Date: Mon, 11 Apr 2022 22:26:14 GMT
Message-Id: <202204112226.23BMQEid031459@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Daniel Ebdrup Jensen
Subject: git: c8b6be0f7d1b - main - protect.1: document existence of _oomprotect
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by debdrup (doc committer):

URL:
https://cgit.FreeBSD.org/src/commit/?id=c8b6be0f7d1b92d11b279761685f61f6702700a1 commit c8b6be0f7d1b92d11b279761685f61f6702700a1 Author: Adam Wolk AuthorDate: 2022-04-11 22:23:43 +0000 Commit: Daniel Ebdrup Jensen CommitDate: 2022-04-11 22:23:43 +0000 protect.1: document existence of _oomprotect Improve discoverability of the functionality by mentioning in the userland tool manual. Add a SEE ALSO entry to rc.conf(5) where more details are provided. Sponsored by: Fudo Security (a.wolk) Differential Revision: https://reviews.freebsd.org/D30334 --- usr.bin/protect/protect.1 | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/usr.bin/protect/protect.1 b/usr.bin/protect/protect.1 index b9be4afe04b8..d27a8898dad5 100644 --- a/usr.bin/protect/protect.1 +++ b/usr.bin/protect/protect.1 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 19, 2013 +.Dd May 18, 2021 .Dt PROTECT 1 .Os .Sh NAME @@ -68,6 +68,11 @@ Note that only one of the or .Fl g flags may be specified when adjusting the state of existing processes. +.Pp +Daemons can be protected on startup using +.Ao Ar name Ac Ns Va _oomprotect +option from +.Xr rc.conf 5 . .Sh EXIT STATUS .Ex -std .Sh EXAMPLES 
@@ -82,8 +87,31 @@ Protect all ssh sessions and their child processes: Remove protection from all current and future processes: .Pp .Dl "protect -cdi -p 1" +.Pp +Using +.Xr ps 1 +to check if the protect flag has been applied to the process: +.Pp +.Dl "ps -O flags,flags2 -p 64430" +.Pp +.Dl " PID F F2 TT STAT TIME COMMAND" +.Dl "64430 10104002 00000001 5 S+ 0:00.00 ./main" +.Dl " ^P ^PI" +.Pp +In the above example +.Nm P +points at the protected flag and +.Nm PI +points at the iheritance flag. +The process is protected if +.Nm P +bit is set to 1. All children of this process will also be protected if +.Nm PI +bit is set to 1. .Sh SEE ALSO -.Xr procctl 2 +.Xr ps 1 , +.Xr procctl 2 , +.Xr rc.conf 5 .Sh BUGS If you protect a runaway process that allocates all memory the system will deadlock.
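
Review bot: The .Dd line in the first hunk (@@ -25,7 +25,7 @@) is set to "May 18, 2021", while AuthorDate and CommitDate are both 2022-04-11. The document date is meant to reflect when the content last changed, so it should be bumped to the date the change lands rather than the date the review was opened.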
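
Review bot: In the second hunk (@@ -68,6 +68,11 @@) the new sentence is missing an article and calls the setting an "option" although it is marked up with .Va. Suggest "Daemons can be protected on startup using the <name>_oomprotect variable from rc.conf(5)", keeping the existing .Ao/.Ac/.Va/.Xr macros. A reader who arrives here looking for OOM protection still has to open rc.conf(5) to learn what to assign, so one clause saying what the variable takes would make the paragraph self-sufficient.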
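
Review bot: The added EXAMPLES text in the third hunk (@@ -82,8 +87,31 @@) has a typo, "iheritance" for "inheritance", and uses .Nm for the P and PI markers; .Nm is the macro for the utility's own name, so these should be .Ql or .Dq instead. "The process is protected if P bit is set" needs "the" before the marker in both sentences, and "bit is set to 1. All children" starts a new sentence mid-line, which mdoc style wants on its own line. The explanation also depends on the caret row lining up under single hex digits of one sample flags value: stating which bit of flags and of flags2 is meant would let an administrator verify protection on a process whose other flag bits differ, and a .Bd -literal block would keep the column alignment more reliably than consecutive .Dl lines.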