Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | Documentation for /proc/sys/fs/* kernel version 2.2.10 |
2 | (c) 1998, 1999, Rik van Riel <riel@nl.linux.org> | |
760df93e | 3 | (c) 2009, Shen Feng<shen@cn.fujitsu.com> |
1da177e4 LT |
4 | |
5 | For general info and legal blurb, please look in README. | |
6 | ||
7 | ============================================================== | |
8 | ||
9 | This file contains documentation for the sysctl files in | |
10 | /proc/sys/fs/ and is valid for Linux kernel version 2.2. | |
11 | ||
12 | The files in this directory can be used to tune and monitor | |
13 | miscellaneous and general things in the operation of the Linux | |
14 | kernel. Since some of the files _can_ be used to screw up your | |
15 | system, it is advisable to read both documentation and source | |
16 | before actually making adjustments. | |
17 | ||
760df93e SF |
18 | 1. /proc/sys/fs |
19 | ---------------------------------------------------------- | |
20 | ||
1da177e4 | 21 | Currently, these files are in /proc/sys/fs: |
760df93e SF |
22 | - aio-max-nr |
23 | - aio-nr | |
1da177e4 LT |
24 | - dentry-state |
25 | - dquot-max | |
26 | - dquot-nr | |
27 | - file-max | |
28 | - file-nr | |
29 | - inode-max | |
30 | - inode-nr | |
31 | - inode-state | |
9cfe015a | 32 | - nr_open |
1da177e4 LT |
33 | - overflowuid |
34 | - overflowgid | |
759c0114 WT |
35 | - pipe-user-pages-hard |
36 | - pipe-user-pages-soft | |
30aba665 | 37 | - protected_fifos |
800179c9 | 38 | - protected_hardlinks |
30aba665 | 39 | - protected_regular |
800179c9 | 40 | - protected_symlinks |
a2e0b563 | 41 | - suid_dumpable |
1da177e4 LT |
42 | - super-max |
43 | - super-nr | |
44 | ||
760df93e SF |
45 | ============================================================== |
46 | ||
47 | aio-nr & aio-max-nr: | |
48 | ||
49 | aio-nr is the running total of the number of events specified on the | |
50 | io_setup system call for all currently active aio contexts. If aio-nr | |
51 | reaches aio-max-nr then io_setup will fail with EAGAIN. Note that | |
52 | raising aio-max-nr does not result in the pre-allocation or re-sizing | |
53 | of any kernel data structures. | |
1da177e4 LT |
54 | |
55 | ============================================================== | |
56 | ||
57 | dentry-state: | |
58 | ||
af0c9af1 | 59 | From linux/include/linux/dcache.h: |
1da177e4 | 60 | -------------------------------------------------------------- |
af0c9af1 | 61 | struct dentry_stat_t dentry_stat { |
1da177e4 LT |
62 | int nr_dentry; |
63 | int nr_unused; | |
64 | int age_limit; /* age in seconds */ | |
65 | int want_pages; /* pages requested by system */ | |
af0c9af1 WL |
66 | int nr_negative; /* # of unused negative dentries */ |
67 | int dummy; /* Reserved for future use */ | |
68 | }; | |
69 | -------------------------------------------------------------- | |
70 | ||
71 | Dentries are dynamically allocated and deallocated. | |
72 | ||
73 | nr_dentry shows the total number of dentries allocated (active | |
74 | + unused). nr_unused shows the number of dentries that are not | |
75 | actively used, but are saved in the LRU list for future reuse. | |
76 | ||
1da177e4 LT |
77 | Age_limit is the age in seconds after which dcache entries |
78 | can be reclaimed when memory is short and want_pages is | |
79 | nonzero when shrink_dcache_pages() has been called and the | |
80 | dcache isn't pruned yet. | |
81 | ||
af0c9af1 | 82 | nr_negative shows the number of unused dentries that are also |
1413d9af WL |
83 | negative dentries which do not map to any files. Instead, |
84 | they help speeding up rejection of non-existing files provided | |
85 | by the users. | |
af0c9af1 | 86 | |
1da177e4 LT |
87 | ============================================================== |
88 | ||
89 | dquot-max & dquot-nr: | |
90 | ||
91 | The file dquot-max shows the maximum number of cached disk | |
92 | quota entries. | |
93 | ||
94 | The file dquot-nr shows the number of allocated disk quota | |
95 | entries and the number of free disk quota entries. | |
96 | ||
97 | If the number of free cached disk quotas is very low and | |
98 | you have some awesome number of simultaneous system users, | |
99 | you might want to raise the limit. | |
100 | ||
101 | ============================================================== | |
102 | ||
103 | file-max & file-nr: | |
104 | ||
1da177e4 LT |
105 | The value in file-max denotes the maximum number of file- |
106 | handles that the Linux kernel will allocate. When you get lots | |
107 | of error messages about running out of file handles, you might | |
108 | want to increase this limit. | |
109 | ||
ca3b78aa FT |
110 | Historically,the kernel was able to allocate file handles |
111 | dynamically, but not to free them again. The three values in | |
112 | file-nr denote the number of allocated file handles, the number | |
113 | of allocated but unused file handles, and the maximum number of | |
114 | file handles. Linux 2.6 always reports 0 as the number of free | |
115 | file handles -- this is not an error, it just means that the | |
116 | number of allocated file handles exactly matches the number of | |
117 | used file handles. | |
bcadbbd4 XF |
118 | |
119 | Attempts to allocate more file descriptors than file-max are | |
120 | reported with printk, look for "VFS: file-max limit <number> | |
121 | reached". | |
1da177e4 | 122 | ============================================================== |
9cfe015a ED |
123 | |
124 | nr_open: | |
125 | ||
126 | This denotes the maximum number of file-handles a process can | |
127 | allocate. Default value is 1024*1024 (1048576) which should be | |
128 | enough for most machines. Actual limit depends on RLIMIT_NOFILE | |
129 | resource limit. | |
130 | ||
131 | ============================================================== | |
1da177e4 LT |
132 | |
133 | inode-max, inode-nr & inode-state: | |
134 | ||
135 | As with file handles, the kernel allocates the inode structures | |
136 | dynamically, but can't free them yet. | |
137 | ||
138 | The value in inode-max denotes the maximum number of inode | |
139 | handlers. This value should be 3-4 times larger than the value | |
140 | in file-max, since stdin, stdout and network sockets also | |
141 | need an inode struct to handle them. When you regularly run | |
142 | out of inodes, you need to increase this value. | |
143 | ||
144 | The file inode-nr contains the first two items from | |
145 | inode-state, so we'll skip to that file... | |
146 | ||
147 | Inode-state contains three actual numbers and four dummies. | |
148 | The actual numbers are, in order of appearance, nr_inodes, | |
149 | nr_free_inodes and preshrink. | |
150 | ||
151 | Nr_inodes stands for the number of inodes the system has | |
152 | allocated, this can be slightly more than inode-max because | |
153 | Linux allocates them one pageful at a time. | |
154 | ||
155 | Nr_free_inodes represents the number of free inodes (?) and | |
156 | preshrink is nonzero when the nr_inodes > inode-max and the | |
157 | system needs to prune the inode list instead of allocating | |
158 | more. | |
159 | ||
160 | ============================================================== | |
161 | ||
162 | overflowgid & overflowuid: | |
163 | ||
164 | Some filesystems only support 16-bit UIDs and GIDs, although in Linux | |
165 | UIDs and GIDs are 32 bits. When one of these filesystems is mounted | |
166 | with writes enabled, any UID or GID that would exceed 65535 is translated | |
167 | to a fixed value before being written to disk. | |
168 | ||
169 | These sysctls allow you to change the value of the fixed UID and GID. | |
170 | The default is 65534. | |
171 | ||
172 | ============================================================== | |
759c0114 WT |
173 | |
174 | pipe-user-pages-hard: | |
175 | ||
176 | Maximum total number of pages a non-privileged user may allocate for pipes. | |
177 | Once this limit is reached, no new pipes may be allocated until usage goes | |
178 | below the limit again. When set to 0, no limit is applied, which is the default | |
179 | setting. | |
180 | ||
181 | ============================================================== | |
182 | ||
183 | pipe-user-pages-soft: | |
184 | ||
185 | Maximum total number of pages a non-privileged user may allocate for pipes | |
186 | before the pipe size gets limited to a single page. Once this limit is reached, | |
187 | new pipes will be limited to a single page in size for this user in order to | |
188 | limit total memory usage, and trying to increase them using fcntl() will be | |
189 | denied until usage goes below the limit again. The default value allows to | |
190 | allocate up to 1024 pipes at their default size. When set to 0, no limit is | |
191 | applied. | |
192 | ||
193 | ============================================================== | |
1da177e4 | 194 | |
30aba665 SM |
195 | protected_fifos: |
196 | ||
197 | The intent of this protection is to avoid unintentional writes to | |
198 | an attacker-controlled FIFO, where a program expected to create a regular | |
199 | file. | |
200 | ||
201 | When set to "0", writing to FIFOs is unrestricted. | |
202 | ||
203 | When set to "1" don't allow O_CREAT open on FIFOs that we don't own | |
204 | in world writable sticky directories, unless they are owned by the | |
205 | owner of the directory. | |
206 | ||
207 | When set to "2" it also applies to group writable sticky directories. | |
208 | ||
209 | This protection is based on the restrictions in Openwall. | |
210 | ||
211 | ============================================================== | |
212 | ||
800179c9 KC |
213 | protected_hardlinks: |
214 | ||
215 | A long-standing class of security issues is the hardlink-based | |
216 | time-of-check-time-of-use race, most commonly seen in world-writable | |
217 | directories like /tmp. The common method of exploitation of this flaw | |
218 | is to cross privilege boundaries when following a given hardlink (i.e. a | |
219 | root process follows a hardlink created by another user). Additionally, | |
220 | on systems without separated partitions, this stops unauthorized users | |
221 | from "pinning" vulnerable setuid/setgid files against being upgraded by | |
222 | the administrator, or linking to special files. | |
223 | ||
224 | When set to "0", hardlink creation behavior is unrestricted. | |
225 | ||
226 | When set to "1" hardlinks cannot be created by users if they do not | |
227 | already own the source file, or do not have read/write access to it. | |
228 | ||
229 | This protection is based on the restrictions in Openwall and grsecurity. | |
230 | ||
231 | ============================================================== | |
232 | ||
30aba665 SM |
233 | protected_regular: |
234 | ||
235 | This protection is similar to protected_fifos, but it | |
236 | avoids writes to an attacker-controlled regular file, where a program | |
237 | expected to create one. | |
238 | ||
239 | When set to "0", writing to regular files is unrestricted. | |
240 | ||
241 | When set to "1" don't allow O_CREAT open on regular files that we | |
242 | don't own in world writable sticky directories, unless they are | |
243 | owned by the owner of the directory. | |
244 | ||
245 | When set to "2" it also applies to group writable sticky directories. | |
246 | ||
247 | ============================================================== | |
248 | ||
800179c9 KC |
249 | protected_symlinks: |
250 | ||
251 | A long-standing class of security issues is the symlink-based | |
252 | time-of-check-time-of-use race, most commonly seen in world-writable | |
253 | directories like /tmp. The common method of exploitation of this flaw | |
254 | is to cross privilege boundaries when following a given symlink (i.e. a | |
255 | root process follows a symlink belonging to another user). For a likely | |
256 | incomplete list of hundreds of examples across the years, please see: | |
257 | http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp | |
258 | ||
259 | When set to "0", symlink following behavior is unrestricted. | |
260 | ||
261 | When set to "1" symlinks are permitted to be followed only when outside | |
262 | a sticky world-writable directory, or when the uid of the symlink and | |
263 | follower match, or when the directory owner matches the symlink's owner. | |
264 | ||
265 | This protection is based on the restrictions in Openwall and grsecurity. | |
266 | ||
267 | ============================================================== | |
268 | ||
a2e0b563 AD |
269 | suid_dumpable: |
270 | ||
271 | This value can be used to query and set the core dump mode for setuid | |
272 | or otherwise protected/tainted binaries. The modes are | |
273 | ||
274 | 0 - (default) - traditional behaviour. Any process which has changed | |
9520628e | 275 | privilege levels or is execute only will not be dumped. |
a2e0b563 AD |
276 | 1 - (debug) - all processes dump core when possible. The core dump is |
277 | owned by the current user and no security is applied. This is | |
278 | intended for system debugging situations only. Ptrace is unchecked. | |
9520628e KC |
279 | This is insecure as it allows regular users to examine the memory |
280 | contents of privileged processes. | |
a2e0b563 | 281 | 2 - (suidsafe) - any binary which normally would not be dumped is dumped |
9520628e KC |
282 | anyway, but only if the "core_pattern" kernel sysctl is set to |
283 | either a pipe handler or a fully qualified path. (For more details | |
284 | on this limitation, see CVE-2006-2451.) This mode is appropriate | |
285 | when administrators are attempting to debug problems in a normal | |
286 | environment, and either have a core dump pipe handler that knows | |
287 | to treat privileged core dumps with care, or specific directory | |
288 | defined for catching core dumps. If a core dump happens without | |
289 | a pipe handler or fully qualifid path, a message will be emitted | |
290 | to syslog warning about the lack of a correct setting. | |
a2e0b563 AD |
291 | |
292 | ============================================================== | |
293 | ||
1da177e4 LT |
294 | super-max & super-nr: |
295 | ||
296 | These numbers control the maximum number of superblocks, and | |
297 | thus the maximum number of mounted filesystems the kernel | |
298 | can have. You only need to increase super-max if you need to | |
299 | mount more filesystems than the current value in super-max | |
300 | allows you to. | |
301 | ||
302 | ============================================================== | |
303 | ||
304 | aio-nr & aio-max-nr: | |
305 | ||
306 | aio-nr shows the current system-wide number of asynchronous io | |
307 | requests. aio-max-nr allows you to change the maximum value | |
308 | aio-nr can grow to. | |
309 | ||
310 | ============================================================== | |
760df93e | 311 | |
d2921684 EB |
312 | mount-max: |
313 | ||
314 | This denotes the maximum number of mounts that may exist | |
315 | in a mount namespace. | |
316 | ||
317 | ============================================================== | |
318 | ||
760df93e SF |
319 | |
320 | 2. /proc/sys/fs/binfmt_misc | |
321 | ---------------------------------------------------------- | |
322 | ||
323 | Documentation for the files in /proc/sys/fs/binfmt_misc is | |
852f1a21 | 324 | in Documentation/admin-guide/binfmt-misc.rst. |
760df93e SF |
325 | |
326 | ||
327 | 3. /proc/sys/fs/mqueue - POSIX message queues filesystem | |
328 | ---------------------------------------------------------- | |
329 | ||
330 | The "mqueue" filesystem provides the necessary kernel features to enable the | |
331 | creation of a user space library that implements the POSIX message queues | |
332 | API (as noted by the MSG tag in the POSIX 1003.1-2001 version of the System | |
333 | Interfaces specification.) | |
334 | ||
335 | The "mqueue" filesystem contains values for determining/setting the amount of | |
336 | resources used by the file system. | |
337 | ||
338 | /proc/sys/fs/mqueue/queues_max is a read/write file for setting/getting the | |
339 | maximum number of message queues allowed on the system. | |
340 | ||
341 | /proc/sys/fs/mqueue/msg_max is a read/write file for setting/getting the | |
342 | maximum number of messages in a queue value. In fact it is the limiting value | |
343 | for another (user) limit which is set in mq_open invocation. This attribute of | |
344 | a queue must be less or equal then msg_max. | |
345 | ||
346 | /proc/sys/fs/mqueue/msgsize_max is a read/write file for setting/getting the | |
347 | maximum message size value (it is every message queue's attribute set during | |
348 | its creation). | |
349 | ||
cef0184c KM |
350 | /proc/sys/fs/mqueue/msg_default is a read/write file for setting/getting the |
351 | default number of messages in a queue value if attr parameter of mq_open(2) is | |
352 | NULL. If it exceed msg_max, the default value is initialized msg_max. | |
353 | ||
354 | /proc/sys/fs/mqueue/msgsize_default is a read/write file for setting/getting | |
355 | the default message size value if attr parameter of mq_open(2) is NULL. If it | |
356 | exceed msgsize_max, the default value is initialized msgsize_max. | |
760df93e SF |
357 | |
358 | 4. /proc/sys/fs/epoll - Configuration options for the epoll interface | |
359 | -------------------------------------------------------- | |
360 | ||
361 | This directory contains configuration options for the epoll(7) interface. | |
362 | ||
760df93e SF |
363 | max_user_watches |
364 | ---------------- | |
365 | ||
366 | Every epoll file descriptor can store a number of files to be monitored | |
367 | for event readiness. Each one of these monitored files constitutes a "watch". | |
368 | This configuration option sets the maximum number of "watches" that are | |
369 | allowed for each user. | |
370 | Each "watch" costs roughly 90 bytes on a 32bit kernel, and roughly 160 bytes | |
371 | on a 64bit one. | |
372 | The current default value for max_user_watches is the 1/32 of the available | |
373 | low memory, divided for the "watch" cost in bytes. | |
374 |