To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Alexander Ziaee Subject: git: e11d172209e2 - stable/14 - manuals: Correct some sysctl markup List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: ziaee X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: e11d172209e2c7406ff934d64503ac4ea64b8d31 Auto-Submitted: auto-generated Date: Fri, 06 Feb 2026 00:27:58 +0000 Message-Id: <6985358e.27dfd.779f5ea2@gitrepo.freebsd.org> The branch stable/14 has been updated by ziaee: URL: https://cgit.FreeBSD.org/src/commit/?id=e11d172209e2c7406ff934d64503ac4ea64b8d31 commit e11d172209e2c7406ff934d64503ac4ea64b8d31 Author: Alexander Ziaee AuthorDate: 2026-01-06 16:02:24 +0000 Commit: Alexander Ziaee CommitDate: 2026-02-06 00:15:31 +0000 manuals: Correct some sysctl markup This enables additional searching the manual by sysctl variable. This syntax is standardized in style.mdoc(5). Reported by: bapt MFC after: 3 days (cherry picked from commit 75866d71e8d93fe1a1ff469b8a9c6c6c9908a6c8) --- lib/libc/sys/chroot.2 | 6 ++--- lib/libc/sys/ptrace.2 | 10 ++++---- share/man/man7/security.7 | 58 +++++++++++++++++++++++------------------------ usr.sbin/chroot/chroot.8 | 2 +- 4 files changed, 38 insertions(+), 38 deletions(-) diff --git a/lib/libc/sys/chroot.2 b/lib/libc/sys/chroot.2 index a1cf1adebb97..fa206d04d4fc 100644 --- a/lib/libc/sys/chroot.2 +++ b/lib/libc/sys/chroot.2 
@@ -59,7 +59,7 @@ It should be noted that has no effect on the process's current directory. .Pp This call is restricted to the super-user, unless the -.Ql security.bsd.unprivileged_chroot +.Ql Va security.bsd.unprivileged_chroot sysctl variable is set to 1 and the process has enabled the .Dv PROC_NO_NEW_PRIVS_CTL @@ -107,7 +107,7 @@ will fail and the root directory will be unchanged if: .Bl -tag -width Er .It Bq Er EPERM The effective user ID is not the super-user and the -.Ql security.bsd.unprivileged_chroot +.Ql Va security.bsd.unprivileged_chroot sysctl is 0. .It Bq Er EPERM The effective user ID is not the super-user and the @@ -116,7 +116,7 @@ process has not enabled the .Xr procctl 2 . .It Bq Er EPERM One or more filedescriptors are open directories and the -.Ql kern.chroot_allow_open_directories +.Ql Va kern.chroot_allow_open_directories sysctl is not set to permit this. .It Bq Er EIO An I/O error occurred while reading from or writing to the file system. diff --git a/lib/libc/sys/ptrace.2 b/lib/libc/sys/ptrace.2 index 7aa24a3f820b..a6798bb22b27 100644 --- a/lib/libc/sys/ptrace.2 +++ b/lib/libc/sys/ptrace.2 
@@ -148,31 +148,31 @@ Sometimes it may be desirable to disallow it either completely, or limit its scope. The following controls are provided for this: .Bl -tag -width security.bsd.unprivileged_proc_debug -.It Dv security.bsd.allow_ptrace +.It Va security.bsd.allow_ptrace Setting this sysctl to zero makes .Nm return .Er ENOSYS always as if the syscall is not implemented by the kernel. -.It Dv security.bsd.unprivileged_proc_debug +.It Va security.bsd.unprivileged_proc_debug Setting this sysctl to zero disallows the use of .Fn ptrace by unprivileged processes. -.It Dv security.bsd.see_other_uids +.It Va security.bsd.see_other_uids Setting this sysctl to zero prevents .Fn ptrace requests from targeting processes with a real user identifier different from the caller's. These requests will fail with error .Er ESRCH . -.It Dv security.bsd.see_other_gids +.It Va security.bsd.see_other_gids Setting this sysctl to zero disallows .Fn ptrace requests from processes that have no groups in common with the target process, considering their sets of real and supplementary groups. These requests will fail with error .Er ESRCH . -.It Dv security.bsd.see_jail_proc +.It Va security.bsd.see_jail_proc Setting this sysctl to zero disallows .Fn ptrace requests from processes belonging to a different jail than that of the target diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 index cdb4d066d3e6..20334edef6c3 100644 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -956,7 +956,7 @@ briefly listed there, together with controls which enable some mitigations of the hardware state leaks. .Pp Hardware mitigation sysctl knobs described below have been moved under -.Pa machdep.mitigations , +.Va machdep.mitigations , with backwards-compatibility shims to accept the existing names. A future change will rationalize the sense of the individual sysctls (so that enabled / true always indicates that the mitigation is active). 
@@ -966,20 +966,20 @@ Backwards compatibility shims for the interim sysctls under .Pa machdep.mitigations will not be added. .Bl -tag -width security.bsd.unprivileged_proc_debug -.It Dv security.bsd.see_other_uids +.It Va security.bsd.see_other_uids Controls visibility and reachability of subjects (e.g., processes) and objects (e.g., sockets) owned by a different uid. The knob directly affects the -.Dv kern.proc +.Va kern.proc sysctls filtering of data, which results in restricted output from utilities like .Xr ps 1 . -.It Dv security.bsd.see_other_gids +.It Va security.bsd.see_other_gids Same, for subjects and objects owned by a different gid. -.It Dv security.bsd.see_jail_proc +.It Va security.bsd.see_jail_proc Same, for subjects and objects belonging to a different jail, including sub-jails. -.It Dv security.bsd.conservative_signals +.It Va security.bsd.conservative_signals When enabled, unprivileged users are only allowed to send job control and usual termination signals like .Dv SIGKILL , @@ -987,13 +987,13 @@ and usual termination signals like and .Dv SIGTERM , to the processes executing programs with changed uids. -.It Dv security.bsd.unprivileged_proc_debug +.It Va security.bsd.unprivileged_proc_debug Controls availability of the process debugging facilities to non-root users. See also .Xr proccontrol 1 mode .Dv trace . -.It Dv vm.pmap.pti +.It Va vm.pmap.pti Tunable, amd64-only. Enables mode of operation of virtual memory system where usermode page tables are sanitized to prevent so-called Meltdown information leak on 
@@ -1004,25 +1004,25 @@ See also .Xr proccontrol 1 mode .Dv kpti . -.It Dv machdep.mitigations.flush_rsb_ctxsw +.It Va machdep.mitigations.flush_rsb_ctxsw amd64. Controls Return Stack Buffer flush on context switch, to prevent cross-process ret2spec attacks. Only needed, and only enabled by default, if the machine supports SMEP, otherwise IBRS would do necessary flushing on kernel entry anyway. -.It Dv hw.mds_disable +.It Va hw.mds_disable amd64 and i386. Controls Microarchitectural Data Sampling hardware information leak mitigation. -.It Dv hw.spec_store_bypass_disable +.It Va hw.spec_store_bypass_disable amd64 and i386. Controls Speculative Store Bypass hardware information leak mitigation. -.It Dv hw.ibrs_disable +.It Va hw.ibrs_disable amd64 and i386. Controls Indirect Branch Restricted Speculation hardware information leak mitigation. -.It Dv machdep.syscall_ret_flush_l1d +.It Va machdep.syscall_ret_flush_l1d amd64. Controls force-flush of L1D cache on return from syscalls which report errors other than 
@@ -1037,62 +1037,62 @@ This is mostly a paranoid setting added to prevent hypothetical exploitation of unknown gadgets for unknown hardware issues. The error codes exclusion list is composed of the most common errors which typically occurs on normal system operation. -.It Dv machdep.nmi_flush_l1d_sw +.It Va machdep.nmi_flush_l1d_sw amd64. Controls force-flush of L1D cache on NMI; this provides software assist for bhyve mitigation of L1 terminal fault hardware information leak. -.It Dv hw.vmm.vmx.l1d_flush +.It Va hw.vmm.vmx.l1d_flush amd64. Controls the mitigation of L1 Terminal Fault in bhyve hypervisor. -.It Dv vm.pmap.allow_2m_x_ept +.It Va vm.pmap.allow_2m_x_ept amd64. Allows the use of superpages for executable mappings under the EPT page table format used by hypervisors on Intel CPUs to map the guest physical address space to machine physical memory. May be disabled to work around a CPU Erratum called Machine Check Error Avoidance on Page Size Change. -.It Dv machdep.mitigations.rngds.enable +.It Va machdep.mitigations.rngds.enable amd64 and i386. Controls mitigation of Special Register Buffer Data Sampling versus optimization of the MCU access. When set to zero, the mitigation is disabled, and the RDSEED and RDRAND instructions do not incur serialization overhead for shared buffer accesses, and do not serialize off-core memory accesses. -.It Dv kern.elf32.aslr.enable +.It Va kern.elf32.aslr.enable Controls system-global Address Space Layout Randomization (ASLR) for normal non-PIE (Position Independent Executable) 32-bit ELF binaries. See also the .Xr proccontrol 1 .Dv aslr mode, also affected by the per-image control note flag. -.It Dv kern.elf32.aslr.pie_enable +.It Va kern.elf32.aslr.pie_enable Controls system-global Address Space Layout Randomization for position-independent (PIE) 32-bit binaries. 
-.It Dv kern.elf32.aslr.honor_sbrk +.It Va kern.elf32.aslr.honor_sbrk Makes ASLR less aggressive and more compatible with old binaries relying on the sbrk area. -.It Dv kern.elf32.aslr.stack +.It Va kern.elf32.aslr.stack Enable randomization of the stack for 32-bit binaries. Otherwise, the stack is mapped at a fixed location determined by the process ABI. -.It Dv kern.elf64.aslr.enable +.It Va kern.elf64.aslr.enable ASLR control for 64-bit ELF binaries. -.It Dv kern.elf64.aslr.pie_enable +.It Va kern.elf64.aslr.pie_enable ASLR control for 64-bit ELF PIEs. -.It Dv kern.elf64.aslr.honor_sbrk +.It Va kern.elf64.aslr.honor_sbrk ASLR sbrk compatibility control for 64-bit binaries. -.It Dv kern.elf64.aslr.stack +.It Va kern.elf64.aslr.stack Controls stack address randomization for 64-bit binaries. -.It Dv kern.elf32.nxstack +.It Va kern.elf32.nxstack Enables non-executable stack for 32-bit processes. Enabled by default if supported by hardware and corresponding binary. -.It Dv kern.elf64.nxstack +.It Va kern.elf64.nxstack Enables non-executable stack for 64-bit processes. -.It Dv kern.elf32.allow_wx +.It Va kern.elf32.allow_wx Enables mapping of simultaneously writable and executable pages for 32-bit processes. -.It Dv kern.elf64.allow_wx +.It Va kern.elf64.allow_wx Enables mapping of simultaneously writable and executable pages for 64-bit processes. .El diff --git a/usr.sbin/chroot/chroot.8 b/usr.sbin/chroot/chroot.8 index e434a5b99fbf..55679d876fbf 100644 --- a/usr.sbin/chroot/chroot.8 +++ b/usr.sbin/chroot/chroot.8 @@ -70,7 +70,7 @@ Use the command before chrooting, effectively disabling SUID/SGID bits for the calling process and its descendants. If -.Dv security.bsd.unprivileged_chroot +.Va security.bsd.unprivileged_chroot sysctl is set to 1, it will make it possible to chroot without superuser privileges. .El
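Review bot: the three chroot.2 hunks keep `.Ql` in front of the new `.Va` (`.Ql Va security.bsd.unprivileged_chroot` twice, `.Ql Va kern.chroot_allow_open_directories` once), so those sysctl names render as quoted literals in variable style, while the ptrace.2, security.7 and chroot.8 hunks switch to a bare `.Va`. The same variable therefore ends up marked up two different ways in chroot.2 and chroot.8; if the intent is the style.mdoc(5) convention the commit message cites, drop the `.Ql` wrapper here as well, and if the quoting is deliberate it would help to say so in the commit message.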
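Review bot: the first security.7 hunk (@@ -956) changes `.Pa machdep.mitigations ,` to `.Va machdep.mitigations ,`, but the leading context of the next hunk (@@ -966) still reads `Backwards compatibility shims for the interim sysctls under .Pa machdep.mitigations will not be added.`, leaving one `.Pa` reference to the same sysctl subtree a few lines below the one being fixed. Convert that occurrence to `.Va` too, so that a search of the manual by sysctl variable, which the commit message gives as the purpose of the change, picks up both mentions.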