| author | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 15:32:58 -0400 |
|---|---|---|
| committer | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 15:32:58 -0400 |
| commit | 5cb84ec742fd33f78c8022863fadaa8d0d93e176 (patch) | |
| tree | 1a81ca3665e6153923e40db7b0d988f8573ab59c /static/netbsd/man7/security.7 | |
| parent | a59214f344567c037d5776879bcfc5fcc1d4d5f6 (diff) | |
feat: Added NetBSD man pages
Diffstat (limited to 'static/netbsd/man7/security.7')
| -rw-r--r-- | static/netbsd/man7/security.7 | 510 |
1 files changed, 510 insertions, 0 deletions
diff --git a/static/netbsd/man7/security.7 b/static/netbsd/man7/security.7 new file mode 100644 index 00000000..1593de2e --- /dev/null +++ b/static/netbsd/man7/security.7 
@@ -0,0 +1,510 @@ +.\" $NetBSD: security.7,v 1.18 2024/10/31 01:13:19 gutteridge Exp $ +.\" +.\" Copyright (c) 2006, 2011 Elad Efrat <elad@NetBSD.org> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd October 31, 2024 +.Dt SECURITY 7 +.Os +.Sh NAME +.Nm security +.Nd +.Nx +security features +.Sh DESCRIPTION +.Nx +supports a variety of security features. +Below is a brief description of them with some quick usage examples +that will help you get started. 
+.Pp +Contents: +.Pp +.Bl -hyphen -compact -offset indent +.It +Veriexec +.Pq file integrity +.It +Exploit mitigation +.It +Per-user +.Pa /tmp +directory +.It +Information filtering +.It +Administrative security +.El +.Pp +See also +.Xr entropy 7 . +.Ss Veriexec +.Em Veriexec +is a file integrity subsystem. +.Pp +For more information about it, and a quick guide on how to use it, please see +.Xr veriexec 8 . +.Pp +In a nutshell, once enabled, +.Em Veriexec +can be started as follows: +.Bd -literal -offset indent +# veriexecgen && veriexecctl load +.Ed +.Ss Exploit mitigation +.Nx +incorporates some exploit mitigation features. +The purpose of exploit mitigation features is to interfere +with the way exploits work, in order to prevent them from succeeding. +Due to that, some features may have other impacts on the system, so be sure to +fully understand the implications of each feature. +.Pp +.Nx +provides the following exploit mitigation features: +.Pp +.Bl -hyphen -compact -offset indent +.It +.Tn PaX ASLR +.Pq Address Space Layout Randomization . +.It +.Tn PaX MPROTECT +.Xr ( mprotect 2 +restrictions) +.It +.Tn PaX SegvGuard +.It +.Xr gcc 1 +stack-smashing protection +.Pq Tn SSP +.It +bounds checked libc functions +.Pq Tn FORTIFY_SOURCE +.It +Protections against +.Dv NULL +pointer dereferences +.El +.Ss PaX ASLR +.Em PaX ASLR +implements Address Space Layout Randomization +.Pq Tn ASLR , +meant to complement non-executable mappings. +Its purpose is to harden prediction of the address space layout, namely +location of library and application functions that can be used by an attacker +to circumvent non-executable mappings by using a technique called +.Dq return to library +to bypass the need to write new code to (potentially executable) regions of +memory. +.Pp +When +.Em PaX ASLR +is used, it is more likely the attacker will fail to predict the addresses of +such functions, causing the application to segfault. 
+To detect cases where an attacker might try and brute-force the return address +of respawning services, +.Em PaX Segvguard +can be used (see below). +.Pp +For non-PIE +.Pq Position Independent Executable +executables, the +.Nx +.Em PaX ASLR +implementation introduces randomization to the following memory regions: +.Pp +.Bl -enum -compact -offset indent +.It +The stack +.El +.Pp +For +.Tn PIE +executables: +.Pp +.Bl -enum -compact -offset indent +.It +The program itself (exec base) +.It +All shared libraries +.It +The data segment +.It +The stack +.El +.Pp +While it can be enabled globally, +.Nx +provides a tool, +.Xr paxctl 8 , +to enable +.Em PaX ASLR +on a per-program basis. +.Pp +Example usage: +.Bd -literal -offset indent +# paxctl +A /usr/sbin/sshd +.Ed +.Pp +Enabling +.Em PaX ASLR +globally: +.Bd -literal -offset indent +# sysctl -w security.pax.aslr.global=1 +.Ed +.Ss PaX MPROTECT +.Em PaX MPROTECT +implements memory protection restrictions, +meant to complement non-executable mappings. +The purpose is to prevent situations where malicious code attempts to mark +writable memory regions as executable, often by trashing arguments to an +.Xr mprotect 2 +call. +.Pp +While it can be enabled globally, +.Nx +provides a tool, +.Xr paxctl 8 , +to enable +.Em PaX MPROTECT +on a per-program basis. +.Pp +Example usage: +.Bd -literal -offset indent +# paxctl +M /usr/sbin/sshd +.Ed +.Pp +Enabling +.Em PaX MPROTECT +globally: +.Bd -literal -offset indent +# sysctl -w security.pax.mprotect.global=1 +.Ed +.Pp +PaX MPROTECT affects the following three uses: +.Bl -bullet -offset indent +.It +Processes that utilize code generation (such as the JVM) might need to have +MPROTECT disabled. +.It +Miscompiled programs that have text relocations, will now core dump instead +of having their relocations corrected. +You will need to fix those programs (recompile them properly). 
+.It +Debugger breakpoints: +.Xr gdb 1 +needs to be able to write to the text segment in order to insert and +delete breakpoints. +This will not work unless MPROTECT is disabled on the executable. +.El +.Ss PaX Segvguard +.Em PaX Segvguard +monitors the number of segmentation faults in a program on a per-user basis, +in an attempt to detect on-going exploitation attempts and possibly prevent +them. +For instance, +.Em PaX Segvguard +can help detect when an attacker tries to brute-force a function +return address, when attempting to perform a return-to-lib attack. +.Pp +.Em PaX Segvguard +consumes kernel memory, so use it wisely. +While it provides rate-limiting protections, records are tracked for all +users on a per-program basis, meaning that irresponsible use may result in +tracking all segmentation faults in the system, possibly consuming all kernel +memory. +.Pp +For this reason, it is highly recommended to have +.Em PaX Segvguard +enabled explicitly only for network services or +other processes deemed as critical to system security. +Enabling +.Em PaX Segvguard +explicitly works like this: +.Bd -literal -offset indent +# paxctl +G /usr/sbin/sshd +.Ed +.Pp +However, a global knob is still provided, for use in strict environments +with no local users (for example, some network appliances, embedded devices, +and firewalls) +.Bd -literal -offset indent +# sysctl -w security.pax.segvguard.global=1 +.Ed +.Pp +Explicitly disabling +.Em PaX Segvguard +is also possible: +.Bd -literal -offset indent +# paxctl +g /bin/ls +.Ed +.Pp +In addition, +.Em PaX Segvguard +provides several tunable options. +For example, to limit a program to 5 segmentation faults from the same user in +a 60 second timeframe: +.Bd -literal -offset indent +# sysctl -w security.pax.segvguard.max_crashes=5 +# sysctl -w security.pax.segvguard.expiry_timeout=60 +.Ed +.Pp +The number of seconds a user will be suspended from running the culprit +program is also configurable. 
+For example, 10 minutes seem like a sane setting: +.Bd -literal -offset indent +# sysctl -w security.pax.segvguard.suspend_timeout=600 +.Ed +.Ss GCC Stack Smashing Protection ( SSP ) +As of +.Nx 4.0 , +.Xr gcc 1 +includes +.Em SSP , +a set of compiler extensions to raise the bar on exploitation attempts by +detecting corruption of variables and buffer overruns, which may be used to +affect program control flow. +.Pp +Upon detection of a buffer overrun, +.Em SSP +will immediately abort execution of the program and send a log message +to +.Xr syslog 3 . +.Pp +The system (userland and kernel) can be built with +.Em SSP +by using the +.Dq USE_SSP +flag in +.Pa /etc/mk.conf : +.Bd -literal -offset indent +USE_SSP=yes +.Ed +.Pp +You are encouraged to use +.Em SSP +for software you build, by providing one of the +.Fl fstack-protector +or +.Fl fstack-protector-all +flags to +.Xr gcc 1 . +Keep in mind, however, that +.Em SSP +will not work for functions that make use of +.Xr alloca 3 , +as the latter modifies the stack size during run-time, while +.Em SSP +relies on it being a compile-time static. +.Pp +Use of +.Em SSP +is especially encouraged on platforms without per-page execute bit granularity +such as i386. +As of +.Nx 6.0 , +.Em SSP +is used by default on i386 and amd64 architectures. +.Ss FORTIFY_SOURCE +The so-called +.Em FORTIFY_SOURCE +is a relatively simple technique to detect a subset of buffer overflows +before these can do damage. +It is integrated to +.Xr gcc 1 +together with some common memory and string functions in the standard +C library of +.Nx . +.Pp +The underlying idea builds on the observation that there are cases where +the compiler knows the size of a buffer. +If a buffer overflow is suspected in a function that does little or no +bounds checking, either a compile time warning can be issued or a +safer substitute function can be used at runtime. +Refer to +.Xr ssp 3 +for additional details. 
+.Pp +The +.Em FORTIFY_SOURCE +is enabled by default in some parts of the +.Nx +source tree. +It is also possible to explicitly enable it by defining +the following in +.Xr mk.conf 5 : +.Bd -literal -offset indent +USE_FORT=yes +.Ed +.Ss Protections against NULL pointer dereferences +A certain class of attacks rely on kernel bugs that dereference +.Dv NULL +pointers. +If user processes are allowed to map the virtual address 0 with +.Xr mmap 2 +or by other means, there is a risk that code or data +can be injected into the kernel address space. +.Pp +In +.Nx +it is possible to restrict whether user processes are +allowed to make mappings at the zero address. +By default, address 0 mappings are restricted on all architectures. +It is however known that some third-party programs +may not function properly with the restriction. +Such mappings can be allowed either by using the +.Dv USER_VA0_DISABLE_DEFAULT +kernel configuration option or by changing the following variable at runtime: +.Bd -literal -offset indent +# sysctl -w vm.user_va0_disable=0 +.Ed +.Pp +Note that if +.Em securelevel +(see +.Xr secmodel_securelevel 9 ) +is greater than zero, it is not possible to change the +.Xr sysctl 8 +variable. +.Ss Per-user temporary storage +It is possible to configure per-user temporary storage to avoid potential +security issues (race conditions, etc.) in programs that do not make secure +usage of +.Pa /tmp . +.Pp +To enable per-user temporary storage, add the following line to +.Xr rc.conf 5 : +.Bd -literal -offset indent +per_user_tmp=YES +.Ed +.Pp +If +.Pa /tmp +is a mount point, you will also need to update its +.Xr fstab 5 +entry to use +.Dq /private/tmp +(or whatever directory you want, if you override the default using the +.Dq per_user_tmp_dir +.Xr rc.conf 5 +keyword) instead of +.Dq /tmp . +.Pp +Following that, run: +.Bd -literal -offset indent +# /etc/rc.d/perusertmp start +.Ed +.Pp +The per-user temporary storage is implemented by using +.Dq magic symlinks . 
+These are further described in +.Xr symlink 7 . +.Pp +Note that some programs will not work correctly with the present +.Dq magic symlinks +implementation, if they invoke +.Xr realpath 3 +on temporary file paths, for example +.Xr tmux 1 . +In this case, resolution will fail, so this feature is not suited for +all uses. +.Ss Information filtering +.Nx +provides administrators the ability to restrict information passed from +the kernel to userland so that users can only view information they +.Dq own . +.Pp +The hooks that manage this restriction are located in various parts of the +system and affect programs such as +.Xr ps 1 , +.Xr fstat 1 , +and +.Xr netstat 1 . +Information filtering is enabled as follows: +.Bd -literal -offset indent +# sysctl -w security.curtain=1 +.Ed +.Ss Administrative security +Also certain administrative tasks are related to security. +For instance, the daily maintenance script includes some basic +consistency checks; see +.Xr security.conf 5 +for more details. +In particular, it is possible to configure +.Nx +to automatically audit all third-party packages installed via +.Xr pkgsrc 7 . 
+To audit for any known vulnerabilities on daily basis, set the following in +.Pa /etc/daily.conf : +.Bd -literal -offset indent +fetch_pkg_vulnerabilities=YES +.Ed +.Sh SEE ALSO +.Xr ssp 3 , +.Xr options 4 , +.Xr entropy 7 , +.Xr paxctl 8 , +.Xr sysctl 8 , +.Xr veriexec 8 , +.Xr kauth 9 +.\" +.Rs +.%A Joseph Kong +.%B "Designing BSD Rootkits: An Introduction to Kernel Hacking" +.%D 2007 +.%I "No Starch Press" +.Re +.\" +.Rs +.%A Enrico Perla +.%A Massimiliano Oldani +.%B "A Guide to Kernel Exploitation: Attacking the Core" +.%D 2010 +.%I "Elsevier" +.Re +.\" +.Rs +.%A Erik Buchanan +.%A Ryan Roemer +.%A Hovav Shacham +.%A Stefan Savage +.%T "When Good Instructions Go Bad: \ +Generalizing Return-Oriented Programming to RISC" +.%P 27-38 +.%O CCS '08: Proceedings of the 15th ACM Conference \ +on Computer and Communications Security +.%I ACM Press +.%D October 27-31, 2008 +.%U http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf +.Re +.\" +.Rs +.%A Sebastian Krahmer +.%T "x86-64 Buffer Overflow Exploits and \ +the Borrowed Code Chunks Exploitation Technique" +.%D September 28, 2005 +.%U http://www.suse.de/~krahmer/no-nx.pdf +.Re +.Sh AUTHORS +Many of the security features were pioneered by +.An Elad Efrat Aq Mt elad@NetBSD.org . |
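Review bot: This hunk is a verbatim import of upstream NetBSD `security.7` at revision 1.18 (the `.\" $NetBSD: security.7,v 1.18 2024/10/31 01:13:19 gutteridge Exp $` tag and `.Dd October 31, 2024`), so please keep the RCS tag and the full BSD license block exactly as imported and make no local edits to the page body; that way the file can be refreshed from upstream by diffing against the tag. Two things worth reporting upstream rather than fixing here: the feature list spells the Segvguard entry `.Tn PaX SegvGuard` while the section heading and the later `.Em PaX Segvguard` references use a lowercase "g", and the `.Ss GCC Stack Smashing Protection ( SSP )` heading carries stray spaces inside the parentheses. It would also help reviewers if the commit message recorded the upstream revision being vendored, since "Added NetBSD man pages" gives no way to tell which version of the page this is without opening the file.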
