security.7: add caveat about interim sysctl paths from r355436

r355436 moved mitigation sysctls to machdep.mitigations but did not rationalize the sense of the invidual knobs. Clarify that the old names remain the canonical way to set these mitigations. Backwards compatibility will be maintained for the original names (e.g. hw.ibrs_disable), but not from the interim names (e.g. machdep.mitigations.ibrs.disable). Sponsored by: The FreeBSD Foundation
2019-12-11 16:43:54 +00:00 · 2019-12-11 16:43:54 +00:00 · d777076f29
commit d777076f29
parent 037c0994bf
1 changed files with 12 additions and 1 deletions
--- a/share/man/man7/security.7
+++ b/share/man/man7/security.7
@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 12, 2019
+.Dd December 11, 2019
 .Dt SECURITY 7
 .Os
 .Sh NAME
@ -944,6 +944,17 @@ information access more restricted.
 Some people consider this as improving system security, so the knobs are
 briefly listed there, together with controls which enable some mitigations
 of the hardware state leaks.
+.Pp
+Hardware mitigation sysctl knobs described below have been moved under
+.Pa machdep.mitigations ,
+with backwards-compatibility shims to accept the existing names.
+A future change will rationalize the sense of the individual sysctls
+(so that enabled / true always indicates that the mitigation is active).
+For that reason the previous names remain the canonical way to set the
+mitigations, and are documented here.
+Backwards compatibility shims for the interim sysctls under
+.Pa machdep.mitigations
+will not be added.
 .Bl -tag -width security.bsd.unprivileged_proc_debug
 .It Dv security.bsd.see_other_uids
 Controls visibility of processes owned by different uid.