History log of /openbsd-src/share/man/man7/securelevel.7 (Results 1 – 25 of 31)
Revision Date Author Comments
# db1dd8d3 21-Aug-2019 cheloha <cheloha@openbsd.org>

sysctl(2): add kern.utc_offset: successor to the DST/TIMEZONE options(4)

The DST and TIMEZONE options(4) are incompatible with KARL, so we need
some other way to compensate for an RTC running with a known offset.

Enter kern.utc_offset, an offset in minutes East of UTC. TIMEZONE has
always been minutes West, but this is inconsistent with how everyone
else talks about timezones, hence the flip.

TIMEZONE has the advantage of being compiled into the binary. Our new
sysctl(2) has no such luck, so it needs to be set as early as possible
in boot, from sysctl.conf(5), so we can correct the kernel clock from
the RTC's local time to UTC before daemons like ntpd(8) and cron(8)
start. To encourage this, kern.utc_offset is made immutable after the
securelevel(7) is raised to 1.

Prompted by yasuoka@. Discussed with deraadt@, kettenis@, yasuoka@.
Additional testing by yasuoka@.

ok deraadt@, yasuoka@


# 20d80f81 12-Sep-2017 schwarze <schwarze@openbsd.org>

Update the documentation regarding /dev/mem and /dev/kmem;
Theo already clamped down on these devices last year.
Triggered by a question from Nan Xiao <xiaonan830818 at gmail dot com>.
OK deraadt@


# 2f01bc0a 28-Sep-2016 jmc <jmc@openbsd.org>

group the sysctls;


# 5dab6feb 28-Sep-2016 jmc <jmc@openbsd.org>

document kern.allowkmem; reminded by deraadt


# 52124b52 18-Sep-2016 jmc <jmc@openbsd.org>

there's no reason to point readers to options(4) now;


# da3950a6 18-Sep-2016 deraadt <deraadt@openbsd.org>

option INSECURE is obsolete


# a747ae0e 09-Oct-2014 tedu <tedu@openbsd.org>

no modules


# 50549de0 14-Jul-2014 ajacoutot <ajacoutot@openbsd.org>

No more "securelevel" variable.


# b2e0f490 24-Jun-2011 naddy <naddy@openbsd.org>

machdep.kbdreset enables a shutdown by Ctrl-Alt-Del on amd64 and
i386. Stop abusing it on other archs for controlling a shutdown by
pressing the soft power button:

* Add a MI sysctl hw.allowpowerdown; if set to 1 (the default) it
allows a power button shutdown.
* Make acpi(4)/acpibtn(4) honor hw.allowpowerdown.
* Switch the various power button intercepts on landisk, sgi, sparc64
and zaurus over to hw.allowpowerdown.
* Garbage collect the machdep.kbdreset sysctl on all archs other than
amd64 and i386.

ok miod@


# e98b8f77 09-May-2009 sthen <sthen@openbsd.org>

- mention that configuring new GPIO pins is locked out with securelevel>0,
discussed with jmc@ and Marc Balmer
- clear out some .Xr from SEE ALSO that are also in the main text and not
really necessary to repeat, req by jmc@.

ok jmc.


# 4345ed87 01-Jun-2007 jmc <jmc@openbsd.org>

enforce DESCRIPTION-after-SYNOPSIS order, to appease man -h;


# 9490d37c 31-May-2007 jmc <jmc@openbsd.org>

convert to new .Dd format;


# 1d8af184 19-Aug-2006 jmc <jmc@openbsd.org>

document machdep.aperture; pointed out by andrew smith
ok deraadt


# f07caa6b 25-Mar-2006 jmc <jmc@openbsd.org>

ddb.{console,panic} cannot be raised at securelevel 1 either;

from nicholas marriott;
ok miod ray


# 012eef67 12-May-2005 jmc <jmc@openbsd.org>

change pfctl reference to pf, since programs like authpf also attempt to
alter rulesets, not just pfctl interface;

from tamas tevesz;


# 3ece6435 19-Apr-2005 jmc <jmc@openbsd.org>

- some sysctls may not be lowered either
- document machdep.kbdreset

diff from fgsch@
ok deraadt@


# 67d12a8b 08-Jan-2004 jmc <jmc@openbsd.org>

document that sysctls fs.posix.setuid and net.inet.ip.sourceroute may not
be set when securelevel > 0;

the latter from Ryan Leslie (PR 3631);


# b9c810da 30-Jul-2002 nordin <nordin@openbsd.org>

Clarify time handling at securelevel 2. Idea from mpech@ ok millert@


# 409fbba2 28-Jun-2001 hugh <hugh@openbsd.org>

Restore reference to packet filter.


# 132f7514 30-May-2001 millert <millert@openbsd.org>

comment out references to ipf to be replaced in the future with whatever packet filter we end up using


# 0e75a53b 01-May-2001 aaron <aaron@openbsd.org>

Sort SEE ALSO entries; mpech@prosoft.org.lv


# fa65279d 11-Mar-2001 aaron <aaron@openbsd.org>

Give /etc/rc.securelevel the same FILES-style description as in init(8).


# f90efb73 29-Jun-2000 hugh <hugh@openbsd.org>

escape -1 with \& as per mdoc.samples


# a6214540 27-Apr-2000 deraadt <deraadt@openbsd.org>

have mem(4) talk about securelevel(7)


# 1f53fde1 19-Mar-2000 aaron <aaron@openbsd.org>

Various cleanups.

