1.\" Copyright (c) 2013 Hudson River Trading LLC 2.\" Written by: John H. Baldwin <jhb@FreeBSD.org> 3.\" All rights reserved. 4.\" 5.\" Copyright (c) 2014 The FreeBSD Foundation 6.\" Portions of this documentation were written by Konstantin Belousov 7.\" under sponsorship from the FreeBSD Foundation. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.Dd October 26, 2023 31.Dt PROCCTL 2 32.Os 33.Sh NAME 34.Nm procctl 35.Nd control processes 36.Sh LIBRARY 37.Lb libc 38.Sh SYNOPSIS 39.In sys/procctl.h 40.Ft int 41.Fn procctl "idtype_t idtype" "id_t id" "int cmd" "void *data" 42.Sh DESCRIPTION 43The 44.Fn procctl 45system call provides for control over processes. 46The 47.Fa idtype 48and 49.Fa id 50arguments specify the set of processes to control. 51If multiple processes match the identifier, 52.Nm 53will make a 54.Dq best effort 55to control as many of the selected processes as possible. 56An error is only returned if no selected processes successfully complete 57the request. 58The following identifier types are supported: 59.Bl -tag -width P_PGID 60.It Dv P_PID 61Control the process with the process ID 62.Fa id . 63.Fa id 64zero is a shortcut for the calling process ID. 65.It Dv P_PGID 66Control processes belonging to the process group with the ID 67.Fa id . 68.El 69.Pp 70The control request to perform is specified by the 71.Fa cmd 72argument. 73.Pp 74All status changing requests 75.Dv *_CTL 76require the caller to have the right to debug the target. 77All status query requests 78.Dv *_STATUS 79require the caller to have the right to observe the target. 80.Pp 81The following commands are supported: 82.Bl -tag -width PROC_TRAPCAP_STATUS 83.It Dv PROC_ASLR_CTL 84Controls the Address Space Layout Randomization (ASLR) in the program 85images created 86by 87.Xr execve 2 88in the specified process or its descendants that do not either change 89the control or modify it by other means. 90The 91.Fa data 92parameter must point to the integer variable holding one of the following 93values: 94.Bl -tag -width PROC_ASLR_FORCE_DISABLE 95.It Dv PROC_ASLR_FORCE_ENABLE 96Request that ASLR is enabled after execution, even if it is disabled 97system-wide. 98The image flag and set-uid might prevent ASLR enablement still. 99.It Dv PROC_ASLR_FORCE_DISABLE 100Request that ASLR is disabled after execution. 101Same notes as for 102.Dv PROC_ASLR_FORCE_ENABLE 103apply. 104.It Dv PROC_ASLR_NOFORCE 105Use the system-wide configured policy for ASLR. 106.El 107.It Dv PROC_ASLR_STATUS 108Returns the current status of ASLR enablement for the target process. 109The 110.Fa data 111parameter must point to the integer variable, where one of the 112following values is written: 113.Bl -tag -width PROC_ASLR_FORCE_DISABLE 114.It Dv PROC_ASLR_FORCE_ENABLE 115.It Dv PROC_ASLR_FORCE_DISABLE 116.It Dv PROC_ASLR_NOFORCE 117.El 118.Pp 119If the currently executed image in the process itself has ASLR enabled, 120the 121.Dv PROC_ASLR_ACTIVE 122flag is or-ed with the value listed above. 123.It Dv PROC_PROTMAX_CTL 124Controls implicit application of PROT_MAX protection equal to the 125.Fa prot 126argument of the 127.Xr mmap 2 128syscall, in the target process. 129The 130.Fa data 131parameter must point to the integer variable holding one of the following 132values: 133.Bl -tag -width PROC_PROTMAX_FORCE_DISABLE 134.It Dv PROC_PROTMAX_FORCE_ENABLE 135Enables implicit PROT_MAX application, 136even if it is disabled system-wide by the sysctl 137.Va vm.imply_prot_max . 138The image flag might still prevent the enablement. 139.It Dv PROC_PROTMAX_FORCE_DISABLE 140Request that implicit application of PROT_MAX be disabled. 141Same notes as for 142.Dv PROC_PROTMAX_FORCE_ENABLE 143apply. 144.It Dv PROC_PROTMAX_NOFORCE 145Use the system-wide configured policy for PROT_MAX. 146.El 147.It Dv PROC_PROTMAX_STATUS 148Returns the current status of implicit PROT_MAX enablement for the 149target process. 150The 151.Fa data 152parameter must point to the integer variable, where one of the 153following values is written: 154.Bl -tag -width PROC_PROTMAX_FORCE_DISABLE 155.It Dv PROC_PROTMAX_FORCE_ENABLE 156.It Dv PROC_PROTMAX_FORCE_DISABLE 157.It Dv PROC_PROTMAX_NOFORCE 158.El 159.Pp 160If the currently executed image in the process itself has implicit PROT_MAX 161application enabled, the 162.Dv PROC_PROTMAX_ACTIVE 163flag is or-ed with the value listed above. 164.It Dv PROC_SPROTECT 165Set process protection state. 166This is used to mark a process as protected from being killed if the system 167exhausts the available memory and swap. 168The 169.Fa data 170parameter must point to an integer containing an operation and zero or more 171optional flags. 172The following operations are supported: 173.Bl -tag -width PPROT_CLEAR 174.It Dv PPROT_SET 175Mark the selected processes as protected. 176.It Dv PPROT_CLEAR 177Clear the protected state of selected processes. 178.El 179.Pp 180The following optional flags are supported: 181.Bl -tag -width PPROT_DESCEND 182.It Dv PPROT_DESCEND 183Apply the requested operation to all child processes of each selected process 184in addition to each selected process. 185.It Dv PPROT_INHERIT 186When used with 187.Dv PPROT_SET , 188mark all future child processes of each selected process as protected. 189Future child processes will also mark all of their future child processes. 190.El 191.It Dv PROC_REAP_ACQUIRE 192Acquires the reaper status for the current process. 193Reaper status means that children orphaned by the reaper's descendants 194that were forked after the acquisition of reaper status are reparented to the 195reaper process. 196After system initialization, 197.Xr init 8 198is the default reaper. 199.It Dv PROC_REAP_RELEASE 200Release the reaper state for the current process. 201The reaper of the current process becomes the new reaper of the 202current process's descendants. 203.It Dv PROC_REAP_STATUS 204Provides information about the reaper of the specified process, 205or the process itself when it is a reaper. 206The 207.Fa data 208argument must point to a 209.Vt procctl_reaper_status 210structure which is filled in by the syscall on successful return. 211.Bd -literal 212struct procctl_reaper_status { 213 u_int rs_flags; 214 u_int rs_children; 215 u_int rs_descendants; 216 pid_t rs_reaper; 217 pid_t rs_pid; 218}; 219.Ed 220The 221.Fa rs_flags 222may have the following flags returned: 223.Bl -tag -width REAPER_STATUS_REALINIT 224.It Dv REAPER_STATUS_OWNED 225The specified process has acquired reaper status and has not 226released it. 227When the flag is returned, the specified process 228.Fa id , 229pid, identifies the reaper, otherwise the 230.Fa rs_reaper 231field of the structure is set to the pid of the reaper 232for the specified process id. 233.It Dv REAPER_STATUS_REALINIT 234The specified process is the root of the reaper tree, i.e., 235.Xr init 8 . 236.El 237.Pp 238The 239.Fa rs_children 240field returns the number of children of the reaper among the descendants. 241It is possible to have a child whose reaper is not the specified process, 242since the reaper for any existing children is not reset on the 243.Dv PROC_REAP_ACQUIRE 244operation. 245The 246.Fa rs_descendants 247field returns the total number of descendants of the reaper(s), 248not counting descendants of the reaper in the subtree. 249The 250.Fa rs_reaper 251field returns the reaper pid. 252The 253.Fa rs_pid 254returns the pid of one reaper child if there are any descendants. 255.It Dv PROC_REAP_GETPIDS 256Queries the list of descendants of the reaper of the specified process. 257The request takes a pointer to a 258.Vt procctl_reaper_pids 259structure in the 260.Fa data 261parameter. 262.Bd -literal 263struct procctl_reaper_pids { 264 u_int rp_count; 265 struct procctl_reaper_pidinfo *rp_pids; 266}; 267.Ed 268When called, the 269.Fa rp_pids 270field must point to an array of 271.Vt procctl_reaper_pidinfo 272structures, to be filled in on return, 273and the 274.Fa rp_count 275field must specify the size of the array, 276into which no more than 277.Fa rp_count 278elements will be filled in by the kernel. 279.Pp 280The 281.Vt "struct procctl_reaper_pidinfo" 282structure provides some information about one of the reaper's descendants. 283Note that for a descendant that is not a child, it may be incorrectly 284identified because of a race in which the original child process exited 285and the exited process's pid was reused for an unrelated process. 286.Bd -literal 287struct procctl_reaper_pidinfo { 288 pid_t pi_pid; 289 pid_t pi_subtree; 290 u_int pi_flags; 291}; 292.Ed 293The 294.Fa pi_pid 295field is the process id of the descendant. 296The 297.Fa pi_subtree 298field provides the pid of the child of the reaper, which is the (grand-)parent 299of the process. 300The 301.Fa pi_flags 302field returns the following flags, further describing the descendant: 303.Bl -tag -width REAPER_PIDINFO_EXITING 304.It Dv REAPER_PIDINFO_VALID 305Set to indicate that the 306.Vt procctl_reaper_pidinfo 307structure was filled in by the kernel. 308Zero-filling the 309.Fa rp_pids 310array and testing the 311.Dv REAPER_PIDINFO_VALID 312flag allows the caller to detect the end 313of the returned array. 314.It Dv REAPER_PIDINFO_CHILD 315The 316.Fa pi_pid 317field identifies the direct child of the reaper. 318.It Dv REAPER_PIDINFO_REAPER 319The reported process is itself a reaper. 320The descendants of the subordinate reaper are not reported. 321.It Dv REAPER_PIDINFO_ZOMBIE 322The reported process is in the zombie state, ready to be reaped. 323.It Dv REAPER_PIDINFO_STOPPED 324The reported process is stopped by a SIGSTOP/SIGTSTP signal. 325.It Dv REAPER_PIDINFO_EXITING 326The reported process is in the process of exiting (but not yet a zombie). 327.El 328.It Dv PROC_REAP_KILL 329Request to deliver a signal to some subset of the descendants of the reaper. 330The 331.Fa data 332parameter must point to a 333.Vt procctl_reaper_kill 334structure, which is used both for parameters and status return. 335.Bd -literal 336struct procctl_reaper_kill { 337 int rk_sig; 338 u_int rk_flags; 339 pid_t rk_subtree; 340 u_int rk_killed; 341 pid_t rk_fpid; 342}; 343.Ed 344The 345.Fa rk_sig 346field specifies the signal to be delivered. 347Zero is not a valid signal number, unlike for 348.Xr kill 2 . 349The 350.Fa rk_flags 351field further directs the operation. 352It is or-ed from the following flags: 353.Bl -tag -width REAPER_KILL_CHILDREN 354.It Dv REAPER_KILL_CHILDREN 355Deliver the specified signal only to direct children of the reaper. 356.It Dv REAPER_KILL_SUBTREE 357Deliver the specified signal only to descendants that were forked by 358the direct child with pid specified in the 359.Fa rk_subtree 360field. 361.El 362If neither the 363.Dv REAPER_KILL_CHILDREN 364nor the 365.Dv REAPER_KILL_SUBTREE 366flags are specified, all current descendants of the reaper are signalled. 367.Pp 368If a signal was delivered to any process, the return value from the request 369is zero. 370In this case, the 371.Fa rk_killed 372field identifies the number of processes signalled. 373The 374.Fa rk_fpid 375field is set to the pid of the first process for which signal 376delivery failed, e.g., due to permission problems. 377If no such process exists, the 378.Fa rk_fpid 379field is set to -1. 380.It Dv PROC_TRACE_CTL 381Enable or disable tracing of the specified process(es), according to the 382value of the integer argument. 383Tracing includes attachment to the process using the 384.Xr ptrace 2 385and 386.Xr ktrace 2 , 387debugging sysctls, 388.Xr hwpmc 4 , 389.Xr dtrace 1 , 390and core dumping. 391Possible values for the 392.Fa data 393argument are: 394.Bl -tag -width PROC_TRACE_CTL_DISABLE_EXEC 395.It Dv PROC_TRACE_CTL_ENABLE 396Enable tracing, after it was disabled by 397.Dv PROC_TRACE_CTL_DISABLE . 398Only allowed for self. 399.It Dv PROC_TRACE_CTL_DISABLE 400Disable tracing for the specified process. 401Tracing is re-enabled when the process changes the executing 402program with the 403.Xr execve 2 404syscall. 405A child inherits the trace settings from the parent on 406.Xr fork 2 . 407.It Dv PROC_TRACE_CTL_DISABLE_EXEC 408Same as 409.Dv PROC_TRACE_CTL_DISABLE , 410but the setting persists for the process even after 411.Xr execve 2 . 412.El 413.It Dv PROC_TRACE_STATUS 414Returns the current tracing status for the specified process in 415the integer variable pointed to by 416.Fa data . 417If tracing is disabled, 418.Fa data 419is set to -1. 420If tracing is enabled, but no debugger is attached by the 421.Xr ptrace 2 422syscall, 423.Fa data 424is set to 0. 425If a debugger is attached, 426.Fa data 427is set to the pid of the debugger process. 428.It Dv PROC_TRAPCAP_CTL 429Controls the capability mode sandbox actions for the specified 430sandboxed processes, 431on a return from any syscall which gives either a 432.Er ENOTCAPABLE 433or 434.Er ECAPMODE 435error. 436If the control is enabled, such errors from the syscalls cause 437delivery of the synchronous 438.Dv SIGTRAP 439signal to the thread immediately before returning from the syscalls. 440.Pp 441Possible values for the 442.Fa data 443argument are: 444.Bl -tag -width PROC_TRAPCAP_CTL_DISABLE 445.It Dv PROC_TRAPCAP_CTL_ENABLE 446Enable the 447.Dv SIGTRAP 448signal delivery on capability mode access violations. 449The enabled mode is inherited by the children of the process, 450and is kept after 451.Xr fexecve 2 452calls. 453.It Dv PROC_TRAPCAP_CTL_DISABLE 454Disable the signal delivery on capability mode access violations. 455Note that the global sysctl 456.Dv kern.trap_enotcap 457might still cause the signal to be delivered. 458See 459.Xr capsicum 4 . 460.El 461.Pp 462On signal delivery, the 463.Va si_errno 464member of the 465.Fa siginfo 466signal handler parameter is set to the syscall error value, 467and the 468.Va si_code 469member is set to 470.Dv TRAP_CAP . 471The system call number is stored in the 472.Va si_syscall 473field of the 474.Fa siginfo 475signal handler parameter. 476The other system call parameters can be read from the 477.Fa ucontext_t 478but the system call number is typically stored in the register 479that also contains the return value and so is unavailable in the 480signal handler. 481.Pp 482See 483.Xr capsicum 4 484for more information about the capability mode. 485.It Dv PROC_TRAPCAP_STATUS 486Return the current status of signalling capability mode access 487violations for the specified process. 488The integer value pointed to by the 489.Fa data 490argument is set to the 491.Dv PROC_TRAPCAP_CTL_ENABLE 492value if the process control enables signal delivery, and to 493.Dv PROC_TRAPCAP_CTL_DISABLE 494otherwise. 495.Pp 496See the note about sysctl 497.Dv kern.trap_enotcap 498above, which gives independent global control of signal delivery. 499.It Dv PROC_PDEATHSIG_CTL 500Request the delivery of a signal when the parent of the calling 501process exits. 502.Fa idtype 503must be 504.Dv P_PID 505and 506.Fa id 507must be the either caller's pid or zero, with no difference in effect. 508The value is cleared for child processes 509and when executing set-user-ID or set-group-ID binaries. 510.Fa data 511must point to a value of type 512.Vt int 513indicating the signal 514that should be delivered to the caller. 515Use zero to cancel a previously requested signal delivery. 516.It Dv PROC_PDEATHSIG_STATUS 517Query the current signal number that will be delivered when the parent 518of the calling process exits. 519.Fa idtype 520must be 521.Dv P_PID 522and 523.Fa id 524must be the either caller's pid or zero, with no difference in effect. 525.Fa data 526must point to a memory location that can hold a value of type 527.Vt int . 528If signal delivery has not been requested, it will contain zero 529on return. 530.It Dv PROC_STACKGAP_CTL 531Controls the stack gaps in the specified process. 532A stack gap is the part of the growth area for a 533.Dv MAP_STACK 534mapped region that is reserved and never filled by memory. 535Instead, the process is guaranteed to receive a 536.Dv SIGSEGV 537signal on accessing pages in the gap. 538Gaps protect against stack overflow corrupting memory adjacent 539to the stack. 540.Pp 541The 542.Fa data 543argument must point to an integer variable containing flags. 544The following flags are allowed: 545.Bl -tag -width PROC_STACKGAP_DISABLE_EXEC 546.It Dv PROC_STACKGAP_ENABLE 547This flag is only accepted for consistency with 548.Dv PROC_STACKGAP_STATUS . 549If stack gaps are enabled, the flag is ignored. 550If disabled, the flag causes an 551.Ev EINVAL 552error to be returned. 553After gaps are disabled in a process, they can only be re-enabled when an 554.Xr execve 2 555is performed. 556.It Dv PROC_STACKGAP_DISABLE 557Disable stack gaps for the process. 558For existing stacks, the gap is no longer a reserved part of the growth 559area and can be filled by memory on access. 560.It Dv PROC_STACKGAP_ENABLE_EXEC 561Enable stack gaps for programs started after an 562.Xr execve 2 563by the specified process. 564.It Dv PROC_STACKGAP_DISABLE_EXEC 565Inherit disabled stack gaps state after 566.Xr execve 2 . 567In other words, if the currently executing program has stack gaps disabled, 568they are kept disabled on exec. 569If gaps were enabled, they are kept enabled after exec. 570.El 571.Pp 572The stack gap state is inherited from the parent on 573.Xr fork 2 . 574.It Dv PROC_STACKGAP_STATUS 575Returns the current stack gap state for the specified process. 576.Fa data 577must point to an integer variable, which is used to return a bitmask 578consisting of the following flags: 579.Bl -tag -width PROC_STACKGAP_DISABLE_EXEC 580.It Dv PROC_STACKGAP_ENABLE 581Stack gaps are enabled. 582.It Dv PROC_STACKGAP_DISABLE 583Stack gaps are disabled. 584.It Dv PROC_STACKGAP_ENABLE_EXEC 585Stack gaps are enabled in the process after 586.Xr execve 2 . 587.It Dv PROC_STACKGAP_DISABLE_EXEC 588Stack gaps are disabled in the process after 589.Xr execve 2 . 590.El 591.It Dv PROC_NO_NEW_PRIVS_CTL 592Allows one to ignore the SUID and SGID bits on the program 593images activated by 594.Xr execve 2 595in the specified process and its future descendants. 596The 597.Fa data 598parameter must point to the integer variable holding the following 599value: 600.Bl -tag -width PROC_NO_NEW_PRIVS_ENABLE 601.It Dv PROC_NO_NEW_PRIVS_ENABLE 602Request SUID and SGID bits to be ignored. 603.El 604.Pp 605It is not possible to disable it once it has been enabled. 606.It Dv PROC_NO_NEW_PRIVS_STATUS 607Returns the current status of SUID/SGID enablement for the target process. 608The 609.Fa data 610parameter must point to the integer variable, where one of the 611following values is written: 612.Bl -tag -width PROC_NO_NEW_PRIVS_DISABLE 613.It Dv PROC_NO_NEW_PRIVS_ENABLE 614.It Dv PROC_NO_NEW_PRIVS_DISABLE 615.El 616.It Dv PROC_WXMAP_CTL 617Controls the 'write exclusive against execution' permissions for the 618mappings in the process address space. 619It overrides the global settings established by the 620.Dv kern.elf{32/64}.allow_wx 621sysctl, 622and the corresponding bit in the ELF control note, see 623.Xr elfctl 1 . 624.Pp 625The 626.Fa data 627parameter must point to the integer variable holding one of the 628following values: 629.Bl -tag -width PROC_WX_MAPPINGS_DISALLOW_EXEC 630.It Dv PROC_WX_MAPPINGS_PERMIT 631Enable creation of mappings that have both write and execute 632protection attributes, in the specified process' address space. 633.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 634In the new address space created by 635.Xr execve 2 , 636disallow creation of mappings that have both write and execute 637permissions. 638.El 639.Pp 640Once creation of writeable and executable mappings is allowed, 641it is impossible (and pointless) to disallow it. 642The only way to ensure the absence of such mappings after they 643were enabled in a given process, is to set the 644.Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 645flag and 646.Xr execve 2 647an image. 648.It Dv PROC_WXMAP_STATUS 649Returns the current status of the 'write exclusive against execution' 650enforcement for the specified process. 651The 652.Dv data 653parameter must point to the integer variable, where one of the 654following values is written: 655.Bl -tag -width PROC_WX_MAPPINGS_DISALLOW_EXEC 656.It Dv PROC_WX_MAPPINGS_PERMIT 657Creation of simultaneously writable and executable mapping is permitted, 658otherwise the process cannot create such mappings. 659.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 660After 661.Xr execve 2 , 662the new address space should disallow creation of simultaneously 663writable and executable mappings. 664.El 665.Pp 666Additionally, if the address space of the process disallows 667creation of simultaneously writable and executable mappings and 668it is guaranteed that no such mapping was created since address space 669creation, the 670.Dv PROC_WXORX_ENFORCE 671flag is set in the returned value. 672.El 673.Sh x86 MACHINE-SPECIFIC REQUESTS 674.Bl -tag -width PROC_KPTI_STATUS 675.It Dv PROC_KPTI_CTL 676AMD64 only. 677Controls the Kernel Page Table Isolation (KPTI) option for the children 678of the specified process. 679For the command to work, the 680.Va vm.pmap.kpti 681tunable must be enabled on boot. 682It is not possible to change the KPTI setting for a running process, 683except at the 684.Xr execve 2 , 685where the address space is reinitialized. 686.Pp 687The 688.Fa data 689parameter must point to an integer variable containing one of the 690following commands: 691.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC 692.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC 693Enable KPTI after 694.Xr execve 2 . 695.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC 696Disable KPTI after 697.Xr execve 2 . 698Only root or a process having the 699.Va PRIV_IO 700privilege might use this option. 701.El 702.It Dv PROC_KPTI_STATUS 703Returns the current KPTI status for the specified process. 704.Fa data 705must point to the integer variable, which returns the 706following statuses: 707.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC 708.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC 709.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC 710.El 711.Pp 712The status is or-ed with the 713.Va PROC_KPTI_STATUS_ACTIVE 714in case KPTI is active for the current address space of the process. 715.El 716.Sh NOTES 717Disabling tracing on a process should not be considered a security 718feature, as it is bypassable both by the kernel and privileged processes, 719and via other system mechanisms. 720As such, it should not be utilized to reliably protect cryptographic 721keying material or other confidential data. 722.Pp 723Note that processes can trivially bypass the 'no simultaneously 724writable and executable mappings' policy by first marking some mapping 725as writeable and write code to it, then removing write and adding 726execute permission. 727This may be legitimately required by some programs, such as JIT compilers. 728.Sh RETURN VALUES 729If an error occurs, a value of -1 is returned and 730.Va errno 731is set to indicate the error. 732.Sh ERRORS 733The 734.Fn procctl 735system call 736will fail if: 737.Bl -tag -width Er 738.It Bq Er EFAULT 739The 740.Fa data 741parameter points outside the process's allocated address space. 742.It Bq Er EINVAL 743The 744.Fa cmd 745argument specifies an unsupported command. 746.Pp 747The 748.Fa idtype 749argument specifies an unsupported identifier type. 750.It Bq Er EPERM 751The calling process does not have permission to perform the requested 752operation on any of the selected processes. 753.It Bq Er ESRCH 754No processes matched the requested 755.Fa idtype 756and 757.Fa id . 758.It Bq Er ESRCH 759No descendant processes can be found matching criteria specified in the 760.Dv PROC_REAP_KILL 761request. 762.It Bq Er EINVAL 763An invalid operation or flag was passed in 764.Fa data 765for a 766.Dv PROC_SPROTECT 767command. 768.It Bq Er EPERM 769The 770.Fa idtype 771argument is not equal to 772.Dv P_PID , 773or 774.Fa id 775is not equal to the pid of the calling process, for 776.Dv PROC_REAP_ACQUIRE 777or 778.Dv PROC_REAP_RELEASE 779requests. 780.It Bq Er EINVAL 781Invalid or undefined flags were passed to a 782.Dv PROC_REAP_KILL 783request. 784.It Bq Er EINVAL 785An invalid or zero signal number was requested for a 786.Dv PROC_REAP_KILL 787request. 788.It Bq Er EINVAL 789The 790.Dv PROC_REAP_RELEASE 791request was issued by the 792.Xr init 8 793process. 794.It Bq Er EBUSY 795The 796.Dv PROC_REAP_ACQUIRE 797request was issued by a process that had already acquired reaper status 798and has not yet released it. 799.It Bq Er EBUSY 800The 801.Dv PROC_TRACE_CTL 802request was issued for a process already being traced. 803.It Bq Er EPERM 804The 805.Dv PROC_TRACE_CTL 806request to re-enable tracing of the process 807.Po Dv PROC_TRACE_CTL_ENABLE Pc , 808or to disable persistence of 809.Dv PROC_TRACE_CTL_DISABLE 810on 811.Xr execve 2 812was issued for a non-current process. 813.It Bq Er EINVAL 814The value of the integer 815.Fa data 816parameter for the 817.Dv PROC_TRACE_CTL 818or 819.Dv PROC_TRAPCAP_CTL 820request is invalid. 821.It Bq Er EINVAL 822The 823.Dv PROC_PDEATHSIG_CTL 824or 825.Dv PROC_PDEATHSIG_STATUS 826request referenced an unsupported 827.Fa id , 828.Fa idtype 829or invalid signal number. 830.El 831.Sh SEE ALSO 832.Xr dtrace 1 , 833.Xr proccontrol 1 , 834.Xr protect 1 , 835.Xr cap_enter 2 , 836.Xr kill 2 , 837.Xr ktrace 2 , 838.Xr mmap 2 , 839.Xr mprotect 2 , 840.Xr ptrace 2 , 841.Xr wait 2 , 842.Xr capsicum 4 , 843.Xr hwpmc 4 , 844.Xr init 8 845.Sh HISTORY 846The 847.Fn procctl 848function appeared in 849.Fx 9.3 . 850.Pp 851The reaper facility is based on a similar feature of Linux and 852DragonflyBSD, and first appeared in 853.Fx 10.2 . 854.Pp 855The 856.Dv PROC_PDEATHSIG_CTL 857facility is based on the prctl(PR_SET_PDEATHSIG, ...) feature of Linux, 858and first appeared in 859.Fx 11.2 . 860.Pp 861The ASLR support was added to system for the checklists compliance in 862.Fx 13.0 . 863