Chapter 5 : The /proc filesystem

The /proc filesystem is a specificity of Linux. It is a virtual filesystem, and as such it takes no room on your disk. It is a very convenient way to obtain information on the system, all the more that most files into this directory are human readable (well, with a little habit). Many programs actually gather information from files in /proc, format it in their own way and then display it. This is the case for all programs which display information about processes, and we have already seen a few of them (top, ps and friends). /proc is also a good source of information about your hardware, and similarly, quite a few programs are just interfaces to information contained in /proc.

There is also a special subdirectory, /proc/sys. It allows for changing some kernel parameters in real time or displaying them.

Information about processes

If you list the contents of the /proc directory, you will see many directories the name of which is a number. These are the directories holding information on all processes currently running on the system:

$ ls -d /proc/[0-9]*
/proc/1/    /proc/302/  /proc/451/  /proc/496/  /proc/556/  /proc/633/
/proc/127/  /proc/317/  /proc/452/  /proc/497/  /proc/557/  /proc/718/
/proc/2/    /proc/339/  /proc/453/  /proc/5/    /proc/558/  /proc/755/
/proc/250/  /proc/385/  /proc/454/  /proc/501/  /proc/559/  /proc/760/
/proc/260/  /proc/4/    /proc/455/  /proc/504/  /proc/565/  /proc/761/
/proc/275/  /proc/402/  /proc/463/  /proc/505/  /proc/569/  /proc/769/
/proc/290/  /proc/433/  /proc/487/  /proc/509/  /proc/594/  /proc/774/
/proc/3/    /proc/450/  /proc/491/  /proc/554/  /proc/595/

Note that as a user, you can (logically) only display information related to your own processes, but not the ones of other users. So, let's be root and see what information is available from process 127:

$ su
Password:
$ cd /proc/127
$ ls -l
total 0
-r--r--r--    1 root     root            0 d    c 14 19:53 cmdline
lrwx------    1 root     root            0 d    c 14 19:53 cwd -> //
-r--------    1 root     root            0 d    c 14 19:53 environ
lrwx------    1 root     root            0 d    c 14 19:53 exe -> /usr/sbin/apmd*
dr-x------    2 root     root            0 d    c 14 19:53 fd/
pr--r--r--    1 root     root            0 d    c 14 19:53 maps|
-rw-------    1 root     root            0 d    c 14 19:53 mem
lrwx------    1 root     root            0 d    c 14 19:53 root -> //
-r--r--r--    1 root     root            0 d    c 14 19:53 stat
-r--r--r--    1 root     root            0 d    c 14 19:53 statm
-r--r--r--    1 root     root            0 d    c 14 19:53 status
$

Each directory contains the same entries. Here is a brief description of some of the entries:

• cmdline: This (pseudo-)file contains the whole command line used to invoke the process. It is not formatted: there is no space between the program and its arguments, and there is no newline at the end of the line either.
• cwd: This symbolic link points to the current working directory (hence the name) of the process.
• environ: This file contains all the environment variables defined for this process, in the form VARIABLE=value. Similarly to cmdline, the output is not formatted at all: no newlines to separate between different variables, and no newline at the end either.
• exe: This is a symlink pointing to the executable file corresponding to the process being run.
• fd: This subdirectory contains the list of file descriptors currently opened by the process. See below.
• maps: When you print the contents of this named pipe (with cat for example), you can see the parts of the process' address space which are currently mapped to a file. The fields, from left to right, are: the address space associated to this mapping, the permissions associated to this mapping, the offset from the beginning of the file where the mapping starts, the device on which the mapped file is located, the inode number of the file, and finally the name of the file itsef. See mmap(2).
• root: This is a symbolic link which points to the root directory used by the process. Usually, it will be /, but see chroot(2).
• status: This file contains various information about the process: the name of the executable, its current state, its PID and PPID, its real and effective UID and GID, its memory usage, and other information.

If we list the contents of the directory fd, we obtain this:

$ ls -l fd
total 0
lrwx------    1 root     root           64 Dec 16 22:04 0 -> /dev/console
l-wx------    1 root     root           64 Dec 16 22:04 1 -> pipe:[128]
l-wx------    1 root     root           64 Dec 16 22:04 2 -> pipe:[129]
l-wx------    1 root     root           64 Dec 16 22:04 21 -> pipe:[130]
lrwx------    1 root     root           64 Dec 16 22:04 3 -> /dev/apm_bios
lr-x------    1 root     root           64 Dec 16 22:04 7 -> pipe:[130]
lrwx------    1 root     root           64 Dec 16 22:04 9 ->
/dev/console
$

In fact, this is the list of file descriptors opened by the process. Each opened descriptor is materialized by a symbolic link the name of which is the descriptor number, and which points to the file opened by this descriptor[15]. You can also notice the permissions on the symlinks: this is the only place where they make sense, as they represent the permissions with which the file corresponding to the descriptor has been opened.

Information on hardware

Apart from the directories asociated to the different processes, /proc also contains a myriad of information on the hardware present in your machine. A list of files from the /proc directory gives the following:

$ ls -d [a-z]*
apm      dma          interrupts  loadavg  mounts      rtc       swaps
bus/     fb           ioports     locks    mtrr        scsi/     sys/
cmdline  filesystems  kcore       meminfo  net/        self/     tty/
cpuinfo  fs/          kmsg        misc     partitions  slabinfo  uptime
devices  ide/         ksyms       modules  pci         stat      version
$

For example, if we look at the contents of /proc/interrupts, we can see that it contains the list of interruptions currently used by the system, along with the peripheral which holds them. Similarly, ioports contains the list of input/output address ranges currently busy, and lastly dma does the same for DMA channels. Therefore, in order to chase down a conflict, look at the contents of these three files:

$ cat interrupts
           CPU0
  0:     127648          XT-PIC  timer
  1:       5191          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  5:       1402          XT-PIC  xirc2ps_cs
  8:          1          XT-PIC  rtc
 10:          0          XT-PIC  ESS Solo1
 12:       2631          XT-PIC  PS/2 Mouse
 13:          1          XT-PIC  fpu
 14:      73434          XT-PIC  ide0
 15:      80234          XT-PIC  ide1
NMI:          0
$ cat ioports
0000-001f : dma1
0020-003f : pic1
0040-005f : timer
0060-006f : keyboard
0070-007f : rtc
0080-008f : dma page reg
00a0-00bf : pic2
00c0-00df : dma2
00f0-00ff : fpu
0170-0177 : ide1
01f0-01f7 : ide0
0300-030f : xirc2ps_cs
0376-0376 : ide1
03c0-03df : vga+
03f6-03f6 : ide0
03f8-03ff : serial(auto)
1050-1057 : ide0
1058-105f : ide1
1080-108f : ESS Solo1
10c0-10cf : ESS Solo1
10d4-10df : ESS Solo1
10ec-10ef : ESS Solo1
$ cat dma
 4: cascade
$

Or, more simply, use the lsdev command, which gathers information from these three files and sorts them by peripheral, which is undoubtedly more convenient[16]:

$ lsdev
Device            DMA   IRQ  I/O Ports
------------------------------------------------
cascade             4     2
dma                          0080-008f
dma1                         0000-001f
dma2                         00c0-00df
ESS                          1080-108f 10c0-10cf 10d4-10df 10ec-10ef
fpu                      13  00f0-00ff
ide0                     14  01f0-01f7 03f6-03f6 1050-1057
ide1                     15  0170-0177 0376-0376 1058-105f
keyboard                  1  0060-006f
Mouse                    12
pic1                         0020-003f
pic2                         00a0-00bf
rtc                       8  0070-007f
serial                       03f8-03ff
Solo1                    10
timer                     0  0040-005f
vga+                         03c0-03df
xirc2ps_cs                5  0300-030f
$

An exhaustive listing of files would be too long, but here's the description of some of them:

• cpuinfo: This file contains, as its name says, information on the processor(s) present on your machine.
• modules: This file contains the list of modules currently used by the kernel, along with the usage count for each one. In fact, this is the same information than what is reported by the lsmod command.
• meminfo: This file contains information on memory usage at the time you print its contents. A more clearly formatted output of the same information is available with the free command.
• apm: If you have a laptop, displaying the contents of this file allows you to see the state of your battery. You can see whether the AC is plugged in, the current load of your battery, and if the APM BIOS of your laptop supports it (unfortunately this is not the case for all), the remaining battery life in minutes. The file isn't very readable by itself, therefore you want to use the apm command instead, which gives the same information in a human readable format.
• bus: This subdirectory contains information on all peripherals found on different buses in your machine. Information inside it are generally seldom readable, and for the most part they are dealed with and reformatted with external utilities: lspcidrake, lspnp, etc.

The /proc/sys subdirectory

The role of this subdirectory is to report different kernel parameters, and to allow for changing in real time some of these parameters. As opposite to all other files in /proc, some files in this directory are writable, but for root only.

A list of directories and files would be too long, all the more that they will depend in a large part on your system, and that most files will only be useful for very specialized applications. However, here are three common uses of this subdirectory:

• Allow routing: Even if the default kernel from Linux-Mandrake is able to route, you must explicitly allow it to do so. For this, you just have to type the following command as root:

  $ echo 1 >/proc/sys/net/ipv4/ip_forward
  

  Replace the 1 by a 0 if you want to forbid routing.

• Prevent IP spoofing: IP spoofing consists in making one believe that a packet coming from the outside world comes from the interface by which it arrives. This technique is very commonly used by crackers[17], but you can make so that the kernel prevents this kind of intrusion for you. You just have to type:

  $ echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter
  

  and this kind of attack becomes impossible.

• Increase the size of the table of open files and the inode table: The size of the table of open files and the inode table is dynamic under Linux. The default values are very largely sufficient for a normal use, but they may be too weak if your machine is a huge server (a database server for example). Indeed, the first obstacle is the fact that processes cannot open any more files because the table is full, therefore you must increase its size. Meanwhile, you must also increase the size of the inode table. These two lines will solve the problem:

  $ echo 8192 >/proc/sys/fs/file-max
  $ echo 16384 >/proc/sys/fs/inode-max
  

  In order for these to be executed each time you boot the system, you might want to add these two lines to the file /etc/rc.d/rc.local so that you avoid typing them each time.