED_ADDR_CTRL and the arguments are invalid
1293 or unsupported. See the description of PR_GET_TAGGED_ADDR_CTRL
1294 above for details.
1295 ENODEV option was PR_SET_SPECULATION_CTRL the kernel or CPU does not
1297 support the requested speculation misfeature.
1298 ENXIO option was PR_MPX_ENABLE_MANAGEMENT or PR_MPX_DISABLE_MANAGEMENT
1300 and the kernel or the CPU does not support MPX management.
1301 Check that the kernel and processor have MPX support.
1302 ENXIO option was PR_SET_SPECULATION_CTRL implies that the control of
1304 the selected speculation misfeature is not possible. See
1305 PR_GET_SPECULATION_CTRL for the bit fields to determine which
1306 option is available.
1307 EOPNOTSUPP
1309 option is PR_SET_FP_MODE and arg2 has an invalid or unsupported
1310 value.
1311 EPERM option is PR_SET_SECUREBITS, and the caller does not have the
1313 CAP_SETPCAP capability, or tried to unset a "locked" flag, or
1314 tried to set a flag whose corresponding locked flag was set (see
1315 capabilities(7)).
1316 EPERM option is PR_SET_SPECULATION_CTRL wherein the speculation was
1318 disabled with PR_SPEC_FORCE_DISABLE and caller tried to enable
1319 it again.
1320 EPERM option is PR_SET_KEEPCAPS, and the caller's
1322 SECBIT_KEEP_CAPS_LOCKED flag is set (see capabilities(7)).
1323 EPERM option is PR_CAPBSET_DROP, and the caller does not have the
1325 CAP_SETPCAP capability.
1326 EPERM option is PR_SET_MM, and the caller does not have the
1328 CAP_SYS_RESOURCE capability.
1329 EPERM option is PR_CAP_AMBIENT and arg2 is PR_CAP_AMBIENT_RAISE, but
1331 either the capability specified in arg3 is not present in the
1332 process's permitted and inheritable capability sets, or the
1333 PR_CAP_AMBIENT_LOWER securebit has been set.
1334 ERANGE option was PR_SET_SPECULATION_CTRL and arg3 is not PR_SPEC_EN‐
1336 ABLE, PR_SPEC_DISABLE, PR_SPEC_FORCE_DISABLE, nor PR_SPEC_DIS‐
1337 ABLE_NOEXEC.
1338
1340 The prctl() system call was introduced in Linux 2.1.57.
1341
1343 This call is Linux-specific. IRIX has a prctl() system call (also in‐
1344 troduced in Linux 2.1.44 as irix_prctl on the MIPS architecture), with
1345 prototype
1346 ptrdiff_t prctl(int option, int arg2, int arg3);
1348 and options to get the maximum number of processes per user, get the
1350 maximum number of processors the calling process can use, find out
1351 whether a specified process is currently blocked, get or set the maxi‐
1352 mum stack size, and so on.
1353
1355 signal(2), core(5)
1356
1358 This page is part of release 5.13 of the Linux man-pages project. A
1359 description of the project, information about reporting bugs, and the
1360 latest version of this page, can be found at
1361 https://www.kernel.org/doc/man-pages/.
1362Linux 2021-03-22 PRCTL(2)