1.\" Copyright (c) 2013 Hudson River Trading LLC 2.\" Written by: John H. Baldwin <jhb@FreeBSD.org> 3.\" All rights reserved. 4.\" 5.\" Copyright (c) 2014 The FreeBSD Foundation 6.\" Portions of this documentation were written by Konstantin Belousov 7.\" under sponsorship from the FreeBSD Foundation. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.Dd December 14, 2024 31.Dt PROCCTL 2 32.Os 33.Sh NAME 34.Nm procctl 35.Nd control processes 36.Sh LIBRARY 37.Lb libc 38.Sh SYNOPSIS 39.In sys/procctl.h 40.Ft int 41.Fn procctl "idtype_t idtype" "id_t id" "int cmd" "void *data" 42.Sh DESCRIPTION 43The 44.Fn procctl 45system call provides for control over processes. 46The 47.Fa idtype 48and 49.Fa id 50arguments specify the set of processes to control. 51If multiple processes match the identifier, 52.Nm 53will make a 54.Dq best effort 55to control as many of the selected processes as possible. 56An error is only returned if no selected processes successfully complete 57the request. 58The following identifier types are supported: 59.Bl -tag -width P_PGID 60.It Dv P_PID 61Control the process with the process ID 62.Fa id . 63.Fa id 64zero is a shortcut for the calling process ID. 65.It Dv P_PGID 66Control processes belonging to the process group with the ID 67.Fa id . 68.El 69.Pp 70The control request to perform is specified by the 71.Fa cmd 72argument. 73.Pp 74All status changing requests 75.Pq Dv *_CTL 76require the caller to have the right to debug the target. 77All status query requests 78.Pq Dv *_STATUS 79require the caller to have the right to observe the target. 80.Pp 81The following commands are supported: 82.Bl -tag -width PROC_LOGSIGEXIT_STATUS 83.It Dv PROC_ASLR_CTL 84Controls Address Space Layout Randomization (ASLR) in program 85images created 86by 87.Xr execve 2 88in the specified process or its descendants that do not either change 89the control or modify it by other means. 90The 91.Fa data 92parameter must point to an integer variable holding one of the following 93values: 94.Bl -tag -width Ds 95.It Dv PROC_ASLR_FORCE_ENABLE 96Request that ASLR is enabled after execution, even if it is disabled 97system-wide. 98.It Dv PROC_ASLR_FORCE_DISABLE 99Request that ASLR is disabled after execution, even if it is enabled 100system-wide. 101.It Dv PROC_ASLR_NOFORCE 102Use the system-wide configured policy for ASLR. 103.El 104.Pp 105Note that the 106.Xr elfctl 1 107.Dq noaslr 108flag takes precedence over this control. 109Executing a binary with this flag set will never use ASLR. 110Similarly, executing a set-user-ID or set-group-ID binary ignores this 111control and only honors the 112.Xr elfctl 1 113flag and system-wide policy. 114.It Dv PROC_ASLR_STATUS 115Returns the current status of ASLR enablement for the target process. 116The 117.Fa data 118parameter must point to an integer variable, where one of the 119following values is written: 120.Bl -tag -width Ds 121.It Dv PROC_ASLR_FORCE_ENABLE 122.It Dv PROC_ASLR_FORCE_DISABLE 123.It Dv PROC_ASLR_NOFORCE 124.El 125.Pp 126If the currently executed image in the process itself has ASLR enabled, 127the 128.Dv PROC_ASLR_ACTIVE 129flag is or-ed with the value listed above. 130.It Dv PROC_LOGSIGEXIT_CTL 131Controls the logging of exits due to signals that would normally cause a core 132dump. 133The 134.Va arg 135parameter must point to an integer variable holding one of the following values: 136.Bl -tag -width PROC_LOGSIGEXIT_FORCE_DISABLE 137.It Dv PROC_LOGSIGEXIT_FORCE_ENABLE 138Enables logging of exits due to signals that would normally cause a core dump. 139Logging is done via 140.Xr log 9 141with a log level of 142.Dv LOG_INFO . 143.It Dv PROC_LOGSIGEXIT_FORCE_DISABLE 144Disables the logging of exits due to signals that would normally cause a core 145dump. 146.It Dv PROC_LOGSIGEXIT_NOFORCE 147The logging behavior is delegated to the 148.Xr sysctl 3 149MIB variable 150.Va kern.logsigexit . 151.El 152.It Dv PROC_LOGSIGEXIT_STATUS 153Returns the current status of logging for the target process. 154The 155.Va arg 156parameter must point to an integer variable, where one of the following values 157is written: 158.Bl -tag -width PROC_LOGSIGEXIT_FORCE_DISABLE 159.It Dv PROC_LOGSIGEXIT_FORCE_ENABLE 160.It Dv PROC_LOGSIGEXIT_FORCE_DISABLE 161.It Dv PROC_LOGSIGEXIT_NOFORCE 162.El 163.It Dv PROC_PROTMAX_CTL 164Controls the maximum protection used for 165.Xr mmap 2 166requests in the target process that do not specify 167an explicit maximum protection in the 168.Fa prot 169argument via 170.Dv PROT_MAX . 171The maximum protection limits the permissions a mapping can be assigned by 172.Xr mprotect 2 . 173If an explicit maximum protection is not provided, 174the maximum protection for a new mapping is set to either 175.Dv PROT_READ | PROT_WRITE | PROT_EXEC 176.Pq RWX 177or the protection specified in 178.Fa prot . 179Mappings created with 180.Fa prot 181set to 182.Dv PROT_NONE 183always use RWX maximum protection. 184.Pp 185The 186.Fa data 187parameter must point to an integer variable holding one of the following 188values: 189.Bl -tag -width Ds 190.It Dv PROC_PROTMAX_FORCE_ENABLE 191Use the permissions in 192.Fa prot 193as the implicit maximum protection, 194even if RWX permissions are requested by the sysctl 195.Va vm.imply_prot_max . 196.It Dv PROC_PROTMAX_FORCE_DISABLE 197Use RWX as the implicit maximum protection, 198even if constrained permissions are requested by the sysctl 199.Va vm.imply_prot_max . 200.It Dv PROC_PROTMAX_NOFORCE 201Use the system-wide configured policy for the implicit PROT_MAX control. 202.El 203.Pp 204Note that the 205.Xr elfctl 1 206.Dq noprotmax 207flag takes precedence over this control. 208Executing a binary with this flag set will always use RWX as the implicit 209maximum protection. 210.It Dv PROC_PROTMAX_STATUS 211Returns the current status of the implicit PROT_MAX control for the 212target process. 213The 214.Fa data 215parameter must point to an integer variable, where one of the 216following values is written: 217.Bl -tag -width Ds 218.It Dv PROC_PROTMAX_FORCE_ENABLE 219.It Dv PROC_PROTMAX_FORCE_DISABLE 220.It Dv PROC_PROTMAX_NOFORCE 221.El 222.Pp 223If the currently executed image in the process itself has the implicit PROT_MAX 224control enabled, the 225.Dv PROC_PROTMAX_ACTIVE 226flag is or-ed with the value listed above. 227.It Dv PROC_SPROTECT 228Set process protection state. 229This is used to mark a process as protected from being killed if the system 230exhausts available memory and swap. 231The 232.Fa data 233parameter must point to an integer containing an operation and zero or more 234optional flags. 235The following operations are supported: 236.Bl -tag -width Ds 237.It Dv PPROT_SET 238Mark the selected processes as protected. 239.It Dv PPROT_CLEAR 240Clear the protected state of selected processes. 241.El 242.Pp 243The following optional flags are supported: 244.Bl -tag -width Ds 245.It Dv PPROT_DESCEND 246Apply the requested operation to all child processes of each selected process 247in addition to each selected process. 248.It Dv PPROT_INHERIT 249When used with 250.Dv PPROT_SET , 251mark all future child processes of each selected process as protected. 252Future child processes will also mark all of their future child processes. 253.El 254.It Dv PROC_REAP_ACQUIRE 255Enable orphaned process reaping for future children of the current process. 256.Pp 257If a parent process exits before one or more of its children processes, 258the remaining children processes are orphaned. 259When an orphaned process exits, 260it is reparented to a reaper process that is responsible for harvesting 261the terminated process via 262.Xr wait 2 . 263When this control is enabled, 264the current process becomes the reaper process for future children and their 265descendants. 266Existing child processes continue to use the reaper assigned when the child 267was created via 268.Xr fork 2 . 269If a reaper process exits, 270all of the processes for whom it was the reaper are reassigned to the reaper 271process's reaper. 272.Pp 273After system initialization, 274.Xr init 8 275is the default reaper. 276.It Dv PROC_REAP_RELEASE 277Disable orphaned process reaping for the current process. 278.Pp 279Any processes for whom the current process was the reaper are reassigned to 280the current process's reaper. 281.It Dv PROC_REAP_STATUS 282Provides a consistent snapshot of information about the reaper 283of the specified process, 284or the process itself if it is a reaper. 285The 286.Fa data 287argument must point to a 288.Vt procctl_reaper_status 289structure which is filled in by the system call on successful return. 290.Bd -literal 291struct procctl_reaper_status { 292 u_int rs_flags; 293 u_int rs_children; 294 u_int rs_descendants; 295 pid_t rs_reaper; 296 pid_t rs_pid; 297}; 298.Ed 299.Pp 300The 301.Fa rs_flags 302may have the following flags returned: 303.Bl -tag -width Ds 304.It Dv REAPER_STATUS_OWNED 305The specified process is a reaper. 306When this flag is returned, the specified process 307.Fa id , 308pid, identifies a reaper, otherwise the 309.Fa rs_reaper 310field of the structure is set to the pid of the reaper 311for the specified process id. 312.It Dv REAPER_STATUS_REALINIT 313The specified process is the root of the reaper tree, i.e., 314.Xr init 8 . 315.El 316.Pp 317The 318.Fa rs_children 319field returns the number of processes that can be reaped by the reaper that 320are also children of the reaper. 321It is possible to have a child whose reaper is not the specified process, 322since the reaper for existing children is not changed by 323.Dv PROC_REAP_ACQUIRE . 324The 325.Fa rs_descendants 326field returns the total number of processes that can be reaped by the reaper. 327The 328.Fa rs_reaper 329field returns the reaper's pid. 330The 331.Fa rs_pid 332returns the pid of one reaper child if there are any processes that can be 333reapead; 334otherwise, it is set to \-1. 335.It Dv PROC_REAP_GETPIDS 336Queries the list of processes that can be reaped 337by the reaper of the specified process. 338The request takes a pointer to a 339.Vt procctl_reaper_pids 340structure in the 341.Fa data 342parameter. 343.Bd -literal 344struct procctl_reaper_pids { 345 u_int rp_count; 346 struct procctl_reaper_pidinfo *rp_pids; 347}; 348.Ed 349.Pp 350When called, the 351.Fa rp_pids 352field must point to an array of 353.Fa rp_count 354.Vt procctl_reaper_pidinfo 355structures. 356The kernel will populate these structures with information about the 357reaper's descendants. 358.Pp 359The 360.Vt "struct procctl_reaper_pidinfo" 361structure provides some information about one of the reaper's descendants. 362Note that for a descendant that is not a child, it may be incorrectly 363identified because of a race in which the original child process exited 364and the exited process's pid was reused for an unrelated process. 365.Bd -literal 366struct procctl_reaper_pidinfo { 367 pid_t pi_pid; 368 pid_t pi_subtree; 369 u_int pi_flags; 370}; 371.Ed 372.Pp 373The 374.Fa pi_pid 375field is the process id of the descendant. 376The 377.Fa pi_subtree 378field provides the pid of the direct child of the reaper which is 379the (grand-)parent of the descendant process. 380The 381.Fa pi_flags 382field returns the following flags, further describing the descendant: 383.Bl -tag -width Ds 384.It Dv REAPER_PIDINFO_VALID 385Set to indicate that the 386.Vt procctl_reaper_pidinfo 387structure was filled in by the kernel. 388Zero-filling the 389.Fa rp_pids 390array and testing the 391.Dv REAPER_PIDINFO_VALID 392flag allows the caller to detect the end 393of the returned array. 394.It Dv REAPER_PIDINFO_CHILD 395The 396.Fa pi_pid 397field identifies a direct child of the reaper. 398.It Dv REAPER_PIDINFO_REAPER 399The reported process is itself a reaper. 400The descendants of the subordinate reaper are not reported. 401.It Dv REAPER_PIDINFO_ZOMBIE 402The reported process is in the zombie state, ready to be reaped. 403.It Dv REAPER_PIDINFO_STOPPED 404The reported process is stopped by a SIGSTOP/SIGTSTP signal. 405.It Dv REAPER_PIDINFO_EXITING 406The reported process is in the process of exiting (but not yet a zombie). 407.El 408.It Dv PROC_REAP_KILL 409Request to deliver a signal to some subset of the descendants of the reaper. 410The 411.Fa data 412parameter must point to a 413.Vt procctl_reaper_kill 414structure, which is used both for parameters and status return. 415.Bd -literal 416struct procctl_reaper_kill { 417 int rk_sig; 418 u_int rk_flags; 419 pid_t rk_subtree; 420 u_int rk_killed; 421 pid_t rk_fpid; 422}; 423.Ed 424.Pp 425The 426.Fa rk_sig 427field specifies the signal to be delivered. 428Zero is not a valid signal number, unlike for 429.Xr kill 2 . 430The 431.Fa rk_flags 432field further directs the operation. 433It is or-ed from the following flags: 434.Bl -tag -width Ds 435.It Dv REAPER_KILL_CHILDREN 436Deliver the specified signal only to direct children of the reaper. 437.It Dv REAPER_KILL_SUBTREE 438Deliver the specified signal only to descendants that were forked by 439the direct child with pid specified in the 440.Fa rk_subtree 441field. 442.El 443.Pp 444If neither the 445.Dv REAPER_KILL_CHILDREN 446nor the 447.Dv REAPER_KILL_SUBTREE 448flags are specified, all current descendants of the reaper are signalled. 449.Pp 450If a signal was delivered to any process, the return value from the request 451is zero. 452In this case, the 453.Fa rk_killed 454field identifies the number of processes signalled. 455The 456.Fa rk_fpid 457field is set to the pid of the first process for which signal 458delivery failed, e.g., due to permission problems. 459If no such process exists, the 460.Fa rk_fpid 461field is set to \-1. 462.It Dv PROC_TRACE_CTL 463Enable or disable tracing of the specified process(es), according to the 464value of the integer argument. 465Tracing includes inspecting the process via 466.Xr ptrace 2 , 467.Xr ktrace 2 , 468debugging sysctls, 469.Xr hwpmc 4 , 470or 471.Xr dtrace 1 472as well as dumping core. 473Possible values for the 474.Fa data 475argument are: 476.Bl -tag -width Ds 477.It Dv PROC_TRACE_CTL_ENABLE 478Enable tracing, after it was disabled by 479.Dv PROC_TRACE_CTL_DISABLE . 480Only allowed for self. 481.It Dv PROC_TRACE_CTL_DISABLE 482Disable tracing for the specified process. 483Tracing is re-enabled when the process changes the executing 484program with the 485.Xr execve 2 486system call. 487A child inherits the trace settings from the parent on 488.Xr fork 2 . 489.It Dv PROC_TRACE_CTL_DISABLE_EXEC 490Same as 491.Dv PROC_TRACE_CTL_DISABLE , 492but the setting persists for the process even after 493.Xr execve 2 . 494.El 495.It Dv PROC_TRACE_STATUS 496Returns the current tracing status for the specified process in 497the integer variable pointed to by 498.Fa data . 499If tracing is disabled, 500.Fa data 501is set to \-1. 502If tracing is enabled, but no debugger is attached by the 503.Xr ptrace 2 504system call, 505.Fa data 506is set to 0. 507If a debugger is attached, 508.Fa data 509is set to the pid of the debugger process. 510.It Dv PROC_TRAPCAP_CTL 511Controls the capability mode sandbox actions for the specified 512sandboxed processes 513on a return from any system call which fails with either an 514.Er ENOTCAPABLE 515or 516.Er ECAPMODE 517error. 518If this control is enabled and a system call fails with one of these errors, 519a synchronous 520.Dv SIGTRAP 521signal is delivered to the thread immediately before returning from the 522system call. 523.Pp 524Possible values for the 525.Fa data 526argument are: 527.Bl -tag -width Ds 528.It Dv PROC_TRAPCAP_CTL_ENABLE 529Enable 530.Dv SIGTRAP 531signal delivery on capability mode access violations. 532The enabled mode is inherited by the children of the process, 533and is kept after 534.Xr fexecve 2 535calls. 536.It Dv PROC_TRAPCAP_CTL_DISABLE 537Disable 538.Dv SIGTRAP 539signal delivery on capability mode access violations. 540Note that the global sysctl 541.Dv kern.trap_enotcap 542might still cause the signal to be delivered. 543See 544.Xr capsicum 4 . 545.El 546.Pp 547On signal delivery, the 548.Va si_errno 549member of the 550.Fa siginfo 551signal handler parameter is set to the system call error value, 552and the 553.Va si_code 554member is set to 555.Dv TRAP_CAP . 556The system call number is stored in the 557.Va si_syscall 558field of the 559.Fa siginfo 560signal handler parameter. 561The other system call parameters can be read from the 562.Fa ucontext_t 563but the system call number is typically stored in the register 564that also contains the return value and so is unavailable in the 565signal handler. 566.Pp 567See 568.Xr capsicum 4 569for more information about capability mode. 570.It Dv PROC_TRAPCAP_STATUS 571Return the current status of raising 572.Dv SIGTRAP 573for capability mode access violations by the specified process. 574The integer value pointed to by the 575.Fa data 576argument is set to the 577.Dv PROC_TRAPCAP_CTL_ENABLE 578value if 579.Dv SIGTRAP 580delivery is enabled, and to 581.Dv PROC_TRAPCAP_CTL_DISABLE 582otherwise. 583.Pp 584See the note about sysctl 585.Dv kern.trap_enotcap 586above, which gives independent global control of signal delivery. 587.It Dv PROC_PDEATHSIG_CTL 588Request the delivery of a signal when the parent of the calling 589process exits. 590.Fa idtype 591must be 592.Dv P_PID 593and 594.Fa id 595must be the either caller's pid or zero, with no difference in effect. 596The value is cleared for child processes 597and when executing set-user-ID or set-group-ID binaries. 598.Fa data 599must point to a value of type 600.Vt int 601indicating the signal 602that should be delivered to the caller. 603Use zero to cancel a previously requested signal delivery. 604.It Dv PROC_PDEATHSIG_STATUS 605Query the current signal number that will be delivered when the parent 606of the calling process exits. 607.Fa idtype 608must be 609.Dv P_PID 610and 611.Fa id 612must be the either caller's pid or zero, with no difference in effect. 613.Fa data 614must point to a memory location that can hold a value of type 615.Vt int . 616If signal delivery has not been requested, it will contain zero 617on return. 618.It Dv PROC_STACKGAP_CTL 619Controls stack gaps in the specified process. 620A stack gap is one or more virtual memory pages at the end of the 621growth area for a 622.Dv MAP_STACK 623mapping that is reserved and never backed by memory. 624Instead, the process is guaranteed to receive a synchronous 625.Dv SIGSEGV 626signal for each access to pages in the gap. 627The number of pages reserved for each stack is set by the sysctl 628.Va security.bsd.stack_guard_page . 629.Pp 630Gaps protect against stack overflows by preventing them from corrupting memory 631adjacent to the stack. 632.Pp 633The 634.Fa data 635argument must point to an integer variable containing flags. 636The following flags are allowed: 637.Bl -tag -width Ds 638.It Dv PROC_STACKGAP_ENABLE 639This flag is only accepted for consistency with 640.Dv PROC_STACKGAP_STATUS . 641If stack gaps are enabled, the flag is ignored. 642If stack gaps are disabled, the request fails with 643.Ev EINVAL . 644After gaps are disabled in a process, they can only be re-enabled when an 645.Xr execve 2 646is performed. 647.It Dv PROC_STACKGAP_DISABLE 648Disable stack gaps for the process. 649For existing stacks, the gap is no longer reserved 650and can be filled by memory on access. 651.It Dv PROC_STACKGAP_ENABLE_EXEC 652Enable stack gaps for the new address space constructed by any future 653.Xr execve 2 654in the specified process. 655.It Dv PROC_STACKGAP_DISABLE_EXEC 656Inherit disabled stack gaps state after 657.Xr execve 2 . 658In other words, if the currently executing program has stack gaps disabled, 659they are kept disabled on exec. 660If gaps were enabled, they are kept enabled after exec. 661.El 662.Pp 663The stack gap state is inherited from the parent on 664.Xr fork 2 . 665.It Dv PROC_STACKGAP_STATUS 666Returns the current stack gap state for the specified process. 667.Fa data 668must point to an integer variable, which is used to return a bitmask 669consisting of the following flags: 670.Bl -tag -width Ds 671.It Dv PROC_STACKGAP_ENABLE 672Stack gaps are enabled. 673.It Dv PROC_STACKGAP_DISABLE 674Stack gaps are disabled. 675.It Dv PROC_STACKGAP_ENABLE_EXEC 676Stack gaps are enabled in the process after 677.Xr execve 2 . 678.It Dv PROC_STACKGAP_DISABLE_EXEC 679Stack gaps are disabled in the process after 680.Xr execve 2 . 681.El 682.Pp 683Note that the 684.Xr elfctl 1 685.Dq nostackgap 686flag takes precedence over this setting for individual process address spaces. 687Executing a binary with this flag set will never use stack gaps in the address 688space constructed by 689.Xr execve 2 . 690However, the controls value can still be inherited by child processes, and 691executing a binary without this flag set will revert to the behavior specified 692by the control. 693.It Dv PROC_NO_NEW_PRIVS_CTL 694Allows one to ignore the set-user-ID and set-group-ID bits on the program 695images activated by 696.Xr execve 2 697in the specified process and its future descendants. 698The 699.Fa data 700parameter must point to an integer variable holding the following 701value: 702.Bl -tag -width Ds 703.It Dv PROC_NO_NEW_PRIVS_ENABLE 704Request set-user-ID and set-group-ID bits to be ignored. 705.El 706.Pp 707It is not possible to disable this control once it has been enabled. 708.It Dv PROC_NO_NEW_PRIVS_STATUS 709Returns the current status of set-ID bits enablement for the target process. 710The 711.Fa data 712parameter must point to an integer variable, where one of the 713following values is written: 714.Bl -tag -width Ds 715.It Dv PROC_NO_NEW_PRIVS_ENABLE 716.It Dv PROC_NO_NEW_PRIVS_DISABLE 717.El 718.It Dv PROC_WXMAP_CTL 719Controls the creation of mappings with both write and execute permissions 720in a process's address space. 721The 722.Fa data 723parameter must point to an integer variable holding one of the 724following values: 725.Bl -tag -width Ds 726.It Dv PROC_WX_MAPPINGS_PERMIT 727Enable creation of mappings that have both write and execute 728permissions in the specified process' current and future address spaces. 729.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 730In a new address space created by a future call to 731.Xr execve 2 , 732disallow creation of mappings that have both write and execute 733permissions. 734.El 735.Pp 736If both flags are set, 737.Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 738takes precedence during 739.Xr execve 2 . 740If neither flag is set, 741mappings with write and execute permissions are only permitted if the 742.Dv kern.elf{32/64}.allow_wx 743sysctl is non-zero or the 744.Xr elfctl 1 745.Dq wxneeded 746flag is set in the ELF control note. 747.Pp 748Once creation of writeable and executable mappings is enabled for a process, 749it is impossible (and pointless) to disable it. 750The only way to ensure the absence of such mappings after they 751were enabled in a given process is to set the 752.Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 753flag and 754.Xr execve 2 755an image. 756.It Dv PROC_WXMAP_STATUS 757Returns the current status of the controls over creation of mappings with 758both write and execute permissions for the specified process. 759The 760.Dv data 761parameter must point to an integer variable, where one of the 762following values is written: 763.Bl -tag -width Ds 764.It Dv PROC_WX_MAPPINGS_PERMIT 765Creation of simultaneously writable and executable mappings are permitted; 766otherwise, the process cannot create such mappings. 767.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 768After 769.Xr execve 2 , 770the new address space will not permit creation of simultaneously 771writable and executable mappings. 772.El 773.Pp 774Additionally, if the address space of the process does not permit 775creation of simultaneously writable and executable mappings and 776it is guaranteed that no such mapping was created since address space 777creation, the 778.Dv PROC_WXORX_ENFORCE 779flag is set in the returned value. 780.El 781.Sh x86 MACHINE-SPECIFIC REQUESTS 782.Bl -tag -width PROC_KPTI_STATUS 783.It Dv PROC_KPTI_CTL 784AMD64 only. 785Controls the Kernel Page Table Isolation (KPTI) option for the children 786of the specified process. 787This control is only meaningful if KPTI has been enabled globally by the 788.Va vm.pmap.kpti 789tunable. 790It is not possible to change the KPTI setting for a running process, 791only for new address spaces constructed by a future 792.Xr execve 2 . 793.Pp 794The 795.Fa data 796parameter must point to an integer variable containing one of the 797following commands: 798.Bl -tag -width Ds 799.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC 800Enable KPTI after 801.Xr execve 2 . 802.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC 803Disable KPTI after 804.Xr execve 2 . 805Only root or a process having the 806.Va PRIV_IO 807privilege can use this option. 808.El 809.It Dv PROC_KPTI_STATUS 810Returns the current KPTI status for the specified process. 811.Fa data 812must point to an integer variable, where one of the 813following values is written: 814.Bl -tag -width Ds 815.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC 816.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC 817.El 818.Pp 819The status is or-ed with 820.Va PROC_KPTI_STATUS_ACTIVE 821if KPTI is active for the current address space of the process. 822.El 823.Sh NOTES 824Disabling tracing on a process should not be considered a security 825feature, as it is bypassable both by the kernel and privileged processes 826and via other system mechanisms. 827As such, it should not be utilized to reliably protect cryptographic 828keying material or other confidential data. 829.Pp 830Note that processes can trivially bypass the 'no simultaneously 831writable and executable mappings' policy by first marking some mapping 832as writeable, writing code to it, then removing write and adding 833execute permission. 834This may be legitimately required by some programs such as JIT compilers. 835.Sh RETURN VALUES 836If an error occurs, a value of \-1 is returned and 837.Va errno 838is set to indicate the error. 839.Sh ERRORS 840The 841.Fn procctl 842system call 843will fail if: 844.Bl -tag -width Er 845.It Bq Er EFAULT 846The 847.Fa data 848parameter points outside the process's allocated address space. 849.It Bq Er EINVAL 850The 851.Fa cmd 852argument specifies an unsupported command. 853.Pp 854The 855.Fa idtype 856argument specifies an unsupported identifier type. 857.It Bq Er EPERM 858The calling process does not have permission to perform the requested 859operation on any of the selected processes. 860.It Bq Er ESRCH 861No processes matched the requested 862.Fa idtype 863and 864.Fa id . 865.It Bq Er ESRCH 866No descendant processes can be found matching criteria specified in the 867.Dv PROC_REAP_KILL 868request. 869.It Bq Er EINVAL 870An invalid operation or flag was passed in 871.Fa data 872for a 873.Dv PROC_SPROTECT 874command. 875.It Bq Er EPERM 876The 877.Fa idtype 878argument is not equal to 879.Dv P_PID , 880or 881.Fa id 882is not equal to the pid of the calling process, for 883.Dv PROC_REAP_ACQUIRE 884or 885.Dv PROC_REAP_RELEASE 886requests. 887.It Bq Er EINVAL 888Invalid or undefined flags were passed to a 889.Dv PROC_REAP_KILL 890request. 891.It Bq Er EINVAL 892An invalid or zero signal number was requested for a 893.Dv PROC_REAP_KILL 894request. 895.It Bq Er EINVAL 896A 897.Dv PROC_REAP_RELEASE 898request was issued by the 899.Xr init 8 900process. 901.It Bq Er EBUSY 902A 903.Dv PROC_REAP_ACQUIRE 904request was issued by a process that is already a reaper process. 905.It Bq Er EBUSY 906A 907.Dv PROC_TRACE_CTL 908request was issued for a process being traced. 909.It Bq Er EPERM 910A 911.Dv PROC_TRACE_CTL 912request to re-enable tracing of the process 913.Po Dv PROC_TRACE_CTL_ENABLE Pc , 914or to disable persistence of 915.Dv PROC_TRACE_CTL_DISABLE 916on 917.Xr execve 2 918specified a target process other than the calling process. 919.It Bq Er EINVAL 920The value of the integer 921.Fa data 922parameter for the 923.Dv PROC_TRACE_CTL 924or 925.Dv PROC_TRAPCAP_CTL 926request is invalid. 927.It Bq Er EINVAL 928The 929.Dv PROC_PDEATHSIG_CTL 930or 931.Dv PROC_PDEATHSIG_STATUS 932request referenced an unsupported 933.Fa id , 934.Fa idtype 935or invalid signal number. 936.El 937.Sh SEE ALSO 938.Xr dtrace 1 , 939.Xr elfctl 1 , 940.Xr proccontrol 1 , 941.Xr protect 1 , 942.Xr cap_enter 2 , 943.Xr kill 2 , 944.Xr ktrace 2 , 945.Xr mmap 2 , 946.Xr mprotect 2 , 947.Xr ptrace 2 , 948.Xr wait 2 , 949.Xr capsicum 4 , 950.Xr hwpmc 4 , 951.Xr init 8 952.Sh HISTORY 953The 954.Fn procctl 955function appeared in 956.Fx 9.3 . 957.Pp 958The reaper facility is based on a similar feature in Linux and 959DragonflyBSD, and first appeared in 960.Fx 10.2 . 961.Pp 962The 963.Dv PROC_PDEATHSIG_CTL 964facility is based on the 965.Ql prctl(PR_SET_PDEATHSIG, ...) 966feature in Linux, 967and first appeared in 968.Fx 11.2 . 969.Pp 970ASLR support was added for checklist compliance in 971.Fx 13.0 . 972