Loading Documentation/ABI/testing/sysfs-driver-xen-blkback +9 −0 Original line number Diff line number Diff line Loading @@ -35,3 +35,12 @@ Description: controls the duration in milliseconds that blkback will not cache any page not backed by a grant mapping. The default is 10ms. What: /sys/module/xen_blkback/parameters/feature_persistent Date: September 2020 KernelVersion: 5.10 Contact: SeongJae Park <sjpark@amazon.de> Description: Whether to enable the persistent grants feature or not. Note that this option only takes effect on newly created backends. The default is Y (enable). Documentation/ABI/testing/sysfs-driver-xen-blkfront +10 −1 Original line number Diff line number Diff line What: /sys/module/xen_blkfront/parameters/max What: /sys/module/xen_blkfront/parameters/max_indirect_segments Date: June 2013 KernelVersion: 3.11 Contact: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Loading @@ -8,3 +8,12 @@ Description: is 32 - higher value means more potential throughput but more memory usage. The backend picks the minimum of the frontend and its default backend value. What: /sys/module/xen_blkfront/parameters/feature_persistent Date: September 2020 KernelVersion: 5.10 Contact: SeongJae Park <sjpark@amazon.de> Description: Whether to enable the persistent grants feature or not. Note that this option only takes effect on newly created frontends. The default is Y (enable). Documentation/admin-guide/LSM/SafeSetID.rst +20 −9 Original line number Diff line number Diff line Loading 
@@ -3,9 +3,9 @@ SafeSetID ========= SafeSetID is an LSM module that gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs system-wide allowlist. These restrictions also prohibit the given UIDs/GIDs from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID mappings. allowing a user to set up user namespace UID/GID mappings. Background Loading Loading 
@@ -98,10 +98,21 @@ Directions for use ================== This LSM hooks the setid syscalls to make sure transitions are allowed if an applicable restriction policy is in place. Policies are configured through securityfs by writing to the safesetid/add_whitelist_policy and safesetid/flush_whitelist_policies files at the location where securityfs is mounted. The format for adding a policy is '<UID>:<UID>', using literal numbers, such as '123:456'. To flush the policies, any write to the file is sufficient. Again, configuring a policy for a UID will prevent that UID from obtaining auxiliary setid privileges, such as allowing a user to set up user namespace UID mappings. securityfs by writing to the safesetid/uid_allowlist_policy and safesetid/gid_allowlist_policy files at the location where securityfs is mounted. The format for adding a policy is '<UID>:<UID>' or '<GID>:<GID>', using literal numbers, and ending with a newline character such as '123:456\n'. Writing an empty string "" will flush the policy. Again, configuring a policy for a UID/GID will prevent that UID/GID from obtaining auxiliary setid privileges, such as allowing a user to set up user namespace UID/GID mappings. Note on GID policies and setgroups() ================== In v5.9 we are adding support for limiting CAP_SETGID privileges as was done previously for CAP_SETUID. However, for compatibility with common sandboxing related code conventions in userspace, we currently allow arbitrary setgroups() calls for processes with CAP_SETGID restrictions. Until we add support in a future release for restricting setgroups() calls, these GID policies add no meaningful security. setgroups() restrictions will be enforced once we have the policy checking code in place, which will rely on GID policy configuration code added in v5.9. Documentation/admin-guide/cpu-load.rst +33 −30 Original line number Diff line number Diff line Loading 
@@ -66,16 +66,19 @@ will lead to quite erratic information inside ``/proc/stat``:: (void) signr; stop = 1; } static unsigned long hog (unsigned long niters) { stop = 0; while (!stop && --niters); return niters; } int main (void) { int i; struct itimerval it = { .it_interval = { .tv_sec = 0, .tv_usec = 1 }, struct itimerval it = { .it_interval = { .tv_sec = 0, .tv_usec = 1 }, .it_value = { .tv_sec = 0, .tv_usec = 1 } }; sigset_t set; unsigned long v[HIST]; Loading Documentation/admin-guide/kernel-parameters.txt +7 −0 Original line number Diff line number Diff line Loading @@ -5978,6 +5978,13 @@ After which time (jiffies) the event handling loop should start to delay EOI handling. Default is 2. xen.fifo_events= [XEN] Boolean parameter to disable using fifo event handling even if available. Normally fifo event handling is preferred over the 2-level event handling, as it is fairer and the number of possible event channels is much higher. Default is on (use fifo events). nopv= [X86,XEN,KVM,HYPER_V,VMWARE] Disables the PV optimizations forcing the guest to run as generic guest with no PV drivers. Currently support Loading Loading
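Review bot: the new feature_persistent entry in sysfs-driver-xen-blkback never says what happens when frontend and backend disagree, whereas the neighbouring max_indirect_segments entry in sysfs-driver-xen-blkfront spells out the negotiation ("The backend picks the minimum of the frontend and its default backend value"). Add one sentence stating whether persistent grants are used only when both sides enable the feature, and say what an administrator trades off by turning it off (the surrounding entries explain their knobs in terms of throughput and memory usage). "Note that this option only takes effect on newly created backends" is the right caveat; it would also help to state whether the parameter is writable at runtime or only at module load.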
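Review bot: the first hunk in sysfs-driver-xen-blkfront corrects a stale "What:" path ("/sys/module/xen_blkfront/parameters/max" becomes "max_indirect_segments"); that is a fix to the existing entry rather than a new ABI, so keeping Date: June 2013 / KernelVersion: 3.11 is correct. The new feature_persistent entry is word-for-word the blkback one apart from "frontends". Since the two parameters live in different domains (the frontend in the guest, the backend in the driver domain), state explicitly that each side only controls what it advertises, rather than leaving the reader to infer it from the two separate entries.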
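Review bot: the SafeSetID intro hunk still claims the LSM prohibits the given UIDs/GIDs "from obtaining auxiliary privileges associated with CAP_SET{U/G}ID", but the "Note on GID policies and setgroups()" section added further down in the same patch says arbitrary setgroups() calls remain allowed and that "these GID policies add no meaningful security". Put a one-line pointer to that caveat in the intro so an administrator reading only the top does not deploy a GID policy expecting enforcement. The "whitelist" to "allowlist" rename is fine; the "Background" section is cut off here, so check it was renamed consistently too.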
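Review bot: the "Directions for use" hunk changes the securityfs file names (safesetid/add_whitelist_policy and safesetid/flush_whitelist_policies become safesetid/uid_allowlist_policy and safesetid/gid_allowlist_policy) and the flush semantics (from "any write to the file is sufficient" to "Writing an empty string "" will flush the policy"). That is a userspace-visible interface break; the text should say which kernel version introduced the new names and whether the old files are kept, since provisioning scripts writing the old paths will otherwise fail silently. It also gives the format "for adding a policy" as one '<UID>:<UID>\n' line but never says whether a non-empty write appends to or replaces the current policy, nor whether several lines may go in one write(); both matter to anyone configuring more than one transition. Finally, the "==================" underline beneath "Note on GID policies and setgroups()" is shorter than the title, which makes Sphinx warn "Title underline too short"; extend it to the title length.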
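Review bot: the cpu-load.rst hunk is whitespace-only (the "struct itimerval it = { .it_interval = ..." line is re-indented; hog() and main() are otherwise unchanged), which matches the +33/-30 count. Because the program sits in a "::" literal block ("inside ``/proc/stat``::"), confirm the whole example still shares one indentation level after the change; a line indented less than the first line of the block ends the literal block early and the rest is rendered as body text.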
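Review bot: the new xen.fifo_events= entry in kernel-parameters.txt reads "Boolean parameter to disable using fifo event handling" and then "Default is on (use fifo events)", which leaves it ambiguous whether xen.fifo_events=1 disables fifo events (as "parameter to disable" suggests) or enables them (as "on" suggests). State the accepted values and the one that switches to 2-level handling, for example "xen.fifo_events=0 selects 2-level event handling", and drop "to disable" from the first sentence. The rationale given ("fairer and the number of possible event channels is much higher") is useful and should stay.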