
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.

Diff for /src/share/man/man7/sysctl.7 between version 1.3 and 1.4

version 1.3, 2006/12/23 08:06:54 version 1.4, 2007/02/02 02:39:13
Line 29 
Line 29 
 .\"  .\"
 .\"     @(#)sysctl.3    8.4 (Berkeley) 5/9/95  .\"     @(#)sysctl.3    8.4 (Berkeley) 5/9/95
 .\"  .\"
 .Dd December 4, 2006  .Dd February 2, 2007
 .Dt SYSCTL 7  .Dt SYSCTL 7
 .Os  .Os
 .Sh NAME  .Sh NAME
Line 1935  and
Line 1935  and
 .Dv PF_UNIX  .Dv PF_UNIX
 PCBs), and  PCBs), and
 .Xr w 1 .  .Xr w 1 .
   .It Li security.models
   .Nx
   supports pluggable security models.
   Every security model used, whether if loaded as an LKM or built with the system,
   is required to add an entry to this node with at least one element,
   .Dq name ,
   indicating the name of the security model.
   .Pp
   In addition to the name, any settings and other information private to the
   security model will be available under this node.
   See
   .Xr secmodel 9
   for more information.
 .It Li security.pax  .It Li security.pax
 Settings for PaX -- exploit mitigation features.  Settings for PaX -- exploit mitigation features.
   For more information on any of the PaX features, please see
   .Xr paxctl 8
   and
   .Xr security 8 .
 .Pp  .Pp
 .Bl -tag -width "123456"  .Bl -tag -width "123456"
 .It Li security.pax.mprotect.enable  .It Li security.pax.mprotect.enable
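Review bot: The added security.models text has a stray "if" in "whether if loaded as an LKM or built with the system"; it should read "whether loaded as an LKM or built with the system". The entry also says each model adds "an entry to this node" with a "name" element but never shows how that entry is named under security.models, so a reader cannot tell which path to query; stating the path form here, or saying explicitly that secmodel(9) defines it, would close that gap.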
Line 1954  explicit enable/disable flag.
Line 1971  explicit enable/disable flag.
 .Pp  .Pp
 When non-zero, all programs will get the PaX MPROTECT restrictions,  When non-zero, all programs will get the PaX MPROTECT restrictions,
 except those exempted with  except those exempted with
 .Xr paxctl 1  .  .Xr paxctl 8  .
 Otherwise, all programs will not get the PaX MPROTECT restrictions,  Otherwise, all programs will not get the PaX MPROTECT restrictions,
 except those specifically marked as such with  except those specifically marked as such with
 .Xr paxctl 1 .  .Xr paxctl 8 .
 .It Li security.pax.segvguard.enable  .It Li security.pax.segvguard.enable
 Enable PaX Segvguard.  Enable PaX Segvguard.
 .Pp  .Pp
 Please see  
 .Xr security 8  
 for more information.  
 .Pp  
 PaX Segvguard can detect and prevent certain exploitation attempts, where  PaX Segvguard can detect and prevent certain exploitation attempts, where
 an attacker may try for example to brute-force function return addresses  an attacker may try for example to brute-force function return addresses
 of respawning daemons.  of respawning daemons.
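Review bot: The unchanged sentence "Otherwise, all programs will not get the PaX MPROTECT restrictions", which sits between the two corrected paxctl references, is ambiguous (it can be read as "not all programs"). The Segvguard entry words the same case as "no program will get", and using that wording here while these lines are being touched would make the two entries consistent. Removing the "Please see security 8" paragraph from security.pax.segvguard.enable looks fine, since the same pointer is now given once at the security.pax level.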
Line 1980  explicit enable/disable flag.
Line 1993  explicit enable/disable flag.
 .Pp  .Pp
 When non-zero, all programs will get the PaX Segvguard,  When non-zero, all programs will get the PaX Segvguard,
 except those exempted with  except those exempted with
 .Xr paxctl 1  .  .Xr paxctl 8  .
 Otherwise, no program will get the PaX Segvguard restrictions,  Otherwise, no program will get the PaX Segvguard restrictions,
 except those specifically marked as such with  except those specifically marked as such with
 .Xr paxctl 1 .  .Xr paxctl 8 .
 .It Li security.pax.segvguard.expiry_timeout  .It Li security.pax.segvguard.expiry_timeout
 If the max number was not reached within this timeout (in seconds), the entry  If the max number was not reached within this timeout (in seconds), the entry
 will expire.  will expire.
