From owner-svn-src-all@freebsd.org Tue Aug 6 17:05:58 2019 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id F0EADC5DC7; Tue, 6 Aug 2019 17:05:58 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4631HV5pH3z4DCm; Tue, 6 Aug 2019 17:05:58 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A8D9D2F117; Tue, 6 Aug 2019 17:05:58 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x76H5woC037480; Tue, 6 Aug 2019 17:05:58 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x76H5wZU037479; Tue, 6 Aug 2019 17:05:58 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201908061705.x76H5wZU037479@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org using -f From: Konstantin Belousov Date: Tue, 6 Aug 2019 17:05:58 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r350640 - head/share/man/man7 X-SVN-Group: head X-SVN-Commit-Author: kib X-SVN-Commit-Paths: head/share/man/man7 X-SVN-Commit-Revision: 350640 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 17:05:59 -0000 Author: kib Date: Tue Aug 6 17:05:58 2019 New Revision: 350640 URL: https://svnweb.freebsd.org/changeset/base/350640 Log: Provide the list of knobs related to mitigations. Discussed with: bjk, emaste Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D21087 Modified: head/share/man/man7/security.7 Modified: head/share/man/man7/security.7 ============================================================================== --- head/share/man/man7/security.7 Tue Aug 6 16:53:25 2019 (r350639) +++ head/share/man/man7/security.7 Tue Aug 6 17:05:58 2019 (r350640) @@ -1,5 +1,10 @@ .\" Copyright (C) 1998 Matthew Dillon. All rights reserved. +.\" Copyright (c) 2019 The FreeBSD Foundation, Inc. .\" +.\" Parts of this documentation were written by +.\" Konstantin Belousov under sponsorship +.\" from the FreeBSD Foundation. +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: @@ -23,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 25, 2013 +.Dd July 27, 2019 .Dt SECURITY 7 .Os .Sh NAME @@ -941,12 +946,125 @@ option that SSH allows in its .Pa authorized_keys file to make the key only usable to entities logging in from specific machines. +.Sh KNOBS AND TWEAKS +.Fx +provides several knobs and tweak handles that make some introspection +information access more restricted. +Some people consider this as improving system security, so the knobs are +briefly listed there, together with controls which enable some mitigations +of the hardware state leaks. +.Bl -tag -width security.bsd.unprivileged_proc_debug +.It Dv security.bsd.see_other_uids +Controls visibility of processes owned by different uid. +The knob directly affects the +.Dv kern.proc +sysctls filtering of data, which results in restricted output from +utilities like +.Xr ps 1 . +.It Dv security.bsd.see_other_gids +Same, for processes owned by different gid. +.It Dv security.bsd.see_jail_proc +Same, for processes belonging to a jail. +.It Dv security.bsd.conservative_signals +When enabled, unprivileged users are only allowed to send job control +and usual termination signals like +.Dv SIGKILL , +.Dv SIGINT , +and +.Dv SIGTERM , +to the processes executing programs with changed uids. +.It Dv security.bsd.unprivileged_proc_debug +Controls availability of the process debugging facilities to non-root users. +See also +.Xr proccontrol 1 +mode +.Dv trace . +.It Dv vm.pmap.pti +Tunable, amd64-only. +Enables mode of operation of virtual memory system where usermode page +tables are sanitized to prevent so-called Meltdown information leak on +some Intel CPUs. +By default, the system detects whether the CPU needs the workaround, +and enables it automatically. +See also +.Xr proccontrol 1 +mode +.Dv kpti . +.It Dv hw.mds_disable +amd64 and i386. +Controls Microarchitectural Data Sampling hardware information leak +mitigation. +.It Dv hw.spec_store_bypass_disable +amd64 and i386. +Controls Speculative Store Bypass hardware information leak mitigation. +.It Dv hw.ibrs_disable +amd64 and i386. +Controls Indirect Branch Restricted Speculation hardware information leak +mitigation. +.It Dv machdep.syscall_ret_l1d_flush +amd64. +Controls force-flush of L1D cache on return from syscalls which report +errors other than +.Ev EEXIST , +.Ev EAGAIN , +.Ev EXDEV , +.Ev ENOENT , +.Ev ENOTCONN , +and +.Ev EINPROGRESS . +This is mostly a paranoid setting added to prevent hypothetical exploitation +of unknown gadgets for unknown hardware issues. +The error codes exclusion list is composed of the most common errors which +typically occurs on normal system operation. +.It Dv machdep.nmi_flush_l1d_sw +amd64. +Controls force-flush of L1D cache on NMI; +this provides software assist for bhyve mitigation of L1 terminal fault +hardware information leak. +.It Dv hw.vmm.vmx.l1d_flush +amd64. +Controls the mitigation of L1 Terminal Fault in bhyve hypervisor. +.It Dv kern.elf32.aslr.enable +Controls system-global Address Space Layour Randomization (ASLR) for +normal non-PIE (Position Independent Executable) 32bit binaries. +See also +.Xr proccontrol 1 +mode +.Dv aslr , +also affected by the per-image control note flag. +.It Dv kern.elf32.aslr.pie_enable +Controls system-global Address Space Layout Randomization for +position-independent (PIE) 32bit binaries. +.It Dv kern.elf32.aslr.honor_sbrk +Makes ASLR less aggressive and more compatible with old binaries +relying on the sbrk area. +.It Dv kern.elf32.aslr.aslr_stack_gap +If ASLR is enabled for a binary, a non-zero value creates a randomized +stack gap between strings and the end of the aux vector. +The value is the maximum percentage of main stack to waste on the gap. +Cannot be greater than 50, i.e., at most half of the stack. +.It Dv kern.elf64.aslr.enable +64bit binaries ASLR control. +.It Dv kern.elf64.aslr.pie_enable +64bit PIE binaries ASLR control. +.It Dv kern.elf64.aslr.honor_sbrk +64bit binaries ASLR sbrk compatibility control. +.It Dv kern.elf32.aslr.aslr_stack_gap +Controls stack gap for 64bit binaries. +.It Dv kern.elf32.nxstack +Enables non-executable stack for 32bit processes. +Enabled by default if supported by hardware and corresponding binary. +.It Dv kern.elf64.nxstack +Enables non-executable stack for 64bit processes. +.El .Sh SEE ALSO .Xr chflags 1 , .Xr find 1 , .Xr md5 1 , .Xr netstat 1 , .Xr openssl 1 , +.Xr proccontrol 1 , +.Xr ps 1 , .Xr ssh 1 , .Xr xdm 1 Pq Pa ports/x11/xorg-clients , .Xr group 5 ,