git: a8af3aee4b45 - main - src.conf.5: regen after RELRO knob addition

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Wed, 22 Jun 2022 16:21:46 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=a8af3aee4b45c619f4638789af518d068d5de682

commit a8af3aee4b45c619f4638789af518d068d5de682
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-06-22 16:21:31 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-06-22 16:21:31 +0000

    src.conf.5: regen after RELRO knob addition
---
 share/man/man5/src.conf.5 | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5
index fec3a7ab6069..f1ca36e5597d 100644
--- a/share/man/man5/src.conf.5
+++ b/share/man/man5/src.conf.5
@@ -1,6 +1,6 @@
 .\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman.
 .\" $FreeBSD$
-.Dd June 8, 2022
+.Dd June 22, 2022
 .Dt SRC.CONF 5
 .Os
 .Sh NAME
@@ -196,6 +196,13 @@ Build all binaries with the
 .Dv DF_BIND_NOW
 flag set to indicate that the run-time loader should perform all relocation
 processing at process startup rather than on demand.
+The combination of the
+.Va BIND_NOW
+and
+.Va RELRO
+options provide "full" Relocation Read-Only (RELRO) support.
+With full RELRO the entire GOT is made read-only after performing relocation at
+startup, avoiding GOT overwrite attacks.
 .It Va WITHOUT_BLACKLIST
 Set this if you do not want to build
 .Xr blacklistd 8
@@ -651,8 +658,8 @@ Avoid installing examples to
 Include experimental features in the build.
 .It Va WITH_EXTRA_TCP_STACKS
 Build extra TCP stack modules.
-.It Va WITHOUT_FDT
-Do not build Flattened Device Tree support as part of the base system.
+.It Va WITH_FDT
+Build Flattened Device Tree support as part of the base system.
 This includes the device tree compiler (dtc) and libfdt support library.
 .It Va WITHOUT_FILE
 Do not build
@@ -1416,6 +1423,11 @@ by proxy.
 .It Va WITHOUT_RBOOTD
 Do not build or install
 .Xr rbootd 8 .
+.It Va WITHOUT_RELRO
+Do not apply the Relocation Read-Only (RELRO) vulnerability mitigation.
+See also the
+.Va BIND_NOW
+option.
 .It Va WITH_REPRODUCIBLE_BUILD
 Exclude build metadata (such as the build time, user, or host)
 from the kernel, boot loaders, and uname output, so that builds produce