From 1acfb873cf2e59f9ddf53602cbc67fa810c878a6 Mon Sep 17 00:00:00 2001 From: Mateusz Piotrowski <0mp@FreeBSD.org> Date: Fri, 1 Aug 2025 17:23:20 +0200 Subject: [PATCH] dtrace.1: Document security.bsd.allow_destructive_dtrace PR: 288284 Reviewed by: bcr, markj MFC after: 3 days Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D51633 --- cddl/contrib/opensolaris/cmd/dtrace/dtrace.1 | 25 +++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1 b/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1 index da8cbd9ffe5..e263b936700 100644 --- a/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1 +++ b/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1 @@ -20,7 +20,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 16, 2025 +.Dd July 30, 2025 .Dt DTRACE 1 .Os .Sh NAME @@ -537,6 +537,17 @@ option is not specified, .Nm does not permit the compilation or enabling of a D program that contains destructive actions. +.Pp +Set the +.Va security.bsd.allow_destructive_dtrace +.Xr loader 8 +tunable +to +.Ql 0 +to disallow the possibility of enabling destructive actions system-wide at any point at all. +Any attempts to enable destructive actions will cause +.Nm +to exit with a runtime error. .It Fl x Ar arg Op Ns = Ns value Enable or modify a DTrace runtime option or D compiler option. Boolean options are enabled by specifying their name. @@ -1265,6 +1276,18 @@ failed or that the specified request could not be satisfied. .It 2 Invalid command line options or arguments were specified. .El +.Sh DIAGNOSTICS +.Bl -diag +.It dtrace: could not enable tracing: Permission denied +This can happen when +.Nm +fails to enable destructive actions because +.Va security.bsd.allow_destructive_dtrace +is set to +.Ql 0 +in +.Xr loader.conf 5 . +.El .Sh SEE ALSO .Xr cpp 1 , .Xr dwatch 1 ,
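Review bot: In the hunk at @@ -537 (the destructive-actions option text), the added sentence "to disallow the possibility of enabling destructive actions system-wide at any point at all" is wordy, and "at any point at all" leaves the reader guessing whether the setting can be changed after boot. Suggest shortening it to "to disallow destructive actions system-wide" and adding one sentence that states the tunable's default value and whether it can be altered at run time, since an administrator relying on this as a hardening control needs both facts. The last sentence ("exit with a runtime error") would also be more useful if it pointed at the exact message, for example with `.Sx DIAGNOSTICS`, which this same patch introduces.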
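Review bot: In the hunk at @@ -1265 (the new DIAGNOSTICS section), the cause is described as the variable being set to 0 "in .Xr loader.conf 5", while the option text added earlier in this patch calls it a ".Xr loader 8 tunable"; the two descriptions should agree so the reader knows where to look when the error appears. "This can happen when" also implies other causes of "Permission denied" without naming any, so consider wording it as one possible cause and mentioning that it applies when a D program with destructive actions is enabled, with a reference back to the option text. Finally, the patch adds .Xr references to loader(8) and loader.conf(5) but has no hunk touching SEE ALSO; add them there if they are not already listed.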