Centralize documentation about exported sysctl variables in the relevant

secmodel's man-page.

sbin/mount/mount.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: mount.8,v 1.67 2009/02/23 08:14:53 wiz Exp $
+.\"	$NetBSD: mount.8,v 1.68 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 1980, 1989, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"     @(#)mount.8	8.8 (Berkeley) 6/16/94
 .\"
-.Dd February 22, 2009
+.Dd October 2, 2009
 .Dt MOUNT 8
 .Os
 .Sh NAME
@@ -133,23 +133,10 @@ removed in a future version of
 .Pp
 In
 .Nx ,
-a file system can only be mounted by an ordinary user who owns the
-point
-.Ar node
-and has access to the
-.Ar special
-device (at least read permissions).
-Also, the
-.Em vfs.generic.usermount
-.Xr sysctl 3
-must be set to 1 to permit file system mounting by ordinary users,
-see
-.Xr sysctl 8 .
-Finally, the flags
-.Cm nosuid
-and
-.Cm nodev
-must be given for non-superuser mounts.
+the file-system mounting policy is dictated by the running security models.
+The default security model may allow unprivileged mounting; see
+.Xr secmodel_suser 9
+for details. 
 .Pp
 The options are as follows:
 .Bl -tag -width indent

share/man/man7/sysctl.7

@@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.7,v 1.24 2009/09/11 19:43:26 wiz Exp $
+.\"	$NetBSD: sysctl.7,v 1.25 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"	@(#)sysctl.3	8.4 (Berkeley) 5/9/95
 .\"
-.Dd September 11, 2009
+.Dd October 2, 2009
 .Dt SYSCTL 7
 .Os
 .Sh NAME
@@ -713,9 +713,8 @@ Returns 1 if saved set-group and saved set-user ID is available.
 Maximum socket buffer size.
 .\" XXX units?
 .It Li kern.securelevel ( KERN_SECURELVL )
-The system security level.
-This level may be raised by processes with appropriate privilege.
-It may only be lowered by process 1.
+See
+.Xr secmodel_securelevel 9 .
 .It Li kern.somaxkva ( KERN_SOMAXKVA )
 Maximum amount of kernel memory to be used for socket buffers.
 .\" XXX units?

share/man/man9/secmodel_securelevel.9

@@ -1,4 +1,4 @@
-.\" $NetBSD: secmodel_securelevel.9,v 1.6 2009/07/25 16:20:11 mbalmer Exp $
+.\" $NetBSD: secmodel_securelevel.9,v 1.7 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 .\" Copyright (c) 2000 Hugh Graham
@@ -180,6 +180,16 @@ Do not overlook the fact that shell scripts (or anything else fed to an
 interpreter, through any mechanism) and the kernel itself are "programs
 that run while the security level is 0" and must be considered part of
 the TCB.
+.Pp
+The following
+.Xr sysctl 3
+variables are exported:
+.Bl -tag -width compact
+.It security.models.securelevel.securelevel
+The system security level.
+This level may be raised by processes with appropriate privilege.
+It may only be lowered by process 1 (init).
+.El
 .Sh SEE ALSO
 .Xr kauth 9 ,
 .Xr secmodel 9 ,

share/man/man9/secmodel_suser.9

@@ -1,4 +1,4 @@
-.\" $NetBSD: secmodel_suser.9,v 1.2 2009/10/02 19:50:37 elad Exp $
+.\" $NetBSD: secmodel_suser.9,v 1.3 2009/10/02 20:31:19 elad Exp $
 .\"
 .\" Copyright (c) 2009 Elad Efrat <elad@NetBSD.org>
 .\" All rights reserved.
@@ -41,6 +41,43 @@ The
 .Em super-user
 is the host administrator, considered to have higher privileges than other
 users.
+.Pp
+The following
+.Xr sysctl 3
+variables are exported:
+.Bl -tag -width compact
+.It security.models.suser.curtain
+If non-zero, will filter returned objects according to the user-id
+requesting information about them, preventing from users any access to
+objects they don't own.
+.Pp
+At the moment, it affects
+.Xr ps 1 ,
+.Xr netstat 1
+(for
+.Dv PF_INET ,
+.Dv PF_INET6 ,
+and
+.Dv PF_UNIX
+PCBs), and
+.Xr w 1 .
+.It security.models.suser.usermount
+Allow non-superuser mounts.
+.Pp
+If non-zero, file-systems are allowed to be mounted by an ordinary user who
+owns the point
+.Ar node
+and has at least read access to the 
+.Ar special
+device 
+.Xr mount 8
+arguments.
+Finally, the flags
+.Cm nosuid
+and
+.Cm nodev
+must be given for non-superuser mounts.
+.El
 .Sh SEE ALSO
 .Xr kauth 9 ,
 .Xr secmodel 9 ,