- bit clearer about sysctls/securelevel (text lifted from i386_iopl(2))

- EPERM only applies to _set_ioperm

help kettenis
original diff From: Paul Kelly

1 files changed, 17 insertions, 4 deletions

diff --git a/lib/libarch/i386/i386_get_ioperm.2 b/lib/libarch/i386/i386_get_ioperm.2
index 00259e24c57..afdd955864f 100644
--- a/lib/libarch/i386/i386_get_ioperm.2
+++ b/lib/libarch/i386/i386_get_ioperm.2
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: i386_get_ioperm.2,v 1.14 2008/06/26 05:42:04 ray Exp $
+.\"	$OpenBSD: i386_get_ioperm.2,v 1.15 2013/09/14 14:58:54 jmc Exp $
 .\"	$NetBSD: i386_get_ioperm.2,v 1.3 1996/02/27 22:57:17 jtc Exp $
 .\"
 .\" Copyright (c) 1996 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2008 $
+.Dd $Mdocdate: September 14 2013 $
 .Dt I386_GET_IOPERM 2 i386
 .Os
 .Sh NAME
@@ -50,7 +50,12 @@ copies the current I/O permission bitmap into the memory referenced by
 .Fn i386_set_ioperm
 sets the I/O permission bitmap from the data pointed to by
 .Fa iomap .
-This call is restricted to the superuser.
+This call may only be made by the superuser.
+Additionally, it is only permitted when the
+.Xr securelevel 7
+is less than or equal to 0 or the
+.Va machdep.allowaperture
+sysctl has been set to a non-zero value.
 .Pp
 The permission bitmap contains 1024 bits in 32 longwords.
 If bit
@@ -90,8 +95,16 @@ will fail if:
 .It Bq Er EFAULT
 .Fa iomap
 points outside the process's allocated address space.
+.El
+.Pp
+Additionally
+.Fn i386_set_ioperm
+will fail if:
+.Bl -tag -width [EINVAL]
 .It Bq Er EPERM
-The caller was not the superuser.
+The caller was not the superuser, or the securelevel is greater than zero and
+.Va machdep.allowaperture
+has not been set to a non-zero value.
 .El
 .Sh SEE ALSO
 .Xr i386_iopl 2