author: Adam Wolk <a.wolk@fudosecurity.com> 2022-04-11 22:23:43 +0000
committer: Daniel Ebdrup Jensen <debdrup@FreeBSD.org> 2022-04-11 22:23:43 +0000
commit: c8b6be0f7d1b92d11b279761685f61f6702700a1 (patch)
tree: b5fbb2ddcb87e8bacec5cacb043fe24978a25b6e /usr.bin
parent: 673bce11cedde3cc33c154d2b8e2d41139dcef72 (diff)
protect.1: document existence of _oomprotect

Improve discoverability of the functionality by mentioning in the userland tool manual. Add a SEE ALSO entry to rc.conf(5) where more details are provided.

Sponsored by: Fudo Security (a.wolk)
Differential Revision: https://reviews.freebsd.org/D30334
Diffstat (limited to 'usr.bin')
-rw-r--r-- usr.bin/protect/protect.1 32
1 files changed, 30 insertions, 2 deletions
diff --git a/usr.bin/protect/protect.1 b/usr.bin/protect/protect.1
index b9be4afe04b8..d27a8898dad5 100644
--- a/usr.bin/protect/protect.1
+++ b/usr.bin/protect/protect.1
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd September 19, 2013
+.Dd May 18, 2021
.Dt PROTECT 1
.Os
.Sh NAME
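Review bot: The new ".Dd May 18, 2021" is almost a year older than the commit date recorded for this change (2022-04-11). The .Dd line should carry the date the page content last changed, so it should be bumped to the landing date rather than the date the review was opened.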
@@ -68,6 +68,11 @@ Note that only one of the
or
.Fl g
flags may be specified when adjusting the state of existing processes.
+.Pp
+Daemons can be protected on startup using
+.Ao Ar name Ac Ns Va _oomprotect
+option from
+.Xr rc.conf 5 .
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
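Review bot: The added sentence is missing an article: as written it renders "Daemons can be protected on startup using <name>_oomprotect option from rc.conf(5)". End the first added line with "using the" so it reads "using the <name>_oomprotect option". Since the paragraph only names the variable, a short clause saying that the accepted values are described in rc.conf(5) would make the cross-reference more useful to an administrator deciding which daemons to exempt from the OOM killer.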
@@ -82,8 +87,31 @@ Protect all ssh sessions and their child processes:
Remove protection from all current and future processes:
.Pp
.Dl "protect -cdi -p 1"
+.Pp
+Using
+.Xr ps 1
+to check if the protect flag has been applied to the process:
+.Pp
+.Dl "ps -O flags,flags2 -p 64430"
+.Pp
+.Dl " PID F F2 TT STAT TIME COMMAND"
+.Dl "64430 10104002 00000001 5 S+ 0:00.00 ./main"
+.Dl " ^P ^PI"
+.Pp
+In the above example
+.Nm P
+points at the protected flag and
+.Nm PI
+points at the iheritance flag.
+The process is protected if
+.Nm P
+bit is set to 1. All children of this process will also be protected if
+.Nm PI
+bit is set to 1.
.Sh SEE ALSO
-.Xr procctl 2
+.Xr ps 1 ,
+.Xr procctl 2 ,
+.Xr rc.conf 5
.Sh BUGS
If you protect a runaway process that allocates all memory the system will
deadlock.
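Review bot: Three points in the added ps(1) example. First, "iheritance flag" is a typo for "inheritance flag". Second, ".Nm P" and ".Nm PI" use the macro reserved for the name of the utility being documented; the labels from the sample output should be marked up with something like .Dq or .Sy instead. Third, "bit is set to 1. All children of this process ..." starts a new sentence in the middle of an input line; mdoc convention is one sentence per line, so "All children" should begin its own line. The "^P" and "^PI" markers also depend on exact column alignment under the F and F2 values to be meaningful, so naming the two flag bits in the explanatory text would keep the example readable if the spacing is ever disturbed.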