1 =============================== 1 ===============================
2 Documentation for /proc/sys/fs/ 2 Documentation for /proc/sys/fs/
3 =============================== 3 ===============================
4 4
5 Copyright (c) 1998, 1999, Rik van Riel <riel@n 5 Copyright (c) 1998, 1999, Rik van Riel <riel@nl.linux.org>
6 6
7 Copyright (c) 2009, Shen Feng<shen@cn.fu 7 Copyright (c) 2009, Shen Feng<shen@cn.fujitsu.com>
8 8
9 For general info and legal blurb, please look 9 For general info and legal blurb, please look in intro.rst.
10 10
11 ---------------------------------------------- 11 ------------------------------------------------------------------------------
12 12
13 This file contains documentation for the sysct 13 This file contains documentation for the sysctl files and directories
14 in ``/proc/sys/fs/``. 14 in ``/proc/sys/fs/``.
15 15
16 The files in this directory can be used to tun 16 The files in this directory can be used to tune and monitor
17 miscellaneous and general things in the operat 17 miscellaneous and general things in the operation of the Linux
18 kernel. Since some of the files *can* be used 18 kernel. Since some of the files *can* be used to screw up your
19 system, it is advisable to read both documenta 19 system, it is advisable to read both documentation and source
20 before actually making adjustments. 20 before actually making adjustments.
21 21
22 1. /proc/sys/fs 22 1. /proc/sys/fs
23 =============== 23 ===============
24 24
25 Currently, these files might (depending on you 25 Currently, these files might (depending on your configuration)
26 show up in ``/proc/sys/fs``: 26 show up in ``/proc/sys/fs``:
27 27
28 .. contents:: :local: 28 .. contents:: :local:
29 29
30 30
31 aio-nr & aio-max-nr 31 aio-nr & aio-max-nr
32 ------------------- 32 -------------------
33 33
34 ``aio-nr`` shows the current system-wide numbe 34 ``aio-nr`` shows the current system-wide number of asynchronous io
35 requests. ``aio-max-nr`` allows you to change 35 requests. ``aio-max-nr`` allows you to change the maximum value
36 ``aio-nr`` can grow to. If ``aio-nr`` reaches 36 ``aio-nr`` can grow to. If ``aio-nr`` reaches ``aio-nr-max`` then
37 ``io_setup`` will fail with ``EAGAIN``. Note 37 ``io_setup`` will fail with ``EAGAIN``. Note that raising
38 ``aio-max-nr`` does not result in the 38 ``aio-max-nr`` does not result in the
39 pre-allocation or re-sizing of any kernel data 39 pre-allocation or re-sizing of any kernel data structures.
40 40
41 dentry-negative <<
42 ---------------------------- <<
43 <<
44 Policy for negative dentries. Set to 1 to to a <<
45 file is removed, and 0 to disable it. By defau <<
46 41
47 dentry-state 42 dentry-state
48 ------------ 43 ------------
49 44
50 This file shows the values in ``struct dentry_ !! 45 This file shows the values in ``struct dentry_stat``, as defined in
51 ``fs/dcache.c``:: !! 46 ``linux/include/linux/dcache.h``::
52 47
53 struct dentry_stat_t dentry_stat { 48 struct dentry_stat_t dentry_stat {
54 long nr_dentry; !! 49 int nr_dentry;
55 long nr_unused; !! 50 int nr_unused;
56 long age_limit; /* age in seco !! 51 int age_limit; /* age in seconds */
57 long want_pages; /* pages reque !! 52 int want_pages; /* pages requested by system */
58 long nr_negative; /* # of unused !! 53 int nr_negative; /* # of unused negative dentries */
59 long dummy; /* Reserved fo !! 54 int dummy; /* Reserved for future use */
60 }; 55 };
61 56
62 Dentries are dynamically allocated and dealloc 57 Dentries are dynamically allocated and deallocated.
63 58
64 ``nr_dentry`` shows the total number of dentri 59 ``nr_dentry`` shows the total number of dentries allocated (active
65 + unused). ``nr_unused shows`` the number of d 60 + unused). ``nr_unused shows`` the number of dentries that are not
66 actively used, but are saved in the LRU list f 61 actively used, but are saved in the LRU list for future reuse.
67 62
68 ``age_limit`` is the age in seconds after whic 63 ``age_limit`` is the age in seconds after which dcache entries
69 can be reclaimed when memory is short and ``wa 64 can be reclaimed when memory is short and ``want_pages`` is
70 nonzero when ``shrink_dcache_pages()`` has bee 65 nonzero when ``shrink_dcache_pages()`` has been called and the
71 dcache isn't pruned yet. 66 dcache isn't pruned yet.
72 67
73 ``nr_negative`` shows the number of unused den 68 ``nr_negative`` shows the number of unused dentries that are also
74 negative dentries which do not map to any file 69 negative dentries which do not map to any files. Instead,
75 they help speeding up rejection of non-existin 70 they help speeding up rejection of non-existing files provided
76 by the users. 71 by the users.
77 72
78 73
79 file-max & file-nr 74 file-max & file-nr
80 ------------------ 75 ------------------
81 76
82 The value in ``file-max`` denotes the maximum 77 The value in ``file-max`` denotes the maximum number of file-
83 handles that the Linux kernel will allocate. W 78 handles that the Linux kernel will allocate. When you get lots
84 of error messages about running out of file ha 79 of error messages about running out of file handles, you might
85 want to increase this limit. 80 want to increase this limit.
86 81
87 Historically,the kernel was able to allocate f 82 Historically,the kernel was able to allocate file handles
88 dynamically, but not to free them again. The t 83 dynamically, but not to free them again. The three values in
89 ``file-nr`` denote the number of allocated fil 84 ``file-nr`` denote the number of allocated file handles, the number
90 of allocated but unused file handles, and the 85 of allocated but unused file handles, and the maximum number of
91 file handles. Linux 2.6 and later always repor 86 file handles. Linux 2.6 and later always reports 0 as the number of free
92 file handles -- this is not an error, it just 87 file handles -- this is not an error, it just means that the
93 number of allocated file handles exactly match 88 number of allocated file handles exactly matches the number of
94 used file handles. 89 used file handles.
95 90
96 Attempts to allocate more file descriptors tha 91 Attempts to allocate more file descriptors than ``file-max`` are
97 reported with ``printk``, look for:: 92 reported with ``printk``, look for::
98 93
99 VFS: file-max limit <number> reached 94 VFS: file-max limit <number> reached
100 95
101 in the kernel logs. 96 in the kernel logs.
102 97
103 98
104 inode-nr & inode-state 99 inode-nr & inode-state
105 ---------------------- 100 ----------------------
106 101
107 As with file handles, the kernel allocates the 102 As with file handles, the kernel allocates the inode structures
108 dynamically, but can't free them yet. 103 dynamically, but can't free them yet.
109 104
110 The file ``inode-nr`` contains the first two i 105 The file ``inode-nr`` contains the first two items from
111 ``inode-state``, so we'll skip to that file... 106 ``inode-state``, so we'll skip to that file...
112 107
113 ``inode-state`` contains three actual numbers 108 ``inode-state`` contains three actual numbers and four dummies.
114 The actual numbers are, in order of appearance 109 The actual numbers are, in order of appearance, ``nr_inodes``,
115 ``nr_free_inodes`` and ``preshrink``. 110 ``nr_free_inodes`` and ``preshrink``.
116 111
117 ``nr_inodes`` stands for the number of inodes 112 ``nr_inodes`` stands for the number of inodes the system has
118 allocated. 113 allocated.
119 114
120 ``nr_free_inodes`` represents the number of fr 115 ``nr_free_inodes`` represents the number of free inodes (?) and
121 preshrink is nonzero when the 116 preshrink is nonzero when the
122 system needs to prune the inode list instead o 117 system needs to prune the inode list instead of allocating
123 more. 118 more.
124 119
125 120
126 mount-max 121 mount-max
127 --------- 122 ---------
128 123
129 This denotes the maximum number of mounts that 124 This denotes the maximum number of mounts that may exist
130 in a mount namespace. 125 in a mount namespace.
131 126
132 127
133 nr_open 128 nr_open
134 ------- 129 -------
135 130
136 This denotes the maximum number of file-handle 131 This denotes the maximum number of file-handles a process can
137 allocate. Default value is 1024*1024 (1048576) 132 allocate. Default value is 1024*1024 (1048576) which should be
138 enough for most machines. Actual limit depends 133 enough for most machines. Actual limit depends on ``RLIMIT_NOFILE``
139 resource limit. 134 resource limit.
140 135
141 136
142 overflowgid & overflowuid 137 overflowgid & overflowuid
143 ------------------------- 138 -------------------------
144 139
145 Some filesystems only support 16-bit UIDs and 140 Some filesystems only support 16-bit UIDs and GIDs, although in Linux
146 UIDs and GIDs are 32 bits. When one of these f 141 UIDs and GIDs are 32 bits. When one of these filesystems is mounted
147 with writes enabled, any UID or GID that would 142 with writes enabled, any UID or GID that would exceed 65535 is translated
148 to a fixed value before being written to disk. 143 to a fixed value before being written to disk.
149 144
150 These sysctls allow you to change the value of 145 These sysctls allow you to change the value of the fixed UID and GID.
151 The default is 65534. 146 The default is 65534.
152 147
153 148
154 pipe-user-pages-hard 149 pipe-user-pages-hard
155 -------------------- 150 --------------------
156 151
157 Maximum total number of pages a non-privileged 152 Maximum total number of pages a non-privileged user may allocate for pipes.
158 Once this limit is reached, no new pipes may b 153 Once this limit is reached, no new pipes may be allocated until usage goes
159 below the limit again. When set to 0, no limit 154 below the limit again. When set to 0, no limit is applied, which is the default
160 setting. 155 setting.
161 156
162 157
163 pipe-user-pages-soft 158 pipe-user-pages-soft
164 -------------------- 159 --------------------
165 160
166 Maximum total number of pages a non-privileged 161 Maximum total number of pages a non-privileged user may allocate for pipes
167 before the pipe size gets limited to a single 162 before the pipe size gets limited to a single page. Once this limit is reached,
168 new pipes will be limited to a single page in 163 new pipes will be limited to a single page in size for this user in order to
169 limit total memory usage, and trying to increa 164 limit total memory usage, and trying to increase them using ``fcntl()`` will be
170 denied until usage goes below the limit again. 165 denied until usage goes below the limit again. The default value allows to
171 allocate up to 1024 pipes at their default siz 166 allocate up to 1024 pipes at their default size. When set to 0, no limit is
172 applied. 167 applied.
173 168
174 169
175 protected_fifos 170 protected_fifos
176 --------------- 171 ---------------
177 172
178 The intent of this protection is to avoid unin 173 The intent of this protection is to avoid unintentional writes to
179 an attacker-controlled FIFO, where a program e 174 an attacker-controlled FIFO, where a program expected to create a regular
180 file. 175 file.
181 176
182 When set to "0", writing to FIFOs is unrestric 177 When set to "0", writing to FIFOs is unrestricted.
183 178
184 When set to "1" don't allow ``O_CREAT`` open o 179 When set to "1" don't allow ``O_CREAT`` open on FIFOs that we don't own
185 in world writable sticky directories, unless t 180 in world writable sticky directories, unless they are owned by the
186 owner of the directory. 181 owner of the directory.
187 182
188 When set to "2" it also applies to group writa 183 When set to "2" it also applies to group writable sticky directories.
189 184
190 This protection is based on the restrictions i 185 This protection is based on the restrictions in Openwall.
191 186
192 187
193 protected_hardlinks 188 protected_hardlinks
194 -------------------- 189 --------------------
195 190
196 A long-standing class of security issues is th 191 A long-standing class of security issues is the hardlink-based
197 time-of-check-time-of-use race, most commonly 192 time-of-check-time-of-use race, most commonly seen in world-writable
198 directories like ``/tmp``. The common method o 193 directories like ``/tmp``. The common method of exploitation of this flaw
199 is to cross privilege boundaries when followin 194 is to cross privilege boundaries when following a given hardlink (i.e. a
200 root process follows a hardlink created by ano 195 root process follows a hardlink created by another user). Additionally,
201 on systems without separated partitions, this 196 on systems without separated partitions, this stops unauthorized users
202 from "pinning" vulnerable setuid/setgid files 197 from "pinning" vulnerable setuid/setgid files against being upgraded by
203 the administrator, or linking to special files 198 the administrator, or linking to special files.
204 199
205 When set to "0", hardlink creation behavior is 200 When set to "0", hardlink creation behavior is unrestricted.
206 201
207 When set to "1" hardlinks cannot be created by 202 When set to "1" hardlinks cannot be created by users if they do not
208 already own the source file, or do not have re 203 already own the source file, or do not have read/write access to it.
209 204
210 This protection is based on the restrictions i 205 This protection is based on the restrictions in Openwall and grsecurity.
211 206
212 207
213 protected_regular 208 protected_regular
214 ----------------- 209 -----------------
215 210
216 This protection is similar to `protected_fifos 211 This protection is similar to `protected_fifos`_, but it
217 avoids writes to an attacker-controlled regula 212 avoids writes to an attacker-controlled regular file, where a program
218 expected to create one. 213 expected to create one.
219 214
220 When set to "0", writing to regular files is u 215 When set to "0", writing to regular files is unrestricted.
221 216
222 When set to "1" don't allow ``O_CREAT`` open o 217 When set to "1" don't allow ``O_CREAT`` open on regular files that we
223 don't own in world writable sticky directories 218 don't own in world writable sticky directories, unless they are
224 owned by the owner of the directory. 219 owned by the owner of the directory.
225 220
226 When set to "2" it also applies to group writa 221 When set to "2" it also applies to group writable sticky directories.
227 222
228 223
229 protected_symlinks 224 protected_symlinks
230 ------------------ 225 ------------------
231 226
232 A long-standing class of security issues is th 227 A long-standing class of security issues is the symlink-based
233 time-of-check-time-of-use race, most commonly 228 time-of-check-time-of-use race, most commonly seen in world-writable
234 directories like ``/tmp``. The common method o 229 directories like ``/tmp``. The common method of exploitation of this flaw
235 is to cross privilege boundaries when followin 230 is to cross privilege boundaries when following a given symlink (i.e. a
236 root process follows a symlink belonging to an 231 root process follows a symlink belonging to another user). For a likely
237 incomplete list of hundreds of examples across 232 incomplete list of hundreds of examples across the years, please see:
238 https://cve.mitre.org/cgi-bin/cvekey.cgi?keywo 233 https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
239 234
240 When set to "0", symlink following behavior is 235 When set to "0", symlink following behavior is unrestricted.
241 236
242 When set to "1" symlinks are permitted to be f 237 When set to "1" symlinks are permitted to be followed only when outside
243 a sticky world-writable directory, or when the 238 a sticky world-writable directory, or when the uid of the symlink and
244 follower match, or when the directory owner ma 239 follower match, or when the directory owner matches the symlink's owner.
245 240
246 This protection is based on the restrictions i 241 This protection is based on the restrictions in Openwall and grsecurity.
247 242
248 243
249 suid_dumpable 244 suid_dumpable
250 ------------- 245 -------------
251 246
252 This value can be used to query and set the co 247 This value can be used to query and set the core dump mode for setuid
253 or otherwise protected/tainted binaries. The m 248 or otherwise protected/tainted binaries. The modes are
254 249
255 = ========== ============================== 250 = ========== ===============================================================
256 0 (default) Traditional behaviour. Any pro 251 0 (default) Traditional behaviour. Any process which has changed
257 privilege levels or is execute 252 privilege levels or is execute only will not be dumped.
258 1 (debug) All processes dump core when p 253 1 (debug) All processes dump core when possible. The core dump is
259 owned by the current user and 254 owned by the current user and no security is applied. This is
260 intended for system debugging 255 intended for system debugging situations only.
261 Ptrace is unchecked. 256 Ptrace is unchecked.
262 This is insecure as it allows 257 This is insecure as it allows regular users to examine the
263 memory contents of privileged 258 memory contents of privileged processes.
264 2 (suidsafe) Any binary which normally woul 259 2 (suidsafe) Any binary which normally would not be dumped is dumped
265 anyway, but only if the ``core 260 anyway, but only if the ``core_pattern`` kernel sysctl (see
266 :ref:`Documentation/admin-guid 261 :ref:`Documentation/admin-guide/sysctl/kernel.rst <core_pattern>`)
267 is set to 262 is set to
268 either a pipe handler or a ful 263 either a pipe handler or a fully qualified path. (For more
269 details on this limitation, se 264 details on this limitation, see CVE-2006-2451.) This mode is
270 appropriate when administrator 265 appropriate when administrators are attempting to debug
271 problems in a normal environme 266 problems in a normal environment, and either have a core dump
272 pipe handler that knows to tre 267 pipe handler that knows to treat privileged core dumps with
273 care, or specific directory de 268 care, or specific directory defined for catching core dumps.
274 If a core dump happens without 269 If a core dump happens without a pipe handler or fully
275 qualified path, a message will 270 qualified path, a message will be emitted to syslog warning
276 about the lack of a correct se 271 about the lack of a correct setting.
277 = ========== ============================== 272 = ========== ===============================================================
278 273
279 274
280 275
281 2. /proc/sys/fs/binfmt_misc 276 2. /proc/sys/fs/binfmt_misc
282 =========================== 277 ===========================
283 278
284 Documentation for the files in ``/proc/sys/fs/ 279 Documentation for the files in ``/proc/sys/fs/binfmt_misc`` is
285 in Documentation/admin-guide/binfmt-misc.rst. 280 in Documentation/admin-guide/binfmt-misc.rst.
286 281
287 282
288 3. /proc/sys/fs/mqueue - POSIX message queues 283 3. /proc/sys/fs/mqueue - POSIX message queues filesystem
289 ============================================== 284 ========================================================
290 285
291 286
292 The "mqueue" filesystem provides the necessa 287 The "mqueue" filesystem provides the necessary kernel features to enable the
293 creation of a user space library that imple 288 creation of a user space library that implements the POSIX message queues
294 API (as noted by the MSG tag in the POSIX 10 289 API (as noted by the MSG tag in the POSIX 1003.1-2001 version of the System
295 Interfaces specification.) 290 Interfaces specification.)
296 291
297 The "mqueue" filesystem contains values for de 292 The "mqueue" filesystem contains values for determining/setting the
298 amount of resources used by the file system. 293 amount of resources used by the file system.
299 294
300 ``/proc/sys/fs/mqueue/queues_max`` is a read/w 295 ``/proc/sys/fs/mqueue/queues_max`` is a read/write file for
301 setting/getting the maximum number of message 296 setting/getting the maximum number of message queues allowed on the
302 system. 297 system.
303 298
304 ``/proc/sys/fs/mqueue/msg_max`` is a read/writ 299 ``/proc/sys/fs/mqueue/msg_max`` is a read/write file for
305 setting/getting the maximum number of messages 300 setting/getting the maximum number of messages in a queue value. In
306 fact it is the limiting value for another (use 301 fact it is the limiting value for another (user) limit which is set in
307 ``mq_open`` invocation. This attribute of a q 302 ``mq_open`` invocation. This attribute of a queue must be less than
308 or equal to ``msg_max``. 303 or equal to ``msg_max``.
309 304
310 ``/proc/sys/fs/mqueue/msgsize_max`` is a read/ 305 ``/proc/sys/fs/mqueue/msgsize_max`` is a read/write file for
311 setting/getting the maximum message size value 306 setting/getting the maximum message size value (it is an attribute of
312 every message queue, set during its creation). 307 every message queue, set during its creation).
313 308
314 ``/proc/sys/fs/mqueue/msg_default`` is a read/ 309 ``/proc/sys/fs/mqueue/msg_default`` is a read/write file for
315 setting/getting the default number of messages 310 setting/getting the default number of messages in a queue value if the
316 ``attr`` parameter of ``mq_open(2)`` is ``NULL 311 ``attr`` parameter of ``mq_open(2)`` is ``NULL``. If it exceeds
317 ``msg_max``, the default value is initialized 312 ``msg_max``, the default value is initialized to ``msg_max``.
318 313
319 ``/proc/sys/fs/mqueue/msgsize_default`` is a r 314 ``/proc/sys/fs/mqueue/msgsize_default`` is a read/write file for
320 setting/getting the default message size value 315 setting/getting the default message size value if the ``attr``
321 parameter of ``mq_open(2)`` is ``NULL``. If it 316 parameter of ``mq_open(2)`` is ``NULL``. If it exceeds
322 ``msgsize_max``, the default value is initiali 317 ``msgsize_max``, the default value is initialized to ``msgsize_max``.
323 318
324 4. /proc/sys/fs/epoll - Configuration options 319 4. /proc/sys/fs/epoll - Configuration options for the epoll interface
325 ============================================== 320 =====================================================================
326 321
327 This directory contains configuration options 322 This directory contains configuration options for the epoll(7) interface.
328 323
329 max_user_watches 324 max_user_watches
330 ---------------- 325 ----------------
331 326
332 Every epoll file descriptor can store a number 327 Every epoll file descriptor can store a number of files to be monitored
333 for event readiness. Each one of these monitor 328 for event readiness. Each one of these monitored files constitutes a "watch".
334 This configuration option sets the maximum num 329 This configuration option sets the maximum number of "watches" that are
335 allowed for each user. 330 allowed for each user.
336 Each "watch" costs roughly 90 bytes on a 32-bi 331 Each "watch" costs roughly 90 bytes on a 32-bit kernel, and roughly 160 bytes
337 on a 64-bit one. 332 on a 64-bit one.
338 The current default value for ``max_user_watch 333 The current default value for ``max_user_watches`` is 4% of the
339 available low memory, divided by the "watch" c 334 available low memory, divided by the "watch" cost in bytes.
340 <<
341 5. /proc/sys/fs/fuse - Configuration options f <<
342 ============================================== <<
343 <<
344 This directory contains the following configur <<
345 filesystems: <<
346 <<
347 ``/proc/sys/fs/fuse/max_pages_limit`` is a rea <<
348 setting/getting the maximum number of pages th <<
349 requests in FUSE. <<
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.