Diffstat (limited to 'man2/memfd_secret.2')
-rw-r--r-- | man2/memfd_secret.2 | 38 |
1 files changed, 19 insertions, 19 deletions
diff --git a/man2/memfd_secret.2 b/man2/memfd_secret.2 index 5d2436cc5..f3b946d19 100644 --- a/man2/memfd_secret.2 +++ b/man2/memfd_secret.2 @@ -27,7 +27,7 @@ Standard C library glibc provides no wrapper for .BR memfd_secret (), necessitating the use of -.BR syscall (2). +.MR syscall 2 . .SH DESCRIPTION .BR memfd_secret () creates an anonymous RAM-based file and returns a file descriptor @@ -39,10 +39,10 @@ Once all open references to the file are closed, it is automatically released. The initial size of the file is set to 0. Following the call, the file size should be set using -.BR ftruncate (2). +.MR ftruncate 2 . .P The memory areas backing the file created with -.BR memfd_secret (2) +.MR memfd_secret 2 are visible only to the processes that have access to the file descriptor. The memory region is removed from the kernel page tables and only the page tables of the processes holding the file descriptor @@ -59,11 +59,11 @@ to control the behavior of .B FD_CLOEXEC Set the close-on-exec flag on the new file descriptor, which causes the region to be removed from the process on -.BR execve (2). +.MR execve 2 . See the description of the .B O_CLOEXEC flag in -.BR open (2) +.MR open 2 .P As its return value, .BR memfd_secret () @@ -75,20 +75,20 @@ and is set for the file descriptor. .P With respect to -.BR fork (2) +.MR fork 2 and -.BR execve (2), +.MR execve 2 , the usual semantics apply for the file descriptor created by .BR memfd_secret (). A copy of the file descriptor is inherited by the child produced by -.BR fork (2) +.MR fork 2 and refers to the same file. The file descriptor is preserved across -.BR execve (2), +.MR execve 2 , unless the close-on-exec flag has been set. .P The memory region is locked into memory in the same way as with -.BR mlock (2), +.MR mlock 2 , so that it will never be written into swap, and hibernation is inhibited for as long as any .BR memfd_secret () 
@@ -96,13 +96,13 @@ descriptions exist. However the implementation of .BR memfd_secret () will not try to populate the whole range during the -.BR mmap (2) +.MR mmap 2 call that attaches the region into the process's address space; instead, the pages are only actually allocated as they are faulted in. The amount of memory allowed for memory mappings of the file descriptor obeys the same rules as -.BR mlock (2) +.MR mlock 2 and cannot exceed .BR RLIMIT_MEMLOCK . .SH RETURN VALUE @@ -180,7 +180,7 @@ a kernel-side attack would need to either walk the page tables and create new ones, or spawn a new privileged user-space process to perform secrets exfiltration using -.BR ptrace (2). +.MR ptrace 2 . .P The way .BR memfd_secret () @@ -196,9 +196,9 @@ hybernation is prevented when there are active .BR memfd_secret () users. .SH SEE ALSO -.BR fcntl (2), -.BR ftruncate (2), -.BR mlock (2), -.BR memfd_create (2), -.BR mmap (2), -.BR setrlimit (2) +.MR fcntl 2 , +.MR ftruncate 2 , +.MR mlock 2 , +.MR memfd_create 2 , +.MR mmap 2 , +.MR setrlimit 2 |
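Review bot: in the @@ -39,10 hunk the page refers to itself with a cross-reference, `+.MR memfd_secret 2`, while every other self-mention on the page (the DESCRIPTION opening, "created by .BR memfd_secret ()", "active .BR memfd_secret () users") uses `.BR memfd_secret ()`; a page does not need a link to itself, so `.BR memfd_secret ()` here would keep the self-references consistent and leave `.MR` for genuine cross-references.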
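Review bot: in the @@ -59,11 hunk the sentence "See the description of the O_CLOEXEC flag in" still ends without a period after `+.MR open 2` (the removed `.BR open (2)` lacked one as well) and runs straight into the following `.P`; since the line is being rewritten anyway, `.MR open 2 .` would close the sentence the same way the other conversions in this patch carry their trailing punctuation as a separate argument.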
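Review bot: the SEE ALSO hunk (@@ -196,9) keeps `.MR mlock 2 ,` ahead of `.MR memfd_create 2 ,`, which is out of the alphabetical order expected within a section; since every entry in the list is being rewritten, swapping those two lines costs nothing. Separately, the hunk's header context carries the pre-existing misspelling "hybernation" (the same word is spelled "hibernation" in the @@ -75,20 context), which deserves a follow-up fix outside this mechanical .BR-to-.MR conversion.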