share/man/man7/security.7
Show All 22 Lines | |||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
.\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||
.\" | .\" | ||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||
.\" | .\" | ||||
.Dd February 28, 2021 | .Dd January 14, 2022 | ||||
.Dt SECURITY 7 | .Dt SECURITY 7 | ||||
.Os | .Os | ||||
.Sh NAME | .Sh NAME | ||||
.Nm security | .Nm security | ||||
.Nd introduction to security under FreeBSD | .Nd introduction to security under FreeBSD | ||||
.Sh DESCRIPTION | .Sh DESCRIPTION | ||||
Security is a function that begins and ends with the system administrator. | Security is a function that begins and ends with the system administrator. | ||||
While all | While all | ||||
▲ Show 20 Lines • Show All 1,017 Lines • ▼ Show 20 Lines | |||||
.Dv aslr , | .Dv aslr , | ||||
also affected by the per-image control note flag. | also affected by the per-image control note flag. | ||||
.It Dv kern.elf32.aslr.pie_enable | .It Dv kern.elf32.aslr.pie_enable | ||||
Controls system-global Address Space Layout Randomization for | Controls system-global Address Space Layout Randomization for | ||||
position-independent (PIE) 32bit binaries. | position-independent (PIE) 32bit binaries. | ||||
.It Dv kern.elf32.aslr.honor_sbrk | .It Dv kern.elf32.aslr.honor_sbrk | ||||
Makes ASLR less aggressive and more compatible with old binaries | Makes ASLR less aggressive and more compatible with old binaries | ||||
relying on the sbrk area. | relying on the sbrk area. | ||||
.It Dv kern.elf32.aslr.stack_gap | .It Dv kern.elf32.aslr.stack | ||||
If ASLR is enabled for a binary, a non-zero value creates a randomized | If ASLR is enabled for a binary, a non-zero value enables randomization | ||||
stack gap between strings and the end of the aux vector. | of the stack. | ||||
The value is the maximum percentage of main stack to waste on the gap. | Otherwise, the stack is mapped at a fixed location determined by the | ||||
Cannot be greater than 50, i.e., at most half of the stack. | process ABI. | ||||
.It Dv kern.elf64.aslr.enable | .It Dv kern.elf64.aslr.enable | ||||
64bit binaries ASLR control. | 64bit binaries ASLR control. | ||||
danfe: I think the better (proper?) spelling is hyphenated: 64-bit (here and below).
markj: https://reviews.freebsd.org/D33908
.It Dv kern.elf64.aslr.pie_enable | .It Dv kern.elf64.aslr.pie_enable | ||||
64bit PIE binaries ASLR control. | 64bit PIE binaries ASLR control. | ||||
.It Dv kern.elf64.aslr.honor_sbrk | .It Dv kern.elf64.aslr.honor_sbrk | ||||
64bit binaries ASLR sbrk compatibility control. | 64bit binaries ASLR sbrk compatibility control. | ||||
.It Dv kern.elf64.aslr.stack_gap | .It Dv kern.elf64.aslr.stack | ||||
Controls stack gap for 64bit binaries. | Controls stack randomization for 64bit binaries. | ||||
emaste: stack address randomization
.It Dv kern.elf32.nxstack | .It Dv kern.elf32.nxstack | ||||
Enables non-executable stack for 32bit processes. | Enables non-executable stack for 32bit processes. | ||||
Enabled by default if supported by hardware and corresponding binary. | Enabled by default if supported by hardware and corresponding binary. | ||||
.It Dv kern.elf64.nxstack | .It Dv kern.elf64.nxstack | ||||
Enables non-executable stack for 64bit processes. | Enables non-executable stack for 64bit processes. | ||||
.It Dv kern.elf32.allow_wx | .It Dv kern.elf32.allow_wx | ||||
Enables mapping of simultaneously writable and executable pages for | Enables mapping of simultaneously writable and executable pages for | ||||
32bit processes. | 32bit processes. | ||||
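Review bot: The new kern.elf32.aslr.stack entry says only that "a non-zero value enables randomization of the stack", whereas the removed stack_gap text gave the value's meaning and bound (a percentage, at most 50). State explicitly that the knob is a boolean and give its default, so a reader does not carry the old percentage semantics over to the new name. The kern.elf64.aslr.stack line should use the same wording as the 32-bit entry ("stack address randomization" would be more precise than "stack randomization"). Because stack_gap disappears from the page without mention, a one-line note that kern.elf32.aslr.stack and kern.elf64.aslr.stack replace it would help administrators who still have the old name in their configuration.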
Show All 31 Lines |