diff options
author | deraadt <deraadt@openbsd.org> | 2016-09-25 15:23:36 +0000 |
---|---|---|
committer | deraadt <deraadt@openbsd.org> | 2016-09-25 15:23:36 +0000 |
commit | 19aedf236181e81baf170421900911c82671fae4 (patch) | |
tree | dc5c83dfa6b2e64cd1504fb28d9fef4a7a55f08d /usr.sbin | |
parent | Remove more duplicated includes (diff) | |
download | wireguard-openbsd-19aedf236181e81baf170421900911c82671fae4.tar.xz wireguard-openbsd-19aedf236181e81baf170421900911c82671fae4.zip |
Make a move towards ending 4 decades of kernel snooping.
Add sysctl kern.allowkmem (default 0) which controls the ability to open
/dev/mem or /dev/kmem at securelevel > 0. Over 15 years we converted 99%
of utilities in the tree to operate on sysctl-nodes (either by themselves
or via code hiding in the guts of -lkvm).
pstat -d and -v & procmap are affected and continued use of them will
require kern.allowkmem=1 in /etc/sysctl.conf. acpidump (and it's
buddy sendbug) are affected, but we'll work out a solution soon.
There will be some impact in ports.
ok kettenis guenther
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/acpidump/acpidump.8 | 11 | ||||
-rw-r--r-- | usr.sbin/procmap/procmap.1 | 11 | ||||
-rw-r--r-- | usr.sbin/pstat/pstat.8 | 20 |
3 files changed, 36 insertions, 6 deletions
diff --git a/usr.sbin/acpidump/acpidump.8 b/usr.sbin/acpidump/acpidump.8 index 650c683acd1..ff8747898a2 100644 --- a/usr.sbin/acpidump/acpidump.8 +++ b/usr.sbin/acpidump/acpidump.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: acpidump.8,v 1.15 2014/03/13 21:14:08 brynet Exp $ +.\" $OpenBSD: acpidump.8,v 1.16 2016/09/25 15:23:37 deraadt Exp $ .\" .\" Copyright (c) 1999 Doug Rabson <dfr@FreeBSD.org> .\" Copyright (c) 2000 Mitsuru IWASAKI <iwasaki@FreeBSD.org> @@ -29,7 +29,7 @@ .\" .\" $FreeBSD: src/usr.sbin/acpi/acpidump/acpidump.8,v 1.9 2001/09/05 19:21:25 dd Exp $ .\" -.Dd $Mdocdate: March 13 2014 $ +.Dd $Mdocdate: September 25 2016 $ .Dt ACPIDUMP 8 .Os .Sh NAME @@ -60,6 +60,13 @@ ports tree or package system: # pkg_add acpica $ iasl -d <prefix>.<sig>.<id> .Ed +.Pp +.Nm +requires the ability to open +.Pa /dev/kmem +which may be restricted based upon the value of the +.Ar kern.allowkmem +.Xr sysctl 8 . .Sh FILES .Bl -tag -width /dev/mem .It Pa /dev/mem diff --git a/usr.sbin/procmap/procmap.1 b/usr.sbin/procmap/procmap.1 index 850fb50be0a..c1edf188f83 100644 --- a/usr.sbin/procmap/procmap.1 +++ b/usr.sbin/procmap/procmap.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: procmap.1,v 1.21 2016/05/26 17:23:49 stefan Exp $ +.\" $OpenBSD: procmap.1,v 1.22 2016/09/25 15:23:37 deraadt Exp $ .\" $NetBSD: pmap.1,v 1.6 2003/01/19 21:25:43 atatat Exp $ .\" .\" Copyright (c) 2002 The NetBSD Foundation, Inc. @@ -28,7 +28,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 26 2016 $ +.Dd $Mdocdate: September 25 2016 $ .Dt PROCMAP 1 .Os .Sh NAME @@ -53,6 +53,13 @@ address, the underlying file's device and inode numbers, and various protection information will be displayed, along with the path to the file, if such data is available. .Pp +.Nm +requires the ability to open +.Pa /dev/kmem +which may be restricted based upon the value of the +.Ar kern.allowkmem +.Xr sysctl 8 . +.Pp By default, .Nm displays information for its parent process, so that when run from a diff --git a/usr.sbin/pstat/pstat.8 b/usr.sbin/pstat/pstat.8 index f0ed5fc1403..627ff32a8b4 100644 --- a/usr.sbin/pstat/pstat.8 +++ b/usr.sbin/pstat/pstat.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pstat.8,v 1.50 2016/06/03 20:38:48 deraadt Exp $ +.\" $OpenBSD: pstat.8,v 1.51 2016/09/25 15:23:37 deraadt Exp $ .\" $NetBSD: pstat.8,v 1.9.4.1 1996/06/02 09:08:17 mrg Exp $ .\" .\" Copyright (c) 1980, 1991, 1993, 1994 @@ -30,7 +30,7 @@ .\" .\" from: @(#)pstat.8 8.4 (Berkeley) 4/19/94 .\" -.Dd $Mdocdate: June 3 2016 $ +.Dd $Mdocdate: September 25 2016 $ .Dt PSTAT 8 .Os .Sh NAME @@ -72,6 +72,14 @@ or .Ar llx . Symbol names are read from the remaining command line arguments. Addresses may also be specified in hex. +.Pp +The +.Fl d +option requires the ability to open +.Pa /dev/kmem +which may be restricted based upon the value of the +.Ar kern.allowkmem +.Xr sysctl 8 . .It Fl f Print the open file table with these headings: .Bl -tag -width indent @@ -335,6 +343,14 @@ special file times changed Number of bytes in an ordinary file, or major and minor device of special file. .El +.Pp +The +.Fl v +option requires the ability to open +.Pa /dev/kmem +which may be restricted based upon the value of the +.Ar kern.allowkmem +.Xr sysctl 8 . .El .Sh ENVIRONMENT .Bl -tag -width BLOCKSIZE |