git: e84d5425bf53 - stable/13 - dtrace.1: Document security.bsd.allow_destructive_dtrace

Wed, 20 Aug 2025 03:50:21 -0700 

The branch stable/13 has been updated by 0mp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e84d5425bf533c61d00aaa8e52f505d328f4b02d

commit e84d5425bf533c61d00aaa8e52f505d328f4b02d
Author:     Mateusz Piotrowski <0...@freebsd.org>
AuthorDate: 2025-08-01 15:23:20 +0000
Commit:     Mateusz Piotrowski <0...@freebsd.org>
CommitDate: 2025-08-20 10:49:10 +0000

    dtrace.1: Document security.bsd.allow_destructive_dtrace
    
    PR:             288284
    Reviewed by:    bcr, markj
    MFC after:      3 days
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D51633
    
    (cherry picked from commit 1acfb873cf2e59f9ddf53602cbc67fa810c878a6)
---
 cddl/contrib/opensolaris/cmd/dtrace/dtrace.1 | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1 
b/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1
index 609bf00655e7..a98d851b9998 100644
--- a/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1
+++ b/cddl/contrib/opensolaris/cmd/dtrace/dtrace.1
@@ -20,7 +20,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 16, 2025
+.Dd July 30, 2025
 .Dt DTRACE 1
 .Os
 .Sh NAME
@@ -517,6 +517,17 @@ option is not specified,
 .Nm
 does not permit the compilation or enabling of a D program that contains
 destructive actions.
+.Pp
+Set the
+.Va security.bsd.allow_destructive_dtrace
+.Xr loader 8
+tunable
+to
+.Ql 0
+to disallow the possibility of enabling destructive actions system-wide at any 
point at all.
+Any attempts to enable destructive actions will cause
+.Nm
+to exit with a runtime error.
 .It Fl x Ar arg Op Ns = Ns value
 Enable or modify a DTrace runtime option or D compiler option.
 Boolean options are enabled by specifying their name.
@@ -803,6 +814,18 @@ failed or that the specified request could not be 
satisfied.
 .It 2
 Invalid command line options or arguments were specified.
 .El
+.Sh DIAGNOSTICS
+.Bl -diag
+.It dtrace: could not enable tracing: Permission denied
+This can happen when
+.Nm
+fails to enable destructive actions because
+.Va security.bsd.allow_destructive_dtrace
+is set to
+.Ql 0
+in
+.Xr loader.conf 5 .
+.El
 .Sh SEE ALSO
 .Xr cpp 1 ,
 .Xr dtrace_audit 4 ,

Reply via email to