Date: Thu, 21 Jul 2022 23:57:46 GMT
Message-Id: <202207212357.26LNvksC035107@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mateusz Piotrowski <0mp@FreeBSD.org>
Subject: git: 16a44c124272 - stable/13 - protect.1: document existence of _oomprotect
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: 0mp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 16a44c124272d3d42ca0821eca31cd79068da71b

The branch stable/13 has been updated by 0mp (doc, ports committer):

URL:
https://cgit.FreeBSD.org/src/commit/?id=16a44c124272d3d42ca0821eca31cd79068da71b commit 16a44c124272d3d42ca0821eca31cd79068da71b Author: Adam Wolk AuthorDate: 2022-04-11 22:23:43 +0000 Commit: Mateusz Piotrowski <0mp@FreeBSD.org> CommitDate: 2022-07-21 23:56:27 +0000 protect.1: document existence of _oomprotect Improve discoverability of the functionality by mentioning in the userland tool manual. Add a SEE ALSO entry to rc.conf(5) where more details are provided. Sponsored by: Fudo Security (a.wolk) Differential Revision: https://reviews.freebsd.org/D30334 (cherry picked from commit c8b6be0f7d1b92d11b279761685f61f6702700a1) --- usr.bin/protect/protect.1 | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/usr.bin/protect/protect.1 b/usr.bin/protect/protect.1 index b9be4afe04b8..d27a8898dad5 100644 --- a/usr.bin/protect/protect.1 +++ b/usr.bin/protect/protect.1 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 19, 2013 +.Dd May 18, 2021 .Dt PROTECT 1 .Os .Sh NAME @@ -68,6 +68,11 @@ Note that only one of the or .Fl g flags may be specified when adjusting the state of existing processes. +.Pp +Daemons can be protected on startup using +.Ao Ar name Ac Ns Va _oomprotect +option from +.Xr rc.conf 5 . .Sh EXIT STATUS .Ex -std .Sh EXAMPLES 
@@ -82,8 +87,31 @@ Protect all ssh sessions and their child processes: Remove protection from all current and future processes: .Pp .Dl "protect -cdi -p 1" +.Pp +Using +.Xr ps 1 +to check if the protect flag has been applied to the process: +.Pp +.Dl "ps -O flags,flags2 -p 64430" +.Pp +.Dl " PID F F2 TT STAT TIME COMMAND" +.Dl "64430 10104002 00000001 5 S+ 0:00.00 ./main" +.Dl " ^P ^PI" +.Pp +In the above example +.Nm P +points at the protected flag and +.Nm PI +points at the iheritance flag. +The process is protected if +.Nm P +bit is set to 1. All children of this process will also be protected if +.Nm PI +bit is set to 1. .Sh SEE ALSO -.Xr procctl 2 +.Xr ps 1 , +.Xr procctl 2 , +.Xr rc.conf 5 .Sh BUGS If you protect a runaway process that allocates all memory the system will deadlock.
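Review bot: in the first hunk (@@ -25,7 +25,7 @@), the new .Dd value "May 18, 2021" is older than the AuthorDate of 2022-04-11 shown in the commit header. .Dd should carry the date of the last content change to the page, so bump it to the date the change actually landed instead of the date the review was opened.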
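Review bot: in the second hunk (@@ -68,6 +68,11 @@), the new paragraph names the <name>_oomprotect variable but not what to set it to, and it sits far from the BUGS warning that a protected runaway process will deadlock the system. Since this makes protection easy to enable persistently for a daemon, either say that the accepted values are described in rc.conf(5) or list them, and point at BUGS from here. The sentence also needs an article: "using the ... option from".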
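Review bot: in the third hunk (@@ -82,8 +87,31 @@), "iheritance" should be "inheritance", and .Nm is used to mark up the P and PI labels although .Nm is the macro for the utility's own name; .Dq or .Ql fits better. The caret line under the ps output depends on column alignment inside .Dl and only says a "bit is set to 1", so a reader checking whether a process is exempt from the OOM killer cannot tell which bit of flags or flags2 is meant: state the column and the mask in the text. Also add the missing articles ("if the P bit", "if the PI bit") and start "All children ..." on its own line, as mdoc sources keep one sentence per line.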