Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v rcsdiff: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.94 retrieving revision 1.107 diff -u -p -r1.94 -r1.107 --- src/share/man/man7/sysctl.7 2015/09/29 07:59:15 1.94 +++ src/share/man/man7/sysctl.7 2017/01/08 14:28:42 1.107 @@ -1,4 +1,4 @@ -.\" $NetBSD: sysctl.7,v 1.94 2015/09/29 07:59:15 wiz Exp $ +.\" $NetBSD: sysctl.7,v 1.107 2017/01/08 14:28:42 wiz Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 .\" -.Dd September 24, 2015 +.Dd November 17, 2016 .Dt SYSCTL 7 .Os .Sh NAME @@ -188,7 +188,7 @@ level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. .Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent -.It Sy Second level name Sy Type Sy Changeable +.It Sy Second level name Ta Sy Type Ta Sy Changeable .It hw.alignbytes integer no .It hw.byteorder integer no .It hw.cnmagic string yes @@ -272,7 +272,7 @@ The changeable column shows whether a pr privilege may change the value. .Bl -column "kern.posix_reader_writer_locks" \ "struct kinfo_drivers" "not applicable" -.It Sy Second level name Sy Type Sy Changeable +.It Sy Second level name Ta Sy Type Ta Sy Changeable .It kern.aio_listio_max integer yes .It kern.aio_max integer yes .It kern.arandom integer no @@ -315,6 +315,7 @@ privilege may change the value. .It kern.maxproc integer yes .It kern.maxptys integer yes .It kern.maxvnodes integer yes +.It kern.messages integer yes .It kern.mbuf node not applicable .It kern.memlock integer no .It kern.memlock_range integer no 
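Review bot: the new row `.It kern.messages integer yes` in the kern second level table is out of alphabetical order; it is inserted between kern.maxvnodes and kern.mbuf, but "messages" sorts after kern.memlock and kern.memlock_range, so the row belongs directly below `.It kern.memlock_range integer no`.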
@@ -398,11 +399,16 @@ A .Vt struct timeval structure is returned. This structure contains the time that the system was booted. +.It Li kern.bufq +This variable contains information on the +.Xr bufq 9 +subsystem. +Currently, the only third level name implemented is +.Dv kern.bufq.strategies +which provides a list of buffer queue strategies currently available. .It Li kern.buildinfo When the kernel is built, the build environment may optionally provide arbitrary information to be stored in this variable. -.\" .It Li kern.bufq -.\" XXX: Undocumented. .It Li kern.ccpu ( Dv KERN_CCPU ) The scheduler exponential decay value. .It Li kern.clockrate ( Dv KERN_CLOCKRATE ) @@ -428,7 +434,7 @@ The third level name is .Dv kern.coredump.setid and fourth level variables are described below. .Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent -.It Sy Fourth level name Sy Type Sy Changeable +.It Sy Fourth level name Ta Sy Type Ta Sy Changeable .It kern.coredump.setid.dump integer yes .It kern.coredump.setid.group integer yes .It kern.coredump.setid.mode integer yes @@ -456,7 +462,7 @@ Mapping of CPU number to CPU id. .It Li kern.cp_time ( Dv KERN_CP_TIME ) Returns an array of .Dv CPUSTATES -.Vt uint64_t Ns s. +.Vt uint64_t Ns s . This array contains the number of clock ticks spent in different CPU states. On multi-processor systems, the sum across all CPUs is returned unless 
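Review bot: in the new kern.bufq entry the third level name is marked with `.Dv kern.bufq.strategies`, while the rest of this list marks sysctl names with `.Li` (for example `.It Li kern.buildinfo`) and reserves `.Dv` for C constants such as KERN_CCPU; `.Li kern.bufq.strategies` would be consistent with the surrounding entries.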
@@ -541,6 +547,29 @@ otherwise\ 0. Returns the number of .Xr hardclock 9 ticks. +.It Li kern.hist +This variable contains kernel history data if the kernel was +configured for any of the options +.Dv UVHMIST , +.Dv USB_DEBUG , +.Dv BIOHIST , +or +.Dv SCDEBUG . +(See +.Xr options 4 +for more details.) +The third-level names correspond to each available history table. +The values of the history tables are in an internal format, and can be +decoded by the +.Xr vmstat 1 +utility's +.Fl U +and +.Fl u +options; +the +.Fl l +option can be used to see which tables are available. .It Li kern.hostid ( Dv KERN_HOSTID ) Get or set the host identifier. This is aimed to replace the legacy @@ -566,7 +595,7 @@ and Return information about the SysV IPC parameters. The third level names for the ipc variables are detailed below. .Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.ipc.sysvmsg integer no .It kern.ipc.sysvsem integer no .It kern.ipc.sysvshm integer no @@ -599,7 +628,7 @@ otherwise\ 0. Return System V style IPC configuration and run-time information. The fourth level name selects the System V style IPC facility. .Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent -.It Sy Fourth level name Sy Type +.It Sy Fourth level name Ta Sy Type .It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info .It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info .It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info @@ -700,7 +729,7 @@ The third level names for the mbuf varia The changeable column shows whether a process with appropriate privilege may change the value. .Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .\" XXX Changeable? really? .It kern.mbuf.mblowat integer yes .It kern.mbuf.mclbytes integer yes 
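Review bot: verify the option name `.Dv UVHMIST` in the kern.hist entry; the UVM history option is spelt UVMHIST in options(4), and the other names in the same list (USB_DEBUG, BIOHIST, SCDEBUG) are given exactly as they appear in a kernel config, so a transposed name here would send the reader to a non-existent option.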
@@ -739,11 +768,23 @@ Returns 1 if the .St -p1003.1b-93 Memory Protection Option is available on this system, otherwise\ 0. +.It Li kern.messages +Kernel console message verbosity. +See +.Sy \ +.Bl -column "verbosity" "setting" -offset indent +.It Sy Verbosity Setting +.It \ \ \ \ 0 Silent Sy AB_SILENT +.It \ \ \ \ 1 Quiet Sy AB_QUIET +.It \ \ \ \ 2 Normal Sy AB_NORMAL +.It \ \ \ \ 3 Verbose Sy AB_VERBOSE +.It \ \ \ \ 4 Debug Sy AB_DEBUG +.El .It Li kern.module Settings related to kernel modules. The third level names for the settings are described below. .Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.module.autoload integer yes .It kern.module.autotime integer yes .It kern.module.verbose integer yes @@ -778,7 +819,7 @@ This node is created dynamically when the corresponding kernel module is loaded. The third level names for the settings are described below. .Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.mqueue.mq_open_max integer yes .It kern.mqueue.mq_prio_max integer yes .It kern.mqueue.mq_max_msgsize integer yes @@ -830,7 +871,7 @@ The third level names for the integer p The changeable column shows whether a process with appropriate privilege may change the value. .Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.pipe.kvasiz integer yes .It kern.pipe.maxbigpipes integer yes .It kern.pipe.maxkvasz integer yes 
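Review bot: the new kern.messages entry is malformed. `See` followed by `.Sy \` ends in a line-continuation backslash with no argument, so the next `.Bl -column` line is joined onto the `.Sy` macro and the sentence "See" is left dangling; either supply what the reader should see after `.Sy` or drop the `See` line. The verbosity table declares two columns (`"verbosity" "setting"`) but every row carries three cells (number, name, AB_* constant), and neither the header `.It Sy Verbosity Setting` nor the rows use `Ta` separators, which this same diff is adding to every other `Sy` header row; suggest `.Bl -column "Verbosity" "Setting" "AB_VERBOSE" -offset indent`, `.It Sy Verbosity Ta Sy Setting Ta Sy Constant` and rows of the form `.It 0 Ta Silent Ta Dv AB_SILENT`. The entry also does not say which of the five levels is the default.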
@@ -923,7 +964,7 @@ structures is returned, whose size depends on the current number of such objects in the system. The third and fourth level numeric names are as follows: .Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent -.It Sy Third level name Sy Fourth level is: +.It Sy Third level name Ta Sy Fourth level is: .It KERN_PROC_ALL None .It KERN_PROC_GID A group ID .It KERN_PROC_PID A process ID @@ -968,7 +1009,7 @@ is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. .Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.profiling.count u_short[\|] yes .It kern.profiling.froms u_short[\|] yes .It kern.profiling.gmonparam struct gmonparam no @@ -1029,7 +1070,7 @@ otherwise\ 0. .It Li kern.timecounter ( dynamic ) Display and control the timecounter source of the system. .Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.timecounter.choice string no .It kern.timecounter.hardware string yes .It kern.timecounter.timestepwarnings integer yes @@ -1053,7 +1094,7 @@ The third level names for the tty statis The changeable column shows whether a process with appropriate privilege may change the value. .Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.tkstat.cancc quad no .It kern.tkstat.nin quad no .It kern.tkstat.nout quad no 
@@ -1076,7 +1117,7 @@ The third level names for the tty setup The changeable column shows whether a process with appropriate privilege may change the value. .Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.tty.qsize int yes .El .Pp @@ -1093,7 +1134,7 @@ and .It Li kern.uidinfo Resource usage for the current user. .Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.uidinfo.proccnt integer no .It kern.uidinfo.lwpcnt integer no .It kern.uidinfo.lockcnt integer no @@ -1128,7 +1169,7 @@ system. Runtime information for .Xr veriexec 8 . .Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It kern.veriexec.algorithms string no .It kern.veriexec.count node not applicable .It kern.veriexec.strict integer yes @@ -1177,7 +1218,7 @@ followed by the vnode itself The set of variables defined is architecture dependent. Most architectures define at least the following variables. .Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent -.It Sy Second level name Sy Type Sy Changeable +.It Sy Second level name Ta Sy Type Ta Sy Changeable .It Li machdep.booted_kernel string no .El .\" XXX: Document the above. @@ -1190,7 +1231,7 @@ privilege may change the value. The second and third levels are typically the protocol family and protocol number, though this is not always the case. .Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent -.It Sy Second level name Sy Type Sy Changeable +.It Sy Second level name Ta Sy Type Ta Sy Changeable .It net.route routing messages no .It net.inet IPv4 values yes .It net.inet6 IPv6 values yes 
@@ -1210,7 +1251,7 @@ The fourth level name is an address fami select all address families. The fifth and sixth level names are as follows: .Bl -column "Fifth level name" "Sixth level is:" -offset indent -.It Sy Fifth level name Sy Sixth level is: +.It Sy Fifth level name Ta Sy Sixth level is: .It NET_RT_FLAGS rtflags .It NET_RT_DUMP None .It NET_RT_IFLIST None @@ -1222,15 +1263,13 @@ The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: .Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent -.It Sy Protocol Variable Sy Type Sy Changeable +.It Sy Protocol Variable Ta Sy Type Ta Sy Changeable .It arp down integer yes .It arp keep integer yes .It arp log_movements integer yes .It arp log_permanent_modify integer yes .It arp log_unknown_network integer yes .It arp log_wrong_iface integer yes -.It arp prune integer yes -.It arp refresh integer yes .It carp allow integer yes .It carp preempt integer yes .It carp log integer yes @@ -1247,6 +1286,7 @@ The currently defined protocols and name .It ip anonportmax integer yes .It ip anonportmin integer yes .It ip checkinterface integer yes +.It ip dad_count integer yes .It ip directed-broadcast integer yes .It ip do_loopback_cksum integer yes .It ip forwarding integer yes @@ -1312,10 +1352,6 @@ The variables are as follows: Failed ARP entry lifetime. .It Li arp.keep Valid ARP entry lifetime. -.It Li arp.prune -ARP cache pruning interval. -.It Li arp.refresh -ARP entry refresh interval. .It Li carp.allow If set to 0, incoming .Xr carp 4 
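Review bot: the header `.It Sy Protocol Variable Ta Sy Type Ta Sy Changeable` in the net.inet protocol table still leaves "Protocol Variable" as a single cell although the list declares four columns (`"Protocol" "anonportalgo.available" "integer" "Changeable"`) and every data row has four; a `Ta` is needed there as well: `.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable`.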
@@ -1368,6 +1404,11 @@ Currently, this must be disabled if ipna destination address to another local interface, or if addresses are added to the loopback interface instead of the interface where the packets for those packets are received. +.It Li ip.dad_count +The number of +.Xr arp 4 +probes sent for Address Conflict Detection. +Set to 0 to disable this. .It Li ip.directed-broadcast If set to 1, enables directed broadcast behavior for the host. .It Li ip.do_loopback_cksum @@ -1604,7 +1645,7 @@ The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: .Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent -.It Sy Protocol Variable Sy Type Sy Changeable +.It Sy Protocol Variable Ta Sy Type Ta Sy Changeable .It icmp6 errppslimit integer yes .It icmp6 mtudisc_hiwat integer yes .It icmp6 mtudisc_lowat integer yes @@ -1619,6 +1660,7 @@ The currently defined protocols and name .It icmp6 rediraccept integer yes .It icmp6 redirtimeout integer yes .It ip6 accept_rtadv integer yes +.It ip6 addctlpolicy struct in6_addrpolicy no .It ip6 anonportalgo.selected string yes .It ip6 anonportalgo.available string yes .It ip6 anonportalgo.reserve struct yes @@ -1774,7 +1816,7 @@ The maximum number of fragments the node \-1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks. .It Li ip6.neighborgcthresh -Maximum number of entries in neighbor cache. +Maximum number of entries in neighbor cache per interface. Set to negative to disable. The default value is 2048. .It Li ip6.redirect 
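Review bot: the ip.dad_count entry gives the meaning of 0 but not the default number of probes, whereas comparable entries in this page (for example ip6.neighborgcthresh, touched in the same patch) state their default; add the default so an administrator can tell whether Address Conflict Detection is on without reading the source.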
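Review bot: the ip6 protocol table header `.It Sy Protocol Variable Ta Sy Type Ta Sy Changeable` has the same defect as the net.inet one: "Protocol Variable" remains one cell in a four-column list; it should read `.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable`.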
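Review bot: `.It ip6 addctlpolicy struct in6_addrpolicy no` adds a table row but, unlike the ip.dad_count addition in this same patch, no matching `.It Li ip6.addctlpolicy` description is added to the ip6 variable list below. Also verify the name: the type is in6_addrpolicy and the sysctl consumed by ip6addrctl(8) is net.inet6.ip6.addrctlpolicy, so "addctlpolicy" looks like a dropped letter.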
@@ -1900,7 +1942,7 @@ Get or set various global information ab The third level name is the variable name. The currently defined variable and names are: .Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent -.It Sy Variable Type Sy Changeable +.It Sy Variable Type Ta Sy Changeable .It debug integer yes .It enabled integer yes .It used integer no @@ -1980,7 +2022,7 @@ value of PROC_PID_CORENAME is reset to t The second level name is either the magic value PROC_CURPROC, which points to the current process, or the PID of the target process. .Bl -column "proc.pid.corename" "string" "not applicable" -offset indent -.It Sy Third level name Sy Type Sy Changeable +.It Sy Third level name Ta Sy Type Ta Sy Changeable .It proc.pid.corename string yes .It proc.pid.rlimit node not applicable .It proc.pid.stopfork int yes @@ -2114,7 +2156,7 @@ level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. .Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent -.It Sy Second level name Sy Type Sy Changeable +.It Sy Second level name Ta Sy Type Ta Sy Changeable .It user.atexit_max integer no .It user.bc_base_max integer no .It user.bc_dim_max integer no @@ -2219,7 +2261,7 @@ level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. .Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent -.It Sy Second level name Sy Type Sy Changeable +.It Sy Second level name Ta Sy Type Ta Sy Changeable .It vm.anonmax int yes .It vm.anonmin int yes .It vm.bufcache int yes 
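Review bot: the IPsec table header `.It Sy Variable Type Ta Sy Changeable` leaves "Variable Type" as one cell in a three-column list (`"blockacq_lifetime" "integer" "Changeable"`); it should read `.It Sy Variable Ta Sy Type Ta Sy Changeable` so the header lines up with the data rows.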
@@ -2310,7 +2352,7 @@ The changeable column shows whether a pr privilege may change the value. .\" XXX sort .Bl -column "Second level name" "integer" "Changeable" -offset indent -.It Sy Second level name Sy Type Sy Changeable +.It Sy Second level name Ta Sy Type Ta Sy Changeable .It ddb.radix integer yes .It ddb.maxoff integer yes .It ddb.maxwidth integer yes @@ -2365,7 +2407,7 @@ level contains various security-related the system. The available second level names are: .Bl -column "Second level name" "integer" "Changeable" -offset indent -.It Sy Second level name Sy Type Sy Changeable +.It Sy Second level name Ta Sy Type Ta Sy Changeable .It Li security.curtain integer yes .It Li security.models node not applicable .It Li security.pax node not applicable @@ -2376,8 +2418,8 @@ Available settings are detailed below. .It Li security.curtain If non-zero, will filter return objects according to the user .Tn ID -requesting information about them, preventing from users any -access to objects they do not own. +requesting information about them, preventing users from +accessing any objects they do not own. .Pp At the moment, it affects .Xr ps 1 , @@ -2419,6 +2461,7 @@ The available third and fourth level nam .\".It Li security.pax.aslr.stack_len integer yes .It Li security.pax.mprotect.enabled integer yes .It Li security.pax.mprotect.global integer yes +.It Li security.pax.mprotect.ptrace integer yes .It Li security.pax.segvguard.enabled integer yes .It Li security.pax.segvguard.expiry_timeout integer yes .It Li security.pax.segvguard.global integer yes 
@@ -2466,6 +2509,19 @@ except those exempted with Otherwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with .Xr paxctl 8 . +.It Li security.pax.mprotect.ptrace +This variable allows +.Xr ptrace 2 +to override PaX MPROTECT permissions. +It can have the following values: +.Bl -tag -width XX -compact +.It 0 +Does not let override any permissions. +.It 1 +Disables PaX MPROTECT from processes that start executing while traced (default). +.It 2 +Bypasses PaX MPROTECT for all processes being traced. +.El .It Li security.pax.segvguard.enabled Enable PaX Segvguard. .Pp
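Review bot: the value descriptions for security.pax.mprotect.ptrace need grammatical fixes: "Does not let override any permissions." should read "Does not allow overriding any permissions.", and "Disables PaX MPROTECT from processes that start executing while traced" should be "for processes". It would also help the reader to state plainly that each higher value loosens MPROTECT further, since 2 removes the restriction for every traced process rather than only those started under the tracer.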