Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v rcsdiff: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.4 retrieving revision 1.48 diff -u -p -r1.4 -r1.48 --- src/share/man/man7/sysctl.7 2007/02/02 02:39:13 1.4 +++ src/share/man/man7/sysctl.7 2010/07/28 20:49:12 1.48 @@ -1,4 +1,4 @@ -.\" $NetBSD: sysctl.7,v 1.4 2007/02/02 02:39:13 elad Exp $ +.\" $NetBSD: sysctl.7,v 1.48 2010/07/28 20:49:12 jruoho Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 .\" -.Dd February 2, 2007 +.Dd July 28, 2010 .Dt SYSCTL 7 .Os .Sh NAME 
@@ -70,25 +70,25 @@ See the manual page for programming examples. .Sh Top level names The top level names are defined with a CTL_ prefix in -.Aq Pa sys/sysctl.h , +.In sys/sysctl.h , and are as follows. The next and subsequent levels down are found in the include files listed here, and described in separate sections below. -.Bl -column securityXX CTLXSECURITYXX "Next level namesXX" +.Bl -column security CTL_SECURITY "Next level names" "High kernel limits" .It Sy Name Constant Next level names Description -.It kern CTL\_KERN sys/sysctl.h High kernel limits -.It vm CTL\_VM uvm/uvm_param.h Virtual memory -.It vfs CTL\_VFS sys/mount.h Filesystem -.It net CTL\_NET sys/socket.h Networking -.It debug CTL\_DEBUG sys/sysctl.h Debugging -.It hw CTL\_HW sys/sysctl.h Generic CPU, I/O -.It machdep CTL\_MACHDEP sys/sysctl.h Machine dependent -.It user CTL\_USER sys/sysctl.h User-level -.It ddb CTL\_DDB sys/sysctl.h In-kernel debugger -.It proc CTL\_PROC sys/sysctl.h Per-process -.It vendor CTL\_VENDOR ? Vendor specific -.It emul CTL\_EMUL sys/sysctl.h Emulation settings -.It security CTL\_SECURITY sys/sysctl.h Security settings +.It kern CTL_KERN sys/sysctl.h High kernel limits +.It vm CTL_VM uvm/uvm_param.h Virtual memory +.It vfs CTL_VFS sys/mount.h Filesystem +.It net CTL_NET sys/socket.h Networking +.It debug CTL_DEBUG sys/sysctl.h Debugging +.It hw CTL_HW sys/sysctl.h Generic CPU, I/O +.It machdep CTL_MACHDEP sys/sysctl.h Machine dependent +.It user CTL_USER sys/sysctl.h User-level +.It ddb CTL_DDB sys/sysctl.h In-kernel debugger +.It proc CTL_PROC sys/sysctl.h Per-process +.It vendor CTL_VENDOR ? Vendor specific +.It emul CTL_EMUL sys/sysctl.h Emulation settings +.It security CTL_SECURITY sys/sysctl.h Security settings .El .Sh The debug.* subtree The debugging variables vary from system to system. 
@@ -112,6 +112,7 @@ if a variable is initialized in more tha For example, to export the variable .Dv dospecialcheck as a debugging variable, the following declaration would be used: +.Pp .Bd -literal -offset indent -compact int dospecialcheck = 1; struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck }; @@ -131,15 +132,17 @@ for more information. A distinguished second level name, .Li vfs.generic ( VFS_GENERIC ) , is used to get general information about all filesystems. -One of its third level identifiers is -.Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM ) -that gives the highest valid filesystem type number. -Its other third level identifier is -.Li vfs.generic.conf ( VFS_CONF ) -that returns configuration information about the filesystem -type given as a fourth level identifier. -The remaining second level identifiers are the -filesystem type number returned by a +It has the following third level identifiers: +.Bl -tag -width compact +.It vfs.generic.maxtypenum ( VFS_MAXTYPENUM ) +The highest valid filesystem type number. +.It vfs.generic.conf ( VFS_CONF ) +Returns configuration information about the file-system type given as a fourth +level identifier. +.El +.Pp +The remaining second level identifiers are the file-system names, identified +by the type number returned by a .Xr statvfs 2 call or from .Li vfs.generic.conf . @@ -152,7 +155,7 @@ The string and integer information avail level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -.Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent +.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent .It Sy Second level name Type Changeable .It hw.alignbytes integer no .It hw.byteorder integer no @@ -215,7 +218,6 @@ The machine CPU class. The machine model. .It Li hw.ncpu ( HW_NCPU ) The number of CPUs. -.ne 1i .It Li hw.pagesize ( HW_PAGESIZE ) The software page size. .It Li hw.physmem ( HW_PHYSMEM ) 
@@ -228,44 +230,47 @@ The bytes of non-kernel memory as a 32-b The bytes of non-kernel memory as a 64-bit integer. .El .Sh The kern.* subtree +This subtree includes data generally related to the kernel. The string and integer information available for the .Li kern level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -The types of data currently available are process information, -system vnodes, the open file entries, routing table entries, -virtual memory statistics, load average history, and clock rate -information. -.Bl -column "kern.posix_reader_writer_locks" "struct clockrateXXX" -offset indent +.Bl -column "kern.posix_reader_writer_locks" \ +"struct kinfo_drivers" "not applicable" .It Sy Second level name Type Changeable +.It kern.arandom integer no .It kern.argmax integer no -.It kern.autonicetime integer yes -.It kern.autoniceval integer yes +.It kern.boothowto integer no .It kern.boottime struct timeval no -.It kern.bufq node not applicable +.\".It kern.bufq node not applicable .It kern.ccpu integer no .It kern.clockrate struct clockinfo no .It kern.consdev integer no -.It kern.cp\_id struct no -.It kern.cp\_time uint64_t[\|] no +.It kern.coredump node not applicable +.It kern.cp_id struct no +.It kern.cp_time uint64_t[\|] no +.It kern.cryptodevallowsoft integer yes .It kern.defcorename string yes +.It kern.detachall integer yes .It kern.domainname string yes .It kern.drivers struct kinfo_drivers no +.It kern.dump_on_panic integer yes .It kern.file struct file no .It kern.forkfsleep integer yes .It kern.fscale integer no .It kern.fsync integer no -.It kern.hardclock\_ticks integer no +.It kern.hardclock_ticks integer no .It kern.hostid integer yes .It kern.hostname string yes -.It kern.iov\_max integer no -.It kern.job\_control integer no +.It kern.iov_max integer no +.It kern.ipc node not applicable +.It kern.job_control integer no .It kern.labeloffset integer no .It kern.labelsector 
integer no -.It kern.login\_name\_max integer no +.It kern.login_name_max integer no .It kern.logsigexit integer yes -.It kern.mapped\_files integer no +.It kern.mapped_files integer no .It kern.maxfiles integer yes .It kern.maxpartitions integer no .It kern.maxphys integer no 
@@ -274,60 +279,75 @@ information. .It kern.maxvnodes integer yes .It kern.mbuf node not applicable .It kern.memlock integer no -.It kern.memlock\_range integer no -.It kern.memory\_protection integer no -.It kern.monotonic\_clock integer no +.It kern.memlock_range integer no +.It kern.memory_protection integer no +.It kern.module node not applicable +.It kern.monotonic_clock integer no .It kern.msgbuf integer no .It kern.msgbufsize integer no .It kern.ngroups integer no +.\".It kern.no_sa_support integer yes .It kern.ntptime struct ntptimeval no .It kern.osrelease string no -.It kern.osrev integer no +.It kern.osrevision integer no .It kern.ostype string no +.\".It kern.panic_now integer yes .It kern.pipe node not applicable -.It kern.posix1 integer no -.It kern.posix\_barriers integer no -.It kern.posix\_reader\_writer\_locks integer no -.It kern.posix\_semaphores integer no -.It kern.posix\_spin\_locks integer no -.It kern.posix\_threads integer no -.It kern.posix\_timers integer no +.\" .It kern.posix node not applicable +.It kern.posix1version integer no +.It kern.posix_barriers integer no +.It kern.posix_reader_writer_locks integer no +.\".It kern.posix_sched integer yes +.It kern.posix_semaphores integer no +.It kern.posix_spin_locks integer no +.It kern.posix_threads integer no +.It kern.posix_timers integer no .It kern.proc struct kinfo_proc no .It kern.proc2 struct kinfo_proc2 no -.It kern.proc\_args string no -.It kern.prof node not applicable +.It kern.proc_args string no +.It kern.profiling node not applicable +.\".It kern.pset node not applicable .It kern.rawpartition integer no -.It kern.root\_device string no -.It kern.root\_partition integer no -.It kern.rtc\_offset integer yes -.It kern.saved\_ids integer no +.It kern.root_device string no +.It kern.root_partition integer no +.It kern.rtc_offset integer yes +.It kern.saved_ids integer no +.It kern.sbmax integer yes +.\".It kern.sched node not applicable .It kern.securelevel integer raise only -.It 
kern.synchronized\_io integer no -.It kern.ipc node not applicable +.It kern.somaxkva integer yes +.It kern.synchronized_io integer no +.It kern.timecounter node not applicable .It kern.timex struct no .It kern.tkstat node not applicable .It kern.urandom integer no +.It kern.usercrypto integer yes +.It kern.userasymcrypto integer yes +.It kern.veriexec node not applicable .It kern.version string no .It kern.vnode struct vnode no .El -.ne 1i -.Pp .Bl -tag -width "123456" +.It Li kern.arandom +This variable picks a random number each time it is queried. +The used random number generator +.Pq Tn RNG +is based on +.Xr arc4random 3 . .It Li kern.argmax ( KERN_ARGMAX ) The maximum bytes of argument to .Xr execve 2 . -.It Li kern.autonicetime ( KERN_AUTONICETIME ) -The number of seconds of CPU-time a non-root process may accumulate before -having its priority lowered from the default to the value of KERN_AUTONICEVAL. -If set to 0, automatic lowering of priority is not performed, and if set to \-1 -all non-root processes are immediately lowered. -.It Li kern.autoniceval ( KERN_AUTONICEVAL ) -The priority assigned for automatically niced processes. +.It Li kern.boothowto +Flags passed from the boot loader; see +.Xr reboot 2 +for the meanings of the flags. .It Li kern.boottime ( KERN_BOOTTIME ) A .Va struct timeval structure is returned. This structure contains the time that the system was booted. +.\" .It Li kern.bufq +.\" XXX: Undocumented. .It Li kern.ccpu ( KERN_CCPU ) The scheduler exponential decay value. .It Li kern.clockrate ( KERN_CLOCKRATE ) 
@@ -337,8 +357,45 @@ structure is returned. This structure contains the clock, statistics clock and profiling clock frequencies, the number of micro-seconds per hz tick, and the clock skew rate. +Refer to +.Xr hz 9 +for additional details. .It Li kern.consdev ( KERN_CONSDEV ) Console device. +.It Li kern.coredump +Settings related to set-id processes coredumps. +By default, set-id processes do not dump core in situations where +other processes would. +The settings in this node allows an administrator to change this +behavior. +.Pp +The third level name is +.Dv kern.coredump.setid +and fourth level variables are described below. +.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent +.It Sy Fourth level name Type Changeable +.It kern.coredump.setid.dump integer yes +.It kern.coredump.setid.group integer yes +.It kern.coredump.setid.mode integer yes +.It kern.coredump.setid.owner integer yes +.It kern.coredump.setid.path string yes +.El +.Bl -tag -width "123456" +.It Li kern.coredump.setid.dump +If non-zero, set-id processes will dump core. +.It Li kern.coredump.setid.group +The group-id for the set-id processes' coredump. +.It Li kern.coredump.setid.mode +The mode for the set-id processes' coredump. +See +.Xr chmod 1 . +.It Li kern.coredump.setid.owner +The user-id that will be used as the owner of the set-id processes' +coredump. +.It Li kern.coredump.setid.path +The path to which set-id processes' coredumps will be saved to. +Same syntax as kern.defcorename. +.El .It Li kern.cp_id ( KERN_CP_ID ) Mapping of CPU number to CPU id. .It Li kern.cp_time ( KERN_CP_TIME ) 
@@ -349,6 +406,21 @@ On multi-processor systems, the sum acro appropriate space is given for one data set for each CPU. Data for a specific CPU can also be obtained by adding the number of the CPU at the end of the MIB, enlarging it by one. +.It Li kern.cryptodevallowsoft +This variable controls userland access to hardware versus software transforms +in the +.Xr crypto 4 +system. +The available values are as follows: +.Bl -tag -width XX0 -offset indent +.It Dv \*[Lt] 0 +Always force userlevel requests to use software transforms. +.It Dv = 0 +If present, use hardware and grant userlevel requests for +non-accelerated transforms (handling the latter in software). +.It Dv \*[Gt] 0 +Allow user requests only for transforms which are hardware-accelerated. +.El .It Li kern.defcorename ( KERN_DEFCORENAME ) Default template for the name of core dump files (see also .Li proc.pid.corename @@ -364,10 +436,10 @@ and can be changed with the kernel confi (see .Xr options 4 ). +.It Li kern.detachall +Detach all devices at shutdown. .It Li kern.domainname ( KERN_DOMAINNAME ) Get or set the YP domain name. -.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC ) -Perform a crash dump on system panic. .It Li kern.drivers ( KERN_DRIVERS ) Return an array of .Va struct kinfo_drivers @@ -379,6 +451,9 @@ field is always a NUL terminated string. The .Va d_bmajor field will be set to \-1 if the driver doesn't have a block device. +.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC ) +Perform a crash dump on system +.Xr panic 9 . .It Li kern.file ( KERN_FILE ) Return the entire file table. The returned data consists of a single 
@@ -408,9 +483,15 @@ Returns the number of .Xr hardclock 9 ticks. .It Li kern.hostid ( KERN_HOSTID ) -Get or set the host id. +Get or set the host identifier. +This is aimed to replace the legacy +.Xr gethostid 3 +and +.Xr sethostid 3 +system calls. .It Li kern.hostname ( KERN_HOSTNAME ) -Get or set the hostname. +Get or set the +.Xr hostname 1 . .It Li kern.iov_max ( KERN_IOV_MAX ) Return the maximum number of .Va iovec 
@@ -422,6 +503,92 @@ structures that a process has available .Xr sendmsg 2 and .Xr writev 2 . +.It Li kern.ipc ( KERN_SYSVIPC ) +Return information about the SysV IPC parameters. +The third level names for the ipc variables are detailed below. +.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.ipc.sysvmsg integer no +.It kern.ipc.sysvsem integer no +.It kern.ipc.sysvshm integer no +.It kern.ipc.sysvipc_info struct no +.It kern.ipc.shmmax integer yes +.It kern.ipc.shmmni integer yes +.It kern.ipc.shmseg integer yes +.It kern.ipc.shmmaxpgs integer yes +.It kern.ipc.shm_use_phys integer yes +.It kern.ipc.msgmni integer yes +.It kern.ipc.msgseg integer yes +.It kern.ipc.semmni integer yes +.It kern.ipc.semmns integer yes +.It kern.ipc.semmnu integer yes +.El +.Bl -tag -width "123456" +.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG ) +Returns 1 if System V style message queue functionality is available +on this system, +otherwise 0. +.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM ) +Returns 1 if System V style semaphore functionality is available +on this system, +otherwise 0. +.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM ) +Returns 1 if System V style share memory functionality is available +on this system, +otherwise 0. +.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO ) +Return System V style IPC configuration and run-time information. +The fourth level name selects the System V style IPC facility. +.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent +.It Sy Fourth level name Type +.It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info +.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info +.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info +.El +.Pp +.Bl -tag -width "123456" +.It Li KERN_SYSVIPC_MSG_INFO +Return information on the System V style message facility. +The +.Sy msg_sysctl_info +structure is defined in +.In sys/msg.h . 
+.It Li KERN_SYSVIPC_SEM_INFO +Return information on the System V style semaphore facility. +The +.Sy sem_sysctl_info +structure is defined in +.In sys/sem.h . +.It Li KERN_SYSVIPC_SHM_INFO +Return information on the System V style shared memory facility. +The +.Sy shm_sysctl_info +structure is defined in +.In sys/shm.h . +.El +.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX ) +Max shared memory segment size in bytes. +.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI ) +Max number of shared memory identifiers. +.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG ) +Max shared memory segments per process. +.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS ) +Max amount of shared memory in pages. +.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS ) +Locking of shared memory in physical memory. +If 0, memory can be swapped +out, otherwise it will be locked in physical memory. +.It Li kern.ipc.msgmni +Max number of message queue identifiers. +.It Li kern.ipc.msgseg +Max number of number of message segments. +.It Li kern.ipc.semmni +Max number of number of semaphore identifiers. +.It Li kern.ipc.semmns +Max number of number of semaphores in system. +.It Li kern.ipc.semmnu +Max number of undo structures in system. +.El .It Li kern.job_control ( KERN_JOB_CONTROL ) Return 1 if job control is available on this system, otherwise 0. .It Li kern.labeloffset ( KERN_LABELOFFSET ) @@ -468,7 +635,7 @@ structures in the networking code, see The third level names for the mbuf variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -.Bl -column "kern.mbuf.nmbclusters" "struct integerXXX" -offset indent +.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent .It Sy Third level name Type Changeable .\" XXX Changeable? really? .It kern.mbuf.mblowat integer yes 
@@ -505,6 +672,56 @@ otherwise 0. Returns 1 if the POSIX 1003.1b Memory Protection Option is available on this system, otherwise 0. +.It Li kern.module +Settings related to kernel modules. +The third level names for the settings are described below. +.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.module.autoload integer yes +.It kern.module.verbose integer yes +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.module.autoload +A boolean that controls whether kernel modules are loaded automatically. +See for example +.Xr modstat 8 +for additional details. +.It Li kern.module.verbose +A boolean that enables or disables verbose +debug messages related to kernel modules. +.El +.It Li kern.mqueue +Settings related to +.Tn POSIX +message queues; see +.Xr mqueue 3 . +This node is created dynamically when +the corresponding kernel module is loaded. +The third level names for the settings are described below. +.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.mqueue.mq_open_max integer yes +.It kern.mqueue.mq_prio_max integer yes +.It kern.mqueue.mq_max_msgsize integer yes +.It kern.mqueue.mq_def_maxmsg integer yes +.It kern.mqueue.mq_max_maxmsg integer yes +.El +.Pp +The variables are: +.Bl -tag -width "123456" +.It Li kern.mqueue.mq_open_max +The maximum number of message queue descriptors any single process can open. +.It Li kern.mqueue.mq_prio_max +The maximum priority of a message. +.It Li kern.mqueue.mq_max_msgsize +The maximum size of a message in a message queue. +.It Li kern.mqueue.mq_def_maxmsg +The default maximum message count. +.It Li kern.mqueue.mq_max_maxmsg +The maximum number of messages in a message queue. +.El .It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK ) Returns the standard version the implementation of the POSIX 1003.1b Monotonic Clock Option conforms to, 
@@ -517,6 +734,8 @@ The returned data may contain NUL bytes. The maximum number of characters that the kernel message buffer can hold. .It Li kern.ngroups ( KERN_NGROUPS ) The maximum number of supplemental groups. +.\" .It Li kern.no_sa_support +.\" XXX: Undocumented. .It Li kern.ntptime ( KERN_NTPTIME ) A .Va struct ntptimeval @@ -530,12 +749,14 @@ The system release string. The system revision string. .It Li kern.ostype ( KERN_OSTYPE ) The system type string. +.\".It Li kern.panic_now +.\" XXX: Undocumented. .It Li kern.pipe ( KERN_PIPE ) Pipe settings. The third level names for the integer pipe settings is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -.Bl -column "kern.pipe.maxbigpipesXXX" "integerXXX" -offset indent +.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent .It Sy Third level name Type Changeable .It kern.pipe.kvasiz integer yes .It kern.pipe.maxbigpipes integer yes @@ -557,6 +778,8 @@ Limit for direct transfers via page loan .It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES ) Number of "big" pipes. .El +.\" XXX: Undocumented .It Li kern.posix ( ? ) +.\" This is a node in which the only variable is semmax. .It Li kern.posix1version ( KERN_POSIX1 ) The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply. @@ -574,6 +797,8 @@ and its Read-Write Locks option to which the system attempts to conform, otherwise 0. +.\".It Li kern.posix_sched +.\" XXX: Undocumented. .It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES ) The version of .St -p1003.1 
@@ -609,17 +834,17 @@ An array of structures is returned, whose size depends on the current number of such objects in the system. The third and fourth level numeric names are as follows: -.Bl -column "Third level nameXXXXXX" "Fourth level is:XXXXXX" -offset indent +.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent .It Sy Third level name Fourth level is: -.It KERN\_PROC\_ALL None -.It KERN\_PROC\_GID A group ID -.It KERN\_PROC\_PID A process ID -.It KERN\_PROC\_PGRP A process group -.It KERN\_PROC\_RGID A real group ID -.It KERN\_PROC\_RUID A real user ID -.It KERN\_PROC\_SESSION A session ID -.It KERN\_PROC\_TTY A tty device -.It KERN\_PROC\_UID A user ID +.It KERN_PROC_ALL None +.It KERN_PROC_GID A group ID +.It KERN_PROC_PID A process ID +.It KERN_PROC_PGRP A process group +.It KERN_PROC_RGID A real group ID +.It KERN_PROC_RUID A real user ID +.It KERN_PROC_SESSION A session ID +.It KERN_PROC_TTY A tty device +.It KERN_PROC_UID A user ID .El .It Li kern.proc2 ( KERN_PROC2 ) As for KERN_PROC, but an array of @@ -634,11 +859,11 @@ of a process. Multiple strings are returned separated by NUL characters. The third level name is the process ID. The fourth level name is as follows: -.Bl -column "Third level nameXXXXXX" -offset indent -.It KERN\_PROC\_ARGV The argv strings -.It KERN\_PROC\_ENV The environ strings -.It KERN\_PROC\_NARGV The number of argv strings -.It KERN\_PROC\_NENV The number of environ strings +.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent +.It KERN_PROC_ARGV The argv strings +.It KERN_PROC_ENV The environ strings +.It KERN_PROC_NARGV The number of argv strings +.It KERN_PROC_NENV The number of environ strings .El .It Li kern.profiling ( KERN_PROF ) Return profiling information about the kernel. 
@@ -650,7 +875,7 @@ The third level names for the string and is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -.Bl -column "kern.profiling.gmonparam" "struct gmonparam" -offset indent +.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent .It Sy Third level name Type Changeable .It kern.profiling.count u_short[\|] yes .It kern.profiling.froms u_short[\|] yes @@ -676,6 +901,8 @@ Array of .Va struct tostruct describing destination of calls and their counts. .El +.\" .It Li kern.pset +.\" XXX: Undocumented. .It Li kern.rawpartition ( KERN_RAWPARTITION ) The raw partition of a disk (a == 0). .It Li kern.root_device ( KERN_ROOT_DEVICE ) @@ -691,9 +918,10 @@ Returns 1 if saved set-group and saved s Maximum socket buffer size. .\" XXX units? .It Li kern.securelevel ( KERN_SECURELVL ) -The system security level. -This level may be raised by processes with appropriate privilege. -It may only be lowered by process 1. +See +.Xr secmodel_securelevel 9 . +.\" .It Li kern.sched +.\" XXX: Undocumented. .It Li kern.somaxkva ( KERN_SOMAXKVA ) Maximum amount of kernel memory to be used for socket buffers. .\" XXX units? 
@@ -701,76 +929,23 @@ Maximum amount of kernel memory to be us Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available on this system, otherwise 0. -.It Li kern.ipc ( KERN_SYSVIPC ) -Return information about the SysV IPC parameters. -The third level names for the ipc variables are detailed below. -.Bl -column "KERN_SYSVIPC_MSGXXX" "integerXXX" "noXXX" -offset indent -.It Sy Third level name Type Changeable -.It kern.ipc.sysvmsg integer no -.It kern.ipc.sysvsem integer no -.It kern.ipc.sysvshm integer no -.It kern.ipc.sysvipc_info struct no -.It kern.ipc.shmmax integer no -.It kern.ipc.shmmni integer yes -.It kern.ipc.shmseg integer yes -.It kern.ipc.shmmaxpgs integer yes -.It kern.ipc.shm_use_phys integer yes -.El -.Bl -tag -width "123456" -.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG ) -Returns 1 if System V style message queue functionality is available -on this system, -otherwise 0. -.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM ) -Returns 1 if System V style semaphore functionality is available -on this system, -otherwise 0. -.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM ) -Returns 1 if System V style share memory functionality is available -on this system, -otherwise 0. -.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO ) -Return System V style IPC configuration and run-time information. -The fourth level name selects the System V style IPC facility. -.Bl -column "KERN_SYSVIPC_MSG_INFOXXX" "struct shm_sysctl_infoXXX" -offset indent -.It Sy Fourth level name Type -.It KERN\_SYSVIPC\_MSG\_INFO struct msg_sysctl_info -.It KERN\_SYSVIPC\_SEM\_INFO struct sem_sysctl_info -.It KERN\_SYSVIPC\_SHM\_INFO struct shm_sysctl_info +.It Li kern.timecounter ( dynamic ) +Display and control the timecounter source of the system. 
+.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.timecounter.choice string no +.It kern.timecounter.hardware string yes +.It kern.timecounter.timestepwarnings integer yes .El .Pp +The variables are as follows: .Bl -tag -width "123456" -.It Li KERN_SYSVIPC_MSG_INFO -Return information on the System V style message facility. -The -.Sy msg_sysctl_info -structure is defined in -.Aq Pa sys/msg.h . -.It Li KERN_SYSVIPC_SEM_INFO -Return information on the System V style semaphore facility. -The -.Sy sem_sysctl_info -structure is defined in -.Aq Pa sys/sem.h . -.It Li KERN_SYSVIPC_SHM_INFO -Return information on the System V style shared memory facility. -The -.Sy shm_sysctl_info -structure is defined in -.Aq Pa sys/shm.h . -.El -.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX ) -Max shared memory segment size in bytes. -.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI ) -Max number of shared memory identifiers. -.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG ) -Max shared memory segments per process. -.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS ) -Max amount of shared memory in pages. -.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS ) -Locking of shared memory in physical memory. -If 0, memory can be swapped -out, otherwise it will be locked in physical memory. +.It Li kern.timecounter.choice ( dynamic ) +The list of available timecounters with their quality and frequency. +.It Li kern.timecounter.hardware ( dynamic ) +The currently selected timecounter source. +.It Li kern.timecounter.timestepwarnings ( dynamic ) +If non-zero display a message each time the time is stepped. .El .It Li kern.timex ( KERN_TIMEX ) Not available. 
@@ -780,7 +955,7 @@ on ttys. The third level names for the tty statistic variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -.Bl -column "KERNXTKSTATXRAWCCXXX" "struct integerXXX" -offset indent +.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent .It Sy Third level name Type Changeable .It kern.tkstat.cancc quad no .It kern.tkstat.nin quad no @@ -801,8 +976,28 @@ The number of raw input characters. .El .It Li kern.urandom ( KERN_URND ) Random integer value. +.It Li kern.usercrypto +When enabled, allows userland to +.Xr open 2 +the +.Pa /dev/crypto +special device, used by the +.Xr crypto 4 +system. +.It Li kern.userasymcrypto +Enables or disables the use of software asymmetric crypto support in the +.Xr crypto 4 +system. .It Li kern.veriexec -Tunings for Verixec. +Runtime information for +.Xr veriexec 8 . +.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.veriexec.algorithms string no +.It kern.veriexec.count node not applicable +.It kern.veriexec.strict integer yes +.It kern.veriexec.verbose integer yes +.El .Bl -tag -width "123456" .It Li kern.veriexec.algorithms Returns a string with the supported algorithms in Veriexec. 
@@ -840,38 +1035,16 @@ Each element of the array contains the k .Va struct vnode * followed by the vnode itself .Va struct vnode . -.It Li kern.coredump.setid -Settings related to set-id processes coredumps. -By default, set-id processes do not dump core in situations where -other processes would. -The settings in this node allows an administrator to change this -behavior. -.Pp -.Bl -tag -width "123456" -.It Li kern.coredump.setid.dump -If non-zero, set-id processes will dump core. -.It Li kern.coredump.setid.group -The group-id for the set-id processes' coredump. -.It Li kern.coredump.setid.mode -The mode for the set-id processes' coredump. -See -.Xr chmod 1 . -.It Li kern.coredump.setid.owner -The user-id that will be used as the owner of the set-id processes' -coredump. -.It Li kern.coredump.setid.path -The path to which set-id processes' coredumps will be saved to. -Same syntax as kern.defcorename. -.El -.\" XXX kern.lwp +.\" XXX: Undocumented: kern.lwp: no children? .El .Sh The machdep.* subtree The set of variables defined is architecture dependent. Most architectures define at least the following variables. -.Bl -column "CONSOLE_DEVICEXXX" "integerXXX" -offset indent +.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent .It Sy Second level name Type Changeable -.It Li CPU_CONSDEV dev_t no +.It Li machdep.booted_kernel string no .El +.\" XXX: Document the above. .Sh The net.* subtree The string and integer information available for the .Li net @@ -880,7 +1053,7 @@ The changeable column shows whether a pr privilege may change the value. The second and third levels are typically the protocol family and protocol number, though this is not always the case. -.Bl -column "Second level nameX" "IPsec key management valuesX" -offset indent +.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent .It Sy Second level name Type Changeable .It net.route routing messages no .It net.inet IPv4 values yes 
@@ -901,11 +1074,11 @@ The third level name is a protocol numbe The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows: -.Bl -column "Fifth level nameXXXXXX" "Sixth level is:XXX" -offset indent +.Bl -column "Fifth level name" "Sixth level is:" -offset indent .It Sy Fifth level name Sixth level is: -.It NET\_RT\_FLAGS rtflags -.It NET\_RT\_DUMP None -.It NET\_RT\_IFLIST None +.It NET_RT_FLAGS rtflags +.It NET_RT_DUMP None +.It NET_RT_IFLIST None .El .It Li net.inet ( PF_INET ) Get or set various global information about the IPv4 @@ -913,7 +1086,7 @@ Get or set various global information ab The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: -.Bl -column "Protocol name" "sack.globalmaxholes" "integer" -offset 4n +.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n .It Sy Protocol name Variable name Type Changeable .It arp down integer yes .It arp keep integer yes @@ -927,6 +1100,7 @@ The currently defined protocols and name .It icmp maskrepl integer yes .It icmp rediraccept integer yes .It icmp redirtimeout integer yes +.It icmp bmcastecho integer yes .It ip allowsrcrt integer yes .It ip anonportmax integer yes .It ip anonportmin integer yes @@ -937,6 +1111,7 @@ The currently defined protocols and name .It ip forwsrcrt integer yes .It ip gifttl integer yes .It ip grettl integer yes +.It ip hashsize integer yes .It ip hostzerobroadcast integer yes .It ip lowportmin integer yes .It ip lowportmax integer yes 
@@ -968,9 +1143,11 @@ The currently defined protocols and name .It tcp keepintvl integer yes .It tcp keepcnt integer yes .It tcp slowhz integer no +.It tcp keepinit integer yes .It tcp log_refused integer yes .It tcp rstppslimit integer yes .It tcp ident struct no +.It tcp drop struct no .It tcp sack.enable integer yes .It tcp sack.globalholes integer no .It tcp sack.globalmaxholes integer yes @@ -1060,6 +1237,12 @@ tunnel interface. The maximum time-to-live (hop count) value for an IPv4 packet generated by .Xr gre 4 tunnel interface. +.It Li ip.hashsize +The size of IPv4 Fast Forward hash table. +This value must be a power of 2 (64, 256...). +A larger hash table size results in fewer collisions. +Also see +.Li ip.maxflows . .It Li ip.hostzerobroadcast All zeroes address is broadcast address. .It Li ip.lowportmax @@ -1073,8 +1256,8 @@ This cannot be set to less than 0 or gre be smaller than .Li ip.lowportmax . .It Li ip.maxflows -IP Fast Forwarding is enabled by default. -If set to 0, IP Fast Forwarding is disabled. +IPv4 Fast Forwarding is enabled by default. +If set to 0, IPv4 Fast Forwarding is disabled. .Li ip.maxflows controls the maximum amount of flows which can be created. The default value is 256. @@ -1127,6 +1310,9 @@ ICMP redirect. This defaults to 600 seconds. .It Li icmp.returndatabytes Number of bytes to return in an ICMP error message. +.It Li icmp.bmcastecho +If set to 1, enables responding to ICMP echo or timestamp request to the +broadcast address. .It Li tcp.ack_on_push If set to 1, TCP is to immediately transmit an ACK upon reception of a packet with PUSH set. @@ -1177,6 +1363,8 @@ another probe is sent. See also tcp.slowhz. .It Li tcp.log_refused If set to 1, refused TCP connections to the host will be logged. +.It Li tcp.keepinit +Timeout in seconds during connection establishment. .It Li tcp.mss_ifmtu If set to 1, TCP calculates the outgoing maximum segment size based on the MTU of the appropriate interface. 
@@ -1189,10 +1377,6 @@ us during connection setup or Path MTU D .Li ( ip.mtudisc ) is disabled. Do not change this value unless you really know what you are doing. -.It Li tcp.newreno -If set to 1, enables the use of J. -Hoe's NewReno congestion control algorithm. -This algorithm improves the start-up behavior of TCP connections. .It Li tcp.recvspace The default TCP receive buffer size. .It Li tcp.rfc1323 @@ -1203,6 +1387,11 @@ per second. TCP RST packet that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limitation. +.It Li tcp.ident +Return the user ID of a connected socket pair. +(RFC1413 Identification Protocol lookups.) +.It Li tcp.drop +Drop a TCP socket pair connection. .It Li tcp.sack.enable If set to 1, enables RFC 2018 Selective ACKnowledgement. .It Li tcp.sack.globalholes @@ -1265,7 +1454,7 @@ Get or set various global information ab The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: -.Bl -column "Protocol name" "Variable nameXX" "integer" "yes" -offset indent +.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent .It Sy Protocol name Variable name Type Changeable .It icmp6 errppslimit integer yes .It icmp6 mtudisc_hiwat integer yes @@ -1288,6 +1477,7 @@ The currently defined protocols and name .It ip6 defmcasthlim integer yes .It ip6 forwarding integer yes .It ip6 gifhlim integer yes +.It ip6 hashsize integer yes .It ip6 hlim integer yes .It ip6 hdrnestlimit integer yes .It ip6 kame_version string no @@ -1295,6 +1485,7 @@ The currently defined protocols and name .It ip6 log_interval integer yes .It ip6 lowportmax integer yes .It ip6 lowportmin integer yes +.It ip6 maxflows integer yes .It ip6 maxfragpackets integer yes .It ip6 maxfrags integer yes .It ip6 redirect integer yes 
@@ -1355,6 +1546,12 @@ tunnel interface. .It Li ip6.hdrnestlimit The number of IPv6 extension headers permitted on incoming IPv6 packets. If set to 0, the node will accept as many extension headers as possible. +.It Li ip6.hashsize +The size of IPv6 Fast Forward hash table. +This value must be a power of 2 (64, 256...). +A larger hash table size results in fewer collisions. +Also see +.Li ip6.maxflows . .It Li ip6.hlim The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. @@ -1385,6 +1582,12 @@ The lowest port number to use for TCP an This cannot be set to less than 0 or greater than 1024, and must be smaller than .Li ip6.lowportmax . +.It Li ip6.maxflows +IPv6 Fast Forwarding is enabled by default. +If set to 0, IPv6 Fast Forwarding is disabled. +.Li ip6.maxflows +controls the maximum amount of flows which can be created. +The default value is 256. .It Li ip6.maxfragpackets The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. @@ -1517,7 +1720,7 @@ For variables net.*.ipsec6, please refer Get or set various global information about the IPsec key management. The third level name is the variable name. The currently defined variable and names are: -.Bl -column "blockacq_lifetime" "integer" "yes" -offset indent +.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent .It Sy Variable name Type Changeable .It debug integer yes .It spi_try integer yes @@ -1530,6 +1733,7 @@ The currently defined variable and names .It esp_auth integer yes .It ah_keymin integer yes .El +.Pp The variables are as follows: .Bl -tag -width "123456" .It Li debug 
@@ -1580,7 +1784,7 @@ When a set-user-ID or set-group-ID binar value of PROC_PID_CORENAME is reset to the system default value. The second level name is either the magic value PROC_CURPROC, which points to the current process, or the PID of the target process. -.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" "yes" -offset indent +.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent .It Sy Third level name Type Changeable .It proc.pid.corename string yes .It proc.pid.rlimit node not applicable @@ -1589,7 +1793,6 @@ points to the current process, or the PI .It proc.pid.stopexit int yes .El .Bl -tag -width "123456" -.Pp .It Li proc.pid.corename ( PROC_PID_CORENAME ) The template used for the core dump file name (see .Xr core 5 @@ -1638,7 +1841,14 @@ function. The maximum number of simultaneous processes for this user id. .It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE ) The maximum number of open files for this process. -.\" XXX proc.pid.rlimit.sbsize +.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE ) +The maximum size (in bytes) of the socket buffers +set by the +.Xr setsockopt 2 +.Dv SO_RCVBUF +and +.Dv SO_SNDBUF +options. .El .Pp The fifth level name is one of @@ -1698,7 +1908,7 @@ The string and integer information avail level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" -offset indent +.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent .It Sy Second level name Type Changeable .It user.atexit_max integer no .It user.bc_base_max integer no @@ -1724,7 +1934,6 @@ privilege may change the value. .It user.tzname_max integer no .El .Bl -tag -width "123456" -.Pp .It Li user.atexit_max ( USER_ATEXIT_MAX ) The maximum number of functions that may be registered with .Xr atexit 3 . 
@@ -1787,7 +1996,6 @@ The version of POSIX 1003.2 with which t .It Li user.re_dup_max ( USER_RE_DUP_MAX ) The maximum number of repeated occurrences of a regular expression permitted when using interval notation. -.ne 1i .It Li user.stream_max ( USER_STREAM_MAX ) The minimum maximum number of streams that a process may have open at any one time. @@ -1801,7 +2009,7 @@ The string and integer information avail level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -.Bl -column "Second level nameXXXXXX" "struct uvmexp_sysctlXXX" -offset indent +.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent .It Sy Second level name Type Changeable .It vm.anonmax int yes .It vm.anonmin int yes @@ -1862,6 +2070,8 @@ The value of the maxslp kernel global va Return system wide virtual memory statistics. The returned data consists of a .Va struct vmtotal . +.It vm.user_va0_disable +A flag which controls whether user processes can map virtual address 0. .It Li vm.uspace ( VM_USPACE ) The number of bytes allocated for each kernel stack. .It Li vm.uvmexp ( VM_UVMEXP ) 
@@ -1875,40 +2085,54 @@ The returned data consists of a .\" XXX vm.idlezero .El .Sh The ddb.* subtree ( CTL_DDB ) -The integer information available for the +The information available for the .Li ddb level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. .\" XXX sort -.Bl -column "ddb.fromconsoleXXX" "integerXXX" -offset indent +.Bl -column "Second level name" "integer" "Changeable" -offset indent .It Sy Second level name Type Changeable .It ddb.radix integer yes .It ddb.maxoff integer yes +.It ddb.maxwidth integer yes .It ddb.lines integer yes .It ddb.tabstops integer yes .It ddb.onpanic integer yes .It ddb.fromconsole integer yes +.It ddb.tee_msgbuf integer yes +.It ddb.commandonenter string yes .El .Pp .Bl -tag -width "123456" -.It Li ddb.radix ( DBCTL_RADIX ) +.It Li ddb.radix ( DDBCTL_RADIX ) The input and output radix. -.It Li ddb.maxoff ( DBCTL_MAXOFF ) +.It Li ddb.maxoff ( DDBCTL_MAXOFF ) The maximum symbol offset. -.It Li ddb.lines ( DBCTL_LINES ) +.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH ) +The maximum output line width. +.It Li ddb.lines ( DDBCTL_LINES ) Number of display lines. -.It Li ddb.tabstops ( DBCTL_TABSTOPS ) +.It Li ddb.tabstops ( DDBCTL_TABSTOPS ) Tab width. -.It Li ddb.onpanic ( DBCTL_ONPANIC ) -If non-zero, DDB will be entered when the kernel panics. -.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE ) +.It Li ddb.onpanic ( DDBCTL_ONPANIC ) +If non-zero, DDB will be entered if the kernel panics. +.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE ) If not zero, DDB may be entered by sending a break on a serial console or by a special key sequence on a graphics console. -.\" XXX tee_msgbuf maxwidth commandonenter +.It Li ddb.tee_msgbuf +If not zero, DDB will output also to the kernel message buffer. +.It Li ddb.commandonenter +If not empty, a command to be executed on each enter to the +.Tn DDB . 
+.\" +.\" XXX: (a) ddb.commandonenter is missing in ddb(4); +.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter. .El .Pp -These MIB nodes are also available as variables from within the DDB. +Some of these +.Tn MIB +nodes are also available as variables from within the debugger. See .Xr ddb 4 for more details. @@ -1917,13 +2141,22 @@ The .Li security level contains various security-related settings for the system. +The available second level names are: +.Bl -column "Second level name" "integer" "Changeable" -offset indent +.It Sy Second level name Type Changeable +.It Li security.curtain integer yes +.It Li security.models node not applicable +.It Li security.pax node not applicable +.El +.Pp Available settings are detailed below. .Pp .Bl -tag -width "123456" .It Li security.curtain -If non-zero, will filter return objects according to the user-id +If non-zero, will filter return objects according to the user +.Tn ID requesting information about them, preventing from users any -access to objects they don't own. +access to objects they do not own. .Pp At the moment, it affects .Xr ps 1 , @@ -1938,7 +2171,7 @@ PCBs), and .It Li security.models .Nx supports pluggable security models. -Every security model used, whether if loaded as an LKM or built with the system, +Every security model used, whether if loaded as a module or built with the system, is required to add an entry to this node with at least one element, .Dq name , indicating the name of the security model. 
@@ -1954,9 +2187,47 @@ For more information on any of the PaX f .Xr paxctl 8 and .Xr security 8 . +The available third and fourth level names are: +.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \ +-offset 2n +.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable +.It Li security.pax.aslr.enabled integer yes +.\".It Li security.pax.aslr.exec_len integer yes +.It Li security.pax.aslr.global integer yes +.\".It Li security.pax.aslr.mmap_len integer yes +.\".It Li security.pax.aslr.stack_len integer yes +.It Li security.pax.mprotect.enabled integer yes +.It Li security.pax.mprotect.global integer yes +.It Li security.pax.segvguard.enabled integer yes +.It Li security.pax.segvguard.expiry_timeout integer yes +.It Li security.pax.segvguard.global integer yes +.It Li security.pax.segvguard.max_crashes integer yes +.It Li security.pax.segvguard.suspend_timeout integer yes +.El .Pp .Bl -tag -width "123456" -.It Li security.pax.mprotect.enable +.It Li security.pax.aslr.enabled +Enable PaX ASLR (Address Space Layout Randomization). +.Pp +The value of this +knob must be non-zero for PaX ASLR to be enabled, even if a program is set to +explicit enable. +.\".It Li security.pax.aslr.exec_len +.\" XXX: Undocumented. +.It Li security.pax.aslr.global +Specifies the default global policy for programs without an +explicit enable/disable flag. +.Pp +When non-zero, all programs will get PaX ASLR, except those exempted with +.Xr paxctl 8 . +Otherwise, all programs will not get PaX ASLR, except those specifically +marked as such with +.Xr paxctl 8 . +.\".It Li security.pax.aslr.mmap_len +.\" XXX: Undocumented. +.\" .It Li security.pax.aslr.stack_len +.\" XXX: Undocumented. +.It Li security.pax.mprotect.enabled Enable PaX MPROTECT restrictions. .Pp These are 
@@ -1975,7 +2246,7 @@ except those exempted with Otherwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with .Xr paxctl 8 . -.It Li security.pax.segvguard.enable +.It Li security.pax.segvguard.enabled Enable PaX Segvguard. .Pp PaX Segvguard can detect and prevent certain exploitation attempts, where @@ -1987,6 +2258,9 @@ The .Nx interface and implementation of the Segvguard is still experimental, and may change in future releases. +.It Li security.pax.segvguard.expiry_timeout +If the max number was not reached within this timeout (in seconds), the entry +will expire. .It Li security.pax.segvguard.global Specifies the default global policy for programs without an explicit enable/disable flag. @@ -1997,14 +2271,11 @@ except those exempted with Otherwise, no program will get the PaX Segvguard restrictions, except those specifically marked as such with .Xr paxctl 8 . -.It Li security.pax.segvguard.expiry_timeout -If the max number was not reached within this timeout (in seconds), the entry -will expire. +.It Li security.pax.segvguard.max_crashes +The maximum number of segfaults a program can receive before suspension. .It Li security.pax.segvguard.suspend_timeout Number of seconds to suspend a user from running a faulting program when the limit was exceeded. -.It Li security.pax.segvguard.max_crashes -Max number of segfaults a program can receive before suspension. .El .El .Sh The vendor.* subtree ( CTL_VENDOR )
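Review bot: In hunk @@ -840,38 +1035,16 @@ the whole kern.coredump.setid description (dump, group, mode, owner, path) is deleted without anything in the diff saying whether the node itself was removed from the kernel. If the sysctls still exist this drops the only documentation of how set-id core dumps are gated, which matters because a core of a set-id process can expose privileged memory; either keep the text or state in the commit that the node is gone. In the same hunk the machdep table now lists machdep.booted_kernel but leaves only ".\" XXX: Document the above." where the other subtrees have a tagged description; a one-line entry in a .Bl -tag list like the other subtrees would be better than a comment.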
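Review bot: The units of the new tcp.keepinit entry in hunk @@ -1363,6 +1363,8 @@ look inconsistent with its neighbours. It says "Timeout in seconds during connection establishment", while the adjacent keepalive entry in the same list ends with "See also tcp.slowhz", i.e. those values are expressed relative to the slow timer rather than in seconds. Confirm which unit keepinit uses and word it the same way. Also, in hunk @@ -968,9 +1143,11 @@ the row "+.It tcp keepinit integer yes" is inserted after "tcp slowhz" instead of next to keepidle, keepintvl and keepcnt, which breaks the grouping of the keepalive knobs in the table.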
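Review bot: The new tcp.drop row in hunk @@ -968,9 +1143,11 @@ is marked "struct no" in the Changeable column, but the description added in hunk @@ -1203,6 +1387,11 @@ ("Drop a TCP socket pair connection.") describes an action that is performed by writing to the node. The page defines the column as "whether a process with appropriate privilege may change the value", so "no" is misleading here; mark it "yes" or say explicitly that it is written with the socket pair as the new value, and state which privilege is required, since dropping arbitrary connections is an administrative action. For tcp.ident the text should likewise say that the socket pair is passed in and the owning user ID is returned, so the reader knows the node is queried with input rather than read like a plain integer.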
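Review bot: Hunk @@ -1189,10 +1377,6 @@ removes the tcp.newreno description, but no hunk in this diff removes a "tcp newreno" row from the protocol table above it. Check that the table no longer lists the variable; a row without a description (or a description for a node that no longer exists) is exactly the kind of mismatch the rest of this revision is cleaning up.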
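Review bot: The ip.hashsize text in hunk @@ -1060,6 +1237,12 @@ (and its verbatim copy for ip6.hashsize in hunk @@ -1355,6 +1546,12 @@) says "This value must be a power of 2 (64, 256...)" but not what happens when it is not one: whether the write is rejected with an error or the value is rounded. It also gives no default, while the ip.maxflows entry it cross-references does ("The default value is 256."). Add both, since an administrator tuning the fast-forward table needs to know the starting point and how an invalid value fails.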
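Review bot: The icmp.bmcastecho entry added in hunk @@ -1127,6 +1310,9 @@ should state the default value. Replying to echo or timestamp requests addressed to the broadcast address makes every host on the segment a reflector for smurf-style amplification, which is why the knob exists and why it should be off unless there is a specific need; a sentence to that effect next to "If set to 1, enables responding..." tells the reader why not to flip it.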
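Review bot: The new vm.user_va0_disable entry in hunk @@ -1862,6 +2070,8 @@ is written as ".It vm.user_va0_disable" while the sibling entries use ".It Li vm.uspace ( VM_USPACE )", so it lacks both the Li markup and the constant. The wording "A flag which controls whether user processes can map virtual address 0." also leaves the polarity unclear; say "If non-zero, user processes are prevented from mapping virtual address 0" and give the default, and note why it matters: a user mapping at address 0 turns a kernel NULL pointer dereference into code the attacker controls.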
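Review bot: In hunk @@ -1875,40 +2085,54 @@ the descriptions for ddb.tee_msgbuf and ddb.commandonenter carry no parenthesised constant, and the trailing comment admits no DDBCTL definitions exist for them; rather than leaving that as an XXX, either add the definitions in the header in the same change or say in the text that these two nodes have no CTL constant. Minor wording: "a command to be executed on each enter to the DDB" reads better as "a command executed each time DDB is entered".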
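Review bot: Three points on the security.pax hunks (@@ -1954,9 +2187,47 @@ onward). First, the rename of security.pax.mprotect.enable and security.pax.segvguard.enable to ".enabled" must be confirmed against the node names the kernel actually registers, since a wrong name in this page means the setting silently never takes effect from sysctl.conf. Second, security.pax.aslr.exec_len, mmap_len and stack_len are commented out as "Undocumented"; they determine how many bits of randomisation each region gets, which is what decides whether ASLR is worth anything, so they deserve a description rather than being hidden. Third, after the reordering in hunk @@ -1997,14 +2271,11 @@ the expiry_timeout text still says "If the max number was not reached" without naming the knob; write "If security.pax.segvguard.max_crashes was not reached within this timeout".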