Date:      Tue, 27 Sep 2016 11:31:54 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r306366 - head/lib/libc/sys
Message-ID:  <201609271131.u8RBVsTH074760@repo.freebsd.org>

Author: kib
Date: Tue Sep 27 11:31:53 2016
New Revision: 306366
URL: https://svnweb.freebsd.org/changeset/base/306366

Log:
  Editing fixes for r306257, documentation for trapcap.
  
  Suggested by:	wblock
  Discussed with:	jilles
  Reviewed by:	cem (previous version)
  Sponsored by:	The FreeBSD Foundation
  MFC after:	1 week
  Differential revision:	https://reviews.freebsd.org/D8023

Modified:
  head/lib/libc/sys/cap_enter.2
  head/lib/libc/sys/procctl.2

Modified: head/lib/libc/sys/cap_enter.2
==============================================================================
--- head/lib/libc/sys/cap_enter.2	Tue Sep 27 10:26:39 2016	(r306365)
+++ head/lib/libc/sys/cap_enter.2	Tue Sep 27 11:31:53 2016	(r306366)
@@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd September 22, 2016
+.Dd September 27, 2016
 .Dt CAP_ENTER 2
 .Os
 .Sh NAME
@@ -72,15 +72,15 @@ sandbox.
 .Sh RUN-TIME SETTINGS
 If the
 .Dv kern.trap_enocap
-sysctl MIB is set to non-zero value, then for any process executing in a
+sysctl MIB is set to a non-zero value, then for any process executing in a
 capability mode sandbox, any syscall which results in either
 .Er ENOTCAPABLE
 or
 .Er ECAPMODE
-error, also generates the synchronous
+error also generates the synchronous
 .Dv SIGTRAP
 signal to the thread on the syscall return.
-On the signal delivery, the
+On signal delivery, the
 .Va si_errno
 member of the
 .Fa siginfo
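Review bot: The timing wording kept here, "to the thread on the syscall return", no longer matches the procctl.2 text added in this same commit, which says the signal is delivered "immediately before returning from the syscalls". Both pages describe the same SIGTRAP delivery, so pick one phrasing and use it in both places. While editing this sentence, "results in either ENOTCAPABLE or ECAPMODE error" still lacks an article; "results in either an ENOTCAPABLE or ECAPMODE error" would read correctly.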

Modified: head/lib/libc/sys/procctl.2
==============================================================================
--- head/lib/libc/sys/procctl.2	Tue Sep 27 10:26:39 2016	(r306365)
+++ head/lib/libc/sys/procctl.2	Tue Sep 27 11:31:53 2016	(r306366)
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd September 22, 2016
+.Dd September 27, 2016
 .Dt PROCCTL 2
 .Os
 .Sh NAME
@@ -328,14 +328,17 @@ If a debugger is attached,
 .Fa data
 is set to the pid of the debugger process.
 .It Dv PROC_TRAPCAP_CTL
-Enable or disable, for the specified processes which are executing in a
-capability mode sandbox, the synchronous
-.Dv SIGTRAP
-signal on return from any syscall which gives either
+Controls the capability mode sandbox actions for the specified
+sandboxed processes,
+on a return from any syscall which gives either a
 .Er ENOTCAPABLE
 or
 .Er ECAPMODE
 error.
+If the control is enabled, such errors from the syscalls cause
+delivery of the synchronous
+.Dv SIGTRAP
+signal to the thread immediately before returning from the syscalls.
 .Pp
 Possible values for the
 .Fa data
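Review bot: The new line "on a return from any syscall which gives either a" is followed by ".Er ENOTCAPABLE", so the rendered text reads "a ENOTCAPABLE"; the article should be "an". The added sentence also switches number: the first sentence speaks of "any syscall" (singular) while the new one says "such errors from the syscalls" and "returning from the syscalls". Suggest "such an error causes delivery of the synchronous SIGTRAP signal to the thread immediately before returning from the syscall" to keep it consistent.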
@@ -353,7 +356,8 @@ calls.
 Disable the signal delivery on capability mode access violations.
 Note that the global sysctl
 .Dv kern.trap_enocap
-might still cause the signal to be delivered; see
+might still cause the signal to be delivered.
+See
 .Xr capsicum 4 .
 .El
 .Pp
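Review bot: The split "See .Xr capsicum 4 ." now stands as its own sentence, but the reader is being told about kern.trap_enocap, which is described in the RUN-TIME SETTINGS section of cap_enter.2 touched by this same commit. Consider pointing to ".Xr cap_enter 2" here as well, so the cross-reference lands on the page that documents the sysctl interaction.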
@@ -371,7 +375,7 @@ See
 .Xr capsicum 4
 for more information about the capability mode.
 .It Dv PROC_TRAPCAP_STATUS
-Returns the current status of signalling capability mode access
+Return the current status of signalling capability mode access
 violations for the specified process.
 The integer value pointed to by the
 .Fa data
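Review bot: Changing "Returns" to "Return" puts PROC_TRAPCAP_STATUS in the imperative mood, but the rewritten PROC_TRAPCAP_CTL entry in this same commit opens with third-person "Controls the capability mode sandbox actions". Use one mood for both list items, for example "Control the capability mode sandbox actions" in the earlier entry.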


