1.\" Copyright (c) 2013 Hudson River Trading LLC 2.\" Written by: John H. Baldwin <jhb@FreeBSD.org> 3.\" All rights reserved. 4.\" 5.\" Copyright (c) 2014 The FreeBSD Foundation 6.\" Portions of this documentation were written by Konstantin Belousov 7.\" under sponsorship from the FreeBSD Foundation. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.Dd December 4, 2024 31.Dt PROCCTL 2 32.Os 33.Sh NAME 34.Nm procctl 35.Nd control processes 36.Sh LIBRARY 37.Lb libc 38.Sh SYNOPSIS 39.In sys/procctl.h 40.Ft int 41.Fn procctl "idtype_t idtype" "id_t id" "int cmd" "void *data" 42.Sh DESCRIPTION 43The 44.Fn procctl 45system call provides for control over processes. 46The 47.Fa idtype 48and 49.Fa id 50arguments specify the set of processes to control. 51If multiple processes match the identifier, 52.Nm 53will make a 54.Dq best effort 55to control as many of the selected processes as possible. 56An error is only returned if no selected processes successfully complete 57the request. 58The following identifier types are supported: 59.Bl -tag -width P_PGID 60.It Dv P_PID 61Control the process with the process ID 62.Fa id . 63.Fa id 64zero is a shortcut for the calling process ID. 65.It Dv P_PGID 66Control processes belonging to the process group with the ID 67.Fa id . 68.El 69.Pp 70The control request to perform is specified by the 71.Fa cmd 72argument. 73.Pp 74All status changing requests 75.Pq Dv *_CTL 76require the caller to have the right to debug the target. 77All status query requests 78.Pq Dv *_STATUS 79require the caller to have the right to observe the target. 80.Pp 81The following commands are supported: 82.Bl -tag -width PROC_TRAPCAP_STATUS 83.It Dv PROC_ASLR_CTL 84Controls Address Space Layout Randomization (ASLR) in program 85images created 86by 87.Xr execve 2 88in the specified process or its descendants that do not either change 89the control or modify it by other means. 90The 91.Fa data 92parameter must point to an integer variable holding one of the following 93values: 94.Bl -tag -width Ds 95.It Dv PROC_ASLR_FORCE_ENABLE 96Request that ASLR is enabled after execution, even if it is disabled 97system-wide. 98.It Dv PROC_ASLR_FORCE_DISABLE 99Request that ASLR is disabled after execution, even if it is enabled 100system-wide. 101.It Dv PROC_ASLR_NOFORCE 102Use the system-wide configured policy for ASLR. 103.El 104.Pp 105Note that the 106.Xr elfctl 1 107.Dq noaslr 108flag takes precedence over this control. 109Executing a binary with this flag set will never use ASLR. 110Similarly, executing a set-user-ID or set-group-ID binary ignores this 111control and only honors the 112.Xr elfctl 1 113flag and system-wide policy. 114.It Dv PROC_ASLR_STATUS 115Returns the current status of ASLR enablement for the target process. 116The 117.Fa data 118parameter must point to an integer variable, where one of the 119following values is written: 120.Bl -tag -width Ds 121.It Dv PROC_ASLR_FORCE_ENABLE 122.It Dv PROC_ASLR_FORCE_DISABLE 123.It Dv PROC_ASLR_NOFORCE 124.El 125.Pp 126If the currently executed image in the process itself has ASLR enabled, 127the 128.Dv PROC_ASLR_ACTIVE 129flag is or-ed with the value listed above. 130.It Dv PROC_PROTMAX_CTL 131Controls the maximum protection used for 132.Xr mmap 2 133requests in the target process that do not specify 134an explicit maximum protection in the 135.Fa prot 136argument via 137.Dv PROT_MAX . 138The maximum protection limits the permissions a mapping can be assigned by 139.Xr mprotect 2 . 140If an explicit maximum protection is not provided, 141the maximum protection for a new mapping is set to either 142.Dv PROT_READ | PROT_WRITE | PROT_EXEC 143.Pq RWX 144or the protection specified in 145.Fa prot . 146Mappings created with 147.Fa prot 148set to 149.Dv PROT_NONE 150always use RWX maximum protection. 151.Pp 152The 153.Fa data 154parameter must point to an integer variable holding one of the following 155values: 156.Bl -tag -width Ds 157.It Dv PROC_PROTMAX_FORCE_ENABLE 158Use the permissions in 159.Fa prot 160as the implicit maximum protection, 161even if RWX permissions are requested by the sysctl 162.Va vm.imply_prot_max . 163.It Dv PROC_PROTMAX_FORCE_DISABLE 164Use RWX as the implicit maximum protection, 165even if constrained permissions are requested by the sysctl 166.Va vm.imply_prot_max . 167.It Dv PROC_PROTMAX_NOFORCE 168Use the system-wide configured policy for the implicit PROT_MAX control. 169.El 170.Pp 171Note that the 172.Xr elfctl 1 173.Dq noprotmax 174flag takes precedence over this control. 175Executing a binary with this flag set will always use RWX as the implicit 176maximum protection. 177.It Dv PROC_PROTMAX_STATUS 178Returns the current status of the implicit PROT_MAX control for the 179target process. 180The 181.Fa data 182parameter must point to an integer variable, where one of the 183following values is written: 184.Bl -tag -width Ds 185.It Dv PROC_PROTMAX_FORCE_ENABLE 186.It Dv PROC_PROTMAX_FORCE_DISABLE 187.It Dv PROC_PROTMAX_NOFORCE 188.El 189.Pp 190If the currently executed image in the process itself has the implicit PROT_MAX 191control enabled, the 192.Dv PROC_PROTMAX_ACTIVE 193flag is or-ed with the value listed above. 194.It Dv PROC_SPROTECT 195Set process protection state. 196This is used to mark a process as protected from being killed if the system 197exhausts available memory and swap. 198The 199.Fa data 200parameter must point to an integer containing an operation and zero or more 201optional flags. 202The following operations are supported: 203.Bl -tag -width Ds 204.It Dv PPROT_SET 205Mark the selected processes as protected. 206.It Dv PPROT_CLEAR 207Clear the protected state of selected processes. 208.El 209.Pp 210The following optional flags are supported: 211.Bl -tag -width Ds 212.It Dv PPROT_DESCEND 213Apply the requested operation to all child processes of each selected process 214in addition to each selected process. 215.It Dv PPROT_INHERIT 216When used with 217.Dv PPROT_SET , 218mark all future child processes of each selected process as protected. 219Future child processes will also mark all of their future child processes. 220.El 221.It Dv PROC_REAP_ACQUIRE 222Enable orphaned process reaping for future children of the current process. 223.Pp 224If a parent process exits before one or more of its children processes, 225the remaining children processes are orphaned. 226When an orphaned process exits, 227it is reparented to a reaper process that is responsible for harvesting 228the terminated process via 229.Xr wait 2 . 230When this control is enabled, 231the current process becomes the reaper process for future children and their 232descendants. 233Existing child processes continue to use the reaper assigned when the child 234was created via 235.Xr fork 2 . 236If a reaper process exits, 237all of the processes for whom it was the reaper are reassigned to the reaper 238process's reaper. 239.Pp 240After system initialization, 241.Xr init 8 242is the default reaper. 243.It Dv PROC_REAP_RELEASE 244Disable orphaned process reaping for the current process. 245.Pp 246Any processes for whom the current process was the reaper are reassigned to 247the current process's reaper. 248.It Dv PROC_REAP_STATUS 249Provides a consistent snapshot of information about the reaper 250of the specified process, 251or the process itself if it is a reaper. 252The 253.Fa data 254argument must point to a 255.Vt procctl_reaper_status 256structure which is filled in by the system call on successful return. 257.Bd -literal 258struct procctl_reaper_status { 259 u_int rs_flags; 260 u_int rs_children; 261 u_int rs_descendants; 262 pid_t rs_reaper; 263 pid_t rs_pid; 264}; 265.Ed 266.Pp 267The 268.Fa rs_flags 269may have the following flags returned: 270.Bl -tag -width Ds 271.It Dv REAPER_STATUS_OWNED 272The specified process is a reaper. 273When this flag is returned, the specified process 274.Fa id , 275pid, identifies a reaper, otherwise the 276.Fa rs_reaper 277field of the structure is set to the pid of the reaper 278for the specified process id. 279.It Dv REAPER_STATUS_REALINIT 280The specified process is the root of the reaper tree, i.e., 281.Xr init 8 . 282.El 283.Pp 284The 285.Fa rs_children 286field returns the number of processes that can be reaped by the reaper that 287are also children of the reaper. 288It is possible to have a child whose reaper is not the specified process, 289since the reaper for existing children is not changed by 290.Dv PROC_REAP_ACQUIRE . 291The 292.Fa rs_descendants 293field returns the total number of processes that can be reaped by the reaper. 294The 295.Fa rs_reaper 296field returns the reaper's pid. 297The 298.Fa rs_pid 299returns the pid of one reaper child if there are any processes that can be 300reapead; 301otherwise, it is set to \-1. 302.It Dv PROC_REAP_GETPIDS 303Queries the list of processes that can be reaped 304by the reaper of the specified process. 305The request takes a pointer to a 306.Vt procctl_reaper_pids 307structure in the 308.Fa data 309parameter. 310.Bd -literal 311struct procctl_reaper_pids { 312 u_int rp_count; 313 struct procctl_reaper_pidinfo *rp_pids; 314}; 315.Ed 316.Pp 317When called, the 318.Fa rp_pids 319field must point to an array of 320.Fa rp_count 321.Vt procctl_reaper_pidinfo 322structures. 323The kernel will populate these structures with information about the 324reaper's descendants. 325.Pp 326The 327.Vt "struct procctl_reaper_pidinfo" 328structure provides some information about one of the reaper's descendants. 329Note that for a descendant that is not a child, it may be incorrectly 330identified because of a race in which the original child process exited 331and the exited process's pid was reused for an unrelated process. 332.Bd -literal 333struct procctl_reaper_pidinfo { 334 pid_t pi_pid; 335 pid_t pi_subtree; 336 u_int pi_flags; 337}; 338.Ed 339.Pp 340The 341.Fa pi_pid 342field is the process id of the descendant. 343The 344.Fa pi_subtree 345field provides the pid of the direct child of the reaper which is 346the (grand-)parent of the descendant process. 347The 348.Fa pi_flags 349field returns the following flags, further describing the descendant: 350.Bl -tag -width Ds 351.It Dv REAPER_PIDINFO_VALID 352Set to indicate that the 353.Vt procctl_reaper_pidinfo 354structure was filled in by the kernel. 355Zero-filling the 356.Fa rp_pids 357array and testing the 358.Dv REAPER_PIDINFO_VALID 359flag allows the caller to detect the end 360of the returned array. 361.It Dv REAPER_PIDINFO_CHILD 362The 363.Fa pi_pid 364field identifies a direct child of the reaper. 365.It Dv REAPER_PIDINFO_REAPER 366The reported process is itself a reaper. 367The descendants of the subordinate reaper are not reported. 368.It Dv REAPER_PIDINFO_ZOMBIE 369The reported process is in the zombie state, ready to be reaped. 370.It Dv REAPER_PIDINFO_STOPPED 371The reported process is stopped by a SIGSTOP/SIGTSTP signal. 372.It Dv REAPER_PIDINFO_EXITING 373The reported process is in the process of exiting (but not yet a zombie). 374.El 375.It Dv PROC_REAP_KILL 376Request to deliver a signal to some subset of the descendants of the reaper. 377The 378.Fa data 379parameter must point to a 380.Vt procctl_reaper_kill 381structure, which is used both for parameters and status return. 382.Bd -literal 383struct procctl_reaper_kill { 384 int rk_sig; 385 u_int rk_flags; 386 pid_t rk_subtree; 387 u_int rk_killed; 388 pid_t rk_fpid; 389}; 390.Ed 391.Pp 392The 393.Fa rk_sig 394field specifies the signal to be delivered. 395Zero is not a valid signal number, unlike for 396.Xr kill 2 . 397The 398.Fa rk_flags 399field further directs the operation. 400It is or-ed from the following flags: 401.Bl -tag -width Ds 402.It Dv REAPER_KILL_CHILDREN 403Deliver the specified signal only to direct children of the reaper. 404.It Dv REAPER_KILL_SUBTREE 405Deliver the specified signal only to descendants that were forked by 406the direct child with pid specified in the 407.Fa rk_subtree 408field. 409.El 410.Pp 411If neither the 412.Dv REAPER_KILL_CHILDREN 413nor the 414.Dv REAPER_KILL_SUBTREE 415flags are specified, all current descendants of the reaper are signalled. 416.Pp 417If a signal was delivered to any process, the return value from the request 418is zero. 419In this case, the 420.Fa rk_killed 421field identifies the number of processes signalled. 422The 423.Fa rk_fpid 424field is set to the pid of the first process for which signal 425delivery failed, e.g., due to permission problems. 426If no such process exists, the 427.Fa rk_fpid 428field is set to \-1. 429.It Dv PROC_TRACE_CTL 430Enable or disable tracing of the specified process(es), according to the 431value of the integer argument. 432Tracing includes inspecting the process via 433.Xr ptrace 2 , 434.Xr ktrace 2 , 435debugging sysctls, 436.Xr hwpmc 4 , 437or 438.Xr dtrace 1 439as well as dumping core. 440Possible values for the 441.Fa data 442argument are: 443.Bl -tag -width Ds 444.It Dv PROC_TRACE_CTL_ENABLE 445Enable tracing, after it was disabled by 446.Dv PROC_TRACE_CTL_DISABLE . 447Only allowed for self. 448.It Dv PROC_TRACE_CTL_DISABLE 449Disable tracing for the specified process. 450Tracing is re-enabled when the process changes the executing 451program with the 452.Xr execve 2 453system call. 454A child inherits the trace settings from the parent on 455.Xr fork 2 . 456.It Dv PROC_TRACE_CTL_DISABLE_EXEC 457Same as 458.Dv PROC_TRACE_CTL_DISABLE , 459but the setting persists for the process even after 460.Xr execve 2 . 461.El 462.It Dv PROC_TRACE_STATUS 463Returns the current tracing status for the specified process in 464the integer variable pointed to by 465.Fa data . 466If tracing is disabled, 467.Fa data 468is set to \-1. 469If tracing is enabled, but no debugger is attached by the 470.Xr ptrace 2 471system call, 472.Fa data 473is set to 0. 474If a debugger is attached, 475.Fa data 476is set to the pid of the debugger process. 477.It Dv PROC_TRAPCAP_CTL 478Controls the capability mode sandbox actions for the specified 479sandboxed processes 480on a return from any system call which fails with either an 481.Er ENOTCAPABLE 482or 483.Er ECAPMODE 484error. 485If this control is enabled and a system call fails with one of these errors, 486a synchronous 487.Dv SIGTRAP 488signal is delivered to the thread immediately before returning from the 489system call. 490.Pp 491Possible values for the 492.Fa data 493argument are: 494.Bl -tag -width Ds 495.It Dv PROC_TRAPCAP_CTL_ENABLE 496Enable 497.Dv SIGTRAP 498signal delivery on capability mode access violations. 499The enabled mode is inherited by the children of the process, 500and is kept after 501.Xr fexecve 2 502calls. 503.It Dv PROC_TRAPCAP_CTL_DISABLE 504Disable 505.Dv SIGTRAP 506signal delivery on capability mode access violations. 507Note that the global sysctl 508.Dv kern.trap_enotcap 509might still cause the signal to be delivered. 510See 511.Xr capsicum 4 . 512.El 513.Pp 514On signal delivery, the 515.Va si_errno 516member of the 517.Fa siginfo 518signal handler parameter is set to the system call error value, 519and the 520.Va si_code 521member is set to 522.Dv TRAP_CAP . 523The system call number is stored in the 524.Va si_syscall 525field of the 526.Fa siginfo 527signal handler parameter. 528The other system call parameters can be read from the 529.Fa ucontext_t 530but the system call number is typically stored in the register 531that also contains the return value and so is unavailable in the 532signal handler. 533.Pp 534See 535.Xr capsicum 4 536for more information about capability mode. 537.It Dv PROC_TRAPCAP_STATUS 538Return the current status of raising 539.Dv SIGTRAP 540for capability mode access violations by the specified process. 541The integer value pointed to by the 542.Fa data 543argument is set to the 544.Dv PROC_TRAPCAP_CTL_ENABLE 545value if 546.Dv SIGTRAP 547delivery is enabled, and to 548.Dv PROC_TRAPCAP_CTL_DISABLE 549otherwise. 550.Pp 551See the note about sysctl 552.Dv kern.trap_enotcap 553above, which gives independent global control of signal delivery. 554.It Dv PROC_PDEATHSIG_CTL 555Request the delivery of a signal when the parent of the calling 556process exits. 557.Fa idtype 558must be 559.Dv P_PID 560and 561.Fa id 562must be the either caller's pid or zero, with no difference in effect. 563The value is cleared for child processes 564and when executing set-user-ID or set-group-ID binaries. 565.Fa data 566must point to a value of type 567.Vt int 568indicating the signal 569that should be delivered to the caller. 570Use zero to cancel a previously requested signal delivery. 571.It Dv PROC_PDEATHSIG_STATUS 572Query the current signal number that will be delivered when the parent 573of the calling process exits. 574.Fa idtype 575must be 576.Dv P_PID 577and 578.Fa id 579must be the either caller's pid or zero, with no difference in effect. 580.Fa data 581must point to a memory location that can hold a value of type 582.Vt int . 583If signal delivery has not been requested, it will contain zero 584on return. 585.It Dv PROC_STACKGAP_CTL 586Controls stack gaps in the specified process. 587A stack gap is one or more virtual memory pages at the end of the 588growth area for a 589.Dv MAP_STACK 590mapping that is reserved and never backed by memory. 591Instead, the process is guaranteed to receive a synchronous 592.Dv SIGSEGV 593signal for each access to pages in the gap. 594The number of pages reserved for each stack is set by the sysctl 595.Va security.bsd.stack_guard_page . 596.Pp 597Gaps protect against stack overflows by preventing them from corrupting memory 598adjacent to the stack. 599.Pp 600The 601.Fa data 602argument must point to an integer variable containing flags. 603The following flags are allowed: 604.Bl -tag -width Ds 605.It Dv PROC_STACKGAP_ENABLE 606This flag is only accepted for consistency with 607.Dv PROC_STACKGAP_STATUS . 608If stack gaps are enabled, the flag is ignored. 609If stack gaps are disabled, the request fails with 610.Ev EINVAL . 611After gaps are disabled in a process, they can only be re-enabled when an 612.Xr execve 2 613is performed. 614.It Dv PROC_STACKGAP_DISABLE 615Disable stack gaps for the process. 616For existing stacks, the gap is no longer reserved 617and can be filled by memory on access. 618.It Dv PROC_STACKGAP_ENABLE_EXEC 619Enable stack gaps for the new address space constructed by any future 620.Xr execve 2 621in the specified process. 622.It Dv PROC_STACKGAP_DISABLE_EXEC 623Inherit disabled stack gaps state after 624.Xr execve 2 . 625In other words, if the currently executing program has stack gaps disabled, 626they are kept disabled on exec. 627If gaps were enabled, they are kept enabled after exec. 628.El 629.Pp 630The stack gap state is inherited from the parent on 631.Xr fork 2 . 632.It Dv PROC_STACKGAP_STATUS 633Returns the current stack gap state for the specified process. 634.Fa data 635must point to an integer variable, which is used to return a bitmask 636consisting of the following flags: 637.Bl -tag -width Ds 638.It Dv PROC_STACKGAP_ENABLE 639Stack gaps are enabled. 640.It Dv PROC_STACKGAP_DISABLE 641Stack gaps are disabled. 642.It Dv PROC_STACKGAP_ENABLE_EXEC 643Stack gaps are enabled in the process after 644.Xr execve 2 . 645.It Dv PROC_STACKGAP_DISABLE_EXEC 646Stack gaps are disabled in the process after 647.Xr execve 2 . 648.El 649.Pp 650Note that the 651.Xr elfctl 1 652.Dq nostackgap 653flag takes precedence over this setting for individual process address spaces. 654Executing a binary with this flag set will never use stack gaps in the address 655space constructed by 656.Xr execve 2 . 657However, the controls value can still be inherited by child processes, and 658executing a binary without this flag set will revert to the behavior specified 659by the control. 660.It Dv PROC_NO_NEW_PRIVS_CTL 661Allows one to ignore the set-user-ID and set-group-ID bits on the program 662images activated by 663.Xr execve 2 664in the specified process and its future descendants. 665The 666.Fa data 667parameter must point to an integer variable holding the following 668value: 669.Bl -tag -width Ds 670.It Dv PROC_NO_NEW_PRIVS_ENABLE 671Request set-user-ID and set-group-ID bits to be ignored. 672.El 673.Pp 674It is not possible to disable this control once it has been enabled. 675.It Dv PROC_NO_NEW_PRIVS_STATUS 676Returns the current status of set-ID bits enablement for the target process. 677The 678.Fa data 679parameter must point to an integer variable, where one of the 680following values is written: 681.Bl -tag -width Ds 682.It Dv PROC_NO_NEW_PRIVS_ENABLE 683.It Dv PROC_NO_NEW_PRIVS_DISABLE 684.El 685.It Dv PROC_WXMAP_CTL 686Controls the creation of mappings with both write and execute permissions 687in a process's address space. 688The 689.Fa data 690parameter must point to an integer variable holding one of the 691following values: 692.Bl -tag -width Ds 693.It Dv PROC_WX_MAPPINGS_PERMIT 694Enable creation of mappings that have both write and execute 695permissions in the specified process' current and future address spaces. 696.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 697In a new address space created by a future call to 698.Xr execve 2 , 699disallow creation of mappings that have both write and execute 700permissions. 701.El 702.Pp 703If both flags are set, 704.Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 705takes precedence during 706.Xr execve 2 . 707If neither flag is set, 708mappings with write and execute permissions are only permitted if the 709.Dv kern.elf{32/64}.allow_wx 710sysctl is non-zero or the 711.Xr elfctl 1 712.Dq wxneeded 713flag is set in the ELF control note. 714.Pp 715Once creation of writeable and executable mappings is enabled for a process, 716it is impossible (and pointless) to disable it. 717The only way to ensure the absence of such mappings after they 718were enabled in a given process is to set the 719.Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 720flag and 721.Xr execve 2 722an image. 723.It Dv PROC_WXMAP_STATUS 724Returns the current status of the controls over creation of mappings with 725both write and execute permissions for the specified process. 726The 727.Dv data 728parameter must point to an integer variable, where one of the 729following values is written: 730.Bl -tag -width Ds 731.It Dv PROC_WX_MAPPINGS_PERMIT 732Creation of simultaneously writable and executable mappings are permitted; 733otherwise, the process cannot create such mappings. 734.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 735After 736.Xr execve 2 , 737the new address space will not permit creation of simultaneously 738writable and executable mappings. 739.El 740.Pp 741Additionally, if the address space of the process does not permit 742creation of simultaneously writable and executable mappings and 743it is guaranteed that no such mapping was created since address space 744creation, the 745.Dv PROC_WXORX_ENFORCE 746flag is set in the returned value. 747.El 748.Sh x86 MACHINE-SPECIFIC REQUESTS 749.Bl -tag -width PROC_KPTI_STATUS 750.It Dv PROC_KPTI_CTL 751AMD64 only. 752Controls the Kernel Page Table Isolation (KPTI) option for the children 753of the specified process. 754This control is only meaningful if KPTI has been enabled globally by the 755.Va vm.pmap.kpti 756tunable. 757It is not possible to change the KPTI setting for a running process, 758only for new address spaces constructed by a future 759.Xr execve 2 . 760.Pp 761The 762.Fa data 763parameter must point to an integer variable containing one of the 764following commands: 765.Bl -tag -width Ds 766.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC 767Enable KPTI after 768.Xr execve 2 . 769.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC 770Disable KPTI after 771.Xr execve 2 . 772Only root or a process having the 773.Va PRIV_IO 774privilege can use this option. 775.El 776.It Dv PROC_KPTI_STATUS 777Returns the current KPTI status for the specified process. 778.Fa data 779must point to an integer variable, where one of the 780following values is written: 781.Bl -tag -width Ds 782.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC 783.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC 784.El 785.Pp 786The status is or-ed with 787.Va PROC_KPTI_STATUS_ACTIVE 788if KPTI is active for the current address space of the process. 789.El 790.Sh NOTES 791Disabling tracing on a process should not be considered a security 792feature, as it is bypassable both by the kernel and privileged processes 793and via other system mechanisms. 794As such, it should not be utilized to reliably protect cryptographic 795keying material or other confidential data. 796.Pp 797Note that processes can trivially bypass the 'no simultaneously 798writable and executable mappings' policy by first marking some mapping 799as writeable, writing code to it, then removing write and adding 800execute permission. 801This may be legitimately required by some programs such as JIT compilers. 802.Sh RETURN VALUES 803If an error occurs, a value of \-1 is returned and 804.Va errno 805is set to indicate the error. 806.Sh ERRORS 807The 808.Fn procctl 809system call 810will fail if: 811.Bl -tag -width Er 812.It Bq Er EFAULT 813The 814.Fa data 815parameter points outside the process's allocated address space. 816.It Bq Er EINVAL 817The 818.Fa cmd 819argument specifies an unsupported command. 820.Pp 821The 822.Fa idtype 823argument specifies an unsupported identifier type. 824.It Bq Er EPERM 825The calling process does not have permission to perform the requested 826operation on any of the selected processes. 827.It Bq Er ESRCH 828No processes matched the requested 829.Fa idtype 830and 831.Fa id . 832.It Bq Er ESRCH 833No descendant processes can be found matching criteria specified in the 834.Dv PROC_REAP_KILL 835request. 836.It Bq Er EINVAL 837An invalid operation or flag was passed in 838.Fa data 839for a 840.Dv PROC_SPROTECT 841command. 842.It Bq Er EPERM 843The 844.Fa idtype 845argument is not equal to 846.Dv P_PID , 847or 848.Fa id 849is not equal to the pid of the calling process, for 850.Dv PROC_REAP_ACQUIRE 851or 852.Dv PROC_REAP_RELEASE 853requests. 854.It Bq Er EINVAL 855Invalid or undefined flags were passed to a 856.Dv PROC_REAP_KILL 857request. 858.It Bq Er EINVAL 859An invalid or zero signal number was requested for a 860.Dv PROC_REAP_KILL 861request. 862.It Bq Er EINVAL 863A 864.Dv PROC_REAP_RELEASE 865request was issued by the 866.Xr init 8 867process. 868.It Bq Er EBUSY 869A 870.Dv PROC_REAP_ACQUIRE 871request was issued by a process that is already a reaper process. 872.It Bq Er EBUSY 873A 874.Dv PROC_TRACE_CTL 875request was issued for a process being traced. 876.It Bq Er EPERM 877A 878.Dv PROC_TRACE_CTL 879request to re-enable tracing of the process 880.Po Dv PROC_TRACE_CTL_ENABLE Pc , 881or to disable persistence of 882.Dv PROC_TRACE_CTL_DISABLE 883on 884.Xr execve 2 885specified a target process other than the calling process. 886.It Bq Er EINVAL 887The value of the integer 888.Fa data 889parameter for the 890.Dv PROC_TRACE_CTL 891or 892.Dv PROC_TRAPCAP_CTL 893request is invalid. 894.It Bq Er EINVAL 895The 896.Dv PROC_PDEATHSIG_CTL 897or 898.Dv PROC_PDEATHSIG_STATUS 899request referenced an unsupported 900.Fa id , 901.Fa idtype 902or invalid signal number. 903.El 904.Sh SEE ALSO 905.Xr dtrace 1 , 906.Xr elfctl 1 , 907.Xr proccontrol 1 , 908.Xr protect 1 , 909.Xr cap_enter 2 , 910.Xr kill 2 , 911.Xr ktrace 2 , 912.Xr mmap 2 , 913.Xr mprotect 2 , 914.Xr ptrace 2 , 915.Xr wait 2 , 916.Xr capsicum 4 , 917.Xr hwpmc 4 , 918.Xr init 8 919.Sh HISTORY 920The 921.Fn procctl 922function appeared in 923.Fx 9.3 . 924.Pp 925The reaper facility is based on a similar feature in Linux and 926DragonflyBSD, and first appeared in 927.Fx 10.2 . 928.Pp 929The 930.Dv PROC_PDEATHSIG_CTL 931facility is based on the 932.Ql prctl(PR_SET_PDEATHSIG, ...) 933feature in Linux, 934and first appeared in 935.Fx 11.2 . 936.Pp 937ASLR support was added for checklist compliance in 938.Fx 13.0 . 939