Diffstat (limited to 'static/netbsd/man9/secmodel_extensions.9 3.html')
-rw-r--r-- static/netbsd/man9/secmodel_extensions.9 3.html 103
1 files changed, 0 insertions, 103 deletions
diff --git a/static/netbsd/man9/secmodel_extensions.9 3.html b/static/netbsd/man9/secmodel_extensions.9 3.html
deleted file mode 100644
index e5aa5184..00000000
--- a/static/netbsd/man9/secmodel_extensions.9 3.html
+++ /dev/null
@@ -1,103 +0,0 @@
-<table class="head">
- <tr>
- <td class="head-ltitle">SECMODEL_EXTENSIONS(9)</td>
- <td class="head-vol">Kernel Developer's Manual</td>
- <td class="head-rtitle">SECMODEL_EXTENSIONS(9)</td>
- </tr>
-</table>
-<div class="manual-text">
-<section class="Sh">
-<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
-<p class="Pp"><code class="Nm">secmodel_extensions</code> &#x2014;
- <span class="Nd">extensions security model</span></p>
-</section>
-<section class="Sh">
-<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
-<p class="Pp"><code class="Nm">secmodel_extensions</code> implements extensions
- to the traditional security model based on the original
- <span class="Ux">4.4BSD</span>. They can be used to grant additional
- privileges to ordinary users, or enable specific security measures like
- curtain mode.</p>
-<p class="Pp">The extensions are described below.</p>
-</section>
-<section class="Sh">
-<h1 class="Sh" id="Curtain_mode"><a class="permalink" href="#Curtain_mode">Curtain
- mode</a></h1>
-<p class="Pp">When enabled, all returned objects will be filtered according to
- the user-id requesting information about them, preventing users from
- accessing objects they do not own.</p>
-<p class="Pp">It affects the output of many commands, including
- <a class="Xr">fstat(1)</a>, <a class="Xr">netstat(1)</a>,
- <a class="Xr">ps(1)</a>, <a class="Xr">sockstat(1)</a>, and
- <a class="Xr">w(1)</a>.</p>
-<p class="Pp">This extension is enabled by setting
- <span class="Pa">security.models.extensions.curtain</span> or
- <span class="Pa">security.curtain</span> <a class="Xr">sysctl(7)</a> to a
- non-zero value.</p>
-<p class="Pp">It can be enabled at any time, but cannot be disabled anymore when
- the <i class="Em">securelevel</i> of the system is above 0.</p>
-</section>
-<section class="Sh">
-<h1 class="Sh" id="Non-superuser_mounts"><a class="permalink" href="#Non-superuser_mounts">Non-superuser
- mounts</a></h1>
-<p class="Pp">When enabled, it allows file-systems to be mounted by an ordinary
- user who owns the point <var class="Ar">node</var> and has at least read
- access to the <var class="Ar">special</var> device
- <a class="Xr">mount(8)</a> arguments. Note that the
- <code class="Cm">nosuid</code> and <code class="Cm">nodev</code> flags must
- be given for non-superuser mounts.</p>
-<p class="Pp">This extension is enabled by setting
- <span class="Pa">security.models.extensions.usermount</span> or
- <span class="Pa">vfs.generic.usermount</span> <a class="Xr">sysctl(7)</a> to
- a non-zero value.</p>
-<p class="Pp">It can be disabled at any time, but cannot be enabled anymore when
- the <i class="Em">securelevel</i> of the system is above 0.</p>
-</section>
-<section class="Sh">
-<h1 class="Sh" id="Non-superuser_control_of_CPU_sets"><a class="permalink" href="#Non-superuser_control_of_CPU_sets">Non-superuser
- control of CPU sets</a></h1>
-<p class="Pp">When enabled, an ordinary user is allowed to control the CPU
- <a class="Xr">affinity(3)</a> of the processes and threads they own.</p>
-<p class="Pp">This extension is enabled by setting
- <span class="Pa">security.models.extensions.user_set_cpu_affinity</span>
- <a class="Xr">sysctl(7)</a> to a non-zero value.</p>
-<p class="Pp">It can be disabled at any time, but cannot be enabled anymore when
- the <i class="Em">securelevel</i> of the system is above 0.</p>
-</section>
-<section class="Sh">
-<h1 class="Sh" id="Hardlink_restrictions"><a class="permalink" href="#Hardlink_restrictions">Hardlink
- restrictions</a></h1>
-<p class="Pp">Prevent hardlinks to files that the user does not own or has group
- access to.</p>
-<p class="Pp">To enable user ownership checks, set the
- <a class="Xr">sysctl(7)</a> variable
- <span class="Pa">security.models.extensions.hardlink_check_uid</span> to a
- non-zero value.</p>
-<p class="Pp">To enable group membership checks, set the
- <a class="Xr">sysctl(7)</a> variable
- <span class="Pa">security.models.extensions.hardlink_check_gid</span> to a
- non-zero value.</p>
-<p class="Pp">These variables can be enabled anytime, but cannot be disabled
- anymore when the <i class="Em">securelevel</i> of the system is above 0.</p>
-</section>
-<section class="Sh">
-<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
- ALSO</a></h1>
-<p class="Pp"><a class="Xr">affinity(3)</a>, <a class="Xr">sched(3)</a>,
- <a class="Xr">sysctl(7)</a>, <a class="Xr">kauth(9)</a>,
- <a class="Xr">secmodel(9)</a>, <a class="Xr">secmodel_bsd44(9)</a>,
- <a class="Xr">secmodel_securelevel(9)</a>,
- <a class="Xr">secmodel_suser(9)</a></p>
-</section>
-<section class="Sh">
-<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
-<p class="Pp"><span class="An">Elad Efrat</span>
- &lt;<a class="Mt" href="mailto:elad@NetBSD.org">elad@NetBSD.org</a>&gt;</p>
-</section>
-</div>
-<table class="foot">
- <tr>
- <td class="foot-date">March 27, 2022</td>
- <td class="foot-os">NetBSD 10.1</td>
- </tr>
-</table>
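Review bot: nothing in this diff shows that a copy of this page without the " 3" suffix remains under static/netbsd/man9/, so please confirm that before all 103 lines go at `@@ -1,103 +0,0 @@`. The file name "secmodel_extensions.9 3.html" looks like a stray duplicate (that reading is an inference from the name alone), and if the un-suffixed page is missing, this removes the only rendered documentation of the securelevel rules for the curtain, usermount, user_set_cpu_affinity and hardlink_check_uid/hardlink_check_gid sysctls. It would also help to say in the commit message that this is duplicate cleanup, and to check whether other files with a space-and-number suffix exist in the same directory so they can be removed in the same change.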