proccontrol: use a table for modes

Add a central table of modes and loop over it rather than spelling out
10 essentialy identical strcmp if statemnts. Use the stable to generate
usage as well reduc

proccontrol: use a table for modes

Add a central table of modes and loop over it rather than spelling out
10 essentialy identical strcmp if statemnts. Use the stable to generate
usage as well reducing the number of ifdefs.

Disallow multiple -m options. Previouly multiple were allowed, but only
the last one was used and there was no indication this happened.

Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D46426

show more ...

proccontrol: make -s require a target

Require a command to exec or a pid to target and update usage and the
manpage to make this more clear.

It makes no sense to invoke a procctl(2) command on the

proccontrol: make -s require a target

Require a command to exec or a pid to target and update usage and the
manpage to make this more clear.

It makes no sense to invoke a procctl(2) command on the current process
only to exit. Users are sometimes confused about how proccontrol works
and think it effects their shell environment when invoked without a
target. Disallowing this nonsensical behavior and clarifiying usage
will hopefully reduce confusion.

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D46422

show more ...

Remove "All Rights Reserved" from FreeBSD Foundation copyrights

These ones were unambiguous cases where the Foundation was the only
listed copyright holder.

Sponsored by: The FreeBSD Foundation

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

proccontrol(1): Add wxmap control

Reviewed by: brooks, emaste, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D31779

Style

Reviewed by: brooks, emaste, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D31779

proccontrol(1): implement 'nonewprivs'

This adds the 'nonewprivs' mode, corresponding to newly added
procctl(2) commands PROC_NO_NEW_PRIVS_CTL and PROC_NO_NEW_PRIVS_STATUS.

Reviewed By: kib
Sponsor

proccontrol(1): implement 'nonewprivs'

This adds the 'nonewprivs' mode, corresponding to newly added
procctl(2) commands PROC_NO_NEW_PRIVS_CTL and PROC_NO_NEW_PRIVS_STATUS.

Reviewed By: kib
Sponsored By: EPSRC
Differential Revision: https://reviews.freebsd.org/D30940

show more ...

MFH

Sponsored by: Rubicon Communications, LLC (netgate.com)

procctl(8): usermode bits to force LA58/LA57 on exec.

Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D25273

Merge ^/head r351732 through r352104.

Add stackgap control mode to proccontrol(1).

PR: 239894
Reviewed by: alc
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D21352

MFHead @r350386

Sponsored by: The FreeBSD Foundation

Add implicit PROT_MAX() knob to proccontrol(1).

Reviewed by: emaste, markj (previous version)
Discussed with: brooks
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freeb

Add implicit PROT_MAX() knob to proccontrol(1).

Reviewed by: emaste, markj (previous version)
Discussed with: brooks
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D20795

show more ...

MFHead@r345275

proccontrol(1): Add kpti control mode.

Requested by: jhb
Reviewed by: jhb, markj (previous version)
Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https

proccontrol(1): Add kpti control mode.

Requested by: jhb
Reviewed by: jhb, markj (previous version)
Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D19514

show more ...

Merge ^/head r343956 through r344177.

Implement Address Space Layout Randomization (ASLR)

With this change, randomization can be enabled for all non-fixed
mappings. It means that the base address for the mapping is selected
with a guar

Implement Address Space Layout Randomization (ASLR)

With this change, randomization can be enabled for all non-fixed
mappings. It means that the base address for the mapping is selected
with a guaranteed amount of entropy (bits). If the mapping was
requested to be superpage aligned, the randomization honours the
superpage attributes.

Although the value of ASLR is diminshing over time as exploit authors
work out simple ASLR bypass techniques, it elimintates the trivial
exploitation of certain vulnerabilities, at least in theory. This
implementation is relatively small and happens at the correct
architectural level. Also, it is not expected to introduce
regressions in existing cases when turned off (default for now), or
cause any significant maintaince burden.

The randomization is done on a best-effort basis - that is, the
allocator falls back to a first fit strategy if fragmentation prevents
entropy injection. It is trivial to implement a strong mode where
failure to guarantee the requested amount of entropy results in
mapping request failure, but I do not consider that to be usable.

I have not fine-tuned the amount of entropy injected right now. It is
only a quantitive change that will not change the implementation. The
current amount is controlled by aslr_pages_rnd.

To not spoil coalescing optimizations, to reduce the page table
fragmentation inherent to ASLR, and to keep the transient superpage
promotion for the malloced memory, locality clustering is implemented
for anonymous private mappings, which are automatically grouped until
fragmentation kicks in. The initial location for the anon group range
is, of course, randomized. This is controlled by vm.cluster_anon,
enabled by default.

The default mode keeps the sbrk area unpopulated by other mappings,
but this can be turned off, which gives much more breathing bits on
architectures with small address space, such as i386. This is tied
with the question of following an application's hint about the mmap(2)
base address. Testing shows that ignoring the hint does not affect the
function of common applications, but I would expect more demanding
code could break. By default sbrk is preserved and mmap hints are
satisfied, which can be changed by using the
kern.elf{32,64}.aslr.honor_sbrk sysctl.

ASLR is enabled on per-ABI basis, and currently it is only allowed on
FreeBSD native i386 and amd64 (including compat 32bit) ABIs. Support
for additional architectures will be added after further testing.

Both per-process and per-image controls are implemented:
- procctl(2) adds PROC_ASLR_CTL/PROC_ASLR_STATUS;
- NT_FREEBSD_FCTL_ASLR_DISABLE feature control note bit makes it possible
to force ASLR off for the given binary. (A tool to edit the feature
control note is in development.)
Global controls are:
- kern.elf{32,64}.aslr.enable - for non-fixed mappings done by mmap(2);
- kern.elf{32,64}.aslr.pie_enable - for PIE image activation mappings;
- kern.elf{32,64}.aslr.honor_sbrk - allow to use sbrk area for mmap(2);
- vm.cluster_anon - enables anon mapping clustering.

PR: 208580 (exp runs)
Exp-runs done by: antoine
Reviewed by: markj (previous version)
Discussed with: emaste
Tested by: pho
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D5603

show more ...

Merge ^/head r305892 through r306302.

Provide proccontrol(1), an utility to control processes behaviour, related
to procctl(2).

Sponsored by: The FreeBSD Foundation
MFC after: 1 week