version 1.123, 2018/02/22 14:37:53 |
version 1.142, 2019/11/16 17:33:09 |
|
|
.\" |
.\" |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" |
.\" |
.Dd February 22, 2018 |
.Dd November 14, 2019 |
.Dt SYSCTL 7 |
.Dt SYSCTL 7 |
.Os |
.Os |
.Sh NAME |
.Sh NAME |
Line 278 privilege may change the value. |
|
Line 278 privilege may change the value. |
|
.It kern.arandom integer no |
.It kern.arandom integer no |
.It kern.argmax integer no |
.It kern.argmax integer no |
.It kern.boothowto integer no |
.It kern.boothowto integer no |
.It kern.boottime struct timeval no |
.It kern.boottime struct timespec no |
.It kern.buildinfo string no |
.It kern.buildinfo string no |
.\".It kern.bufq node not applicable |
.\".It kern.bufq node not applicable |
.It kern.ccpu integer no |
.It kern.ccpu integer no |
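Review bot: kern.arandom is still typed `integer` in this table, but the description updated in the same change says the node returns up to 256 bytes of random data. The Type column on the kern.arandom row should match what is actually returned. The kern.boottime row, by contrast, agrees with its updated description (`struct timespec`).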
Line 293 privilege may change the value. |
|
Line 293 privilege may change the value. |
|
.It kern.domainname string yes |
.It kern.domainname string yes |
.It kern.drivers struct kinfo_drivers no |
.It kern.drivers struct kinfo_drivers no |
.It kern.dump_on_panic integer yes |
.It kern.dump_on_panic integer yes |
|
.It kern.expose_address integer yes |
.It kern.file struct file no |
.It kern.file struct file no |
.It kern.forkfsleep integer yes |
.It kern.forkfsleep integer yes |
.It kern.fscale integer no |
.It kern.fscale integer no |
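Review bot: the new kern.expose_address row is marked changeable `yes` with no qualifier, while its description states that a value of 2 renders KASLR ineffective. kern.securelevel in this same table is documented as `raise only`; please state, here or in the description, whether loosening kern.expose_address is constrained in any comparable way or only by the privilege requirement given for the table.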
Line 307 privilege may change the value. |
|
Line 308 privilege may change the value. |
|
.It kern.labelsector integer no |
.It kern.labelsector integer no |
.It kern.login_name_max integer no |
.It kern.login_name_max integer no |
.It kern.logsigexit integer yes |
.It kern.logsigexit integer yes |
|
.It kern.lwp struct kinfo_lwp yes |
.It kern.mapped_files integer no |
.It kern.mapped_files integer no |
.It kern.maxfiles integer yes |
.It kern.maxfiles integer yes |
.It kern.maxlwp integer yes |
.It kern.maxlwp integer yes |
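Review bot: kern.lwp is listed as changeable `yes`, but the description added for it only says it returns information about the current light-weight process as a `kinfo_lwp` structure. If the node is read-only, this column should be `no`; if something under it is writable, the description should say what.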
Line 358 privilege may change the value. |
|
Line 360 privilege may change the value. |
|
.It kern.sched node not applicable |
.It kern.sched node not applicable |
.It kern.securelevel integer raise only |
.It kern.securelevel integer raise only |
.It kern.somaxkva integer yes |
.It kern.somaxkva integer yes |
|
.It kern.sooptions integer yes |
.It kern.synchronized_io integer no |
.It kern.synchronized_io integer no |
.It kern.timecounter node not applicable |
.It kern.timecounter node not applicable |
.It kern.timex struct no |
.It kern.timex struct no |
Line 380 the variable may be created and removed |
|
Line 383 the variable may be created and removed |
|
upon loading or unloading the corresponding kernel module. |
upon loading or unloading the corresponding kernel module. |
.It Li kern.aio_max |
.It Li kern.aio_max |
The maximum number of asynchronous I/O operations. |
The maximum number of asynchronous I/O operations. |
.It Li kern.arandom |
.It Li kern.arandom ( Dv KERN_ARND ) |
This variable picks a random number each time it is queried. |
This variable returns up to 256 bytes of random data. |
|
Multiple queries can be used to obtain an infinite amount of |
|
non-blocking cryptographically secure random data. |
The used random number generator |
The used random number generator |
.Pf ( RNG ) |
.Pf ( RNG ) |
is based on |
is based on |
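Review bot: the new kern.arandom text gives a 256 byte limit but does not say what happens when a caller asks for more (an error, or a short read), which is the case a caller has to handle to use this safely for key material. I would also replace "an infinite amount of" with "an arbitrary amount of", since each query is bounded.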
Line 395 Flags passed from the boot loader; see |
|
Line 400 Flags passed from the boot loader; see |
|
for the meanings of the flags. |
for the meanings of the flags. |
.It Li kern.boottime ( Dv KERN_BOOTTIME ) |
.It Li kern.boottime ( Dv KERN_BOOTTIME ) |
A |
A |
.Vt struct timeval |
.Vt struct timespec |
structure is returned. |
structure is returned. |
This structure contains the time that the system was booted. |
This structure contains the time that the system was booted. |
|
That time is defined (for this purpose) to be the time at |
|
which the kernel first started accumulating clock ticks. |
.It Li kern.bufq |
.It Li kern.bufq |
This variable contains information on the |
This variable contains information on the |
.Xr bufq 9 |
.Xr bufq 9 |
Line 513 field is always a NUL terminated string. |
|
Line 520 field is always a NUL terminated string. |
|
The |
The |
.Va d_bmajor |
.Va d_bmajor |
field will be set to \-1 if the driver doesn't have a block device. |
field will be set to \-1 if the driver doesn't have a block device. |
|
.It Li kern.expose_address |
|
Expose kernel addresses in |
|
.Xr sysctl 3 |
|
calls used by |
|
.Xr fstat 1 |
|
and |
|
.Xr sockstat 1 . |
|
If it is set to |
|
.Dv 0 |
|
access is not allowed. |
|
If it is set to |
|
.Dv 1 |
|
then only processes that have opened |
|
.Pa /dev/kmem |
|
can have access. |
|
If it is set to |
|
.Dv 2 |
|
every process is allowed. |
|
Defaults to |
|
.Dv 0 |
|
for |
|
.Dv KASLR |
|
kernels |
|
and |
|
.Dv 1 |
|
otherwise. |
|
Allowing general access renders KASLR ineffective; allowing only kmem |
|
accessing programs weakens KASLR if those programs can be subverted |
|
to leak the addresses. |
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC ) |
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC ) |
Perform a crash dump on system |
Perform a crash dump on system |
.Xr panic 9 . |
.Xr panic 9 . |
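Review bot: "access is not allowed" in the kern.expose_address entry is ambiguous: it does not say whether the affected sysctl calls fail or succeed with the address fields cleared, and that decides how fstat and sockstat behave for an unprivileged user at the default setting on KASLR kernels. Two smaller points: the entry is placed before kern.dump_on_panic here, although the table lists it after, and "kmem accessing programs" reads better as "programs that access kmem".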
Line 694 If this flag is non-zero, the kernel wil |
|
Line 730 If this flag is non-zero, the kernel wil |
|
all process exits due to signals which create a |
all process exits due to signals which create a |
.Xr core 5 |
.Xr core 5 |
file, and whether the coredump was created. |
file, and whether the coredump was created. |
|
.It Li kern.lwp ( Dv KERN_LWP ) |
|
Returns information about the current light-weight process. |
|
The |
|
.Sy kinfo_lwp |
|
structure is defined in |
|
.In sys/sysctl.h . |
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES ) |
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES ) |
Returns 1 if the |
Returns 1 if the |
.St -p1003.1b-93 |
.St -p1003.1b-93 |
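Review bot: the kern.lwp entry marks the structure with `.Sy kinfo_lwp`, whereas the rest of the page uses `.Vt` for types (`.Vt struct timespec`, `.Vt struct kinfo_vmentry`). Suggest `.Vt struct kinfo_lwp` for consistency. The entry also does not describe the lower-level names, which was the open question in the `XXX: Undocumented: kern.lwp` comment this change deletes.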
Line 993 The fourth level name is as follows: |
|
Line 1035 The fourth level name is as follows: |
|
.It Dv KERN_PROC_NARGV The number of argv strings |
.It Dv KERN_PROC_NARGV The number of argv strings |
.It Dv KERN_PROC_NENV The number of environ strings |
.It Dv KERN_PROC_NENV The number of environ strings |
.It Dv KERN_PROC_PATHNAME The full pathname of the executable |
.It Dv KERN_PROC_PATHNAME The full pathname of the executable |
|
.It Dv KERN_PROC_CWD The current working directory |
.El |
.El |
.It Li kern.profiling ( Dv KERN_PROF ) |
.It Li kern.profiling ( Dv KERN_PROF ) |
Return profiling information about the kernel. |
Return profiling information about the kernel. |
Line 1049 Return the offset of real time clock fro |
|
Line 1092 Return the offset of real time clock fro |
|
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS ) |
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS ) |
Returns 1 if saved set-group and saved set-user ID is available. |
Returns 1 if saved set-group and saved set-user ID is available. |
.It Li kern.sbmax ( Dv KERN_SBMAX ) |
.It Li kern.sbmax ( Dv KERN_SBMAX ) |
Maximum socket buffer size. |
Maximum socket buffer size in bytes. |
.\" XXX units? |
|
.It Li kern.securelevel ( Dv KERN_SECURELVL ) |
.It Li kern.securelevel ( Dv KERN_SECURELVL ) |
See |
See |
.Xr secmodel_securelevel 9 . |
.Xr secmodel_securelevel 9 . |
|
|
.Xr sched 3 . |
.Xr sched 3 . |
.El |
.El |
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA ) |
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA ) |
Maximum amount of kernel memory to be used for socket buffers. |
Maximum amount of kernel memory to be used for socket buffers in bytes. |
.\" XXX units? |
.It Li kern.sooptions |
|
Set the default socket option flags for |
|
.Xr socket 2 |
|
creation. |
|
See |
|
.Xr setsockopt 2 |
|
for a list of supported flags. |
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO ) |
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO ) |
Returns 1 if the |
Returns 1 if the |
.St -p1003.1b-93 |
.St -p1003.1b-93 |
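Review bot: the kern.sooptions entry does not say how the value is encoded (presumably a bitmask of the SO_* option constants) or whether every option listed in setsockopt(2) is accepted as a default. Because this setting changes the behaviour of every newly created socket on the system, the accepted flags and the default value should be spelled out rather than left to the cross-reference. The "in bytes" additions to kern.sbmax and kern.somaxkva resolve the removed `XXX units?` comments.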
Line 1231 Resource usage for the current user. |
|
Line 1279 Resource usage for the current user. |
|
.It kern.uidinfo.proccnt integer no |
.It kern.uidinfo.proccnt integer no |
.It kern.uidinfo.lwpcnt integer no |
.It kern.uidinfo.lwpcnt integer no |
.It kern.uidinfo.lockcnt integer no |
.It kern.uidinfo.lockcnt integer no |
|
.It kern.uidinfo.semcnt integer no |
.It kern.uidinfo.sbsize integer no |
.It kern.uidinfo.sbsize integer no |
.El |
.El |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
Line 1241 Returns the number of active threads for |
|
Line 1290 Returns the number of active threads for |
|
of each process is not counted. |
of each process is not counted. |
.It Li kern.uidinfo.lockcnt |
.It Li kern.uidinfo.lockcnt |
Number of locks held by the current user. |
Number of locks held by the current user. |
|
.It Li kern.uidinfo.semcnt |
|
Number of semaphores held by the current user. |
.It Li kern.uidinfo.sbsize |
.It Li kern.uidinfo.sbsize |
Number of bytes in socket buffers allocated to the current user. |
Number of bytes in socket buffers allocated to the current user. |
.El |
.El |
Line 1305 Each element of the array contains the k |
|
Line 1356 Each element of the array contains the k |
|
.Vt struct vnode * |
.Vt struct vnode * |
followed by the vnode itself |
followed by the vnode itself |
.Vt struct vnode . |
.Vt struct vnode . |
.\" XXX: Undocumented: kern.lwp: no children? |
|
.El |
.El |
.Ss The machdep.* subtree |
.Ss The machdep.* subtree |
The set of variables defined is architecture dependent. |
The set of variables defined is architecture dependent. |
Line 1492 This cannot be set to less than 1024 or |
|
Line 1542 This cannot be set to less than 1024 or |
|
.It Li ip.checkinterface |
.It Li ip.checkinterface |
If set to non-zero, the host will reject packets addressed to it |
If set to non-zero, the host will reject packets addressed to it |
that arrive on an interface not bound to that address. |
that arrive on an interface not bound to that address. |
Currently, this must be disabled if ipnat is used to translate the |
Currently, this must be disabled if NAT is used to translate the |
destination address to another local interface, or if addresses |
destination address to another local interface, or if addresses |
are added to the loopback interface instead of the interface where |
are added to the loopback interface instead of the interface where |
the packets for those packets are received. |
the packets for those packets are received. |
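Review bot: while this paragraph is being touched for the ipnat to NAT wording, the unchanged last sentence still reads "the packets for those packets are received", which looks like it was meant to be "the packets for those addresses are received". Worth fixing in the same commit.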
Line 2041 The currently defined variable and names |
|
Line 2091 The currently defined variable and names |
|
.It esp_auth integer yes |
.It esp_auth integer yes |
.It ah_keymin integer yes |
.It ah_keymin integer yes |
.El |
.El |
.Pp |
|
The variables are as follows: |
The variables are as follows: |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li debug |
.It Li debug |
Turn on debugging message from within the kernel. |
Turn on debugging message from within the kernel. |
The value is a bitmap, as defined in |
The value is a bitmap, as defined in |
.In netkey/key_debug.h . |
.In netipsec/key_debug.h . |
.It Li enabled |
.It Li enabled |
Control processing of IPsec control messages. |
Control processing of IPsec control messages. |
.Bl -tag -width indent |
.Bl -tag -width indent |
Line 2059 Allow IPsec processing when SPD policies |
|
Line 2108 Allow IPsec processing when SPD policies |
|
Force IPsec processing even when SPD policies are not present. |
Force IPsec processing even when SPD policies are not present. |
.El |
.El |
.It Li used |
.It Li used |
Based on if IPsec is enabled, and SPD rule existance, show if |
Based on if IPsec is enabled, and SPD rule existence, show if |
IPsec is being used. |
IPsec is being used. |
Note that currently once IPsec is being used, it cannot be disabled. |
Note that currently once IPsec is being used, it cannot be disabled. |
.It Li spi_try |
.It Li spi_try |
Line 2091 Minimum AH key length, in bits, |
|
Line 2140 Minimum AH key length, in bits, |
|
The value is used when the kernel creates proposal payload |
The value is used when the kernel creates proposal payload |
on ACQUIRE PF_KEY message. |
on ACQUIRE PF_KEY message. |
.El |
.El |
|
.It Li net.local ( Dv PF_LOCAL ) |
|
Get or set various global information about |
|
.Dv AF_LOCAL |
|
type sockets. |
|
For some variables, the third level name is the variable name: |
|
.Bl -column "Variable" "integer" "Changeable" -offset indent |
|
.It Sy Variable Type Ta Sy Changeable |
|
.It inflight integer no |
|
.It deferred integer no |
|
.El |
|
The variables are as follows: |
|
.Bl -tag -width "123456" |
|
.It Li inflight |
|
The number of file descriptors currently passed between processes, |
|
.Qq in flight . |
|
.It Li deferred |
|
The number of file descriptors passed between processes that have been |
|
deferred for cleanup by a kernel task. |
|
.El |
|
.Pp |
|
Other variables are specific to a socket type: |
|
.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent |
|
.It Sy "Socket Type" Sy Variable Type Ta Sy Changeable |
|
.It dgram pcblist struct no |
|
.It dgram recvspace integer yes |
|
.It dgram sendspace integer yes |
|
.It seqpacket pcblist struct no |
|
.It stream pcblist struct no |
|
.It stream recvspace integer yes |
|
.It stream sendspace integer yes |
|
.El |
|
The variables are as follows: |
|
.Bl -tag -width "123456" |
|
.It Li dgram.pcblist |
|
The Protocol Control Block list structure for datagram sockets. |
|
Parsed by |
|
.Xr netstat 1 |
|
or |
|
.Xr sockstat 1 . |
|
.It Li dgram.recvspace |
|
The default datagram receive buffer size. |
|
.It Li dgram.sendspace |
|
The default datagram send buffer size. |
|
.It Li seqpacket.pcblist |
|
The Protocol Control Block list structure for Sequential Packet sockets. |
|
Parsed by |
|
.Xr netstat 1 |
|
or |
|
.Xr sockstat 1 . |
|
.It Li stream.pcblist |
|
The Protocol Control Block list structure for stream sockets. |
|
Parsed by |
|
.Xr netstat 1 |
|
or |
|
.Xr sockstat 1 . |
|
.It Li stream.recvspace |
|
The default stream receive buffer size. |
|
.It Li stream.sendspace |
|
The default stream send buffer size. |
|
.El |
.El |
.El |
.Ss The proc.* subtree |
.Ss The proc.* subtree |
The string and integer information available for the |
The string and integer information available for the |
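Review bot: the three pcblist entries say the structure is parsed by netstat and sockstat, and the kern.expose_address entry added in this same change says it governs kernel addresses in the sysctl calls used by sockstat. If the net.local pcblist output is among the data that setting filters, a cross-reference to kern.expose_address belongs in these entries so readers know the fields may be hidden. Also check the header rows of the two new `.Bl -column` tables: as shown, `Variable Type` is not split by `Ta Sy` the way the existing `Second level name Ta Sy Type Ta Sy Changeable` header is.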
Line 2424 the fifth is the size of |
|
Line 2533 the fifth is the size of |
|
Returns an array of |
Returns an array of |
.Vt struct kinfo_vmentry |
.Vt struct kinfo_vmentry |
objects. |
objects. |
|
.It Li vm.ubc_direct |
|
Use direct map for UBC I/O, avoiding need to map and unmap buffer memory. |
|
Speeds up operation for fast I/O devices like NVMe, especially |
|
on multi-CPU systems. |
|
Only available on some architectures. |
|
Currently still experimental, default is off. |
.It Li vm.uspace ( Dv VM_USPACE ) |
.It Li vm.uspace ( Dv VM_USPACE ) |
The number of bytes allocated for each kernel stack. |
The number of bytes allocated for each kernel stack. |
.It Li vm.uvmexp ( Dv VM_UVMEXP ) |
.It Li vm.uvmexp ( Dv VM_UVMEXP ) |
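Review bot: the vm.ubc_direct entry says "Only available on some architectures" and "default is off" without naming the architectures or the accepted values. Please state the type and values (for example 0 and 1) and list the architectures, or say how to tell that the node is absent. Since the feature is described as experimental, a note on whether it can be toggled at run time would also help.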
Line 2450 privilege may change the value. |
|
Line 2565 privilege may change the value. |
|
.Bl -column "Second level name" "integer" "Changeable" -offset indent |
.Bl -column "Second level name" "integer" "Changeable" -offset indent |
.It Sy Second level name Ta Sy Type Ta Sy Changeable |
.It Sy Second level name Ta Sy Type Ta Sy Changeable |
.It ddb.commandonenter string yes |
.It ddb.commandonenter string yes |
.It ddb.dumpstack integer yes |
.It ddb.dumpstack integer yes |
.It ddb.fromconsole integer yes |
.It ddb.fromconsole integer yes |
.It ddb.lines integer yes |
.It ddb.lines integer yes |
.It ddb.maxoff integer yes |
.It ddb.maxoff integer yes |
Line 2463 privilege may change the value. |
|
Line 2578 privilege may change the value. |
|
.El |
.El |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li ddb.commandonenter |
.It Li ddb.commandonenter |
If not empty, a command to be executed on each enter to the DDB. |
If not empty, the string is used as the DDB command to be executed each time |
|
DDB is entered. |
.It Li ddb.dumpstack |
.It Li ddb.dumpstack |
A value of 1 causes a stack trace to be printed on entering ddb from a panic. |
A value of 1 causes a stack trace to be printed on entering ddb from a panic. |
A value of 0 disables this behaviour. The default value is 1. |
A value of 0 disables this behaviour. |
|
The default value is 1. |
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE ) |
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE ) |
If not zero, DDB may be entered by sending a break on a serial |
If not zero, DDB may be entered by sending a break on a serial |
console or by a special key sequence on a graphics console. |
console or by a special key sequence on a graphics console. |
|
|
.Xr secmodel 9 |
.Xr secmodel 9 |
for more information. |
for more information. |
.It Li security.pax |
.It Li security.pax |
Settings for PaX -- exploit mitigation features. |
Settings for PaX \(em exploit mitigation features. |
For more information on any of the PaX features, please see |
For more information on any of the PaX features, please see |
.Xr paxctl 8 |
.Xr paxctl 8 |
and |
and |