From: Martin Pieuchot
Subject: Re: examples/sysctl.conf
To: tech@openbsd.org
Date: Wed, 4 Dec 2024 09:54:49 +0100

On 03/12/24(Tue) 15:38, Claudio Jeker wrote:
> On Tue, Dec 03, 2024 at 02:12:34PM +0000, Stuart Henderson wrote:
> > On 2024/12/03 15:02, Marc Espie wrote:
> > > On Tue, Dec 03, 2024 at 01:15:02PM +0000, Stuart Henderson wrote:
> > > > On 2024/12/03 12:08, Marc Espie wrote:
> > > > > I always forget about these when I need some instrumentation
> > > > >
> > > > > Since the ddb knobs are already there, is there an issue to having
> > > > > more "dangerous" sysctl(8) that need to happen before securelevel in there ?
> > > > > ...
> > > > >
> > > > > Index: sysctl.conf
> > > > > ===================================================================
> > > > > RCS file: /build/data/openbsd/cvs/src/etc/examples/sysctl.conf,v
> > > > > diff -u -p -r1.5 sysctl.conf
> > > > > --- sysctl.conf 18 Sep 2019 08:39:06 -0000 1.5
> > > > > +++ sysctl.conf 3 Dec 2024 11:06:31 -0000
> > > > > @@ -25,6 +25,8 @@
> > > > > #ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
> > > > > #ddb.console=1 # 1=Permit entry of ddb from the console
> > > > > #ddb.log=1 # 1=Log ddb output in kernel message buffer
> > > > > +#kern.allowdt=1 # 1=Enable dtrace(8)
> > > > > +#kern.allowkmem=1 # 1=Enable procmap(8)
> > > > > #fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
> > > > > #vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap
> > > > > #vfs.nfs.iothreads=4 # Number of nfsio kernel threads
> > > > >
> > > >
> > > > I think allowkmem would need a more strongly-worded description.
> > > > "Allow userland access to all physical and kernel memory"?
> > > >
> > >
> > > Better ?
> > >
> > > Index: sysctl.conf
> > > ===================================================================
> > > RCS file: /build/data/openbsd/cvs/src/etc/examples/sysctl.conf,v
> > > diff -u -p -r1.5 sysctl.conf
> > > --- sysctl.conf 18 Sep 2019 08:39:06 -0000 1.5
> > > +++ sysctl.conf 3 Dec 2024 14:01:57 -0000
> > > @@ -25,6 +25,8 @@
> > > #ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
> > > #ddb.console=1 # 1=Permit entry of ddb from the console
> > > #ddb.log=1 # 1=Log ddb output in kernel message buffer
> > > +#kern.allowdt=1 # 1=Enable dt(4) device for btrace(8) support
> > > +#kern.allowkmem=1 # 1=Allow access to all memory, needed for procmap(8)
> > > #fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
> > > #vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap
> > > #vfs.nfs.iothreads=4 # Number of nfsio kernel threads
> > >
> >
> > that's ok with me, but it seems like something that should wait for
> > more feedback before it goes in.
>
> I use those buttons frequently so I don't mind them to be in the example
> file. At the same time I never use the example for sysctl but instead just
> dump in the few bits I want.
>
> OK claudio@

ok mpi@
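Review bot: in the first hunk (the 11:06:31 revision of the diff), the added `+#kern.allowkmem=1 # 1=Enable procmap(8)` comment names only the consumer of the knob, not its effect; since enabling it allows userland access to all physical and kernel memory, the one-line description should state that, the way the neighbouring ddb entries describe what they permit rather than which tool uses them, for example `# 1=Allow access to all memory, needed for procmap(8)`.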
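Review bot: in the second hunk (the 14:01:57 revision), neither of the two added lines records that these knobs only take effect when set before securelevel is raised, which is the reason given earlier in the thread for placing them in this file beside the ddb entries; a short trailing hint on each line, such as `# 1=Allow access to all memory, needed for procmap(8); set before securelevel`, would keep that constraint visible to someone copying the example.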