svn commit: r355613 - head/share/man/man7

[Ed Maste]

Author: emaste
Date: Wed Dec 11 16:43:54 2019
New Revision: 355613
URL: https://svnweb.freebsd.org/changeset/base/355613

Log:
  security.7: add caveat about interim sysctl paths from r355436
  
  r355436 moved mitigation sysctls to machdep.mitigations but did not
  rationalize the sense of the invidual knobs.  Clarify that the old
  names remain the canonical way to set these mitigations.
  
  Backwards compatibility will be maintained for the original names
  (e.g. hw.ibrs_disable), but not from the interim names
  (e.g. machdep.mitigations.ibrs.disable).
  
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/share/man/man7/security.7

Modified: head/share/man/man7/security.7
==============================================================================
--- head/share/man/man7/security.7	Wed Dec 11 16:09:57 2019	(r355612)
+++ head/share/man/man7/security.7	Wed Dec 11 16:43:54 2019	(r355613)
@@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 12, 2019
+.Dd December 11, 2019
 .Dt SECURITY 7
 .Os
 .Sh NAME
@@ -944,6 +944,17 @@ information access more restricted.
 Some people consider this as improving system security, so the knobs are
 briefly listed there, together with controls which enable some mitigations
 of the hardware state leaks.
+.Pp
+Hardware mitigation sysctl knobs described below have been moved under
+.Pa machdep.mitigations ,
+with backwards-compatibility shims to accept the existing names.
+A future change will rationalize the sense of the individual sysctls
+(so that enabled / true always indicates that the mitigation is active).
+For that reason the previous names remain the canonical way to set the
+mitigations, and are documented here.
+Backwards compatibility shims for the interim sysctls under
+.Pa machdep.mitigations
+will not be added.
 .Bl -tag -width security.bsd.unprivileged_proc_debug
 .It Dv security.bsd.see_other_uids
 Controls visibility of processes owned by different uid.