1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-26 11:47:31 +00:00

security.7: add caveat about interim sysctl paths from r355436

r355436 moved mitigation sysctls to machdep.mitigations but did not
rationalize the sense of the invidual knobs.  Clarify that the old
names remain the canonical way to set these mitigations.

Backwards compatibility will be maintained for the original names
(e.g. hw.ibrs_disable), but not from the interim names
(e.g. machdep.mitigations.ibrs.disable).

Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Ed Maste 2019-12-11 16:43:54 +00:00
parent 037c0994bf
commit d777076f29
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=355613

View File

@ -28,7 +28,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd November 12, 2019
.Dd December 11, 2019
.Dt SECURITY 7
.Os
.Sh NAME
@ -944,6 +944,17 @@ information access more restricted.
Some people consider this as improving system security, so the knobs are
briefly listed there, together with controls which enable some mitigations
of the hardware state leaks.
.Pp
Hardware mitigation sysctl knobs described below have been moved under
.Pa machdep.mitigations ,
with backwards-compatibility shims to accept the existing names.
A future change will rationalize the sense of the individual sysctls
(so that enabled / true always indicates that the mitigation is active).
For that reason the previous names remain the canonical way to set the
mitigations, and are documented here.
Backwards compatibility shims for the interim sysctls under
.Pa machdep.mitigations
will not be added.
.Bl -tag -width security.bsd.unprivileged_proc_debug
.It Dv security.bsd.see_other_uids
Controls visibility of processes owned by different uid.