xref: /freebsd/lib/libsys/procctl.2 (revision ce3fbcdd14a1a2ef90890fb8da9592fb4c349b35)
1.\" Copyright (c) 2013 Hudson River Trading LLC
2.\" Written by: John H. Baldwin <jhb@FreeBSD.org>
3.\" All rights reserved.
4.\"
5.\" Copyright (c) 2014 The FreeBSD Foundation
6.\" Portions of this documentation were written by Konstantin Belousov
7.\" under sponsorship from the FreeBSD Foundation.
8.\"
9.\" Redistribution and use in source and binary forms, with or without
10.\" modification, are permitted provided that the following conditions
11.\" are met:
12.\" 1. Redistributions of source code must retain the above copyright
13.\"    notice, this list of conditions and the following disclaimer.
14.\" 2. Redistributions in binary form must reproduce the above copyright
15.\"    notice, this list of conditions and the following disclaimer in the
16.\"    documentation and/or other materials provided with the distribution.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28.\" SUCH DAMAGE.
29.\"
30.Dd December 14, 2024
31.Dt PROCCTL 2
32.Os
33.Sh NAME
34.Nm procctl
35.Nd control processes
36.Sh LIBRARY
37.Lb libc
38.Sh SYNOPSIS
39.In sys/procctl.h
40.Ft int
41.Fn procctl "idtype_t idtype" "id_t id" "int cmd" "void *data"
42.Sh DESCRIPTION
43The
44.Fn procctl
45system call provides for control over processes.
46The
47.Fa idtype
48and
49.Fa id
50arguments specify the set of processes to control.
51If multiple processes match the identifier,
52.Nm
53will make a
54.Dq best effort
55to control as many of the selected processes as possible.
56An error is only returned if no selected processes successfully complete
57the request.
58The following identifier types are supported:
59.Bl -tag -width P_PGID
60.It Dv P_PID
61Control the process with the process ID
62.Fa id .
63.Fa id
64zero is a shortcut for the calling process ID.
65.It Dv P_PGID
66Control processes belonging to the process group with the ID
67.Fa id .
68.El
69.Pp
70The control request to perform is specified by the
71.Fa cmd
72argument.
73.Pp
74All status changing requests
75.Pq Dv *_CTL
76require the caller to have the right to debug the target.
77All status query requests
78.Pq Dv *_STATUS
79require the caller to have the right to observe the target.
80.Pp
81The following commands are supported:
82.Bl -tag -width PROC_LOGSIGEXIT_STATUS
83.It Dv PROC_ASLR_CTL
84Controls Address Space Layout Randomization (ASLR) in program
85images created
86by
87.Xr execve 2
88in the specified process or its descendants that do not either change
89the control or modify it by other means.
90The
91.Fa data
92parameter must point to an integer variable holding one of the following
93values:
94.Bl -tag -width Ds
95.It Dv PROC_ASLR_FORCE_ENABLE
96Request that ASLR is enabled after execution, even if it is disabled
97system-wide.
98.It Dv PROC_ASLR_FORCE_DISABLE
99Request that ASLR is disabled after execution, even if it is enabled
100system-wide.
101.It Dv PROC_ASLR_NOFORCE
102Use the system-wide configured policy for ASLR.
103.El
104.Pp
105Note that the
106.Xr elfctl 1
107.Dq noaslr
108flag takes precedence over this control.
109Executing a binary with this flag set will never use ASLR.
110Similarly, executing a set-user-ID or set-group-ID binary ignores this
111control and only honors the
112.Xr elfctl 1
113flag and system-wide policy.
114.It Dv PROC_ASLR_STATUS
115Returns the current status of ASLR enablement for the target process.
116The
117.Fa data
118parameter must point to an integer variable, where one of the
119following values is written:
120.Bl -tag -width Ds
121.It Dv PROC_ASLR_FORCE_ENABLE
122.It Dv PROC_ASLR_FORCE_DISABLE
123.It Dv PROC_ASLR_NOFORCE
124.El
125.Pp
126If the currently executed image in the process itself has ASLR enabled,
127the
128.Dv PROC_ASLR_ACTIVE
129flag is or-ed with the value listed above.
130.It Dv PROC_LOGSIGEXIT_CTL
131Controls the logging of exits due to signals that would normally cause a core
132dump.
133The
134.Va arg
135parameter must point to an integer variable holding one of the following values:
136.Bl -tag -width PROC_LOGSIGEXIT_FORCE_DISABLE
137.It Dv PROC_LOGSIGEXIT_FORCE_ENABLE
138Enables logging of exits due to signals that would normally cause a core dump.
139Logging is done via
140.Xr log 9
141with a log level of
142.Dv LOG_INFO .
143.It Dv PROC_LOGSIGEXIT_FORCE_DISABLE
144Disables the logging of exits due to signals that would normally cause a core
145dump.
146.It Dv PROC_LOGSIGEXIT_NOFORCE
147The logging behavior is delegated to the
148.Xr sysctl 3
149MIB variable
150.Va kern.logsigexit .
151.El
152.It Dv PROC_LOGSIGEXIT_STATUS
153Returns the current status of logging for the target process.
154The
155.Va arg
156parameter must point to an integer variable, where one of the following values
157is written:
158.Bl -tag -width PROC_LOGSIGEXIT_FORCE_DISABLE
159.It Dv PROC_LOGSIGEXIT_FORCE_ENABLE
160.It Dv PROC_LOGSIGEXIT_FORCE_DISABLE
161.It Dv PROC_LOGSIGEXIT_NOFORCE
162.El
163.It Dv PROC_PROTMAX_CTL
164Controls the maximum protection used for
165.Xr mmap 2
166requests in the target process that do not specify
167an explicit maximum protection in the
168.Fa prot
169argument via
170.Dv PROT_MAX .
171The maximum protection limits the permissions a mapping can be assigned by
172.Xr mprotect 2 .
173If an explicit maximum protection is not provided,
174the maximum protection for a new mapping is set to either
175.Dv PROT_READ | PROT_WRITE | PROT_EXEC
176.Pq RWX
177or the protection specified in
178.Fa prot .
179Mappings created with
180.Fa prot
181set to
182.Dv PROT_NONE
183always use RWX maximum protection.
184.Pp
185The
186.Fa data
187parameter must point to an integer variable holding one of the following
188values:
189.Bl -tag -width Ds
190.It Dv PROC_PROTMAX_FORCE_ENABLE
191Use the permissions in
192.Fa prot
193as the implicit maximum protection,
194even if RWX permissions are requested by the sysctl
195.Va vm.imply_prot_max .
196.It Dv PROC_PROTMAX_FORCE_DISABLE
197Use RWX as the implicit maximum protection,
198even if constrained permissions are requested by the sysctl
199.Va vm.imply_prot_max .
200.It Dv PROC_PROTMAX_NOFORCE
201Use the system-wide configured policy for the implicit PROT_MAX control.
202.El
203.Pp
204Note that the
205.Xr elfctl 1
206.Dq noprotmax
207flag takes precedence over this control.
208Executing a binary with this flag set will always use RWX as the implicit
209maximum protection.
210.It Dv PROC_PROTMAX_STATUS
211Returns the current status of the implicit PROT_MAX control for the
212target process.
213The
214.Fa data
215parameter must point to an integer variable, where one of the
216following values is written:
217.Bl -tag -width Ds
218.It Dv PROC_PROTMAX_FORCE_ENABLE
219.It Dv PROC_PROTMAX_FORCE_DISABLE
220.It Dv PROC_PROTMAX_NOFORCE
221.El
222.Pp
223If the currently executed image in the process itself has the implicit PROT_MAX
224control enabled, the
225.Dv PROC_PROTMAX_ACTIVE
226flag is or-ed with the value listed above.
227.It Dv PROC_SPROTECT
228Set process protection state.
229This is used to mark a process as protected from being killed if the system
230exhausts available memory and swap.
231The
232.Fa data
233parameter must point to an integer containing an operation and zero or more
234optional flags.
235The following operations are supported:
236.Bl -tag -width Ds
237.It Dv PPROT_SET
238Mark the selected processes as protected.
239.It Dv PPROT_CLEAR
240Clear the protected state of selected processes.
241.El
242.Pp
243The following optional flags are supported:
244.Bl -tag -width Ds
245.It Dv PPROT_DESCEND
246Apply the requested operation to all child processes of each selected process
247in addition to each selected process.
248.It Dv PPROT_INHERIT
249When used with
250.Dv PPROT_SET ,
251mark all future child processes of each selected process as protected.
252Future child processes will also mark all of their future child processes.
253.El
254.It Dv PROC_REAP_ACQUIRE
255Enable orphaned process reaping for future children of the current process.
256.Pp
257If a parent process exits before one or more of its children processes,
258the remaining children processes are orphaned.
259When an orphaned process exits,
260it is reparented to a reaper process that is responsible for harvesting
261the terminated process via
262.Xr wait 2 .
263When this control is enabled,
264the current process becomes the reaper process for future children and their
265descendants.
266Existing child processes continue to use the reaper assigned when the child
267was created via
268.Xr fork 2 .
269If a reaper process exits,
270all of the processes for whom it was the reaper are reassigned to the reaper
271process's reaper.
272.Pp
273After system initialization,
274.Xr init 8
275is the default reaper.
276.It Dv PROC_REAP_RELEASE
277Disable orphaned process reaping for the current process.
278.Pp
279Any processes for whom the current process was the reaper are reassigned to
280the current process's reaper.
281.It Dv PROC_REAP_STATUS
282Provides a consistent snapshot of information about the reaper
283of the specified process,
284or the process itself if it is a reaper.
285The
286.Fa data
287argument must point to a
288.Vt procctl_reaper_status
289structure which is filled in by the system call on successful return.
290.Bd -literal
291struct procctl_reaper_status {
292	u_int	rs_flags;
293	u_int	rs_children;
294	u_int	rs_descendants;
295	pid_t	rs_reaper;
296	pid_t	rs_pid;
297};
298.Ed
299.Pp
300The
301.Fa rs_flags
302may have the following flags returned:
303.Bl -tag -width Ds
304.It Dv REAPER_STATUS_OWNED
305The specified process is a reaper.
306When this flag is returned, the specified process
307.Fa id ,
308pid, identifies a reaper, otherwise the
309.Fa rs_reaper
310field of the structure is set to the pid of the reaper
311for the specified process id.
312.It Dv REAPER_STATUS_REALINIT
313The specified process is the root of the reaper tree, i.e.,
314.Xr init 8 .
315.El
316.Pp
317The
318.Fa rs_children
319field returns the number of processes that can be reaped by the reaper that
320are also children of the reaper.
321It is possible to have a child whose reaper is not the specified process,
322since the reaper for existing children is not changed by
323.Dv PROC_REAP_ACQUIRE .
324The
325.Fa rs_descendants
326field returns the total number of processes that can be reaped by the reaper.
327The
328.Fa rs_reaper
329field returns the reaper's pid.
330The
331.Fa rs_pid
332returns the pid of one reaper child if there are any processes that can be
333reapead;
334otherwise, it is set to \-1.
335.It Dv PROC_REAP_GETPIDS
336Queries the list of processes that can be reaped
337by the reaper of the specified process.
338The request takes a pointer to a
339.Vt procctl_reaper_pids
340structure in the
341.Fa data
342parameter.
343.Bd -literal
344struct procctl_reaper_pids {
345	u_int	rp_count;
346	struct procctl_reaper_pidinfo *rp_pids;
347};
348.Ed
349.Pp
350When called, the
351.Fa rp_pids
352field must point to an array of
353.Fa rp_count
354.Vt procctl_reaper_pidinfo
355structures.
356The kernel will populate these structures with information about the
357reaper's descendants.
358.Pp
359The
360.Vt "struct procctl_reaper_pidinfo"
361structure provides some information about one of the reaper's descendants.
362Note that for a descendant that is not a child, it may be incorrectly
363identified because of a race in which the original child process exited
364and the exited process's pid was reused for an unrelated process.
365.Bd -literal
366struct procctl_reaper_pidinfo {
367	pid_t	pi_pid;
368	pid_t	pi_subtree;
369	u_int	pi_flags;
370};
371.Ed
372.Pp
373The
374.Fa pi_pid
375field is the process id of the descendant.
376The
377.Fa pi_subtree
378field provides the pid of the direct child of the reaper which is
379the (grand-)parent of the descendant process.
380The
381.Fa pi_flags
382field returns the following flags, further describing the descendant:
383.Bl -tag -width Ds
384.It Dv REAPER_PIDINFO_VALID
385Set to indicate that the
386.Vt procctl_reaper_pidinfo
387structure was filled in by the kernel.
388Zero-filling the
389.Fa rp_pids
390array and testing the
391.Dv REAPER_PIDINFO_VALID
392flag allows the caller to detect the end
393of the returned array.
394.It Dv REAPER_PIDINFO_CHILD
395The
396.Fa pi_pid
397field identifies a direct child of the reaper.
398.It Dv REAPER_PIDINFO_REAPER
399The reported process is itself a reaper.
400The descendants of the subordinate reaper are not reported.
401.It Dv REAPER_PIDINFO_ZOMBIE
402The reported process is in the zombie state, ready to be reaped.
403.It Dv REAPER_PIDINFO_STOPPED
404The reported process is stopped by a SIGSTOP/SIGTSTP signal.
405.It Dv REAPER_PIDINFO_EXITING
406The reported process is in the process of exiting (but not yet a zombie).
407.El
408.It Dv PROC_REAP_KILL
409Request to deliver a signal to some subset of the descendants of the reaper.
410The
411.Fa data
412parameter must point to a
413.Vt procctl_reaper_kill
414structure, which is used both for parameters and status return.
415.Bd -literal
416struct procctl_reaper_kill {
417	int	rk_sig;
418	u_int	rk_flags;
419	pid_t	rk_subtree;
420	u_int	rk_killed;
421	pid_t	rk_fpid;
422};
423.Ed
424.Pp
425The
426.Fa rk_sig
427field specifies the signal to be delivered.
428Zero is not a valid signal number, unlike for
429.Xr kill 2 .
430The
431.Fa rk_flags
432field further directs the operation.
433It is or-ed from the following flags:
434.Bl -tag -width Ds
435.It Dv REAPER_KILL_CHILDREN
436Deliver the specified signal only to direct children of the reaper.
437.It Dv REAPER_KILL_SUBTREE
438Deliver the specified signal only to descendants that were forked by
439the direct child with pid specified in the
440.Fa rk_subtree
441field.
442.El
443.Pp
444If neither the
445.Dv REAPER_KILL_CHILDREN
446nor the
447.Dv REAPER_KILL_SUBTREE
448flags are specified, all current descendants of the reaper are signalled.
449.Pp
450If a signal was delivered to any process, the return value from the request
451is zero.
452In this case, the
453.Fa rk_killed
454field identifies the number of processes signalled.
455The
456.Fa rk_fpid
457field is set to the pid of the first process for which signal
458delivery failed, e.g., due to permission problems.
459If no such process exists, the
460.Fa rk_fpid
461field is set to \-1.
462.It Dv PROC_TRACE_CTL
463Enable or disable tracing of the specified process(es), according to the
464value of the integer argument.
465Tracing includes inspecting the process via
466.Xr ptrace 2 ,
467.Xr ktrace 2 ,
468debugging sysctls,
469.Xr hwpmc 4 ,
470or
471.Xr dtrace 1
472as well as dumping core.
473Possible values for the
474.Fa data
475argument are:
476.Bl -tag -width Ds
477.It Dv PROC_TRACE_CTL_ENABLE
478Enable tracing, after it was disabled by
479.Dv PROC_TRACE_CTL_DISABLE .
480Only allowed for self.
481.It Dv PROC_TRACE_CTL_DISABLE
482Disable tracing for the specified process.
483Tracing is re-enabled when the process changes the executing
484program with the
485.Xr execve 2
486system call.
487A child inherits the trace settings from the parent on
488.Xr fork 2 .
489.It Dv PROC_TRACE_CTL_DISABLE_EXEC
490Same as
491.Dv PROC_TRACE_CTL_DISABLE ,
492but the setting persists for the process even after
493.Xr execve 2 .
494.El
495.It Dv PROC_TRACE_STATUS
496Returns the current tracing status for the specified process in
497the integer variable pointed to by
498.Fa data .
499If tracing is disabled,
500.Fa data
501is set to \-1.
502If tracing is enabled, but no debugger is attached by the
503.Xr ptrace 2
504system call,
505.Fa data
506is set to 0.
507If a debugger is attached,
508.Fa data
509is set to the pid of the debugger process.
510.It Dv PROC_TRAPCAP_CTL
511Controls the capability mode sandbox actions for the specified
512sandboxed processes
513on a return from any system call which fails with either an
514.Er ENOTCAPABLE
515or
516.Er ECAPMODE
517error.
518If this control is enabled and a system call fails with one of these errors,
519a synchronous
520.Dv SIGTRAP
521signal is delivered to the thread immediately before returning from the
522system call.
523.Pp
524Possible values for the
525.Fa data
526argument are:
527.Bl -tag -width Ds
528.It Dv PROC_TRAPCAP_CTL_ENABLE
529Enable
530.Dv SIGTRAP
531signal delivery on capability mode access violations.
532The enabled mode is inherited by the children of the process,
533and is kept after
534.Xr fexecve 2
535calls.
536.It Dv PROC_TRAPCAP_CTL_DISABLE
537Disable
538.Dv SIGTRAP
539signal delivery on capability mode access violations.
540Note that the global sysctl
541.Dv kern.trap_enotcap
542might still cause the signal to be delivered.
543See
544.Xr capsicum 4 .
545.El
546.Pp
547On signal delivery, the
548.Va si_errno
549member of the
550.Fa siginfo
551signal handler parameter is set to the system call error value,
552and the
553.Va si_code
554member is set to
555.Dv TRAP_CAP .
556The system call number is stored in the
557.Va si_syscall
558field of the
559.Fa siginfo
560signal handler parameter.
561The other system call parameters can be read from the
562.Fa ucontext_t
563but the system call number is typically stored in the register
564that also contains the return value and so is unavailable in the
565signal handler.
566.Pp
567See
568.Xr capsicum 4
569for more information about capability mode.
570.It Dv PROC_TRAPCAP_STATUS
571Return the current status of raising
572.Dv SIGTRAP
573for capability mode access violations by the specified process.
574The integer value pointed to by the
575.Fa data
576argument is set to the
577.Dv PROC_TRAPCAP_CTL_ENABLE
578value if
579.Dv SIGTRAP
580delivery is enabled, and to
581.Dv PROC_TRAPCAP_CTL_DISABLE
582otherwise.
583.Pp
584See the note about sysctl
585.Dv kern.trap_enotcap
586above, which gives independent global control of signal delivery.
587.It Dv PROC_PDEATHSIG_CTL
588Request the delivery of a signal when the parent of the calling
589process exits.
590.Fa idtype
591must be
592.Dv P_PID
593and
594.Fa id
595must be the either caller's pid or zero, with no difference in effect.
596The value is cleared for child processes
597and when executing set-user-ID or set-group-ID binaries.
598.Fa data
599must point to a value of type
600.Vt int
601indicating the signal
602that should be delivered to the caller.
603Use zero to cancel a previously requested signal delivery.
604.It Dv PROC_PDEATHSIG_STATUS
605Query the current signal number that will be delivered when the parent
606of the calling process exits.
607.Fa idtype
608must be
609.Dv P_PID
610and
611.Fa id
612must be the either caller's pid or zero, with no difference in effect.
613.Fa data
614must point to a memory location that can hold a value of type
615.Vt int .
616If signal delivery has not been requested, it will contain zero
617on return.
618.It Dv PROC_STACKGAP_CTL
619Controls stack gaps in the specified process.
620A stack gap is one or more virtual memory pages at the end of the
621growth area for a
622.Dv MAP_STACK
623mapping that is reserved and never backed by memory.
624Instead, the process is guaranteed to receive a synchronous
625.Dv SIGSEGV
626signal for each access to pages in the gap.
627The number of pages reserved for each stack is set by the sysctl
628.Va security.bsd.stack_guard_page .
629.Pp
630Gaps protect against stack overflows by preventing them from corrupting memory
631adjacent to the stack.
632.Pp
633The
634.Fa data
635argument must point to an integer variable containing flags.
636The following flags are allowed:
637.Bl -tag -width Ds
638.It Dv PROC_STACKGAP_ENABLE
639This flag is only accepted for consistency with
640.Dv PROC_STACKGAP_STATUS .
641If stack gaps are enabled, the flag is ignored.
642If stack gaps are disabled, the request fails with
643.Ev EINVAL .
644After gaps are disabled in a process, they can only be re-enabled when an
645.Xr execve 2
646is performed.
647.It Dv PROC_STACKGAP_DISABLE
648Disable stack gaps for the process.
649For existing stacks, the gap is no longer reserved
650and can be filled by memory on access.
651.It Dv PROC_STACKGAP_ENABLE_EXEC
652Enable stack gaps for the new address space constructed by any future
653.Xr execve 2
654in the specified process.
655.It Dv PROC_STACKGAP_DISABLE_EXEC
656Inherit disabled stack gaps state after
657.Xr execve 2 .
658In other words, if the currently executing program has stack gaps disabled,
659they are kept disabled on exec.
660If gaps were enabled, they are kept enabled after exec.
661.El
662.Pp
663The stack gap state is inherited from the parent on
664.Xr fork 2 .
665.It Dv PROC_STACKGAP_STATUS
666Returns the current stack gap state for the specified process.
667.Fa data
668must point to an integer variable, which is used to return a bitmask
669consisting of the following flags:
670.Bl -tag -width Ds
671.It Dv PROC_STACKGAP_ENABLE
672Stack gaps are enabled.
673.It Dv PROC_STACKGAP_DISABLE
674Stack gaps are disabled.
675.It Dv PROC_STACKGAP_ENABLE_EXEC
676Stack gaps are enabled in the process after
677.Xr execve 2 .
678.It Dv PROC_STACKGAP_DISABLE_EXEC
679Stack gaps are disabled in the process after
680.Xr execve 2 .
681.El
682.Pp
683Note that the
684.Xr elfctl 1
685.Dq nostackgap
686flag takes precedence over this setting for individual process address spaces.
687Executing a binary with this flag set will never use stack gaps in the address
688space constructed by
689.Xr execve 2 .
690However, the controls value can still be inherited by child processes, and
691executing a binary without this flag set will revert to the behavior specified
692by the control.
693.It Dv PROC_NO_NEW_PRIVS_CTL
694Allows one to ignore the set-user-ID and set-group-ID bits on the program
695images activated by
696.Xr execve 2
697in the specified process and its future descendants.
698The
699.Fa data
700parameter must point to an integer variable holding the following
701value:
702.Bl -tag -width Ds
703.It Dv PROC_NO_NEW_PRIVS_ENABLE
704Request set-user-ID and set-group-ID bits to be ignored.
705.El
706.Pp
707It is not possible to disable this control once it has been enabled.
708.It Dv PROC_NO_NEW_PRIVS_STATUS
709Returns the current status of set-ID bits enablement for the target process.
710The
711.Fa data
712parameter must point to an integer variable, where one of the
713following values is written:
714.Bl -tag -width Ds
715.It Dv PROC_NO_NEW_PRIVS_ENABLE
716.It Dv PROC_NO_NEW_PRIVS_DISABLE
717.El
718.It Dv PROC_WXMAP_CTL
719Controls the creation of mappings with both write and execute permissions
720in a process's address space.
721The
722.Fa data
723parameter must point to an integer variable holding one of the
724following values:
725.Bl -tag -width Ds
726.It Dv PROC_WX_MAPPINGS_PERMIT
727Enable creation of mappings that have both write and execute
728permissions in the specified process' current and future address spaces.
729.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC
730In a new address space created by a future call to
731.Xr execve 2 ,
732disallow creation of mappings that have both write and execute
733permissions.
734.El
735.Pp
736If both flags are set,
737.Dv PROC_WX_MAPPINGS_DISALLOW_EXEC
738takes precedence during
739.Xr execve 2 .
740If neither flag is set,
741mappings with write and execute permissions are only permitted if the
742.Dv kern.elf{32/64}.allow_wx
743sysctl is non-zero or the
744.Xr elfctl 1
745.Dq wxneeded
746flag is set in the ELF control note.
747.Pp
748Once creation of writeable and executable mappings is enabled for a process,
749it is impossible (and pointless) to disable it.
750The only way to ensure the absence of such mappings after they
751were enabled in a given process is to set the
752.Dv PROC_WX_MAPPINGS_DISALLOW_EXEC
753flag and
754.Xr execve 2
755an image.
756.It Dv PROC_WXMAP_STATUS
757Returns the current status of the controls over creation of mappings with
758both write and execute permissions for the specified process.
759The
760.Dv data
761parameter must point to an integer variable, where one of the
762following values is written:
763.Bl -tag -width Ds
764.It Dv PROC_WX_MAPPINGS_PERMIT
765Creation of simultaneously writable and executable mappings are permitted;
766otherwise, the process cannot create such mappings.
767.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC
768After
769.Xr execve 2 ,
770the new address space will not permit creation of simultaneously
771writable and executable mappings.
772.El
773.Pp
774Additionally, if the address space of the process does not permit
775creation of simultaneously writable and executable mappings and
776it is guaranteed that no such mapping was created since address space
777creation, the
778.Dv PROC_WXORX_ENFORCE
779flag is set in the returned value.
780.El
781.Sh x86 MACHINE-SPECIFIC REQUESTS
782.Bl -tag -width PROC_KPTI_STATUS
783.It Dv PROC_KPTI_CTL
784AMD64 only.
785Controls the Kernel Page Table Isolation (KPTI) option for the children
786of the specified process.
787This control is only meaningful if KPTI has been enabled globally by the
788.Va vm.pmap.kpti
789tunable.
790It is not possible to change the KPTI setting for a running process,
791only for new address spaces constructed by a future
792.Xr execve 2 .
793.Pp
794The
795.Fa data
796parameter must point to an integer variable containing one of the
797following commands:
798.Bl -tag -width Ds
799.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC
800Enable KPTI after
801.Xr execve 2 .
802.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC
803Disable KPTI after
804.Xr execve 2 .
805Only root or a process having the
806.Va PRIV_IO
807privilege can use this option.
808.El
809.It Dv PROC_KPTI_STATUS
810Returns the current KPTI status for the specified process.
811.Fa data
812must point to an integer variable, where one of the
813following values is written:
814.Bl -tag -width Ds
815.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC
816.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC
817.El
818.Pp
819The status is or-ed with
820.Va PROC_KPTI_STATUS_ACTIVE
821if KPTI is active for the current address space of the process.
822.El
823.Sh NOTES
824Disabling tracing on a process should not be considered a security
825feature, as it is bypassable both by the kernel and privileged processes
826and via other system mechanisms.
827As such, it should not be utilized to reliably protect cryptographic
828keying material or other confidential data.
829.Pp
830Note that processes can trivially bypass the 'no simultaneously
831writable and executable mappings' policy by first marking some mapping
832as writeable, writing code to it, then removing write and adding
833execute permission.
834This may be legitimately required by some programs such as JIT compilers.
835.Sh RETURN VALUES
836If an error occurs, a value of \-1 is returned and
837.Va errno
838is set to indicate the error.
839.Sh ERRORS
840The
841.Fn procctl
842system call
843will fail if:
844.Bl -tag -width Er
845.It Bq Er EFAULT
846The
847.Fa data
848parameter points outside the process's allocated address space.
849.It Bq Er EINVAL
850The
851.Fa cmd
852argument specifies an unsupported command.
853.Pp
854The
855.Fa idtype
856argument specifies an unsupported identifier type.
857.It Bq Er EPERM
858The calling process does not have permission to perform the requested
859operation on any of the selected processes.
860.It Bq Er ESRCH
861No processes matched the requested
862.Fa idtype
863and
864.Fa id .
865.It Bq Er ESRCH
866No descendant processes can be found matching criteria specified in the
867.Dv PROC_REAP_KILL
868request.
869.It Bq Er EINVAL
870An invalid operation or flag was passed in
871.Fa data
872for a
873.Dv PROC_SPROTECT
874command.
875.It Bq Er EPERM
876The
877.Fa idtype
878argument is not equal to
879.Dv P_PID ,
880or
881.Fa id
882is not equal to the pid of the calling process, for
883.Dv PROC_REAP_ACQUIRE
884or
885.Dv PROC_REAP_RELEASE
886requests.
887.It Bq Er EINVAL
888Invalid or undefined flags were passed to a
889.Dv PROC_REAP_KILL
890request.
891.It Bq Er EINVAL
892An invalid or zero signal number was requested for a
893.Dv PROC_REAP_KILL
894request.
895.It Bq Er EINVAL
896A
897.Dv PROC_REAP_RELEASE
898request was issued by the
899.Xr init 8
900process.
901.It Bq Er EBUSY
902A
903.Dv PROC_REAP_ACQUIRE
904request was issued by a process that is already a reaper process.
905.It Bq Er EBUSY
906A
907.Dv PROC_TRACE_CTL
908request was issued for a process being traced.
909.It Bq Er EPERM
910A
911.Dv PROC_TRACE_CTL
912request to re-enable tracing of the process
913.Po Dv PROC_TRACE_CTL_ENABLE Pc ,
914or to disable persistence of
915.Dv PROC_TRACE_CTL_DISABLE
916on
917.Xr execve 2
918specified a target process other than the calling process.
919.It Bq Er EINVAL
920The value of the integer
921.Fa data
922parameter for the
923.Dv PROC_TRACE_CTL
924or
925.Dv PROC_TRAPCAP_CTL
926request is invalid.
927.It Bq Er EINVAL
928The
929.Dv PROC_PDEATHSIG_CTL
930or
931.Dv PROC_PDEATHSIG_STATUS
932request referenced an unsupported
933.Fa id ,
934.Fa idtype
935or invalid signal number.
936.El
937.Sh SEE ALSO
938.Xr dtrace 1 ,
939.Xr elfctl 1 ,
940.Xr proccontrol 1 ,
941.Xr protect 1 ,
942.Xr cap_enter 2 ,
943.Xr kill 2 ,
944.Xr ktrace 2 ,
945.Xr mmap 2 ,
946.Xr mprotect 2 ,
947.Xr ptrace 2 ,
948.Xr wait 2 ,
949.Xr capsicum 4 ,
950.Xr hwpmc 4 ,
951.Xr init 8
952.Sh HISTORY
953The
954.Fn procctl
955function appeared in
956.Fx 9.3 .
957.Pp
958The reaper facility is based on a similar feature in Linux and
959DragonflyBSD, and first appeared in
960.Fx 10.2 .
961.Pp
962The
963.Dv PROC_PDEATHSIG_CTL
964facility is based on the
965.Ql prctl(PR_SET_PDEATHSIG, ...)
966feature in Linux,
967and first appeared in
968.Fx 11.2 .
969.Pp
970ASLR support was added for checklist compliance in
971.Fx 13.0 .
972