git: b09a75d675dc - stable/14 - dtrace.1: Document security.bsd.allow_destructive_dtrace

Wed, 20 Aug 2025 03:46:31 -0700 

The branch stable/14 has been updated by 0mp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b09a75d675dcaa9a1e5dcc63f7cfbb5df85419e6

commit b09a75d675dcaa9a1e5dcc63f7cfbb5df85419e6
Author:     Mateusz Piotrowski <0...@freebsd.org>
AuthorDate: 2025-08-01 15:23:20 +0000
Commit:     Mateusz Piotrowski <0...@freebsd.org>
CommitDate: 2025-08-20 10:46:18 +0000

    dtrace.1: Document security.bsd.allow_destructive_dtrace
    
    PR:             288284
    Reviewed by:    bcr, markj
    MFC after:      3 days
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D51633
    
    (cherry picked from commit 1acfb873cf2e59f9ddf53602cbc67fa810c878a6)
---
 cddl/contrib/opensolaris/cmd/dtrace/dtrace.1 | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1 
b/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1
index 0603a32da5e2..eafc25f187d5 100644
--- a/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1
+++ b/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1
@@ -20,7 +20,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 16, 2025
+.Dd July 30, 2025
 .Dt DTRACE 1
 .Os
 .Sh NAME
@@ -537,6 +537,17 @@ option is not specified,
 .Nm
 does not permit the compilation or enabling of a D program that contains
 destructive actions.
+.Pp
+Set the
+.Va security.bsd.allow_destructive_dtrace
+.Xr loader 8
+tunable
+to
+.Ql 0
+to disallow the possibility of enabling destructive actions system-wide at any 
point at all.
+Any attempts to enable destructive actions will cause
+.Nm
+to exit with a runtime error.
 .It Fl x Ar arg Op Ns = Ns value
 Enable or modify a DTrace runtime option or D compiler option.
 Boolean options are enabled by specifying their name.
@@ -1219,6 +1230,18 @@ failed or that the specified request could not be 
satisfied.
 .It 2
 Invalid command line options or arguments were specified.
 .El
+.Sh DIAGNOSTICS
+.Bl -diag
+.It dtrace: could not enable tracing: Permission denied
+This can happen when
+.Nm
+fails to enable destructive actions because
+.Va security.bsd.allow_destructive_dtrace
+is set to
+.Ql 0
+in
+.Xr loader.conf 5 .
+.El
 .Sh SEE ALSO
 .Xr cpp 1 ,
 .Xr dtrace_audit 4 ,

Reply via email to