diff --git a/lib/libc/sys/ptrace.2 b/lib/libc/sys/ptrace.2
index 504891597da..a0ca0ddee75 100644
--- a/lib/libc/sys/ptrace.2
+++ b/lib/libc/sys/ptrace.2
@@ -2,7 +2,7 @@
 .\"	$NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $
 .\"
 .\" This file is in the public domain.
-.Dd May 20, 2021
+.Dd January 22, 2022
 .Dt PTRACE 2
 .Os
 .Sh NAME
@@ -122,6 +122,55 @@ Kernel drops any
 signals queued to the traced children, which could be either generated by
 not yet consumed debug events, or sent by other means, the later should
 not be done anyway.
+.Sh DISABLING PTRACE
+The
+.Nm
+subsystem provides rich facilities to manipulate other processes state.
+Sometimes it may be desirable to disallow it either completely, or limit
+its scope.
+The following controls are provided for this:
+.Bl -tag -width security.bsd.unprivileged_proc_debug
+.It Dv security.bsd.allow_ptrace
+Setting this sysctl to zero value makes
+.Xr ptrace 2
+return
+.Er ENOSYS
+always as if the syscall is not implemented by the kernel.
+.It Dv security.bsd.unprivileged_proc_debug
+Setting this sysctl to zero disallows use of
+.Fn ptrace
+by unprivileged processes.
+.It Dv security.bsd.see_other_uids
+Setting this sysctl to zero value disallows
+.Fn ptrace
+requests from targeting processes with the real user identifier different
+from the real user identifier of the caller.
+The requests return
+.Er ESRCH
+if policy is not met.
+.It Dv security.bsd.see_other_gids
+Setting this sysctl to zero value disallows
+.Fn ptrace
+requests from process belonging to a group that is not also one of
+the group of the target process.
+The requests return
+.Er ESRCH
+if policy is not met.
+.It Dv securelevel and init
+The
+.Xr init 1
+process can only be traced with
+.Nm
+if securelevel is zero.
+.It Dv procctl(2) PROC_TRACE_CTL
+Process can deny attempts to trace itself with
+.Xr procctl 2
+.Dv PROC_TRACE_CTL
+request.
+In this case requests return
+.Xr EPERM
+error.
+.El
 .Sh TRACING EVENTS
 .Pp
 Each traced process has a tracing event mask.