Subject: Re: kern/30817
To: Elad Efrat <elad@NetBSD.org>
From: None <erh@swapsimple.com>
List: netbsd-bugs
Date: 10/13/2005 18:06:26
On Fri, Oct 14, 2005 at 12:19:13AM +0200, Elad Efrat wrote:
> erh@swapsimple.com wrote:
> 
> > 	So how am I supposed to know this?  Given that the veriexec man page
> > mentions NOTHING about how to turn it on (a mysterious reference to
> > sysctl, especially just after a reference to kern.securelevel, doesn't
> > count), 
> 
> Veriexec does not care about securelevel:

	oops, you're right.  I had an outdated version of the veriexec man page.

> If there is a man-page in the ``SEE ALSO'' part of the man-page, then
> you might have a look. sysctl(8) lists the entire hierarchy of the
> sysctl tree, and sysctl(3) gives a description for each element.
	
> veriexec(4) describes the veriexec pseudo-device and what ioctls
> it accepts. veriexecctl(8) describes the program used to load
> signatures.

	and nothing in those says that I should grovel through the 
(rather long) _C_FUNCTION_API_ in sysctl(3) even though I'm not trying to 
write a C program.

> > I think either this bug, or 30818, should still be open until
> > the man page is updated a little.
> 
> With what? duplicate text from sysctl(3)?
> 
> > 	The solution of "man 3 sysctl" that you mention in 30818 is bs, since
> > just knowing that there is a veriexec sysctl setting is only marginally
> > helpful when you don't know what changing it does.
> 
> Ah -- but you failed to read that man-page. Let me paste:
> 
> VERIEXEC_STRICT
> 	Controls the strict level of Verified Exec.  The strict
[...snip...]

	ah, of course.  Why bother to document the details of veriexec
under the veriexec man page when it can go in a general sysctl man page.
Well, whatever.  I'll agree that duplication of information is bad, but the
veriexec.4 page at least deserves to have an explicit mention of what can be
found in the other man pages and why I should spend time looking through
docs that don't at first glance seem to be what I need.
e.g., maybe under SEE ALSO, something like:

"For details on the values for kern.veriexec.strict see VERIEXEC_STRICT in
sysctl(3).  For a more in-depth discussion of veriexec see the NetBSD guide
at http://netbsd.org/guide/en/chap-veriexec.html."

or maybe even an entire veriexec.8 page.

eric