===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/67.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -c -r1.1 -r1.2
*** www/67.html	2020/05/06 12:20:45	1.1
--- www/67.html	2020/05/06 12:36:08	1.2
***************
*** 669,684 ****
  	features and auditing it. The kernel API accessible to these
  	programs is now restricted through <a
  	href="https://man.openbsd.org/pledge">pledge(2)</a>.
! 
! <!-- syscall call-from -->
!     <li><span style="color: red;">"syscall call-from" checking</span>
!     <li>Introduced <a
! 	href="https://man.openbsd.org/msyscall">msyscall(2)</a>, permitting
! 	system calls from selected code regions only: the main program, <a
! 	href="https://man.openbsd.org/ld.so">ld.so(1)</a>, libc.so and
! 	sigtramp. This is intended to harden against a mixture of W^X failures
! 	and JIT bugs allowing syscall misinterpretation.
! 
      <li>Prevented stack trace saving from inspecting untrusted data on
  	amd64, arm64 and i386.
      <li>Used lfence in place of stac/clac on pre-SMAP CPUs to protect
--- 669,680 ----
  	features and auditing it. The kernel API accessible to these
  	programs is now restricted through <a
  	href="https://man.openbsd.org/pledge">pledge(2)</a>.
!     <li>System calls may now only be performed from selected code regions:
! 	the main program, <a href="https://man.openbsd.org/ld.so">ld.so(1)</a>,
! 	libc.so and the signal trampoline. A new system call
! 	<a href="https://man.openbsd.org/msyscall">msyscall(2)</a> indicates
! 	the the libc range, and activates the locking.  This change hardens
! 	against some attack methods.
      <li>Prevented stack trace saving from inspecting untrusted data on
  	amd64, arm64 and i386.
      <li>Used lfence in place of stac/clac on pre-SMAP CPUs to protect