Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v rcsdiff: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.32 retrieving revision 1.43 diff -u -p -r1.32 -r1.43 --- src/share/man/man7/sysctl.7 2010/02/21 14:26:33 1.32 +++ src/share/man/man7/sysctl.7 2010/04/20 07:33:45 1.43 @@ -1,4 +1,4 @@ -.\" $NetBSD: sysctl.7,v 1.32 2010/02/21 14:26:33 wiz Exp $ +.\" $NetBSD: sysctl.7,v 1.43 2010/04/20 07:33:45 jruoho Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 .\" -.Dd February 21, 2010 +.Dd April 20, 2010 .Dt SYSCTL 7 .Os .Sh NAME @@ -70,7 +70,7 @@ See the manual page for programming examples. .Sh Top level names The top level names are defined with a CTL_ prefix in -.Aq Pa sys/sysctl.h , +.In sys/sysctl.h , and are as follows. The next and subsequent levels down are found in the include files listed here, and described in separate sections below. @@ -112,6 +112,7 @@ if a variable is initialized in more tha For example, to export the variable .Dv dospecialcheck as a debugging variable, the following declaration would be used: +.Pp .Bd -literal -offset indent -compact int dospecialcheck = 1; struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck }; 
@@ -154,9 +155,8 @@ The string and integer information avail level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -.Bl -column "hw.acpi.supported_states" "integer" "Changeable" -offset indent +.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent .It Sy Second level name Type Changeable -.It hw.acpi.supported_states string no .It hw.alignbytes integer no .It hw.byteorder integer no .It hw.cnmagic string yes @@ -174,25 +174,6 @@ privilege may change the value. .El .Pp .Bl -tag -width "123456" -.It Li hw.acpi.supported_states -List of possible -.Tn ACPI -sleep states. -The list can contain the following values: -.Bl -tag -width XS1X -.It S0 -fully running -.It S1 -power on suspend (CPU and hard disks are off) -.It S2 -similar to S3, usually not implemented -.It S3 -suspend-to-RAM -.It S4 -suspend-to-disk (needs BIOS support) -.It S5 -power off -.El .It Li hw.alignbytes ( HW_ALIGNBYTES ) Alignment constraint for all possible data types. This shows the value 
@@ -249,30 +230,34 @@ The bytes of non-kernel memory as a 32-b The bytes of non-kernel memory as a 64-bit integer. .El .Sh The kern.* subtree +This subtree includes data generally related to the kernel. The string and integer information available for the .Li kern level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -The types of data currently available are process information, -system vnodes, the open file entries, routing table entries, -virtual memory statistics, load average history, and clock rate -information. -.Bl -column "kern.posix_reader_writer_locks" "struct kinfo_drivers" "not applicable" +.Bl -column "kern.posix_reader_writer_locks" \ +"struct kinfo_drivers" "not applicable" .It Sy Second level name Type Changeable +.\".It kern.arandom integer no .It kern.argmax integer no .It kern.autonicetime integer yes .It kern.autoniceval integer yes +.It kern.boothowto integer no .It kern.boottime struct timeval no -.It kern.bufq node not applicable +.\".It kern.bufq node not applicable .It kern.ccpu integer no .It kern.clockrate struct clockinfo no .It kern.consdev integer no +.It kern.coredump node not applicable .It kern.cp_id struct no .It kern.cp_time uint64_t[\|] no +.\".It kern.cryptodevallowsoft integer yes .It kern.defcorename string yes +.It kern.detachall integer yes .It kern.domainname string yes .It kern.drivers struct kinfo_drivers no +.It kern.dump_on_panic integer yes .It kern.file struct file no .It kern.forkfsleep integer yes .It kern.fscale integer no @@ -281,6 +266,7 @@ information. .It kern.hostid integer yes .It kern.hostname string yes .It kern.iov_max integer no +.It kern.ipc node not applicable .It kern.job_control integer no .It kern.labeloffset integer no .It kern.labelsector integer no 
@@ -297,18 +283,23 @@ information. .It kern.memlock integer no .It kern.memlock_range integer no .It kern.memory_protection integer no +.It kern.module node not applicable .It kern.monotonic_clock integer no .It kern.msgbuf integer no .It kern.msgbufsize integer no .It kern.ngroups integer no +.\".It kern.no_sa_support integer yes .It kern.ntptime struct ntptimeval no .It kern.osrelease string no -.It kern.osrev integer no +.It kern.osrevision integer no .It kern.ostype string no +.\".It kern.panic_now integer yes .It kern.pipe node not applicable -.It kern.posix1 integer no +.\" .It kern.posix node not applicable +.It kern.posix1version integer no .It kern.posix_barriers integer no .It kern.posix_reader_writer_locks integer no +.\".It kern.posix_sched integer yes .It kern.posix_semaphores integer no .It kern.posix_spin_locks integer no .It kern.posix_threads integer no 
@@ -316,31 +307,41 @@ information. .It kern.proc struct kinfo_proc no .It kern.proc2 struct kinfo_proc2 no .It kern.proc_args string no -.It kern.prof node not applicable +.It kern.profiling node not applicable +.\".It kern.pset node not applicable .It kern.rawpartition integer no .It kern.root_device string no .It kern.root_partition integer no .It kern.rtc_offset integer yes .It kern.saved_ids integer no +.It kern.sbmax integer yes +.\".It kern.sched node not applicable .It kern.securelevel integer raise only +.It kern.somaxkva integer yes .It kern.synchronized_io integer no -.It kern.ipc node not applicable .It kern.timecounter node not applicable .It kern.timex struct no .It kern.tkstat node not applicable .It kern.urandom integer no +.\".It kern.usercrypto integer yes +.\" It kern.userasymcrypto integer yes +.It kern.veriexec node not applicable .It kern.version string no .It kern.vnode struct vnode no .El .Bl -tag -width "123456" +.\".It Li kern.arandom +.\" XXX: Undocumented. .It Li kern.argmax ( KERN_ARGMAX ) The maximum bytes of argument to .Xr execve 2 . +.\" XXX: Is kern.autonicetime still available? .It Li kern.autonicetime ( KERN_AUTONICETIME ) The number of seconds of CPU-time a non-root process may accumulate before having its priority lowered from the default to the value of KERN_AUTONICEVAL. If set to 0, automatic lowering of priority is not performed, and if set to \-1 all non-root processes are immediately lowered. +.\" XXX: Is kern.autoniceval still available? .It Li kern.autoniceval ( KERN_AUTONICEVAL ) The priority assigned for automatically niced processes. .It Li kern.boothowto @@ -352,6 +353,8 @@ A .Va struct timeval structure is returned. This structure contains the time that the system was booted. +.\" .It Li kern.bufq +.\" XXX: Undocumented. .It Li kern.ccpu ( KERN_CCPU ) The scheduler exponential decay value. .It Li kern.clockrate ( KERN_CLOCKRATE ) 
@@ -361,8 +364,45 @@ structure is returned. This structure contains the clock, statistics clock and profiling clock frequencies, the number of micro-seconds per hz tick, and the clock skew rate. +Refer to +.Xr hz 9 +for additional details. .It Li kern.consdev ( KERN_CONSDEV ) Console device. +.It Li kern.coredump +Settings related to set-id processes coredumps. +By default, set-id processes do not dump core in situations where +other processes would. +The settings in this node allows an administrator to change this +behavior. +.Pp +The third level name is +.Dv kern.coredump.setid +and fourth level variables are described below. +.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent +.It Sy Fourth level name Type Changeable +.It kern.coredump.setid.dump integer yes +.It kern.coredump.setid.group integer yes +.It kern.coredump.setid.mode integer yes +.It kern.coredump.setid.owner integer yes +.It kern.coredump.setid.path string yes +.El +.Bl -tag -width "123456" +.It Li kern.coredump.setid.dump +If non-zero, set-id processes will dump core. +.It Li kern.coredump.setid.group +The group-id for the set-id processes' coredump. +.It Li kern.coredump.setid.mode +The mode for the set-id processes' coredump. +See +.Xr chmod 1 . +.It Li kern.coredump.setid.owner +The user-id that will be used as the owner of the set-id processes' +coredump. +.It Li kern.coredump.setid.path +The path to which set-id processes' coredumps will be saved to. +Same syntax as kern.defcorename. +.El .It Li kern.cp_id ( KERN_CP_ID ) Mapping of CPU number to CPU id. .It Li kern.cp_time ( KERN_CP_TIME ) 
@@ -373,6 +413,8 @@ On multi-processor systems, the sum acro appropriate space is given for one data set for each CPU. Data for a specific CPU can also be obtained by adding the number of the CPU at the end of the MIB, enlarging it by one. +.\".It Li kern.cryptodevallowsoft +.\" XXX: Undocumented. .It Li kern.defcorename ( KERN_DEFCORENAME ) Default template for the name of core dump files (see also .Li proc.pid.corename @@ -388,10 +430,10 @@ and can be changed with the kernel confi (see .Xr options 4 ). +.It Li kern.detachall +Detach all devices at shutdown. .It Li kern.domainname ( KERN_DOMAINNAME ) Get or set the YP domain name. -.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC ) -Perform a crash dump on system panic. .It Li kern.drivers ( KERN_DRIVERS ) Return an array of .Va struct kinfo_drivers @@ -403,6 +445,9 @@ field is always a NUL terminated string. The .Va d_bmajor field will be set to \-1 if the driver doesn't have a block device. +.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC ) +Perform a crash dump on system +.Xr panic 9 . .It Li kern.file ( KERN_FILE ) Return the entire file table. The returned data consists of a single @@ -432,9 +477,15 @@ Returns the number of .Xr hardclock 9 ticks. .It Li kern.hostid ( KERN_HOSTID ) -Get or set the host id. +Get or set the host identifier. +This is aimed to replace the legacy +.Xr gethostid 3 +and +.Xr sethostid 3 +system calls. .It Li kern.hostname ( KERN_HOSTNAME ) -Get or set the hostname. +Get or set the +.Xr hostname 1 . .It Li kern.iov_max ( KERN_IOV_MAX ) Return the maximum number of .Va iovec 
@@ -446,6 +497,92 @@ structures that a process has available .Xr sendmsg 2 and .Xr writev 2 . +.It Li kern.ipc ( KERN_SYSVIPC ) +Return information about the SysV IPC parameters. +The third level names for the ipc variables are detailed below. +.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.ipc.sysvmsg integer no +.It kern.ipc.sysvsem integer no +.It kern.ipc.sysvshm integer no +.It kern.ipc.sysvipc_info struct no +.It kern.ipc.shmmax integer yes +.It kern.ipc.shmmni integer yes +.It kern.ipc.shmseg integer yes +.It kern.ipc.shmmaxpgs integer yes +.It kern.ipc.shm_use_phys integer yes +.It kern.ipc.msgmni integer yes +.It kern.ipc.msgseg integer yes +.It kern.ipc.semmni integer yes +.It kern.ipc.semmns integer yes +.It kern.ipc.semmnu integer yes +.El +.Bl -tag -width "123456" +.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG ) +Returns 1 if System V style message queue functionality is available +on this system, +otherwise 0. +.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM ) +Returns 1 if System V style semaphore functionality is available +on this system, +otherwise 0. +.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM ) +Returns 1 if System V style share memory functionality is available +on this system, +otherwise 0. +.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO ) +Return System V style IPC configuration and run-time information. +The fourth level name selects the System V style IPC facility. +.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent +.It Sy Fourth level name Type +.It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info +.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info +.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info +.El +.Pp +.Bl -tag -width "123456" +.It Li KERN_SYSVIPC_MSG_INFO +Return information on the System V style message facility. +The +.Sy msg_sysctl_info +structure is defined in +.In sys/msg.h . 
+.It Li KERN_SYSVIPC_SEM_INFO +Return information on the System V style semaphore facility. +The +.Sy sem_sysctl_info +structure is defined in +.In sys/sem.h . +.It Li KERN_SYSVIPC_SHM_INFO +Return information on the System V style shared memory facility. +The +.Sy shm_sysctl_info +structure is defined in +.In sys/shm.h . +.El +.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX ) +Max shared memory segment size in bytes. +.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI ) +Max number of shared memory identifiers. +.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG ) +Max shared memory segments per process. +.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS ) +Max amount of shared memory in pages. +.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS ) +Locking of shared memory in physical memory. +If 0, memory can be swapped +out, otherwise it will be locked in physical memory. +.It Li kern.ipc.msgmni +Max number of message queue identifiers. +.It Li kern.ipc.msgseg +Max number of number of message segments. +.It Li kern.ipc.semmni +Max number of number of semaphore identifiers. +.It Li kern.ipc.semmns +Max number of number of semaphores in system. +.It Li kern.ipc.semmnu +Max number of undo structures in system. +.El .It Li kern.job_control ( KERN_JOB_CONTROL ) Return 1 if job control is available on this system, otherwise 0. .It Li kern.labeloffset ( KERN_LABELOFFSET ) 
@@ -529,6 +666,26 @@ otherwise 0. Returns 1 if the POSIX 1003.1b Memory Protection Option is available on this system, otherwise 0. +.It Li kern.module +Settings related to kernel modules. +The third level names for the settings are described below. +.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.module.autoload integer yes +.It kern.module.verbose integer yes +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.module.autoload +A boolean that controls whether kernel modules are loaded automatically. +See for example +.Xr modstat 8 +for additional details. +.It Li kern.module.verbose +A boolean that enables or disables verbose +debug messages related to kernel modules. +.El .It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK ) Returns the standard version the implementation of the POSIX 1003.1b Monotonic Clock Option conforms to, @@ -541,6 +698,8 @@ The returned data may contain NUL bytes. The maximum number of characters that the kernel message buffer can hold. .It Li kern.ngroups ( KERN_NGROUPS ) The maximum number of supplemental groups. +.\" .It Li kern.no_sa_support +.\" XXX: Undocumented. .It Li kern.ntptime ( KERN_NTPTIME ) A .Va struct ntptimeval @@ -554,6 +713,8 @@ The system release string. The system revision string. .It Li kern.ostype ( KERN_OSTYPE ) The system type string. +.\".It Li kern.panic_now +.\" XXX: Undocumented. .It Li kern.pipe ( KERN_PIPE ) Pipe settings. The third level names for the integer pipe settings is detailed below. @@ -581,6 +742,8 @@ Limit for direct transfers via page loan .It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES ) Number of "big" pipes. .El +.\" XXX: Undocumented .It Li kern.posix ( ? ) +.\" This is a node in which the only variable is semmax. .It Li kern.posix1version ( KERN_POSIX1 ) The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply. 
@@ -598,6 +761,8 @@ and its Read-Write Locks option to which the system attempts to conform, otherwise 0. +.\".It Li kern.posix_sched +.\" XXX: Undocumented. .It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES ) The version of .St -p1003.1 @@ -700,6 +865,8 @@ Array of .Va struct tostruct describing destination of calls and their counts. .El +.\" .It Li kern.pset +.\" XXX: Undocumented. .It Li kern.rawpartition ( KERN_RAWPARTITION ) The raw partition of a disk (a == 0). .It Li kern.root_device ( KERN_ROOT_DEVICE ) @@ -717,6 +884,8 @@ Maximum socket buffer size. .It Li kern.securelevel ( KERN_SECURELVL ) See .Xr secmodel_securelevel 9 . +.\" .It Li kern.sched +.\" XXX: Undocumented. .It Li kern.somaxkva ( KERN_SOMAXKVA ) Maximum amount of kernel memory to be used for socket buffers. .\" XXX units? 
@@ -724,92 +893,6 @@ Maximum amount of kernel memory to be us Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available on this system, otherwise 0. -.It Li kern.ipc ( KERN_SYSVIPC ) -Return information about the SysV IPC parameters. -The third level names for the ipc variables are detailed below. -.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent -.It Sy Third level name Type Changeable -.It kern.ipc.sysvmsg integer no -.It kern.ipc.sysvsem integer no -.It kern.ipc.sysvshm integer no -.It kern.ipc.sysvipc_info struct no -.It kern.ipc.shmmax integer yes -.It kern.ipc.shmmni integer yes -.It kern.ipc.shmseg integer yes -.It kern.ipc.shmmaxpgs integer yes -.It kern.ipc.shm_use_phys integer yes -.It kern.ipc.msgmni integer yes -.It kern.ipc.msgseg integer yes -.It kern.ipc.semmni integer yes -.It kern.ipc.semmns integer yes -.It kern.ipc.semmnu integer yes -.El -.Bl -tag -width "123456" -.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG ) -Returns 1 if System V style message queue functionality is available -on this system, -otherwise 0. -.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM ) -Returns 1 if System V style semaphore functionality is available -on this system, -otherwise 0. -.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM ) -Returns 1 if System V style share memory functionality is available -on this system, -otherwise 0. -.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO ) -Return System V style IPC configuration and run-time information. -The fourth level name selects the System V style IPC facility. -.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent -.It Sy Fourth level name Type -.It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info -.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info -.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info -.El -.Pp -.Bl -tag -width "123456" -.It Li KERN_SYSVIPC_MSG_INFO -Return information on the System V style message facility. 
-The -.Sy msg_sysctl_info -structure is defined in -.Aq Pa sys/msg.h . -.It Li KERN_SYSVIPC_SEM_INFO -Return information on the System V style semaphore facility. -The -.Sy sem_sysctl_info -structure is defined in -.Aq Pa sys/sem.h . -.It Li KERN_SYSVIPC_SHM_INFO -Return information on the System V style shared memory facility. -The -.Sy shm_sysctl_info -structure is defined in -.Aq Pa sys/shm.h . -.El -.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX ) -Max shared memory segment size in bytes. -.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI ) -Max number of shared memory identifiers. -.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG ) -Max shared memory segments per process. -.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS ) -Max amount of shared memory in pages. -.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS ) -Locking of shared memory in physical memory. -If 0, memory can be swapped -out, otherwise it will be locked in physical memory. -.It Li kern.ipc.msgmni -Max number of message queue identifiers. -.It Li kern.ipc.msgseg -Max number of number of message segments. -.It Li kern.ipc.semmni -Max number of number of semaphore identifiers. -.It Li kern.ipc.semmns -Max number of number of semaphores in system. -.It Li kern.ipc.semmnu -Max number of undo structures in system. -.El .It Li kern.timecounter ( dynamic ) Display and control the timecounter source of the system. .Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent 
@@ -857,8 +940,20 @@ The number of raw input characters. .El .It Li kern.urandom ( KERN_URND ) Random integer value. +.\".It Li kern.usercrypto +.\" XXX: Undocumented. +.\".It Li kern.userasymcrypto +.\" XXX: Undocumented. .It Li kern.veriexec -Tunings for Verixec. +Runtime information for +.Xr veriexec 8 . +.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.veriexec.algorithms string no +.It kern.veriexec.count node not applicable +.It kern.veriexec.strict integer yes +.It kern.veriexec.verbose integer yes +.El .Bl -tag -width "123456" .It Li kern.veriexec.algorithms Returns a string with the supported algorithms in Veriexec. 
@@ -896,38 +991,16 @@ Each element of the array contains the k .Va struct vnode * followed by the vnode itself .Va struct vnode . -.It Li kern.coredump.setid -Settings related to set-id processes coredumps. -By default, set-id processes do not dump core in situations where -other processes would. -The settings in this node allows an administrator to change this -behavior. -.Pp -.Bl -tag -width "123456" -.It Li kern.coredump.setid.dump -If non-zero, set-id processes will dump core. -.It Li kern.coredump.setid.group -The group-id for the set-id processes' coredump. -.It Li kern.coredump.setid.mode -The mode for the set-id processes' coredump. -See -.Xr chmod 1 . -.It Li kern.coredump.setid.owner -The user-id that will be used as the owner of the set-id processes' -coredump. -.It Li kern.coredump.setid.path -The path to which set-id processes' coredumps will be saved to. -Same syntax as kern.defcorename. -.El -.\" XXX kern.lwp +.\" XXX: Undocumented: kern.lwp: no children? .El .Sh The machdep.* subtree The set of variables defined is architecture dependent. Most architectures define at least the following variables. -.Bl -column "Second level name" "Type" "Changeable" -offset indent +.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent .It Sy Second level name Type Changeable -.It Li CPU_CONSDEV dev_t no +.It Li machdep.booted_kernel string no .El +.\" XXX: Document the above. .Sh The net.* subtree The string and integer information available for the .Li net @@ -1968,7 +2041,7 @@ The returned data consists of a .\" XXX vm.idlezero .El .Sh The ddb.* subtree ( CTL_DDB ) -The integer information available for the +The information available for the .Li ddb level is detailed below. The changeable column shows whether a process with appropriate 
@@ -1978,30 +2051,44 @@ privilege may change the value. .It Sy Second level name Type Changeable .It ddb.radix integer yes .It ddb.maxoff integer yes +.It ddb.maxwidth integer yes .It ddb.lines integer yes .It ddb.tabstops integer yes .It ddb.onpanic integer yes .It ddb.fromconsole integer yes +.It ddb.tee_msgbuf integer yes +.It ddb.commandonenter string yes .El .Pp .Bl -tag -width "123456" -.It Li ddb.radix ( DBCTL_RADIX ) +.It Li ddb.radix ( DDBCTL_RADIX ) The input and output radix. -.It Li ddb.maxoff ( DBCTL_MAXOFF ) +.It Li ddb.maxoff ( DDBCTL_MAXOFF ) The maximum symbol offset. -.It Li ddb.lines ( DBCTL_LINES ) +.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH ) +The maximum output line width. +.It Li ddb.lines ( DDBCTL_LINES ) Number of display lines. -.It Li ddb.tabstops ( DBCTL_TABSTOPS ) +.It Li ddb.tabstops ( DDBCTL_TABSTOPS ) Tab width. -.It Li ddb.onpanic ( DBCTL_ONPANIC ) +.It Li ddb.onpanic ( DDBCTL_ONPANIC ) If non-zero, DDB will be entered if the kernel panics. -.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE ) +.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE ) If not zero, DDB may be entered by sending a break on a serial console or by a special key sequence on a graphics console. -.\" XXX tee_msgbuf maxwidth commandonenter +.It Li ddb.tee_msgbuf +If not zero, DDB will output also to the kernel message buffer. +.It Li ddb.commandonenter +If not empty, a command to be executed on each enter to the +.Tn DDB . +.\" +.\" XXX: (a) ddb.commandonenter is missing in ddb(4); +.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter. .El .Pp -These MIB nodes are also available as variables from within the DDB. +Some of these +.Tn MIB +nodes are also available as variables from within the debugger. See .Xr ddb 4 for more details. 
@@ -2010,13 +2097,22 @@ The .Li security level contains various security-related settings for the system. +The available second level names are: +.Bl -column "Second level name" "integer" "Changeable" -offset indent +.It Sy Second level name Type Changeable +.It Li security.curtain integer yes +.It Li security.models node not applicable +.It Li security.pax node not applicable +.El +.Pp Available settings are detailed below. .Pp .Bl -tag -width "123456" .It Li security.curtain -If non-zero, will filter return objects according to the user-id +If non-zero, will filter return objects according to the user +.Tn ID requesting information about them, preventing from users any -access to objects they don't own. +access to objects they do not own. .Pp At the moment, it affects .Xr ps 1 , 
@@ -2047,14 +2143,33 @@ For more information on any of the PaX f .Xr paxctl 8 and .Xr security 8 . +The available third and fourth level names are: +.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \ +-offset 2n +.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable +.It Li security.pax.aslr.enabled integer yes +.\".It Li security.pax.aslr.exec_len integer yes +.It Li security.pax.aslr.global integer yes +.\".It Li security.pax.aslr.mmap_len integer yes +.\".It Li security.pax.aslr.stack_len integer yes +.It Li security.pax.mprotect.enabled integer yes +.It Li security.pax.mprotect.global integer yes +.It Li security.pax.segvguard.enabled integer yes +.It Li security.pax.segvguard.expiry_timeout integer yes +.It Li security.pax.segvguard.global integer yes +.It Li security.pax.segvguard.max_crashes integer yes +.It Li security.pax.segvguard.suspend_timeout integer yes +.El .Pp .Bl -tag -width "123456" -.It Li security.pax.aslr.enable +.It Li security.pax.aslr.enabled Enable PaX ASLR (Address Space Layout Randomization). .Pp The value of this knob must be non-zero for PaX ASLR to be enabled, even if a program is set to explicit enable. +.\".It Li security.pax.aslr.exec_len +.\" XXX: Undocumented. .It Li security.pax.aslr.global Specifies the default global policy for programs without an explicit enable/disable flag. @@ -2064,7 +2179,11 @@ When non-zero, all programs will get PaX Otherwise, all programs will not get PaX ASLR, except those specifically marked as such with .Xr paxctl 8 . -.It Li security.pax.mprotect.enable +.\".It Li security.pax.aslr.mmap_len +.\" XXX: Undocumented. +.\" .It Li security.pax.aslr.stack_len +.\" XXX: Undocumented. +.It Li security.pax.mprotect.enabled Enable PaX MPROTECT restrictions. .Pp These are 
@@ -2083,7 +2202,7 @@ except those exempted with Otherwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with .Xr paxctl 8 . -.It Li security.pax.segvguard.enable +.It Li security.pax.segvguard.enabled Enable PaX Segvguard. .Pp PaX Segvguard can detect and prevent certain exploitation attempts, where @@ -2095,6 +2214,9 @@ The .Nx interface and implementation of the Segvguard is still experimental, and may change in future releases. +.It Li security.pax.segvguard.expiry_timeout +If the max number was not reached within this timeout (in seconds), the entry +will expire. .It Li security.pax.segvguard.global Specifies the default global policy for programs without an explicit enable/disable flag. @@ -2105,14 +2227,11 @@ except those exempted with Otherwise, no program will get the PaX Segvguard restrictions, except those specifically marked as such with .Xr paxctl 8 . -.It Li security.pax.segvguard.expiry_timeout -If the max number was not reached within this timeout (in seconds), the entry -will expire. +.It Li security.pax.segvguard.max_crashes +The maximum number of segfaults a program can receive before suspension. .It Li security.pax.segvguard.suspend_timeout Number of seconds to suspend a user from running a faulting program when the limit was exceeded. -.It Li security.pax.segvguard.max_crashes -Max number of segfaults a program can receive before suspension. .El .El .Sh The vendor.* subtree ( CTL_VENDOR )
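Review bot: the hw.acpi.supported_states row and its S0 to S5 description are deleted from the hw.* table with no replacement and no pointer; if the variable has moved under another node the table should cross-reference its new location, and if it was retired the commit log should say so, since readers coming from revision 1.32 will otherwise find no trace of it.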
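Review bot: grammar in the relocated kern.coredump text: "The settings in this node allows an administrator" should read "allow", and "The path to which set-id processes' coredumps will be saved to" doubles the preposition. "Same syntax as kern.defcorename" should be marked up as .Li kern.defcorename like the other variable references. Because these knobs decide whether, where and under which owner, group and mode a set-id process's core image is written, the entry would be stronger if it stated plainly that the shipped default (no dump) is the conservative setting and that the others only loosen it.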
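Review bot: in kern.hostid, "the legacy gethostid(3) and sethostid(3) system calls" conflicts with the section 3 cross-references; these are library functions, so "functions" or "interfaces" is the accurate word. In kern.hostname, "Get or set the .Xr hostname 1" makes the command the thing being set; "Get or set the host name; see hostname(1)" reads correctly.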
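Review bot: the kern.ipc block is moved into alphabetical order and its .Aq Pa references become .In, but it carries over the existing typos: "share memory functionality" (kern.ipc.sysvshm) should be "shared memory", and "Max number of number of" appears three times (kern.ipc.msgseg, kern.ipc.semmni, kern.ipc.semmns). The entries from kern.ipc.msgmni through kern.ipc.semmnu also lack the parenthesised KERN_SYSVIPC_* constant that the other rows carry; if there is none, an ".\" XXX" comment of the kind used elsewhere in this change would record that.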
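Review bot: wording in the new ddb.* entries: "DDB will output also to the kernel message buffer" should be "will also write to the kernel message buffer", and "a command to be executed on each enter to the .Tn DDB" should be "on each entry into DDB". The DBCTL_ to DDBCTL_ corrections and the added ddb.maxwidth, ddb.tee_msgbuf and ddb.commandonenter rows are good; the trailing .\" XXX comment rightly notes the two new knobs have no DDBCTL_ definition, so leaving their descriptions without a parenthesised constant is consistent.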
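Review bot: in security.curtain, "preventing from users any access to objects they do not own" is awkward; "preventing users from accessing objects they do not own" is clearer. The new security.* column table prefixes names with .Li (".It Li security.curtain") while every other column table on this page lists bare names; drop the .Li for consistency.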
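Review bot: the security.pax table header ".It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable" with "-offset 2n" departs from the plain "Type Changeable" headers and "-offset indent" used by every other table in this page; pick one style. Renaming security.pax.aslr.enable, security.pax.mprotect.enable and security.pax.segvguard.enable to the .enabled forms listed in the new table is the substantive fix here, since the old names did not match the variables the table now documents. Also "even if a program is set to explicit enable" should read "explicitly enabled".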
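Review bot: after the alphabetical reorder, security.pax.segvguard.expiry_timeout ("If the max number was not reached within this timeout") now precedes the definition of security.pax.segvguard.max_crashes, so "the max number" has lost its antecedent; write "If security.pax.segvguard.max_crashes was not reached within this timeout (in seconds), the entry expires" so each knob reads on its own.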