1 .\" Copyright (c) 2013 Hudson River Trading LLC
2 .\" Written by: John H. Baldwin <jhb@FreeBSD.org>
3 .\" All rights reserved.
5 .\" Copyright (c) 2014 The FreeBSD Foundation
6 .\" Portions of this documentation were written by Konstantin Belousov
7 .\" under sponsorship from the FreeBSD Foundation.
9 .\" Redistribution and use in source and binary forms, with or without
10 .\" modification, are permitted provided that the following conditions
12 .\" 1. Redistributions of source code must retain the above copyright
13 .\" notice, this list of conditions and the following disclaimer.
14 .\" 2. Redistributions in binary form must reproduce the above copyright
15 .\" notice, this list of conditions and the following disclaimer in the
16 .\" documentation and/or other materials provided with the distribution.
18 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
43 .Fn procctl "idtype_t idtype" "id_t id" "int cmd" "void *arg"
47 system call provides for control over processes.
52 arguments specify the set of processes to control.
53 If multiple processes match the identifier,
57 to control as many of the selected processes as possible.
58 An error is only returned if no selected processes successfully complete
60 The following identifier types are supported:
61 .Bl -tag -width P_PGID
63 Control the process with the process ID
66 Control processes belonging to the process group with the ID
70 The control request to perform is specified by the
73 The following commands are supported:
74 .Bl -tag -width PROC_TRAPCAP_STATUS
76 Set process protection state.
77 This is used to mark a process as protected from being killed if the system
78 exhausts the available memory and swap.
81 parameter must point to an integer containing an operation and zero or more
83 The following operations are supported:
84 .Bl -tag -width PPROT_CLEAR
86 Mark the selected processes as protected.
88 Clear the protected state of selected processes.
91 The following optional flags are supported:
92 .Bl -tag -width PPROT_DESCEND
94 Apply the requested operation to all child processes of each selected process
95 in addition to each selected process.
99 mark all future child processes of each selected process as protected.
100 Future child processes will also mark all of their future child processes.
102 .It Dv PROC_REAP_ACQUIRE
103 Acquires the reaper status for the current process.
104 Reaper status means that children orphaned by the reaper's descendants
105 that were forked after the acquisition of reaper status are reparented to the
107 After system initialization,
109 is the default reaper.
110 .It Dv PROC_REAP_RELEASE
111 Release the reaper state for the current process.
112 The reaper of the current process becomes the new reaper of the
113 current process's descendants.
114 .It Dv PROC_REAP_STATUS
115 Provides information about the reaper of the specified process,
116 or the process itself when it is a reaper.
119 argument must point to a
120 .Vt procctl_reaper_status
121 structure which is filled in by the syscall on successful return.
123 struct procctl_reaper_status {
126 u_int rs_descendants;
133 may have the following flags returned:
134 .Bl -tag -width REAPER_STATUS_REALINIT
135 .It Dv REAPER_STATUS_OWNED
136 The specified process has acquired reaper status and has not
138 When the flag is returned, the specified process
140 pid, identifies the reaper, otherwise the
142 field of the structure is set to the pid of the reaper
143 for the specified process id.
144 .It Dv REAPER_STATUS_REALINIT
145 The specified process is the root of the reaper tree, i.e.,
151 field returns the number of children of the reaper among the descendants.
152 It is possible to have a child whose reaper is not the specified process,
153 since the reaper for any existing children is not reset on the
154 .Dv PROC_REAP_ACQUIRE
158 field returns the total number of descendants of the reaper(s),
159 not counting descendants of the reaper in the subtree.
162 field returns the reaper pid.
165 returns the pid of one reaper child if there are any descendants.
166 .It Dv PROC_REAP_GETPIDS
167 Queries the list of descendants of the reaper of the specified process.
168 The request takes a pointer to a
169 .Vt procctl_reaper_pids
174 struct procctl_reaper_pids {
176 struct procctl_reaper_pidinfo *rp_pids;
181 field must point to an array of
182 .Vt procctl_reaper_pidinfo
183 structures, to be filled in on return,
186 field must specify the size of the array,
187 into which no more than
189 elements will be filled in by the kernel.
192 .Vt "struct procctl_reaper_pidinfo"
193 structure provides some information about one of the reaper's descendants.
194 Note that for a descendant that is not a child, it may be incorrectly
195 identified because of a race in which the original child process exited
196 and the exited process's pid was reused for an unrelated process.
198 struct procctl_reaper_pidinfo {
206 field is the process id of the descendant.
209 field provides the pid of the child of the reaper, which is the (grand-)parent
213 field returns the following flags, further describing the descendant:
214 .Bl -tag -width REAPER_PIDINFO_REAPER
215 .It Dv REAPER_PIDINFO_VALID
216 Set to indicate that the
217 .Vt procctl_reaper_pidinfo
218 structure was filled in by the kernel.
221 array and testing the
222 .Dv REAPER_PIDINFO_VALID
223 flag allows the caller to detect the end
224 of the returned array.
225 .It Dv REAPER_PIDINFO_CHILD
228 field identifies the direct child of the reaper.
229 .It Dv REAPER_PIDINFO_REAPER
230 The reported process is itself a reaper.
231 The descendants of the subordinate reaper are not reported.
233 .It Dv PROC_REAP_KILL
234 Request to deliver a signal to some subset of the descendants of the reaper.
237 parameter must point to a
238 .Vt procctl_reaper_kill
239 structure, which is used both for parameters and status return.
241 struct procctl_reaper_kill {
251 field specifies the signal to be delivered.
252 Zero is not a valid signal number, unlike for
256 field further directs the operation.
257 It is or-ed from the following flags:
258 .Bl -tag -width REAPER_KILL_CHILDREN
259 .It Dv REAPER_KILL_CHILDREN
260 Deliver the specified signal only to direct children of the reaper.
261 .It Dv REAPER_KILL_SUBTREE
262 Deliver the specified signal only to descendants that were forked by
263 the direct child with pid specified in the
268 .Dv REAPER_KILL_CHILDREN
270 .Dv REAPER_KILL_SUBTREE
271 flags are specified, all current descendants of the reaper are signalled.
273 If a signal was delivered to any process, the return value from the request
277 field identifies the number of processes signalled.
280 field is set to the pid of the first process for which signal
281 delivery failed, e.g., due to permission problems.
282 If no such process exists, the
285 .It Dv PROC_TRACE_CTL
286 Enable or disable tracing of the specified process(es), according to the
287 value of the integer argument.
288 Tracing includes attachment to the process using the
296 Possible values for the
299 .Bl -tag -width PROC_TRACE_CTL_DISABLE_EXEC
300 .It Dv PROC_TRACE_CTL_ENABLE
301 Enable tracing, after it was disabled by
302 .Dv PROC_TRACE_CTL_DISABLE .
303 Only allowed for self.
304 .It Dv PROC_TRACE_CTL_DISABLE
305 Disable tracing for the specified process.
306 Tracing is re-enabled when the process changes the executing
310 A child inherits the trace settings from the parent on
312 .It Dv PROC_TRACE_CTL_DISABLE_EXEC
314 .Dv PROC_TRACE_CTL_DISABLE ,
315 but the setting persists for the process even after
318 .It Dv PROC_TRACE_STATUS
319 Returns the current tracing status for the specified process in
320 the integer variable pointed to by
322 If tracing is disabled,
325 If tracing is enabled, but no debugger is attached by the
330 If a debugger is attached,
332 is set to the pid of the debugger process.
333 .It Dv PROC_TRAPCAP_CTL
334 Controls the capability mode sandbox actions for the specified
336 on a return from any syscall which gives either a
341 If the control is enabled, such errors from the syscalls cause
342 delivery of the synchronous
344 signal to the thread immediately before returning from the syscalls.
346 Possible values for the
349 .Bl -tag -width PROC_TRAPCAP_CTL_DISABLE
350 .It Dv PROC_TRAPCAP_CTL_ENABLE
353 signal delivery on capability mode access violations.
354 The enabled mode is inherited by the children of the process,
358 .It Dv PROC_TRAPCAP_CTL_DISABLE
359 Disable the signal delivery on capability mode access violations.
360 Note that the global sysctl
362 might still cause the signal to be delivered.
367 On signal delivery, the
371 signal handler parameter is set to the syscall error value,
379 for more information about the capability mode.
380 .It Dv PROC_TRAPCAP_STATUS
381 Return the current status of signalling capability mode access
382 violations for the specified process.
383 The integer value pointed to by the
385 argument is set to the
386 .Dv PROC_TRAPCAP_CTL_ENABLE
387 value if the process control enables signal delivery, and to
388 .Dv PROC_TRAPCAP_CTL_DISABLE
391 See the note about sysctl
393 above, which gives independent global control of signal delivery.
394 .It Dv PROC_PDEATHSIG_CTL
395 Request the delivery of a signal when the parent of the calling
402 must be the either caller's pid or zero, with no difference in effect.
403 The value is cleared for child processes
404 and when executing set-user-ID or set-group-ID binaries.
406 must point to a value of type
408 indicating the signal
409 that should be delivered to the caller.
410 Use zero to cancel a previously requested signal delivery.
411 .It Dv PROC_PDEATHSIG_STATUS
412 Query the current signal number that will be delivered when the parent
413 of the calling process exits.
419 must be the either caller's pid or zero, with no difference in effect.
421 must point to a memory location that can hold a value of type
423 If signal delivery has not been requested, it will contain zero
427 Disabling tracing on a process should not be considered a security
428 feature, as it is bypassable both by the kernel and privileged processes,
429 and via other system mechanisms.
430 As such, it should not be utilized to reliably protect cryptographic
431 keying material or other confidential data.
433 If an error occurs, a value of -1 is returned and
435 is set to indicate the error.
445 parameter points outside the process's allocated address space.
449 argument specifies an unsupported command.
453 argument specifies an unsupported identifier type.
455 The calling process does not have permission to perform the requested
456 operation on any of the selected processes.
458 No processes matched the requested
463 An invalid operation or flag was passed in
471 argument is not equal to
475 is not equal to the pid of the calling process, for
476 .Dv PROC_REAP_ACQUIRE
478 .Dv PROC_REAP_RELEASE
481 Invalid or undefined flags were passed to a
485 An invalid or zero signal number was requested for a
490 .Dv PROC_REAP_RELEASE
491 request was issued by the
496 .Dv PROC_REAP_ACQUIRE
497 request was issued by a process that had already acquired reaper status
498 and has not yet released it.
502 request was issued for a process already being traced.
506 request to re-enable tracing of the process
507 .Po Dv PROC_TRACE_CTL_ENABLE Pc ,
508 or to disable persistence of
509 .Dv PROC_TRACE_CTL_DISABLE
512 was issued for a non-current process.
514 The value of the integer
523 .Dv PROC_PDEATHSIG_CTL
525 .Dv PROC_PDEATHSIG_STATUS
526 request referenced an unsupported
529 or invalid signal number.
546 The reaper facility is based on a similar feature of Linux and
547 DragonflyBSD, and first appeared in
550 .Dv PROC_PDEATHSIG_CTL
551 facility is based on the prctl(PR_SET_PDEATHSIG, ...) feature of Linux,
552 and first appeared in