CVS commit: src

Elad Efrat Fri, 02 Oct 2009 13:31:32 -0700

Module Name:    src
Committed By:   elad
Date:           Fri Oct  2 20:31:19 UTC 2009


Modified Files:
        src/sbin/mount: mount.8
        src/share/man/man7: sysctl.7
        src/share/man/man9: secmodel_securelevel.9 secmodel_suser.9

Log Message:
Centralize documentation about exported sysctl variables in the relevant
secmodel's man-page.


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/sbin/mount/mount.8
cvs rdiff -u -r1.24 -r1.25 src/share/man/man7/sysctl.7
cvs rdiff -u -r1.6 -r1.7 src/share/man/man9/secmodel_securelevel.9
cvs rdiff -u -r1.2 -r1.3 src/share/man/man9/secmodel_suser.9

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sbin/mount/mount.8
diff -u src/sbin/mount/mount.8:1.67 src/sbin/mount/mount.8:1.68
--- src/sbin/mount/mount.8:1.67	Mon Feb 23 08:14:53 2009
+++ src/sbin/mount/mount.8	Fri Oct  2 20:31:19 2009
@@ -1,4 +1,4 @@
-.\"	$NetBSD: mount.8,v 1.67 2009/02/23 08:14:53 wiz Exp $
+.\"	$NetBSD: mount.8,v 1.68 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 1980, 1989, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"     @(#)mount.8	8.8 (Berkeley) 6/16/94
 .\"
-.Dd February 22, 2009
+.Dd October 2, 2009
 .Dt MOUNT 8
 .Os
 .Sh NAME
@@ -133,23 +133,10 @@
 .Pp
 In
 .Nx ,
-a file system can only be mounted by an ordinary user who owns the
-point
-.Ar node
-and has access to the
-.Ar special
-device (at least read permissions).
-Also, the
-.Em vfs.generic.usermount
-.Xr sysctl 3
-must be set to 1 to permit file system mounting by ordinary users,
-see
-.Xr sysctl 8 .
-Finally, the flags
-.Cm nosuid
-and
-.Cm nodev
-must be given for non-superuser mounts.
+the file-system mounting policy is dictated by the running security models.
+The default security model may allow unprivileged mounting; see
+.Xr secmodel_suser 9
+for details. 
 .Pp
 The options are as follows:
 .Bl -tag -width indent

Index: src/share/man/man7/sysctl.7
diff -u src/share/man/man7/sysctl.7:1.24 src/share/man/man7/sysctl.7:1.25
--- src/share/man/man7/sysctl.7:1.24	Fri Sep 11 19:43:26 2009
+++ src/share/man/man7/sysctl.7	Fri Oct  2 20:31:19 2009
@@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.7,v 1.24 2009/09/11 19:43:26 wiz Exp $
+.\"	$NetBSD: sysctl.7,v 1.25 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"	@(#)sysctl.3	8.4 (Berkeley) 5/9/95
 .\"
-.Dd September 11, 2009
+.Dd October 2, 2009
 .Dt SYSCTL 7
 .Os
 .Sh NAME
@@ -713,9 +713,8 @@
 Maximum socket buffer size.
 .\" XXX units?
 .It Li kern.securelevel ( KERN_SECURELVL )
-The system security level.
-This level may be raised by processes with appropriate privilege.
-It may only be lowered by process 1.
+See
+.Xr secmodel_securelevel 9 .
 .It Li kern.somaxkva ( KERN_SOMAXKVA )
 Maximum amount of kernel memory to be used for socket buffers.
 .\" XXX units?

Index: src/share/man/man9/secmodel_securelevel.9
diff -u src/share/man/man9/secmodel_securelevel.9:1.6 src/share/man/man9/secmodel_securelevel.9:1.7
--- src/share/man/man9/secmodel_securelevel.9:1.6	Sat Jul 25 16:20:11 2009
+++ src/share/man/man9/secmodel_securelevel.9	Fri Oct  2 20:31:19 2009
@@ -1,4 +1,4 @@
-.\" $NetBSD: secmodel_securelevel.9,v 1.6 2009/07/25 16:20:11 mbalmer Exp $
+.\" $NetBSD: secmodel_securelevel.9,v 1.7 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
 .\" Copyright (c) 2000 Hugh Graham
@@ -180,6 +180,16 @@
 interpreter, through any mechanism) and the kernel itself are "programs
 that run while the security level is 0" and must be considered part of
 the TCB.
+.Pp
+The following
+.Xr sysctl 3
+variables are exported:
+.Bl -tag -width compact
+.It security.models.securelevel.securelevel
+The system security level.
+This level may be raised by processes with appropriate privilege.
+It may only be lowered by process 1 (init).
+.El
 .Sh SEE ALSO
 .Xr kauth 9 ,
 .Xr secmodel 9 ,

Index: src/share/man/man9/secmodel_suser.9
diff -u src/share/man/man9/secmodel_suser.9:1.2 src/share/man/man9/secmodel_suser.9:1.3
--- src/share/man/man9/secmodel_suser.9:1.2	Fri Oct  2 19:50:37 2009
+++ src/share/man/man9/secmodel_suser.9	Fri Oct  2 20:31:19 2009
@@ -1,4 +1,4 @@
-.\" $NetBSD: secmodel_suser.9,v 1.2 2009/10/02 19:50:37 elad Exp $
+.\" $NetBSD: secmodel_suser.9,v 1.3 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 2009 Elad Efrat <e...@netbsd.org>
 .\" All rights reserved.
@@ -41,6 +41,43 @@
 .Em super-user
 is the host administrator, considered to have higher privileges than other
 users.
+.Pp
+The following
+.Xr sysctl 3
+variables are exported:
+.Bl -tag -width compact
+.It security.models.suser.curtain
+If non-zero, will filter returned objects according to the user-id
+requesting information about them, preventing from users any access to
+objects they don't own.
+.Pp
+At the moment, it affects
+.Xr ps 1 ,
+.Xr netstat 1
+(for
+.Dv PF_INET ,
+.Dv PF_INET6 ,
+and
+.Dv PF_UNIX
+PCBs), and
+.Xr w 1 .
+.It security.models.suser.usermount
+Allow non-superuser mounts.
+.Pp
+If non-zero, file-systems are allowed to be mounted by an ordinary user who
+owns the point
+.Ar node
+and has at least read access to the 
+.Ar special
+device 
+.Xr mount 8
+arguments.
+Finally, the flags
+.Cm nosuid
+and
+.Cm nodev
+must be given for non-superuser mounts.
+.El
 .Sh SEE ALSO
 .Xr kauth 9 ,
 .Xr secmodel 9 ,

CVS commit: src

Reply via email to