Editing fixes for r306257, documentation for trapcap.
Suggested by: wblock
Discussed with: jilles
Reviewed by: cem (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D8023
@@ -28,7 +28,7 @@
|
|||||||
.\"
|
.\"
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 22, 2016
|
.Dd September 27, 2016
|
||||||
.Dt CAP_ENTER 2
|
.Dt CAP_ENTER 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@@ -72,15 +72,15 @@ sandbox.
|
|||||||
.Sh RUN-TIME SETTINGS
|
.Sh RUN-TIME SETTINGS
|
||||||
If the
|
If the
|
||||||
.Dv kern.trap_enocap
|
.Dv kern.trap_enocap
|
||||||
sysctl MIB is set to non-zero value, then for any process executing in a
|
sysctl MIB is set to a non-zero value, then for any process executing in a
|
||||||
capability mode sandbox, any syscall which results in either
|
capability mode sandbox, any syscall which results in either
|
||||||
.Er ENOTCAPABLE
|
.Er ENOTCAPABLE
|
||||||
or
|
or
|
||||||
.Er ECAPMODE
|
.Er ECAPMODE
|
||||||
error, also generates the synchronous
|
error also generates the synchronous
|
||||||
.Dv SIGTRAP
|
.Dv SIGTRAP
|
||||||
signal to the thread on the syscall return.
|
signal to the thread on the syscall return.
|
||||||
On the signal delivery, the
|
On signal delivery, the
|
||||||
.Va si_errno
|
.Va si_errno
|
||||||
member of the
|
member of the
|
||||||
.Fa siginfo
|
.Fa siginfo
|
||||||
|
|||||||
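Review bot: The delivery timing in the reworded RUN-TIME SETTINGS paragraph ("signal to the thread on the syscall return") is phrased differently from the PROC_TRAPCAP_CTL text added in this same commit ("immediately before returning from the syscalls"). Since both pages describe the same SIGTRAP behaviour, pick one wording and use it in both places so readers do not infer two different delivery points. The same sentence also still lacks an article before the error names: "results in either an ENOTCAPABLE or ECAPMODE error" would read correctly.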
+11
-7
@@ -29,7 +29,7 @@
|
|||||||
.\"
|
.\"
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 22, 2016
|
.Dd September 27, 2016
|
||||||
.Dt PROCCTL 2
|
.Dt PROCCTL 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@@ -328,14 +328,17 @@ If a debugger is attached,
|
|||||||
.Fa data
|
.Fa data
|
||||||
is set to the pid of the debugger process.
|
is set to the pid of the debugger process.
|
||||||
.It Dv PROC_TRAPCAP_CTL
|
.It Dv PROC_TRAPCAP_CTL
|
||||||
Enable or disable, for the specified processes which are executing in a
|
Controls the capability mode sandbox actions for the specified
|
||||||
capability mode sandbox, the synchronous
|
sandboxed processes,
|
||||||
.Dv SIGTRAP
|
on a return from any syscall which gives either a
|
||||||
signal on return from any syscall which gives either
|
|
||||||
.Er ENOTCAPABLE
|
.Er ENOTCAPABLE
|
||||||
or
|
or
|
||||||
.Er ECAPMODE
|
.Er ECAPMODE
|
||||||
error.
|
error.
|
||||||
|
If the control is enabled, such errors from the syscalls cause
|
||||||
|
delivery of the synchronous
|
||||||
|
.Dv SIGTRAP
|
||||||
|
signal to the thread immediately before returning from the syscalls.
|
||||||
.Pp
|
.Pp
|
||||||
Possible values for the
|
Possible values for the
|
||||||
.Fa data
|
.Fa data
|
||||||
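Review bot: The new opening sentence of PROC_TRAPCAP_CTL, "Controls the capability mode sandbox actions for the specified sandboxed processes," no longer says what is being controlled; the removed text named the synchronous SIGTRAP up front, and the reader now has to reach the second sentence to learn it. Suggest keeping the signal in the first sentence, for example "Controls delivery of the synchronous SIGTRAP signal to the specified sandboxed processes on return from any syscall which gives either an ENOTCAPABLE or ECAPMODE error." That also fixes "either a" before ENOTCAPABLE, which should be "either an", and drops the comma after "processes", which separates the sentence from its qualifier.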
@@ -353,7 +356,8 @@ calls.
|
|||||||
Disable the signal delivery on capability mode access violations.
|
Disable the signal delivery on capability mode access violations.
|
||||||
Note that the global sysctl
|
Note that the global sysctl
|
||||||
.Dv kern.trap_enocap
|
.Dv kern.trap_enocap
|
||||||
might still cause the signal to be delivered; see
|
might still cause the signal to be delivered.
|
||||||
|
See
|
||||||
.Xr capsicum 4 .
|
.Xr capsicum 4 .
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
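Review bot: After splitting the sentence, the standalone "See capsicum 4." sends the reader to capsicum(4) for kern.trap_enocap, but the description of that sysctl edited in this commit is in the RUN-TIME SETTINGS section of CAP_ENTER 2. Either add ".Xr cap_enter 2" to this cross-reference or confirm that capsicum(4) documents the sysctl, so that someone who disabled the per-process control and still sees SIGTRAP can find the global setting that overrides it.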
@@ -371,7 +375,7 @@ See
|
|||||||
.Xr capsicum 4
|
.Xr capsicum 4
|
||||||
for more information about the capability mode.
|
for more information about the capability mode.
|
||||||
.It Dv PROC_TRAPCAP_STATUS
|
.It Dv PROC_TRAPCAP_STATUS
|
||||||
Returns the current status of signalling capability mode access
|
Return the current status of signalling capability mode access
|
||||||
violations for the specified process.
|
violations for the specified process.
|
||||||
The integer value pointed to by the
|
The integer value pointed to by the
|
||||||
.Fa data
|
.Fa data
|
||||||
|
|||||||
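Review bot: Changing "Returns" to "Return" here makes PROC_TRAPCAP_STATUS imperative, while the PROC_TRAPCAP_CTL entry rewritten earlier in this same file now begins with "Controls". Use one mood for the list item descriptions; if the imperative is the intended style, the PROC_TRAPCAP_CTL entry should start with "Control".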