Date: Mon, 11 Apr 2022 01:19:59 GMT
Message-Id: <202204110119.23B1Jxpj018214@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Enji Cooper
Subject: git: 674f15c3d5fa - stable/12 - cap_enter(2): fix CAVEATS section
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: ngie
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 674f15c3d5fa2c7905478e6f02b072ccbf3aba47

The branch stable/12 has been updated by ngie:

URL: https://cgit.FreeBSD.org/src/commit/?id=674f15c3d5fa2c7905478e6f02b072ccbf3aba47

commit
674f15c3d5fa2c7905478e6f02b072ccbf3aba47 Author: Enji Cooper AuthorDate: 2020-12-11 00:26:49 +0000 Commit: Enji Cooper CommitDate: 2022-04-11 01:19:50 +0000 cap_enter(2): fix CAVEATS section The CAVEATS section was misspelled as "CAVEAT" before this change. Fix the spelling to identify issues related to the section. Furthermore, given that the section order was incorrect, move the CAVEATS section down to the bottom of the manpage, per the conventional section order. MFC after: 1 week Reported by: make manlint Sponsored by: DellEMC Isilon (cherry picked from commit 20daf0ca6ea8ac82fa3a88f1d5e68507773c9644) --- lib/libc/sys/cap_enter.2 | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/lib/libc/sys/cap_enter.2 b/lib/libc/sys/cap_enter.2 index 7051a96266b9..428e0b0bcd09 100644 --- a/lib/libc/sys/cap_enter.2 +++ b/lib/libc/sys/cap_enter.2 @@ -97,19 +97,6 @@ and operations of the .Xr procctl 2 function for similar per-process functionality. -.Sh CAVEAT -Creating effective process sandboxes is a tricky process that involves -identifying the least possible rights required by the process and then -passing those rights into the process in a safe manner. -Consumers of -.Fn cap_enter -should also be aware of other inherited rights, such as access to VM -resources, memory contents, and other process properties that should be -considered. -It is advisable to use -.Xr fexecve 2 -to create a runtime environment inside the sandbox that has as few implicitly -acquired rights as possible. .Sh RETURN VALUES .Rv -std cap_enter cap_getmode .Pp 
@@ -162,3 +149,16 @@ These functions and the capability facility were created by .An "Robert N. M. Watson" at the University of Cambridge Computer Laboratory with support from a grant from Google, Inc. +.Sh CAVEATS +Creating effective process sandboxes is a tricky process that involves +identifying the least possible rights required by the process and then +passing those rights into the process in a safe manner. +Consumers of +.Fn cap_enter +should also be aware of other inherited rights, such as access to VM +resources, memory contents, and other process properties that should be +considered. +It is advisable to use +.Xr fexecve 2 +to create a runtime environment inside the sandbox that has as few implicitly +acquired rights as possible.
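
Review bot: In the first hunk (@@ -97,19 +97,6 @@), removing the section from just above RETURN VALUES leaves the body of the page with no pointer to the inherited-rights warning, which the second hunk places after the AUTHORS text at the very end of the file. A reader who stops at RETURN VALUES or ERRORS will no longer see the advice about VM resources, memory contents and fexecve(2). Consider leaving a one-line cross-reference where the section used to be, for example a sentence ending in ".Sx CAVEATS", so the sandboxing guidance stays discoverable from the paragraph that mentions procctl(2).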
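
Review bot: In the second hunk (@@ -162,3 +149,16 @@), the re-added text is carried over verbatim and keeps two wording problems that are worth fixing while the section is being touched: the first sentence uses "process" in two senses ("a tricky process that involves identifying the least possible rights required by the process"), and the second ends with the circular "other process properties that should be considered". Suggest something like "Creating an effective sandbox is difficult: it requires identifying the minimum rights the process needs" and naming what the consumer should do about the inherited properties. Also, neither hunk touches the .Dd line (the diffstat's 13 insertions and 13 deletions are all accounted for by the move), so if the section move counts as a content change for this page, the date should be bumped in the same commit.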