[src/trunk]: src Centralize documentation about exported sysctl variables in ...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src Centralize documentation about exported sysctl variables in ...
From: elad <elad%NetBSD.org@localhost>
Date: Mon, 06 Apr 2020 17:58:28 +0000

details:   https://anonhg.NetBSD.org/src/rev/0b1ae5b53a3a
branches:  trunk
changeset: 747812:0b1ae5b53a3a
user:      elad <elad%NetBSD.org@localhost>
date:      Fri Oct 02 20:31:19 2009 +0000

description:
Centralize documentation about exported sysctl variables in the relevant
secmodel's man-page.

diffstat:

 sbin/mount/mount.8                    |  25 +++++-----------------
 share/man/man7/sysctl.7               |   9 +++----
 share/man/man9/secmodel_securelevel.9 |  12 +++++++++-
 share/man/man9/secmodel_suser.9       |  39 ++++++++++++++++++++++++++++++++++-
 4 files changed, 59 insertions(+), 26 deletions(-)

diffs (155 lines):

diff -r b368176e4c98 -r 0b1ae5b53a3a sbin/mount/mount.8
--- a/sbin/mount/mount.8        Fri Oct 02 20:15:07 2009 +0000
+++ b/sbin/mount/mount.8        Fri Oct 02 20:31:19 2009 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: mount.8,v 1.67 2009/02/23 08:14:53 wiz Exp $
+.\"    $NetBSD: mount.8,v 1.68 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 1980, 1989, 1991, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"     @(#)mount.8    8.8 (Berkeley) 6/16/94
 .\"
-.Dd February 22, 2009
+.Dd October 2, 2009
 .Dt MOUNT 8
 .Os
 .Sh NAME
@@ -133,23 +133,10 @@
 .Pp
 In
 .Nx ,
-a file system can only be mounted by an ordinary user who owns the
-point
-.Ar node
-and has access to the
-.Ar special
-device (at least read permissions).
-Also, the
-.Em vfs.generic.usermount
-.Xr sysctl 3
-must be set to 1 to permit file system mounting by ordinary users,
-see
-.Xr sysctl 8 .
-Finally, the flags
-.Cm nosuid
-and
-.Cm nodev
-must be given for non-superuser mounts.
+the file-system mounting policy is dictated by the running security models.
+The default security model may allow unprivileged mounting; see
+.Xr secmodel_suser 9
+for details. 
 .Pp
 The options are as follows:
 .Bl -tag -width indent
diff -r b368176e4c98 -r 0b1ae5b53a3a share/man/man7/sysctl.7
--- a/share/man/man7/sysctl.7   Fri Oct 02 20:15:07 2009 +0000
+++ b/share/man/man7/sysctl.7   Fri Oct 02 20:31:19 2009 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: sysctl.7,v 1.24 2009/09/11 19:43:26 wiz Exp $
+.\"    $NetBSD: sysctl.7,v 1.25 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"    @(#)sysctl.3    8.4 (Berkeley) 5/9/95
 .\"
-.Dd September 11, 2009
+.Dd October 2, 2009
 .Dt SYSCTL 7
 .Os
 .Sh NAME
@@ -713,9 +713,8 @@
 Maximum socket buffer size.
 .\" XXX units?
 .It Li kern.securelevel ( KERN_SECURELVL )
-The system security level.
-This level may be raised by processes with appropriate privilege.
-It may only be lowered by process 1.
+See
+.Xr secmodel_securelevel 9 .
 .It Li kern.somaxkva ( KERN_SOMAXKVA )
 Maximum amount of kernel memory to be used for socket buffers.
 .\" XXX units?
diff -r b368176e4c98 -r 0b1ae5b53a3a share/man/man9/secmodel_securelevel.9
--- a/share/man/man9/secmodel_securelevel.9     Fri Oct 02 20:15:07 2009 +0000
+++ b/share/man/man9/secmodel_securelevel.9     Fri Oct 02 20:31:19 2009 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: secmodel_securelevel.9,v 1.6 2009/07/25 16:20:11 mbalmer Exp $
+.\" $NetBSD: secmodel_securelevel.9,v 1.7 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
 .\" Copyright (c) 2000 Hugh Graham
@@ -180,6 +180,16 @@
 interpreter, through any mechanism) and the kernel itself are "programs
 that run while the security level is 0" and must be considered part of
 the TCB.
+.Pp
+The following
+.Xr sysctl 3
+variables are exported:
+.Bl -tag -width compact
+.It security.models.securelevel.securelevel
+The system security level.
+This level may be raised by processes with appropriate privilege.
+It may only be lowered by process 1 (init).
+.El
 .Sh SEE ALSO
 .Xr kauth 9 ,
 .Xr secmodel 9 ,
diff -r b368176e4c98 -r 0b1ae5b53a3a share/man/man9/secmodel_suser.9
--- a/share/man/man9/secmodel_suser.9   Fri Oct 02 20:15:07 2009 +0000
+++ b/share/man/man9/secmodel_suser.9   Fri Oct 02 20:31:19 2009 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: secmodel_suser.9,v 1.2 2009/10/02 19:50:37 elad Exp $
+.\" $NetBSD: secmodel_suser.9,v 1.3 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 2009 Elad Efrat <elad%NetBSD.org@localhost>
 .\" All rights reserved.
@@ -41,6 +41,43 @@
 .Em super-user
 is the host administrator, considered to have higher privileges than other
 users.
+.Pp
+The following
+.Xr sysctl 3
+variables are exported:
+.Bl -tag -width compact
+.It security.models.suser.curtain
+If non-zero, will filter returned objects according to the user-id
+requesting information about them, preventing from users any access to
+objects they don't own.
+.Pp
+At the moment, it affects
+.Xr ps 1 ,
+.Xr netstat 1
+(for
+.Dv PF_INET ,
+.Dv PF_INET6 ,
+and
+.Dv PF_UNIX
+PCBs), and
+.Xr w 1 .
+.It security.models.suser.usermount
+Allow non-superuser mounts.
+.Pp
+If non-zero, file-systems are allowed to be mounted by an ordinary user who
+owns the point
+.Ar node
+and has at least read access to the 
+.Ar special
+device 
+.Xr mount 8
+arguments.
+Finally, the flags
+.Cm nosuid
+and
+.Cm nodev
+must be given for non-superuser mounts.
+.El
 .Sh SEE ALSO
 .Xr kauth 9 ,
 .Xr secmodel 9 ,

Prev by Date: [src/trunk]: src/usr.bin/xlint/lint1 remove debugging
Next by Date: [src/trunk]: src/sys/secmodel/securelevel Create securelevel variable under s...
Previous by Thread: [src/trunk]: src/usr.bin/xlint/lint1 remove debugging
Next by Thread: [src/trunk]: src/sys/secmodel/securelevel Create securelevel variable under s...
Indexes:

Home | Main Index | Thread Index | Old Index