Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v rcsdiff: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.24 retrieving revision 1.52 diff -u -p -r1.24 -r1.52 --- src/share/man/man7/sysctl.7 2009/09/11 19:43:26 1.24 +++ src/share/man/man7/sysctl.7 2010/12/11 19:55:53 1.52 @@ -1,4 +1,4 @@ -.\" $NetBSD: sysctl.7,v 1.24 2009/09/11 19:43:26 wiz Exp $ +.\" $NetBSD: sysctl.7,v 1.52 2010/12/11 19:55:53 jruoho Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 .\" -.Dd September 11, 2009 +.Dd December 11, 2010 .Dt SYSCTL 7 .Os .Sh NAME @@ -68,9 +68,9 @@ sysctl variable relative to the upper le See the .Xr sysctl 3 manual page for programming examples. -.Sh Top level names +.Ss Top level names The top level names are defined with a CTL_ prefix in -.Aq Pa sys/sysctl.h , +.In sys/sysctl.h , and are as follows. The next and subsequent levels down are found in the include files listed here, and described in separate sections below. @@ -90,7 +90,7 @@ listed here, and described in separate s .It emul CTL_EMUL sys/sysctl.h Emulation settings .It security CTL_SECURITY sys/sysctl.h Security settings .El -.Sh The debug.* subtree +.Ss The debug.* subtree The debugging variables vary from system to system. A debugging variable may be added or deleted without need to recompile .Nm @@ -112,6 +112,7 @@ if a variable is initialized in more tha For example, to export the variable .Dv dospecialcheck as a debugging variable, the following declaration would be used: +.Pp .Bd -literal -offset indent -compact int dospecialcheck = 1; struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck }; 
@@ -127,34 +128,35 @@ See .\" and .\" .Xr sysctl 9 for more information. -.Sh The vfs.* subtree +.Ss The vfs.* subtree A distinguished second level name, .Li vfs.generic ( VFS_GENERIC ) , is used to get general information about all filesystems. -One of its third level identifiers is -.Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM ) -that gives the highest valid filesystem type number. -Its other third level identifier is -.Li vfs.generic.conf ( VFS_CONF ) -that returns configuration information about the filesystem -type given as a fourth level identifier. -The remaining second level identifiers are the -filesystem type number returned by a +It has the following third level identifiers: +.Bl -tag -width compact +.It vfs.generic.maxtypenum ( VFS_MAXTYPENUM ) +The highest valid filesystem type number. +.It vfs.generic.conf ( VFS_CONF ) +Returns configuration information about the file-system type given as a fourth +level identifier. +.El +.Pp +The remaining second level identifiers are the file-system names, identified +by the type number returned by a .Xr statvfs 2 call or from .Li vfs.generic.conf . The third level identifiers available for each filesystem are given in the header file that defines the mount argument structure for that filesystem. -.Sh The hw.* subtree +.Ss The hw.* subtree The string and integer information available for the .Li hw level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -.Bl -column "hw.acpi.supported_states" "integer" "Changeable" -offset indent +.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent .It Sy Second level name Type Changeable -.It hw.acpi.supported_states string no .It hw.alignbytes integer no .It hw.byteorder integer no .It hw.cnmagic string yes 
@@ -172,25 +174,6 @@ privilege may change the value. .El .Pp .Bl -tag -width "123456" -.It Li hw.acpi.support_states -List of possible -.Tn ACPI -sleep states. -The list can contain the following values: -.Bl -tag -width XS1X -.It S0 -fully running -.It S1 -power on suspend (CPU and hard disks are off) -.It S2 -similar to S3, usually not implemented -.It S3 -suspend-to-RAM -.It S4 -suspend-to-disk (needs BIOS support) -.It S5 -power off -.El .It Li hw.alignbytes ( HW_ALIGNBYTES ) Alignment constraint for all possible data types. This shows the value 
@@ -246,31 +229,35 @@ The bytes of non-kernel memory as a 32-b .It Li hw.usermem64 ( HW_USERMEM64 ) The bytes of non-kernel memory as a 64-bit integer. .El -.Sh The kern.* subtree +.Ss The kern.* subtree +This subtree includes data generally related to the kernel. The string and integer information available for the .Li kern level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. -The types of data currently available are process information, -system vnodes, the open file entries, routing table entries, -virtual memory statistics, load average history, and clock rate -information. -.Bl -column "kern.posix_reader_writer_locks" "struct kinfo_drivers" "not applicable" +.Bl -column "kern.posix_reader_writer_locks" \ +"struct kinfo_drivers" "not applicable" .It Sy Second level name Type Changeable +.It kern.aio_listio_max integer yes +.It kern.aio_max integer yes +.It kern.arandom integer no .It kern.argmax integer no -.It kern.autonicetime integer yes -.It kern.autoniceval integer yes +.It kern.boothowto integer no .It kern.boottime struct timeval no -.It kern.bufq node not applicable +.\".It kern.bufq node not applicable .It kern.ccpu integer no .It kern.clockrate struct clockinfo no .It kern.consdev integer no +.It kern.coredump node not applicable .It kern.cp_id struct no .It kern.cp_time uint64_t[\|] no +.It kern.cryptodevallowsoft integer yes .It kern.defcorename string yes +.It kern.detachall integer yes .It kern.domainname string yes .It kern.drivers struct kinfo_drivers no +.It kern.dump_on_panic integer yes .It kern.file struct file no .It kern.forkfsleep integer yes .It kern.fscale integer no @@ -279,6 +266,7 @@ information. .It kern.hostid integer yes .It kern.hostname string yes .It kern.iov_max integer no +.It kern.ipc node not applicable .It kern.job_control integer no .It kern.labeloffset integer no .It kern.labelsector integer no 
@@ -295,18 +283,25 @@ information. .It kern.memlock integer no .It kern.memlock_range integer no .It kern.memory_protection integer no +.It kern.module node not applicable .It kern.monotonic_clock integer no +.It kern.mqueue node not applicable .It kern.msgbuf integer no .It kern.msgbufsize integer no .It kern.ngroups integer no +.\".It kern.no_sa_support integer yes .It kern.ntptime struct ntptimeval no .It kern.osrelease string no -.It kern.osrev integer no +.It kern.osrevision integer no .It kern.ostype string no +.\".It kern.panic_now integer yes .It kern.pipe node not applicable -.It kern.posix1 integer no +.\" .It kern.posix node not applicable +.It kern.posix1version integer no +.It kern.posix_aio integer no .It kern.posix_barriers integer no .It kern.posix_reader_writer_locks integer no +.\".It kern.posix_sched integer yes .It kern.posix_semaphores integer no .It kern.posix_spin_locks integer no .It kern.posix_threads integer no 
@@ -314,33 +309,48 @@ information. .It kern.proc struct kinfo_proc no .It kern.proc2 struct kinfo_proc2 no .It kern.proc_args string no -.It kern.prof node not applicable +.It kern.profiling node not applicable +.\".It kern.pset node not applicable .It kern.rawpartition integer no .It kern.root_device string no .It kern.root_partition integer no .It kern.rtc_offset integer yes .It kern.saved_ids integer no +.It kern.sbmax integer yes +.\".It kern.sched node not applicable .It kern.securelevel integer raise only +.It kern.somaxkva integer yes .It kern.synchronized_io integer no -.It kern.ipc node not applicable .It kern.timecounter node not applicable .It kern.timex struct no .It kern.tkstat node not applicable .It kern.urandom integer no +.It kern.usercrypto integer yes +.It kern.userasymcrypto integer yes +.It kern.veriexec node not applicable .It kern.version string no .It kern.vnode struct vnode no .El .Bl -tag -width "123456" +.It Li kern.aio_listio_max +The maximum number of asynchronous +.Tn I/O +operations in a single list I/O call. +Like with all variables related to +.Xr aio 3 , +the variable may be created and removed dynamically +upon loading or unloading the corresponding kernel module. +.It Li kern.aio_max +The maximum number of asynchronous I/O operations. +.It Li kern.arandom +This variable picks a random number each time it is queried. +The used random number generator +.Pq Tn RNG +is based on +.Xr arc4random 3 . .It Li kern.argmax ( KERN_ARGMAX ) The maximum bytes of argument to .Xr execve 2 . -.It Li kern.autonicetime ( KERN_AUTONICETIME ) -The number of seconds of CPU-time a non-root process may accumulate before -having its priority lowered from the default to the value of KERN_AUTONICEVAL. -If set to 0, automatic lowering of priority is not performed, and if set to \-1 -all non-root processes are immediately lowered. -.It Li kern.autoniceval ( KERN_AUTONICEVAL ) -The priority assigned for automatically niced processes. 
.It Li kern.boothowto Flags passed from the boot loader; see .Xr reboot 2 @@ -350,6 +360,8 @@ A .Va struct timeval structure is returned. This structure contains the time that the system was booted. +.\" .It Li kern.bufq +.\" XXX: Undocumented. .It Li kern.ccpu ( KERN_CCPU ) The scheduler exponential decay value. .It Li kern.clockrate ( KERN_CLOCKRATE ) @@ -359,8 +371,45 @@ structure is returned. This structure contains the clock, statistics clock and profiling clock frequencies, the number of micro-seconds per hz tick, and the clock skew rate. +Refer to +.Xr hz 9 +for additional details. .It Li kern.consdev ( KERN_CONSDEV ) Console device. +.It Li kern.coredump +Settings related to set-id processes coredumps. +By default, set-id processes do not dump core in situations where +other processes would. +The settings in this node allows an administrator to change this +behavior. +.Pp +The third level name is +.Dv kern.coredump.setid +and fourth level variables are described below. +.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent +.It Sy Fourth level name Type Changeable +.It kern.coredump.setid.dump integer yes +.It kern.coredump.setid.group integer yes +.It kern.coredump.setid.mode integer yes +.It kern.coredump.setid.owner integer yes +.It kern.coredump.setid.path string yes +.El +.Bl -tag -width "123456" +.It Li kern.coredump.setid.dump +If non-zero, set-id processes will dump core. +.It Li kern.coredump.setid.group +The group-id for the set-id processes' coredump. +.It Li kern.coredump.setid.mode +The mode for the set-id processes' coredump. +See +.Xr chmod 1 . +.It Li kern.coredump.setid.owner +The user-id that will be used as the owner of the set-id processes' +coredump. +.It Li kern.coredump.setid.path +The path to which set-id processes' coredumps will be saved to. +Same syntax as kern.defcorename. +.El .It Li kern.cp_id ( KERN_CP_ID ) Mapping of CPU number to CPU id. .It Li kern.cp_time ( KERN_CP_TIME ) 
@@ -371,6 +420,21 @@ On multi-processor systems, the sum acro appropriate space is given for one data set for each CPU. Data for a specific CPU can also be obtained by adding the number of the CPU at the end of the MIB, enlarging it by one. +.It Li kern.cryptodevallowsoft +This variable controls userland access to hardware versus software transforms +in the +.Xr crypto 4 +system. +The available values are as follows: +.Bl -tag -width XX0 -offset indent +.It Dv \*[Lt] 0 +Always force userlevel requests to use software transforms. +.It Dv = 0 +If present, use hardware and grant userlevel requests for +non-accelerated transforms (handling the latter in software). +.It Dv \*[Gt] 0 +Allow user requests only for transforms which are hardware-accelerated. +.El .It Li kern.defcorename ( KERN_DEFCORENAME ) Default template for the name of core dump files (see also .Li proc.pid.corename @@ -386,10 +450,10 @@ and can be changed with the kernel confi (see .Xr options 4 ). +.It Li kern.detachall +Detach all devices at shutdown. .It Li kern.domainname ( KERN_DOMAINNAME ) Get or set the YP domain name. -.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC ) -Perform a crash dump on system panic. .It Li kern.drivers ( KERN_DRIVERS ) Return an array of .Va struct kinfo_drivers @@ -401,6 +465,9 @@ field is always a NUL terminated string. The .Va d_bmajor field will be set to \-1 if the driver doesn't have a block device. +.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC ) +Perform a crash dump on system +.Xr panic 9 . .It Li kern.file ( KERN_FILE ) Return the entire file table. The returned data consists of a single 
@@ -430,9 +497,15 @@ Returns the number of .Xr hardclock 9 ticks. .It Li kern.hostid ( KERN_HOSTID ) -Get or set the host id. +Get or set the host identifier. +This is aimed to replace the legacy +.Xr gethostid 3 +and +.Xr sethostid 3 +system calls. .It Li kern.hostname ( KERN_HOSTNAME ) -Get or set the hostname. +Get or set the +.Xr hostname 1 . .It Li kern.iov_max ( KERN_IOV_MAX ) Return the maximum number of .Va iovec 
@@ -444,6 +517,92 @@ structures that a process has available .Xr sendmsg 2 and .Xr writev 2 . +.It Li kern.ipc ( KERN_SYSVIPC ) +Return information about the SysV IPC parameters. +The third level names for the ipc variables are detailed below. +.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.ipc.sysvmsg integer no +.It kern.ipc.sysvsem integer no +.It kern.ipc.sysvshm integer no +.It kern.ipc.sysvipc_info struct no +.It kern.ipc.shmmax integer yes +.It kern.ipc.shmmni integer yes +.It kern.ipc.shmseg integer yes +.It kern.ipc.shmmaxpgs integer yes +.It kern.ipc.shm_use_phys integer yes +.It kern.ipc.msgmni integer yes +.It kern.ipc.msgseg integer yes +.It kern.ipc.semmni integer yes +.It kern.ipc.semmns integer yes +.It kern.ipc.semmnu integer yes +.El +.Bl -tag -width "123456" +.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG ) +Returns 1 if System V style message queue functionality is available +on this system, +otherwise 0. +.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM ) +Returns 1 if System V style semaphore functionality is available +on this system, +otherwise 0. +.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM ) +Returns 1 if System V style share memory functionality is available +on this system, +otherwise 0. +.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO ) +Return System V style IPC configuration and run-time information. +The fourth level name selects the System V style IPC facility. +.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent +.It Sy Fourth level name Type +.It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info +.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info +.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info +.El +.Pp +.Bl -tag -width "123456" +.It Li KERN_SYSVIPC_MSG_INFO +Return information on the System V style message facility. +The +.Sy msg_sysctl_info +structure is defined in +.In sys/msg.h . 
+.It Li KERN_SYSVIPC_SEM_INFO +Return information on the System V style semaphore facility. +The +.Sy sem_sysctl_info +structure is defined in +.In sys/sem.h . +.It Li KERN_SYSVIPC_SHM_INFO +Return information on the System V style shared memory facility. +The +.Sy shm_sysctl_info +structure is defined in +.In sys/shm.h . +.El +.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX ) +Max shared memory segment size in bytes. +.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI ) +Max number of shared memory identifiers. +.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG ) +Max shared memory segments per process. +.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS ) +Max amount of shared memory in pages. +.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS ) +Locking of shared memory in physical memory. +If 0, memory can be swapped +out, otherwise it will be locked in physical memory. +.It Li kern.ipc.msgmni +Max number of message queue identifiers. +.It Li kern.ipc.msgseg +Max number of number of message segments. +.It Li kern.ipc.semmni +Max number of number of semaphore identifiers. +.It Li kern.ipc.semmns +Max number of number of semaphores in system. +.It Li kern.ipc.semmnu +Max number of undo structures in system. +.El .It Li kern.job_control ( KERN_JOB_CONTROL ) Return 1 if job control is available on this system, otherwise 0. .It Li kern.labeloffset ( KERN_LABELOFFSET ) 
@@ -527,10 +686,60 @@ otherwise 0. Returns 1 if the POSIX 1003.1b Memory Protection Option is available on this system, otherwise 0. +.It Li kern.module +Settings related to kernel modules. +The third level names for the settings are described below. +.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.module.autoload integer yes +.It kern.module.verbose integer yes +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.module.autoload +A boolean that controls whether kernel modules are loaded automatically. +See +.Xr module 9 +for additional details. +.It Li kern.module.verbose +A boolean that enables or disables verbose +debug messages related to kernel modules. +.El .It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK ) Returns the standard version the implementation of the POSIX 1003.1b Monotonic Clock Option conforms to, otherwise 0. +.It Li kern.mqueue +Settings related to +.Tn POSIX +message queues; see +.Xr mqueue 3 . +This node is created dynamically when +the corresponding kernel module is loaded. +The third level names for the settings are described below. +.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.mqueue.mq_open_max integer yes +.It kern.mqueue.mq_prio_max integer yes +.It kern.mqueue.mq_max_msgsize integer yes +.It kern.mqueue.mq_def_maxmsg integer yes +.It kern.mqueue.mq_max_maxmsg integer yes +.El +.Pp +The variables are: +.Bl -tag -width "123456" +.It Li kern.mqueue.mq_open_max +The maximum number of message queue descriptors any single process can open. +.It Li kern.mqueue.mq_prio_max +The maximum priority of a message. +.It Li kern.mqueue.mq_max_msgsize +The maximum size of a message in a message queue. +.It Li kern.mqueue.mq_def_maxmsg +The default maximum message count. +.It Li kern.mqueue.mq_max_maxmsg +The maximum number of messages in a message queue. 
+.El .It Li kern.msgbuf ( KERN_MSGBUF ) The kernel message buffer, rotated so that the head of the circular kernel message buffer is at the start of the returned data. @@ -539,6 +748,8 @@ The returned data may contain NUL bytes. The maximum number of characters that the kernel message buffer can hold. .It Li kern.ngroups ( KERN_NGROUPS ) The maximum number of supplemental groups. +.\" .It Li kern.no_sa_support +.\" XXX: Undocumented. .It Li kern.ntptime ( KERN_NTPTIME ) A .Va struct ntptimeval @@ -552,6 +763,8 @@ The system release string. The system revision string. .It Li kern.ostype ( KERN_OSTYPE ) The system type string. +.\".It Li kern.panic_now +.\" XXX: Undocumented. .It Li kern.pipe ( KERN_PIPE ) Pipe settings. The third level names for the integer pipe settings is detailed below. @@ -579,9 +792,15 @@ Limit for direct transfers via page loan .It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES ) Number of "big" pipes. .El +.\" XXX: Undocumented .It Li kern.posix ( ? ) +.\" This is a node in which the only variable is semmax. .It Li kern.posix1version ( KERN_POSIX1 ) The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply. +.It Li kern.posix_aio +The version of +.St -p1003.1 +and its Asynchronous I/O option to which the system attempts to conform. .It Li kern.posix_barriers ( KERN_POSIX_BARRIERS ) The version of .St -p1003.1 @@ -596,6 +815,8 @@ and its Read-Write Locks option to which the system attempts to conform, otherwise 0. +.\".It Li kern.posix_sched +.\" XXX: Undocumented. .It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES ) The version of .St -p1003.1 @@ -698,6 +919,8 @@ Array of .Va struct tostruct describing destination of calls and their counts. .El +.\" .It Li kern.pset +.\" XXX: Undocumented. .It Li kern.rawpartition ( KERN_RAWPARTITION ) The raw partition of a disk (a == 0). .It Li kern.root_device ( KERN_ROOT_DEVICE ) 
@@ -713,9 +936,10 @@ Returns 1 if saved set-group and saved s Maximum socket buffer size. .\" XXX units? .It Li kern.securelevel ( KERN_SECURELVL ) -The system security level. -This level may be raised by processes with appropriate privilege. -It may only be lowered by process 1. +See +.Xr secmodel_securelevel 9 . +.\" .It Li kern.sched +.\" XXX: Undocumented. .It Li kern.somaxkva ( KERN_SOMAXKVA ) Maximum amount of kernel memory to be used for socket buffers. .\" XXX units? 
@@ -723,92 +947,6 @@ Maximum amount of kernel memory to be us Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available on this system, otherwise 0. -.It Li kern.ipc ( KERN_SYSVIPC ) -Return information about the SysV IPC parameters. -The third level names for the ipc variables are detailed below. -.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent -.It Sy Third level name Type Changeable -.It kern.ipc.sysvmsg integer no -.It kern.ipc.sysvsem integer no -.It kern.ipc.sysvshm integer no -.It kern.ipc.sysvipc_info struct no -.It kern.ipc.shmmax integer yes -.It kern.ipc.shmmni integer yes -.It kern.ipc.shmseg integer yes -.It kern.ipc.shmmaxpgs integer yes -.It kern.ipc.shm_use_phys integer yes -.It kern.ipc.msgmni integer yes -.It kern.ipc.msgseg integer yes -.It kern.ipc.semmni integer yes -.It kern.ipc.semmns integer yes -.It kern.ipc.semmnu integer yes -.El -.Bl -tag -width "123456" -.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG ) -Returns 1 if System V style message queue functionality is available -on this system, -otherwise 0. -.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM ) -Returns 1 if System V style semaphore functionality is available -on this system, -otherwise 0. -.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM ) -Returns 1 if System V style share memory functionality is available -on this system, -otherwise 0. -.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO ) -Return System V style IPC configuration and run-time information. -The fourth level name selects the System V style IPC facility. -.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent -.It Sy Fourth level name Type -.It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info -.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info -.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info -.El -.Pp -.Bl -tag -width "123456" -.It Li KERN_SYSVIPC_MSG_INFO -Return information on the System V style message facility. 
-The -.Sy msg_sysctl_info -structure is defined in -.Aq Pa sys/msg.h . -.It Li KERN_SYSVIPC_SEM_INFO -Return information on the System V style semaphore facility. -The -.Sy sem_sysctl_info -structure is defined in -.Aq Pa sys/sem.h . -.It Li KERN_SYSVIPC_SHM_INFO -Return information on the System V style shared memory facility. -The -.Sy shm_sysctl_info -structure is defined in -.Aq Pa sys/shm.h . -.El -.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX ) -Max shared memory segment size in bytes. -.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI ) -Max number of shared memory identifiers. -.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG ) -Max shared memory segments per process. -.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS ) -Max amount of shared memory in pages. -.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS ) -Locking of shared memory in physical memory. -If 0, memory can be swapped -out, otherwise it will be locked in physical memory. -.It Li kern.ipc.msgmni -Max number of message queue identifiers. -.It Li kern.ipc.msgseg -Max number of number of message segments. -.It Li kern.ipc.semmni -Max number of number of semaphore identifiers. -.It Li kern.ipc.semmns -Max number of number of semaphores in system. -.It Li kern.ipc.semmnu -Max number of undo structures in system. -.El .It Li kern.timecounter ( dynamic ) Display and control the timecounter source of the system. .Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent 
@@ -856,8 +994,28 @@ The number of raw input characters. .El .It Li kern.urandom ( KERN_URND ) Random integer value. +.It Li kern.usercrypto +When enabled, allows userland to +.Xr open 2 +the +.Pa /dev/crypto +special device, used by the +.Xr crypto 4 +system. +.It Li kern.userasymcrypto +Enables or disables the use of software asymmetric crypto support in the +.Xr crypto 4 +system. .It Li kern.veriexec -Tunings for Verixec. +Runtime information for +.Xr veriexec 8 . +.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent +.It Sy Third level name Type Changeable +.It kern.veriexec.algorithms string no +.It kern.veriexec.count node not applicable +.It kern.veriexec.strict integer yes +.It kern.veriexec.verbose integer yes +.El .Bl -tag -width "123456" .It Li kern.veriexec.algorithms Returns a string with the supported algorithms in Veriexec. 
@@ -895,39 +1053,17 @@ Each element of the array contains the k .Va struct vnode * followed by the vnode itself .Va struct vnode . -.It Li kern.coredump.setid -Settings related to set-id processes coredumps. -By default, set-id processes do not dump core in situations where -other processes would. -The settings in this node allows an administrator to change this -behavior. -.Pp -.Bl -tag -width "123456" -.It Li kern.coredump.setid.dump -If non-zero, set-id processes will dump core. -.It Li kern.coredump.setid.group -The group-id for the set-id processes' coredump. -.It Li kern.coredump.setid.mode -The mode for the set-id processes' coredump. -See -.Xr chmod 1 . -.It Li kern.coredump.setid.owner -The user-id that will be used as the owner of the set-id processes' -coredump. -.It Li kern.coredump.setid.path -The path to which set-id processes' coredumps will be saved to. -Same syntax as kern.defcorename. +.\" XXX: Undocumented: kern.lwp: no children? .El -.\" XXX kern.lwp -.El -.Sh The machdep.* subtree +.Ss The machdep.* subtree The set of variables defined is architecture dependent. Most architectures define at least the following variables. -.Bl -column "Second level name" "Type" "Changeable" -offset indent +.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent .It Sy Second level name Type Changeable -.It Li CPU_CONSDEV dev_t no +.It Li machdep.booted_kernel string no .El -.Sh The net.* subtree +.\" XXX: Document the above. +.Ss The net.* subtree The string and integer information available for the .Li net level is detailed below. @@ -982,6 +1118,7 @@ The currently defined protocols and name .It icmp maskrepl integer yes .It icmp rediraccept integer yes .It icmp redirtimeout integer yes +.It icmp bmcastecho integer yes .It ip allowsrcrt integer yes .It ip anonportmax integer yes .It ip anonportmin integer yes 
@@ -1191,6 +1328,9 @@ ICMP redirect. This defaults to 600 seconds. .It Li icmp.returndatabytes Number of bytes to return in an ICMP error message. +.It Li icmp.bmcastecho +If set to 1, enables responding to ICMP echo or timestamp request to the +broadcast address. .It Li tcp.ack_on_push If set to 1, TCP is to immediately transmit an ACK upon reception of a packet with PUSH set. @@ -1648,7 +1788,7 @@ The value is used when the kernel create on ACQUIRE PF_KEY message. .El .El -.Sh The proc.* subtree +.Ss The proc.* subtree The string and integer information available for the .Li proc level is detailed below. @@ -1780,7 +1920,7 @@ before it disappears. .Pp This value is also inherited by the process's children. .El -.Sh The user.* subtree ( CTL_USER ) +.Ss The user.* subtree ( CTL_USER ) The string and integer information available for the .Li user level is detailed below. @@ -1881,7 +2021,7 @@ at any one time. The minimum maximum number of types supported for the name of a timezone. .El -.Sh The vm.* subtree ( CTL_VM ) +.Ss The vm.* subtree ( CTL_VM ) The string and integer information available for the .Li vm level is detailed below. @@ -1948,6 +2088,8 @@ The value of the maxslp kernel global va Return system wide virtual memory statistics. The returned data consists of a .Va struct vmtotal . +.It vm.user_va0_disable +A flag which controls whether user processes can map virtual address 0. .It Li vm.uspace ( VM_USPACE ) The number of bytes allocated for each kernel stack. .It Li vm.uvmexp ( VM_UVMEXP ) @@ -1960,8 +2102,8 @@ The returned data consists of a .Va struct uvmexp_sysctl . .\" XXX vm.idlezero .El -.Sh The ddb.* subtree ( CTL_DDB ) -The integer information available for the +.Ss The ddb.* subtree ( CTL_DDB ) +The information available for the .Li ddb level is detailed below. The changeable column shows whether a process with appropriate 
@@ -1971,45 +2113,68 @@ privilege may change the value. .It Sy Second level name Type Changeable .It ddb.radix integer yes .It ddb.maxoff integer yes +.It ddb.maxwidth integer yes .It ddb.lines integer yes .It ddb.tabstops integer yes .It ddb.onpanic integer yes .It ddb.fromconsole integer yes +.It ddb.tee_msgbuf integer yes +.It ddb.commandonenter string yes .El .Pp .Bl -tag -width "123456" -.It Li ddb.radix ( DBCTL_RADIX ) +.It Li ddb.radix ( DDBCTL_RADIX ) The input and output radix. -.It Li ddb.maxoff ( DBCTL_MAXOFF ) +.It Li ddb.maxoff ( DDBCTL_MAXOFF ) The maximum symbol offset. -.It Li ddb.lines ( DBCTL_LINES ) +.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH ) +The maximum output line width. +.It Li ddb.lines ( DDBCTL_LINES ) Number of display lines. -.It Li ddb.tabstops ( DBCTL_TABSTOPS ) +.It Li ddb.tabstops ( DDBCTL_TABSTOPS ) Tab width. -.It Li ddb.onpanic ( DBCTL_ONPANIC ) +.It Li ddb.onpanic ( DDBCTL_ONPANIC ) If non-zero, DDB will be entered if the kernel panics. -.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE ) +.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE ) If not zero, DDB may be entered by sending a break on a serial console or by a special key sequence on a graphics console. -.\" XXX tee_msgbuf maxwidth commandonenter +.It Li ddb.tee_msgbuf +If not zero, DDB will output also to the kernel message buffer. +.It Li ddb.commandonenter +If not empty, a command to be executed on each enter to the +.Tn DDB . +.\" +.\" XXX: (a) ddb.commandonenter is missing in ddb(4); +.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter. .El .Pp -These MIB nodes are also available as variables from within the DDB. +Some of these +.Tn MIB +nodes are also available as variables from within the debugger. See .Xr ddb 4 for more details. -.Sh The security.* subtree ( CTL_SECURITY ) +.Ss The security.* subtree ( CTL_SECURITY ) The .Li security level contains various security-related settings for the system. 
+The available second level names are: +.Bl -column "Second level name" "integer" "Changeable" -offset indent +.It Sy Second level name Type Changeable +.It Li security.curtain integer yes +.It Li security.models node not applicable +.It Li security.pax node not applicable +.El +.Pp Available settings are detailed below. .Pp .Bl -tag -width "123456" .It Li security.curtain -If non-zero, will filter return objects according to the user-id +If non-zero, will filter return objects according to the user +.Tn ID requesting information about them, preventing from users any -access to objects they don't own. +access to objects they do not own. .Pp At the moment, it affects .Xr ps 1 , 
@@ -2040,14 +2205,33 @@ For more information on any of the PaX f .Xr paxctl 8 and .Xr security 8 . +The available third and fourth level names are: +.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \ +-offset 2n +.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable +.It Li security.pax.aslr.enabled integer yes +.\".It Li security.pax.aslr.exec_len integer yes +.It Li security.pax.aslr.global integer yes +.\".It Li security.pax.aslr.mmap_len integer yes +.\".It Li security.pax.aslr.stack_len integer yes +.It Li security.pax.mprotect.enabled integer yes +.It Li security.pax.mprotect.global integer yes +.It Li security.pax.segvguard.enabled integer yes +.It Li security.pax.segvguard.expiry_timeout integer yes +.It Li security.pax.segvguard.global integer yes +.It Li security.pax.segvguard.max_crashes integer yes +.It Li security.pax.segvguard.suspend_timeout integer yes +.El .Pp .Bl -tag -width "123456" -.It Li security.pax.aslr.enable +.It Li security.pax.aslr.enabled Enable PaX ASLR (Address Space Layout Randomization). .Pp The value of this knob must be non-zero for PaX ASLR to be enabled, even if a program is set to explicit enable. +.\".It Li security.pax.aslr.exec_len +.\" XXX: Undocumented. .It Li security.pax.aslr.global Specifies the default global policy for programs without an explicit enable/disable flag. @@ -2057,7 +2241,11 @@ When non-zero, all programs will get PaX Otherwise, all programs will not get PaX ASLR, except those specifically marked as such with .Xr paxctl 8 . -.It Li security.pax.mprotect.enable +.\".It Li security.pax.aslr.mmap_len +.\" XXX: Undocumented. +.\" .It Li security.pax.aslr.stack_len +.\" XXX: Undocumented. +.It Li security.pax.mprotect.enabled Enable PaX MPROTECT restrictions. .Pp These are 
@@ -2076,7 +2264,7 @@ except those exempted with Otherwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with .Xr paxctl 8 . -.It Li security.pax.segvguard.enable +.It Li security.pax.segvguard.enabled Enable PaX Segvguard. .Pp PaX Segvguard can detect and prevent certain exploitation attempts, where @@ -2088,6 +2276,9 @@ The .Nx interface and implementation of the Segvguard is still experimental, and may change in future releases. +.It Li security.pax.segvguard.expiry_timeout +If the max number was not reached within this timeout (in seconds), the entry +will expire. .It Li security.pax.segvguard.global Specifies the default global policy for programs without an explicit enable/disable flag. @@ -2098,17 +2289,14 @@ except those exempted with Otherwise, no program will get the PaX Segvguard restrictions, except those specifically marked as such with .Xr paxctl 8 . -.It Li security.pax.segvguard.expiry_timeout -If the max number was not reached within this timeout (in seconds), the entry -will expire. +.It Li security.pax.segvguard.max_crashes +The maximum number of segfaults a program can receive before suspension. .It Li security.pax.segvguard.suspend_timeout Number of seconds to suspend a user from running a faulting program when the limit was exceeded. -.It Li security.pax.segvguard.max_crashes -Max number of segfaults a program can receive before suspension. .El .El -.Sh The vendor.* subtree ( CTL_VENDOR ) +.Ss The vendor.* subtree ( CTL_VENDOR ) The .Li vendor toplevel name is reserved to be used by vendors who wish to
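Review bot: in the vfs.* hunk (@@ -127,34 +128,35), `.Bl -tag -width compact` sets the tag column to the width of the literal word "compact"; if a compact list was intended, the flag is `-compact`, and a real width such as `-width "vfs.generic.maxtypenum"` is still needed for the two tags. The same hunk also introduces "file-system" while the unchanged context lines keep "filesystem"; pick one spelling for the section.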
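Review bot: in the kern.* column table (@@ -246,31 +229,35), the new rows `.It kern.aio_listio_max integer yes` and `.It kern.aio_max integer yes` look like permanent entries, but the tag-list text added later says these variables "may be created and removed dynamically upon loading or unloading the corresponding kernel module"; kern.timecounter already uses a "( dynamic )" marker in its tag, so mark the aio (and kern.mqueue) entries the same way so the table does not promise a MIB that may not exist.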
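Review bot: in the @@ -314,33 +309,48 hunk, the rows `.It kern.usercrypto integer yes` and `.It kern.userasymcrypto integer yes` (and the matching tag entries in @@ -856,8 +994,28) are out of alphabetical order, since "userasymcrypto" sorts before "usercrypto" while the rest of the table is sorted; swap them. In the same hunk, "This variable picks a random number each time it is queried. The used random number generator (RNG) is based on arc4random(3)." reads awkwardly; "Returns a fresh random number on each query; the generator is the one behind arc4random(3)." says the same thing.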
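Review bot: in the kern.coredump hunk (@@ -359,8 +371,45), "The settings in this node allows an administrator" should be "allow", and "The path to which set-id processes' coredumps will be saved to." has a duplicated "to". More importantly, none of setid.group, setid.mode, setid.owner or setid.path states its default; since the text explains that set-id processes deliberately do not dump core by default, a reader who sets setid.dump to non-zero needs to know where the core lands and with which owner, group and mode before turning it on.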
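Review bot: in the kern.cryptodevallowsoft hunk (@@ -371,6 +420,21), the "= 0" entry "If present, use hardware and grant userlevel requests for non-accelerated transforms (handling the latter in software)." never says what must be present; "If hardware is present, use it, and serve userlevel requests for non-accelerated transforms in software." removes the ambiguity. Stating the default value would also help, since the table marks the variable changeable.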
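Review bot: in the kern.hostid/kern.hostname hunk (@@ -430,9 +497,15), gethostid(3) and sethostid(3) are cross-referenced in section 3 but called "system calls"; use "functions" or "interfaces", and "This is aimed to replace" should be "This is intended to replace". The kern.hostname change renders as "Get or set the hostname(1)." because the `.Xr hostname 1` replaces the noun; keep "hostname" as a word and add "see hostname(1)" instead.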
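Review bot: the kern.ipc move (@@ -444,6 +517,92) carries the old typos along with the `.Aq Pa` to `.In` cleanup: "System V style share memory functionality" should be "shared memory", and "Max number of number of message segments", "Max number of number of semaphore identifiers" and "Max number of number of semaphores in system" each repeat "number of". Since the block is being rewritten anyway, fix these in the same commit.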
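Review bot: in the kern.module hunk (@@ -527,10 +686,60), "A boolean that controls whether kernel modules are loaded automatically." should say which value is the default, as autoload is marked changeable and an administrator auditing what the kernel will load on demand needs to know the shipped setting without reading module(9). The two lead-ins "The variables are as follows:" and "The variables are:" in the same hunk should also use one form.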
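Review bot: in the @@ -579,9 +792,15 hunk, `.It Li kern.posix ( ? )` stays visible in the rendered tag list with a literal "( ? )", while the corresponding column-table row `.\" .It kern.posix node not applicable` in @@ -295,18 +283,25 is commented out; either comment out both or document both, and the comment "This is a node in which the only variable is semmax." already gives enough to write a one-line entry.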
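Review bot: in the kern.securelevel hunk (@@ -713,9 +936,10), replacing the description with only "See secmodel_securelevel(9)." drops the explanation for the "raise only" entry the column table still carries for this variable. Keep a one-sentence summary (that the level can be raised by privileged processes and lowered only by process 1, as the removed lines said, or whatever secmodel_securelevel(9) now states) ahead of the cross-reference so the table entry remains self-explanatory.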
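Review bot: in the machdep.* hunk (@@ -895,39 +1053,17), the only remaining row `.It Li machdep.booted_kernel string no` has no tag-list description, which the hunk's own comment "XXX: Document the above." concedes; add at least a one-line entry before committing. The hunk also deletes the `CPU_CONSDEV dev_t no` row rather than giving it its machdep.* name, so that information is lost instead of converted.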
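Review bot: in the icmp.bmcastecho hunk (@@ -1191,6 +1328,9), "enables responding to ICMP echo or timestamp request to the broadcast address" should read "requests", and the entry should state its default the way the neighbouring icmp.redirtimeout entry does ("This defaults to 600 seconds."), since the table marks it changeable and an administrator reviewing the knob needs to know whether it ships enabled.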
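Review bot: in the vm.* hunk (@@ -1948,6 +2088,8), `.It vm.user_va0_disable` is missing the `Li` macro that every sibling entry uses (`.It Li vm.uspace ( VM_USPACE )`), and its description "A flag which controls whether user processes can map virtual address 0." gives neither the default nor which value disables the mapping.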
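Review bot: in the ddb.* hunk (@@ -1971,45 +2113,68), "If not zero, DDB will output also to the kernel message buffer." reads better as "If not zero, DDB also writes its output to the kernel message buffer.", and "a command to be executed on each enter to the DDB" as "a command executed each time DDB is entered". The trailing comment already records that tee_msgbuf and commandonenter have no DDBCTL definitions; a follow-up should add them so these two entries can get the "( DDBCTL_... )" tags the rest of the list now has.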
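Review bot: in the security.pax table hunk (@@ -2040,14 +2205,33), the header row `.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable` uses explicit `.Ta` separators and the list uses `-offset 2n`, while every other `.Bl -column` table in this patch uses whitespace-separated columns and `-offset indent`; align the style with the rest of the page.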
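Review bot: in the segvguard hunk (@@ -2088,6 +2276,9), "If the max number was not reached within this timeout (in seconds), the entry will expire." does not say which maximum; now that security.pax.segvguard.max_crashes is documented in the same list, name it: "If security.pax.segvguard.max_crashes is not reached within this many seconds, the crash counter for the program expires."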