D21087.id60196.diff
Index: share/man/man7/security.7
===================================================================
--- share/man/man7/security.7
+++ share/man/man7/security.7
@@ -1,4 +1,9 @@
.\" Copyright (C) 1998 Matthew Dillon. All rights reserved.
+.\" Copyright (c) 2019 The FreeBSD Foundation, Inc.
+.\"
+.\" Parts of this documentation was written by
+.\" Konstantin Belousov <kib@FreeBSD.org> under sponsorship
+.\" from the FreeBSD Foundation.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
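Review bot: grammar in the added attribution lines: `.\" Parts of this documentation was written by` should read `were written by` (plural subject). Otherwise the new copyright and sponsorship block follows the layout of the existing header comment.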
@@ -23,7 +28,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd December 25, 2013
+.Dd July 27, 2019
.Dt SECURITY 7
.Os
.Sh NAME
@@ -941,12 +946,117 @@
.Pa authorized_keys
file to make the key only usable to entities logging in from specific
machines.
+.Sh KNOBS AND TWEAKS
+System provides several knobs and tweak handles that make some introspection
+information access more restricted.
+Some people consider this as improving system security, so the knobs are
+briefly listed there, together with controls which enable some mitigations
+of the hardware state leaks.
+.Bl -tag -width security.bsd.unprivileged_proc_debug
+.It Dv security.bsd.see_other_uids
+Controls visibility of the processes owned by different uid.
+The knob directly affects the
+.Dv kern.proc
+sysctls filtering of data, which results in restricted output from
+utilities like
+.Xr ps 1 .
+.It Dv security.bsd.see_other_gids
+Same, for processes owned by different gid.
+.It Dv security.bsd.see_jail_proc
+Same, for processes belonging to a jail.
+.It Dv security.bsd.conservative_signals
+When enabled, only allows to send job control and usual termination signals
+like
+.Dv SIGKILL ,
+.Dv SIGINT ,
+and
+.Dv SIGTERM ,
+to the processes executing programs with changed uids.
+.It Dv security.bsd.unprivileged_proc_debug
+Controls availability of the process debugging facilities to non-root users.
+See also
+.Xr proccontrol 1
+mode
+.Dv trace .
+.It Dv vm.pmap.pti
+Tunable, amd64-only.
+Enables mode of operation of virtual memory system where usermode page
+tables are sanitized to prevent so called Meltdown information leak on
+some Intel CPUs.
+By default system detects that CPU needs the workaround, and enables it
+automatically.
+See also
+.Xr proccontrol 1
+mode
+.Dv kpti .
+.It Dv hw.mds_disable
+amd64 and i386.
+Controls Microarchitectural Data Sampling hardware information leak
+mitigation.
+.It Dv hw.spec_store_bypass_disable
+amd64 and i386.
+Controls Speculative Store Bypass hardware information leak mitigation.
+.It Dv hw.ibrs_disable
+amd64 and i386.
+Controls Indirect Branch Restricted Speculation hardware information leak
+mitigation.
+.It Dv machdep.syscall_ret_l1d_flush
+amd64.
+Controls force-flush of L1D cache on return from syscalls which report
+the errors different from
+.Ev EEXIST ,
+.Ev EAGAIN ,
+.Ev EXDEV ,
+.Ev ENOENT ,
+.Ev ENOTCONN ,
+and
+.Ev EINPROGRESS .
+This is mostly a paranoid setting added to prevent hypothetical exploitation
+of unknown gadgets for unknown hardware issues.
+The error codes exclusion list is composed of the most common errors which
+typically occurs on normal system operation.
+.It Dv machdep.nmi_flush_l1d_sw
+amd64.
+Controls force-flush of L1D cache on NMI,
+provides software assist for bhyve mitigation of L1 terminal fault
+hardware information leak.
+.It Dv hw.vmm.vmx.l1d_flush
+amd64.
+Controls the mitigation of L1 Terminal Fault in bhyve hypervisor.
+.It Dv kern.elf32.aslr.enable
+Controls system-global Address Space Layour Randomization (ASLR) for
+normal (non-PIE) 32bit binaries.
+See also
+.Xr proccontrol 1
+mode
+.Dv aslr ,
+also affected by the per-image control note flag.
+.It Dv kern.elf32.aslr.pie_enable
+Controls system-global Address Space Layour Randomization for
+position-independent (PIE) 32bit binaries.
+.It Dv kern.elf32.aslr.honor_sbrk
+Makes ASLR less aggressive and more compatible with old binaries
+relying on the sbrk area.
+.It Dv kern.elf64.aslr.enable
+64bit binaries ASLR control.
+.It Dv kern.elf64.aslr.pie_enable
+32bit PIE binaries ASLR control.
+.It Dv kern.elf64.aslr.honor_sbrk
+64bit binaries ASLR sbrk compatibility control.
+.It Dv kern.elf32.nxstack
+Enables non-executable stack for 32bit processes.
+Enabled by default if supported by hardware and corresponding binary.
+.It Dv kern.elf64.nxstack
+Enables non-executable stack for 64bit processes.
+.El
.Sh SEE ALSO
.Xr chflags 1 ,
.Xr find 1 ,
.Xr md5 1 ,
.Xr netstat 1 ,
.Xr openssl 1 ,
+.Xr proccontrol 1 ,
+.Xr ps 1 ,
.Xr ssh 1 ,
.Xr xdm 1 Pq Pa ports/x11/xorg-clients ,
.Xr group 5 ,
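Review bot: the description of `kern.elf64.aslr.pie_enable` reads `32bit PIE binaries ASLR control.`; it sits under the elf64 knob and should say 64bit, matching the neighbouring `kern.elf64.aslr.enable` and `kern.elf64.aslr.honor_sbrk` entries. Two further markup and spelling issues in the same hunk: the errno names in the `machdep.syscall_ret_l1d_flush` entry (`.Ev EEXIST ,` through `.Ev EINPROGRESS .`) are tagged with `.Ev`, the mdoc macro for environment variables, where `.Er` is the macro for errno constants; and `Layour` in the `kern.elf32.aslr.enable` and `kern.elf32.aslr.pie_enable` entries should be `Layout`. The hardware mitigation entries (`hw.mds_disable`, `hw.spec_store_bypass_disable`, `hw.ibrs_disable`, `hw.vmm.vmx.l1d_flush`) state neither the default value nor what the values mean, which a reader deciding whether to change them would want; consider adding the defaults. Minor grammar worth polishing before commit: `System provides several knobs` (the system provides), `briefly listed there` (listed here), `only allows to send` (only allows sending), and `errors which typically occurs` (occur).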
Attached to D21087: Provide the list of knobs related to mitigations.