From: Mateusz Piotrowski <0mp@FreeBSD.org>
Date: Thu, 21 Jul 2022 23:57:50 GMT
Message-Id: <202207212357.26LNvosw035298@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 8136944bb975 - stable/12 - protect.1: document existence of _oomprotect
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: 0mp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 8136944bb97505919099e8101ef8d8f5ed3e9e28

The branch stable/12 has been updated by 0mp (doc, ports committer):

URL:
https://cgit.FreeBSD.org/src/commit/?id=8136944bb97505919099e8101ef8d8f5ed3e9e28 commit 8136944bb97505919099e8101ef8d8f5ed3e9e28 Author: Adam Wolk AuthorDate: 2022-04-11 22:23:43 +0000 Commit: Mateusz Piotrowski <0mp@FreeBSD.org> CommitDate: 2022-07-21 23:56:57 +0000 protect.1: document existence of _oomprotect Improve discoverability of the functionality by mentioning in the userland tool manual. Add a SEE ALSO entry to rc.conf(5) where more details are provided. Sponsored by: Fudo Security (a.wolk) Differential Revision: https://reviews.freebsd.org/D30334 (cherry picked from commit c8b6be0f7d1b92d11b279761685f61f6702700a1) --- usr.bin/protect/protect.1 | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/usr.bin/protect/protect.1 b/usr.bin/protect/protect.1 index b9be4afe04b8..d27a8898dad5 100644 --- a/usr.bin/protect/protect.1 +++ b/usr.bin/protect/protect.1 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 19, 2013 +.Dd May 18, 2021 .Dt PROTECT 1 .Os .Sh NAME @@ -68,6 +68,11 @@ Note that only one of the or .Fl g flags may be specified when adjusting the state of existing processes. +.Pp +Daemons can be protected on startup using +.Ao Ar name Ac Ns Va _oomprotect +option from +.Xr rc.conf 5 . .Sh EXIT STATUS .Ex -std .Sh EXAMPLES 
@@ -82,8 +87,31 @@ Protect all ssh sessions and their child processes: Remove protection from all current and future processes: .Pp .Dl "protect -cdi -p 1" +.Pp +Using +.Xr ps 1 +to check if the protect flag has been applied to the process: +.Pp +.Dl "ps -O flags,flags2 -p 64430" +.Pp +.Dl " PID F F2 TT STAT TIME COMMAND" +.Dl "64430 10104002 00000001 5 S+ 0:00.00 ./main" +.Dl " ^P ^PI" +.Pp +In the above example +.Nm P +points at the protected flag and +.Nm PI +points at the iheritance flag. +The process is protected if +.Nm P +bit is set to 1. All children of this process will also be protected if +.Nm PI +bit is set to 1. .Sh SEE ALSO -.Xr procctl 2 +.Xr ps 1 , +.Xr procctl 2 , +.Xr rc.conf 5 .Sh BUGS If you protect a runaway process that allocates all memory the system will deadlock.
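Review bot: In the first hunk (@@ -25,7 +25,7 @@), the new .Dd value "May 18, 2021" is almost a year older than the AuthorDate of 2022-04-11 shown in the commit header. .Dd is meant to record when the page content last changed, so it should be bumped to the date the change was committed; otherwise readers comparing manual dates cannot tell that this page is newer than the text it replaces.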
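Review bot: In the second hunk (@@ -68,6 +68,11 @@), the added paragraph renders as "using <name>_oomprotect option from rc.conf(5)", which drops the article and never says what the variable has to be set to. Suggest "using the .Ao Ar name Ac Ns Va _oomprotect variable in .Xr rc.conf 5", followed by either the accepted values or an explicit statement that rc.conf(5) lists them, so an administrator does not assume that merely defining the variable protects the daemon.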
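Review bot: In the third hunk (@@ -82,8 +87,31 @@), the explanation under the ps output misspells "inheritance" as "iheritance" and marks the P and PI labels with .Nm, which is the macro for the utility's own name; a literal or symbolic macro such as .Ql or .Sy fits a column marker better. The line "+bit is set to 1. All children of this process will also be protected if" also starts a new sentence mid-line, where mdoc sources expect each sentence on its own line. Two further points on the same example: the caret markers in the .Dl lines only line up under the right hex digit if whitespace is preserved exactly, so a .Bd -literal block would be more robust, and the text says "P bit is set to 1" without naming the flag or its mask, so a reader auditing whether a daemon is really protected cannot tell which bit of 10104002 or 00000001 to test.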