author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2017-09-12 02:22:17 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2017-09-12 02:22:17 +0000 |
commit | 430bfcc0dc1762cfa322df3d8b50b72ed951619b (patch) | |
tree | 9ca9e222d099e5d64c1750962c6451191ab9b088 | |
parent | 233ec8fc888d117728fe67bd3c1736e381f72824 (diff) |
Update the documentation regarding /dev/mem and /dev/kmem;
Theo already clamped down on these devices last year.
Triggered by a question from Nan Xiao <xiaonan830818 at gmail dot com>.
OK deraadt@
-rw-r--r-- | lib/libc/gen/sysctl.3 | 6 |
-rw-r--r-- | share/man/man4/man4.alpha/mem.4 | 19 |
-rw-r--r-- | share/man/man4/man4.amd64/mem.4 | 13 |
-rw-r--r-- | share/man/man4/man4.hppa/mem.4 | 18 |
-rw-r--r-- | share/man/man4/man4.i386/mem.4 | 13 |
-rw-r--r-- | share/man/man4/man4.landisk/mem.4 | 13 |
-rw-r--r-- | share/man/man4/man4.loongson/mem.4 | 13 |
-rw-r--r-- | share/man/man4/man4.luna88k/mem.4 | 13 |
-rw-r--r-- | share/man/man4/man4.macppc/mem.4 | 17 |
-rw-r--r-- | share/man/man4/man4.socppc/mem.4 | 13 |
-rw-r--r-- | share/man/man4/man4.sparc64/mem.4 | 15 |
-rw-r--r-- | share/man/man7/securelevel.7 | 6 |
12 files changed, 101 insertions, 58 deletions
diff --git a/lib/libc/gen/sysctl.3 b/lib/libc/gen/sysctl.3 index 08095c62466..e021e73f443 100644 --- a/lib/libc/gen/sysctl.3 +++ b/lib/libc/gen/sysctl.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sysctl.3,v 1.282 2017/09/10 11:30:43 tom Exp $ +.\" $OpenBSD: sysctl.3,v 1.283 2017/09/12 02:22:15 schwarze Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: September 10 2017 $ +.Dd $Mdocdate: September 12 2017 $ .Dt SYSCTL 3 .Os .Sh NAME @@ -484,6 +484,8 @@ information. .Bl -tag -width "123456" .It Dv KERN_ALLOWKMEM Pq Va kern.allowkmem Allow userland processes access to +.Pa /dev/mem +and .Pa /dev/kmem . When running with a .Xr securelevel 7 diff --git a/share/man/man4/man4.alpha/mem.4 b/share/man/man4/man4.alpha/mem.4 index 44f6a954abe..44da0332831 100644 --- a/share/man/man4/man4.alpha/mem.4 +++ b/share/man/man4/man4.alpha/mem.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mem.4,v 1.4 2007/05/31 19:19:53 jmc Exp $ +.\" $OpenBSD: mem.4,v 1.5 2017/09/12 02:22:15 schwarze Exp $ .\" Copyright (c) 1992, 1993 .\" The Regents of the University of California. All rights reserved. .\" @@ -32,7 +32,7 @@ .\" .\" from: @(#)mem.4 8.1 (Berkeley) 6/5/93 .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 alpha .Os .Sh NAME 
@@ -56,15 +56,18 @@ Kernel virtual memory is accessed via the file in the same manner as .Pa /dev/mem . Only kernel virtual addresses that are currently mapped to memory are allowed. -.Sh ALPHA -On the -.Tn alpha , -physical memory may be discontiguous; +.Pp +On the alpha, physical memory may be discontiguous; kernel virtual memory begins at .Li 0xfffffc0000230000 . .Pp -Writeability of these devices is controlled by the system -.Xr securelevel 7 . +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width /dev/kmem -compact .It /dev/mem diff --git a/share/man/man4/man4.amd64/mem.4 b/share/man/man4/man4.amd64/mem.4 index bccd57a1f3d..3024dfe9082 100644 --- a/share/man/man4/man4.amd64/mem.4 +++ b/share/man/man4/man4.amd64/mem.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mem.4,v 1.3 2007/05/31 19:19:53 jmc Exp $ +.\" $OpenBSD: mem.4,v 1.4 2017/09/12 02:22:15 schwarze Exp $ .\" .\" Copyright (c) 1991 The Regents of the University of California. .\" All rights reserved. @@ -29,7 +29,7 @@ .\" .\" from: @(#)mem.4 5.3 (Berkeley) 5/2/91 .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 amd64 .Os .Sh NAME @@ -62,8 +62,13 @@ to The kernel virtual memory begins at address .Li 0xffffffff80000000 . .Pp -Writeability of these devices is controlled by the system -.Xr securelevel 7 . +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width Pa -compact .It Pa /dev/mem diff --git a/share/man/man4/man4.hppa/mem.4 b/share/man/man4/man4.hppa/mem.4 index 0cf0e902392..92710b05cf6 100644 --- a/share/man/man4/man4.hppa/mem.4 +++ b/share/man/man4/man4.hppa/mem.4 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: mem.4,v 1.2 2007/05/31 19:19:54 jmc Exp $ +.\" $OpenBSD: mem.4,v 1.3 2017/09/12 02:22:15 schwarze Exp $ .\" .\" Copyright (c) 2004, Miodrag Vallat. .\" @@ -23,7 +23,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 hppa .Os .Sh NAME @@ -50,13 +50,13 @@ Access to kernel virtual addresses not currently mapped to memory will fail. On hppa, the physical memory range is always contiguous and starts at address 0; kernel virtual memory begins at address 0 as well. .Pp -The writeability of the -.Pa /dev/mem -and -.Pa /dev/kmem -special files are controlled by the system -.Xr securelevel 7 , -in addition to the filesystem permissions. +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width /dev/kmem -compact .It Pa /dev/mem diff --git a/share/man/man4/man4.i386/mem.4 b/share/man/man4/man4.i386/mem.4 index 22e08f714f3..fee71ae1cc1 100644 --- a/share/man/man4/man4.i386/mem.4 +++ b/share/man/man4/man4.i386/mem.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mem.4,v 1.9 2007/05/31 19:19:55 jmc Exp $ +.\" $OpenBSD: mem.4,v 1.10 2017/09/12 02:22:15 schwarze Exp $ .\" .\" Copyright (c) 1991 The Regents of the University of California. .\" All rights reserved. @@ -29,7 +29,7 @@ .\" .\" from: @(#)mem.4 5.3 (Berkeley) 5/2/91 .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 i386 .Os .Sh NAME 
@@ -62,8 +62,13 @@ The per-process data size for the current process is long, and ends at virtual address .Li 0xfe000000 . .Pp -Writeability of these devices is controlled by the system -.Xr securelevel 7 . +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width Pa -compact .It Pa /dev/mem diff --git a/share/man/man4/man4.landisk/mem.4 b/share/man/man4/man4.landisk/mem.4 index 1bd4ffc89ac..084679aa1cb 100644 --- a/share/man/man4/man4.landisk/mem.4 +++ b/share/man/man4/man4.landisk/mem.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mem.4,v 1.2 2007/05/31 19:19:55 jmc Exp $ +.\" $OpenBSD: mem.4,v 1.3 2017/09/12 02:22:15 schwarze Exp $ .\" .\" Copyright (c) 1991 The Regents of the University of California. .\" All rights reserved. @@ -29,7 +29,7 @@ .\" .\" from: @(#)mem.4 5.3 (Berkeley) 5/2/91 .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 landisk .Os .Sh NAME @@ -57,8 +57,13 @@ On landisk, physical memory is contiguous. The kernel virtual memory begins at address .Li 0xc0000000 . .Pp -Writeability of these devices is controlled by the system -.Xr securelevel 7 . +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width Pa -compact .It Pa /dev/mem diff --git a/share/man/man4/man4.loongson/mem.4 b/share/man/man4/man4.loongson/mem.4 index 0c08477570d..96a177a3d39 100644 --- a/share/man/man4/man4.loongson/mem.4 +++ b/share/man/man4/man4.loongson/mem.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mem.4,v 1.2 2010/02/10 08:35:31 jmc Exp $ +.\" $OpenBSD: mem.4,v 1.3 2017/09/12 02:22:15 schwarze Exp $ .\" Copyright (c) 1992, 1993 .\" The Regents of the University of California. All rights reserved. .\" 
@@ -32,7 +32,7 @@ .\" .\" from: @(#)mem.4 8.1 (Berkeley) 6/5/93 .\" -.Dd $Mdocdate: February 10 2010 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 loongson .Os .Sh NAME @@ -87,8 +87,13 @@ address range. The kernel virtual memory begins at address .Ad 0xc000000000000000 . .Pp -Writeability of these devices is controlled by the system -.Xr securelevel 7 . +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width Pa -compact .It Pa /dev/mem diff --git a/share/man/man4/man4.luna88k/mem.4 b/share/man/man4/man4.luna88k/mem.4 index 94013f13420..5ef46797132 100644 --- a/share/man/man4/man4.luna88k/mem.4 +++ b/share/man/man4/man4.luna88k/mem.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mem.4,v 1.2 2007/05/31 19:19:55 jmc Exp $ +.\" $OpenBSD: mem.4,v 1.3 2017/09/12 02:22:15 schwarze Exp $ .\" Copyright (c) 1992, 1993 .\" The Regents of the University of California. All rights reserved. .\" @@ -32,7 +32,7 @@ .\" .\" from: @(#)mem.4 8.1 (Berkeley) 6/5/93 .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 luna88k .Os .Sh NAME @@ -61,8 +61,13 @@ On the luna88k, physical memory is always contiguous; kernel virtual memory begins at .Ad 0x00000000 . .Pp -Writeability of these devices is controlled by the system -.Xr securelevel 7 . +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width /dev/kmem -compact .It Pa /dev/mem diff --git a/share/man/man4/man4.macppc/mem.4 b/share/man/man4/man4.macppc/mem.4 index 4e48ea53d3d..2a0ff9535b3 100644 --- a/share/man/man4/man4.macppc/mem.4 +++ b/share/man/man4/man4.macppc/mem.4 
@@ -30,10 +30,10 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)mem.4 8.1 (Berkeley) 6/5/93 -.\" $OpenBSD: mem.4,v 1.5 2007/05/31 19:19:55 jmc Exp $ +.\" $OpenBSD: mem.4,v 1.6 2017/09/12 02:22:15 schwarze Exp $ .\" $NetBSD: mem.4,v 1.1 1997/06/08 17:40:57 ender Exp $ .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 macppc .Os .Sh NAME @@ -57,14 +57,17 @@ in the same manner as .Pa /dev/mem . Only kernel virtual addresses that are currently mapped to memory are allowed. .Pp -On the -.Tn Macintosh , -physical memory may be discontiguous; +On the Macintosh, physical memory may be discontiguous; kernel virtual memory begins at .Ad 0x00000000 . .Pp -Writeability of these devices is controlled by the system -.Xr securelevel 7 . +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width /dev/kmem -compact .It /dev/mem diff --git a/share/man/man4/man4.socppc/mem.4 b/share/man/man4/man4.socppc/mem.4 index 4535058ec2b..a5e6c0d4496 100644 --- a/share/man/man4/man4.socppc/mem.4 +++ b/share/man/man4/man4.socppc/mem.4 @@ -30,10 +30,10 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)mem.4 8.1 (Berkeley) 6/5/93 -.\" $OpenBSD: mem.4,v 1.1 2008/05/14 21:08:09 miod Exp $ +.\" $OpenBSD: mem.4,v 1.2 2017/09/12 02:22:15 schwarze Exp $ .\" $NetBSD: mem.4,v 1.1 1997/06/08 17:40:57 ender Exp $ .\" -.Dd $Mdocdate: May 14 2008 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 socppc .Os .Sh NAME 
@@ -61,8 +61,13 @@ On this platform, physical memory is always contiguous; kernel virtual memory begins at .Ad 0x00000000 . .Pp -Writeability of these devices is controlled by the system -.Xr securelevel 7 . +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width /dev/kmem -compact .It /dev/mem diff --git a/share/man/man4/man4.sparc64/mem.4 b/share/man/man4/man4.sparc64/mem.4 index 187d99beb33..3c804795061 100644 --- a/share/man/man4/man4.sparc64/mem.4 +++ b/share/man/man4/man4.sparc64/mem.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mem.4,v 1.4 2007/05/31 19:19:57 jmc Exp $ +.\" $OpenBSD: mem.4,v 1.5 2017/09/12 02:22:16 schwarze Exp $ .\" Copyright (c) 1992, 1993 .\" The Regents of the University of California. All rights reserved. .\" @@ -32,7 +32,7 @@ .\" .\" from: @(#)mem.4 8.1 (Berkeley) 6/5/93 .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: September 12 2017 $ .Dt MEM 4 sparc64 .Os .Sh NAME @@ -56,15 +56,20 @@ Kernel virtual memory is accessed via the file in the same manner as .Pa /dev/mem . Only kernel virtual addresses that are currently mapped to memory are allowed. -.Sh SPARC64 +.Pp On the sparc64, physical memory may be discontiguous; kernel virtual memory begins at .Li 0x001000000 . .Pp -Writeability of these devices is controlled by the system -.Xr securelevel 7 . +Even with sufficient file system permissions, +these devices can only be opened when the +.Xr securelevel 7 +is insecure or when the +.Va kern.allowkmem +.Xr sysctl 3 +variable is set. .Sh FILES .Bl -tag -width /dev/kmem -compact .It /dev/mem diff --git a/share/man/man7/securelevel.7 b/share/man/man7/securelevel.7 index 53dd5be0f46..eff3ceba45d 100644 --- a/share/man/man7/securelevel.7 +++ b/share/man/man7/securelevel.7 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: securelevel.7,v 1.29 2016/09/28 17:58:17 jmc Exp $ +.\" $OpenBSD: securelevel.7,v 1.30 2017/09/12 02:22:15 schwarze Exp $ .\" .\" Copyright (c) 2000 Hugh Graham .\" @@ -23,7 +23,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 28 2016 $ +.Dd $Mdocdate: September 12 2017 $ .Dt SECURELEVEL 7 .Os .Sh NAME @@ -66,7 +66,7 @@ securelevel may no longer be lowered except by init .Pa /dev/mem and .Pa /dev/kmem -may not be written to +cannot be opened .It raw disk devices of mounted file systems are read-only .It |
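
Review bot: in share/man/man4/man4.amd64/mem.4 (hunk -62,8 +62,13, and the same paragraph in the other nine mem.4 pages), the phrase "is insecure" does not say which securelevel values qualify, so the reader has to leave the page to learn when an open will succeed. Suggest naming the level or levels explicitly next to ".Xr securelevel 7", and keeping that wording in step with the list item changed in securelevel.7.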
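
Review bot: in share/man/man4/man4.i386/mem.4 (hunk -62,8 +62,13), the new sentence "these devices can only be opened when the ..." leaves out what happens when neither condition holds. The removed text only spoke of writeability, so a reader used to it would expect read-only opens to keep working; stating the error that open(2) returns in that case would make the failure easy to recognise in logs and in tools that read these devices.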
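
Review bot: the alpha and sparc64 hunks at -56,15 drop the ".Sh ALPHA" and ".Sh SPARC64" section headers, and the alpha and macppc hunks also remove the ".Tn alpha ," and ".Tn Macintosh ," macros, none of which the commit message mentions. This is markup cleanup unrelated to the /dev/mem and /dev/kmem access rule; either note it in the log message or commit it separately so the security-relevant wording change is easy to find in history.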
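
Review bot: in the trailing context of the socppc hunk at -61,8 +61,13 (and likewise alpha, macppc and sparc64), the FILES list reads ".It /dev/mem" without ".Pa", while amd64, hppa, i386, landisk, loongson and luna88k use ".It Pa /dev/mem". Since every one of these pages is being touched anyway, the four outliers could be brought in line so the device paths render consistently across architectures.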
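
Review bot: in share/man/man7/securelevel.7 (hunk -66,7 +66,7), the replacement "cannot be opened" is stated without exception, while the sysctl.3 hunk and every mem.4 hunk in this same patch say that kern.allowkmem permits access. Suggest adding the exception to this list item, for example "cannot be opened unless kern.allowkmem is set" with an ".Xr sysctl 3" reference, so that the page administrators consult for hardening does not contradict the device pages.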