svn commit: r306366 - head/lib/libc/sys
Konstantin Belousov
kib at FreeBSD.org
Tue Sep 27 11:31:55 UTC 2016
Author: kib
Date: Tue Sep 27 11:31:53 2016
New Revision: 306366
URL: https://svnweb.freebsd.org/changeset/base/306366
Log:
Editing fixes for r306257, documentation for trapcap.
Suggested by: wblock
Discussed with: jilles
Reviewed by: cem (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D8023
Modified:
head/lib/libc/sys/cap_enter.2
head/lib/libc/sys/procctl.2
Modified: head/lib/libc/sys/cap_enter.2
==============================================================================
--- head/lib/libc/sys/cap_enter.2 Tue Sep 27 10:26:39 2016 (r306365)
+++ head/lib/libc/sys/cap_enter.2 Tue Sep 27 11:31:53 2016 (r306366)
@@ -28,7 +28,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd September 22, 2016
+.Dd September 27, 2016
.Dt CAP_ENTER 2
.Os
.Sh NAME
@@ -72,15 +72,15 @@ sandbox.
.Sh RUN-TIME SETTINGS
If the
.Dv kern.trap_enocap
-sysctl MIB is set to non-zero value, then for any process executing in a
+sysctl MIB is set to a non-zero value, then for any process executing in a
capability mode sandbox, any syscall which results in either
.Er ENOTCAPABLE
or
.Er ECAPMODE
-error, also generates the synchronous
+error also generates the synchronous
.Dv SIGTRAP
signal to the thread on the syscall return.
-On the signal delivery, the
+On signal delivery, the
.Va si_errno
member of the
.Fa siginfo
Modified: head/lib/libc/sys/procctl.2
==============================================================================
--- head/lib/libc/sys/procctl.2 Tue Sep 27 10:26:39 2016 (r306365)
+++ head/lib/libc/sys/procctl.2 Tue Sep 27 11:31:53 2016 (r306366)
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd September 22, 2016
+.Dd September 27, 2016
.Dt PROCCTL 2
.Os
.Sh NAME
@@ -328,14 +328,17 @@ If a debugger is attached,
.Fa data
is set to the pid of the debugger process.
.It Dv PROC_TRAPCAP_CTL
-Enable or disable, for the specified processes which are executing in a
-capability mode sandbox, the synchronous
-.Dv SIGTRAP
-signal on return from any syscall which gives either
+Controls the capability mode sandbox actions for the specified
+sandboxed processes,
+on a return from any syscall which gives either a
.Er ENOTCAPABLE
or
.Er ECAPMODE
error.
+If the control is enabled, such errors from the syscalls cause
+delivery of the synchronous
+.Dv SIGTRAP
+signal to the thread immediately before returning from the syscalls.
.Pp
Possible values for the
.Fa data
@@ -353,7 +356,8 @@ calls.
Disable the signal delivery on capability mode access violations.
Note that the global sysctl
.Dv kern.trap_enocap
-might still cause the signal to be delivered; see
+might still cause the signal to be delivered.
+See
.Xr capsicum 4 .
.El
.Pp
@@ -371,7 +375,7 @@ See
.Xr capsicum 4
for more information about the capability mode.
.It Dv PROC_TRAPCAP_STATUS
-Returns the current status of signalling capability mode access
+Return the current status of signalling capability mode access
violations for the specified process.
The integer value pointed to by the
.Fa data
More information about the svn-src-head
mailing list