From: Ed Maste
Date: Wed, 11 Dec 2019 16:43:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r355613 - head/share/man/man7

Author: emaste
Date: Wed Dec 11 16:43:54 2019
New Revision: 355613
URL: https://svnweb.freebsd.org/changeset/base/355613

Log:
  security.7: add caveat about interim sysctl paths from r355436

  r355436 moved mitigation sysctls to machdep.mitigations but did not
  rationalize the sense of the individual knobs.  Clarify that the old
  names remain the canonical way to set these mitigations.

  Backwards compatibility will be maintained for the original names (e.g.
  hw.ibrs_disable), but not from the interim names (e.g.
  machdep.mitigations.ibrs.disable).

  Sponsored by: The FreeBSD Foundation

Modified:
  head/share/man/man7/security.7

Modified: head/share/man/man7/security.7 ============================================================================== --- head/share/man/man7/security.7 Wed Dec 11 16:09:57 2019 (r355612) +++ head/share/man/man7/security.7 Wed Dec 11 16:43:54 2019 (r355613) @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 12, 2019 +.Dd December 11, 2019 .Dt SECURITY 7 .Os .Sh NAME 
@@ -944,6 +944,17 @@ information access more restricted. Some people consider this as improving system security, so the knobs are briefly listed there, together with controls which enable some mitigations of the hardware state leaks. +.Pp +Hardware mitigation sysctl knobs described below have been moved under +.Pa machdep.mitigations , +with backwards-compatibility shims to accept the existing names. +A future change will rationalize the sense of the individual sysctls +(so that enabled / true always indicates that the mitigation is active). +For that reason the previous names remain the canonical way to set the +mitigations, and are documented here. +Backwards compatibility shims for the interim sysctls under +.Pa machdep.mitigations +will not be added. .Bl -tag -width security.bsd.unprivileged_proc_debug .It Dv security.bsd.see_other_uids Controls visibility of processes owned by different uid.
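
Review bot: The paragraph added in the @@ -944,6 +944,17 @@ hunk says shims for "the interim sysctls under machdep.mitigations" will not be added, but it never says which names are the interim ones, so a reader of security.7 who has not seen the commit log cannot tell that the present machdep.mitigations names are the ones expected to change. Suggest naming one pair explicitly, as the log does (hw.ibrs_disable versus machdep.mitigations.ibrs.disable), and stating outright that the machdep.mitigations names should not yet be used in sysctl.conf or scripts. The parenthetical about rationalizing the sense would also be easier to act on if it said which way the current knobs read, since a name such as hw.ibrs_disable suggests that true means the mitigation is off, and an administrator who assumes the opposite would turn a mitigation off while believing it is on.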