1 .\" Copyright (c) 2013 Hudson River Trading LLC
2 .\" Written by: John H. Baldwin <jhb@FreeBSD.org>
3 .\" All rights reserved.
5 .\" Copyright (c) 2014 The FreeBSD Foundation
6 .\" Portions of this documentation were written by Konstantin Belousov
7 .\" under sponsorship from the FreeBSD Foundation.
9 .\" Redistribution and use in source and binary forms, with or without
10 .\" modification, are permitted provided that the following conditions
12 .\" 1. Redistributions of source code must retain the above copyright
13 .\" notice, this list of conditions and the following disclaimer.
14 .\" 2. Redistributions in binary form must reproduce the above copyright
15 .\" notice, this list of conditions and the following disclaimer in the
16 .\" documentation and/or other materials provided with the distribution.
18 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 .Fn procctl "idtype_t idtype" "id_t id" "int cmd" "void *data"
45 system call provides for control over processes.
50 arguments specify the set of processes to control.
51 If multiple processes match the identifier,
55 to control as many of the selected processes as possible.
56 An error is only returned if no selected processes successfully complete
58 The following identifier types are supported:
59 .Bl -tag -width P_PGID
61 Control the process with the process ID
64 zero is a shortcut for the calling process ID.
66 Control processes belonging to the process group with the ID
70 The control request to perform is specified by the
74 All status changing requests
76 require the caller to have the right to debug the target.
77 All status query requests
79 require the caller to have the right to observe the target.
81 The following commands are supported:
82 .Bl -tag -width PROC_TRAPCAP_STATUS
84 Controls the Address Space Layout Randomization (ASLR) in the program
88 in the specified process or its descendants that do not either change
89 the control or modify it by other means.
92 parameter must point to the integer variable holding one of the following
94 .Bl -tag -width PROC_ASLR_FORCE_DISABLE
95 .It Dv PROC_ASLR_FORCE_ENABLE
96 Request that ASLR is enabled after execution, even if it is disabled
98 The image flag and set-uid might prevent ASLR enablement still.
99 .It Dv PROC_ASLR_FORCE_DISABLE
100 Request that ASLR is disabled after execution.
102 .Dv PROC_ASLR_FORCE_ENABLE
104 .It Dv PROC_ASLR_NOFORCE
105 Use the system-wide configured policy for ASLR.
107 .It Dv PROC_ASLR_STATUS
108 Returns the current status of ASLR enablement for the target process.
111 parameter must point to the integer variable, where one of the
112 following values is written:
113 .Bl -tag -width PROC_ASLR_FORCE_DISABLE
114 .It Dv PROC_ASLR_FORCE_ENABLE
115 .It Dv PROC_ASLR_FORCE_DISABLE
116 .It Dv PROC_ASLR_NOFORCE
119 If the currently executed image in the process itself has ASLR enabled,
122 flag is or-ed with the value listed above.
123 .It Dv PROC_PROTMAX_CTL
124 Controls implicit application of PROT_MAX protection equal to the
128 syscall, in the target process.
131 parameter must point to the integer variable holding one of the following
133 .Bl -tag -width PROC_PROTMAX_FORCE_DISABLE
134 .It Dv PROC_PROTMAX_FORCE_ENABLE
135 Enables implicit PROT_MAX application,
136 even if it is disabled system-wide by the sysctl
137 .Va vm.imply_prot_max .
138 The image flag might still prevent the enablement.
139 .It Dv PROC_PROTMAX_FORCE_DISABLE
140 Request that implicit application of PROT_MAX be disabled.
142 .Dv PROC_PROTMAX_FORCE_ENABLE
144 .It Dv PROC_PROTMAX_NOFORCE
145 Use the system-wide configured policy for PROT_MAX.
147 .It Dv PROC_PROTMAX_STATUS
148 Returns the current status of implicit PROT_MAX enablement for the
152 parameter must point to the integer variable, where one of the
153 following values is written:
154 .Bl -tag -width PROC_PROTMAX_FORCE_DISABLE
155 .It Dv PROC_PROTMAX_FORCE_ENABLE
156 .It Dv PROC_PROTMAX_FORCE_DISABLE
157 .It Dv PROC_PROTMAX_NOFORCE
160 If the currently executed image in the process itself has implicit PROT_MAX
161 application enabled, the
162 .Dv PROC_PROTMAX_ACTIVE
163 flag is or-ed with the value listed above.
165 Set process protection state.
166 This is used to mark a process as protected from being killed if the system
167 exhausts the available memory and swap.
170 parameter must point to an integer containing an operation and zero or more
172 The following operations are supported:
173 .Bl -tag -width PPROT_CLEAR
175 Mark the selected processes as protected.
177 Clear the protected state of selected processes.
180 The following optional flags are supported:
181 .Bl -tag -width PPROT_DESCEND
183 Apply the requested operation to all child processes of each selected process
184 in addition to each selected process.
188 mark all future child processes of each selected process as protected.
189 Future child processes will also mark all of their future child processes.
191 .It Dv PROC_REAP_ACQUIRE
192 Acquires the reaper status for the current process.
193 Reaper status means that children orphaned by the reaper's descendants
194 that were forked after the acquisition of reaper status are reparented to the
196 After system initialization,
198 is the default reaper.
199 .It Dv PROC_REAP_RELEASE
200 Release the reaper state for the current process.
201 The reaper of the current process becomes the new reaper of the
202 current process's descendants.
203 .It Dv PROC_REAP_STATUS
204 Provides information about the reaper of the specified process,
205 or the process itself when it is a reaper.
208 argument must point to a
209 .Vt procctl_reaper_status
210 structure which is filled in by the syscall on successful return.
212 struct procctl_reaper_status {
215 u_int rs_descendants;
222 may have the following flags returned:
223 .Bl -tag -width REAPER_STATUS_REALINIT
224 .It Dv REAPER_STATUS_OWNED
225 The specified process has acquired reaper status and has not
227 When the flag is returned, the specified process
229 pid, identifies the reaper, otherwise the
231 field of the structure is set to the pid of the reaper
232 for the specified process id.
233 .It Dv REAPER_STATUS_REALINIT
234 The specified process is the root of the reaper tree, i.e.,
240 field returns the number of children of the reaper among the descendants.
241 It is possible to have a child whose reaper is not the specified process,
242 since the reaper for any existing children is not reset on the
243 .Dv PROC_REAP_ACQUIRE
247 field returns the total number of descendants of the reaper(s),
248 not counting descendants of the reaper in the subtree.
251 field returns the reaper pid.
254 returns the pid of one reaper child if there are any descendants.
255 .It Dv PROC_REAP_GETPIDS
256 Queries the list of descendants of the reaper of the specified process.
257 The request takes a pointer to a
258 .Vt procctl_reaper_pids
263 struct procctl_reaper_pids {
265 struct procctl_reaper_pidinfo *rp_pids;
270 field must point to an array of
271 .Vt procctl_reaper_pidinfo
272 structures, to be filled in on return,
275 field must specify the size of the array,
276 into which no more than
278 elements will be filled in by the kernel.
281 .Vt "struct procctl_reaper_pidinfo"
282 structure provides some information about one of the reaper's descendants.
283 Note that for a descendant that is not a child, it may be incorrectly
284 identified because of a race in which the original child process exited
285 and the exited process's pid was reused for an unrelated process.
287 struct procctl_reaper_pidinfo {
295 field is the process id of the descendant.
298 field provides the pid of the child of the reaper, which is the (grand-)parent
302 field returns the following flags, further describing the descendant:
303 .Bl -tag -width REAPER_PIDINFO_EXITING
304 .It Dv REAPER_PIDINFO_VALID
305 Set to indicate that the
306 .Vt procctl_reaper_pidinfo
307 structure was filled in by the kernel.
310 array and testing the
311 .Dv REAPER_PIDINFO_VALID
312 flag allows the caller to detect the end
313 of the returned array.
314 .It Dv REAPER_PIDINFO_CHILD
317 field identifies the direct child of the reaper.
318 .It Dv REAPER_PIDINFO_REAPER
319 The reported process is itself a reaper.
320 The descendants of the subordinate reaper are not reported.
321 .It Dv REAPER_PIDINFO_ZOMBIE
322 The reported process is in the zombie state, ready to be reaped.
323 .It Dv REAPER_PIDINFO_STOPPED
324 The reported process is stopped by a SIGSTOP/SIGTSTP signal.
325 .It Dv REAPER_PIDINFO_EXITING
326 The reported process is in the process of exiting (but not yet a zombie).
328 .It Dv PROC_REAP_KILL
329 Request to deliver a signal to some subset of the descendants of the reaper.
332 parameter must point to a
333 .Vt procctl_reaper_kill
334 structure, which is used both for parameters and status return.
336 struct procctl_reaper_kill {
346 field specifies the signal to be delivered.
347 Zero is not a valid signal number, unlike for
351 field further directs the operation.
352 It is or-ed from the following flags:
353 .Bl -tag -width REAPER_KILL_CHILDREN
354 .It Dv REAPER_KILL_CHILDREN
355 Deliver the specified signal only to direct children of the reaper.
356 .It Dv REAPER_KILL_SUBTREE
357 Deliver the specified signal only to descendants that were forked by
358 the direct child with pid specified in the
363 .Dv REAPER_KILL_CHILDREN
365 .Dv REAPER_KILL_SUBTREE
366 flags are specified, all current descendants of the reaper are signalled.
368 If a signal was delivered to any process, the return value from the request
372 field identifies the number of processes signalled.
375 field is set to the pid of the first process for which signal
376 delivery failed, e.g., due to permission problems.
377 If no such process exists, the
380 .It Dv PROC_TRACE_CTL
381 Enable or disable tracing of the specified process(es), according to the
382 value of the integer argument.
383 Tracing includes attachment to the process using the
391 Possible values for the
394 .Bl -tag -width PROC_TRACE_CTL_DISABLE_EXEC
395 .It Dv PROC_TRACE_CTL_ENABLE
396 Enable tracing, after it was disabled by
397 .Dv PROC_TRACE_CTL_DISABLE .
398 Only allowed for self.
399 .It Dv PROC_TRACE_CTL_DISABLE
400 Disable tracing for the specified process.
401 Tracing is re-enabled when the process changes the executing
405 A child inherits the trace settings from the parent on
407 .It Dv PROC_TRACE_CTL_DISABLE_EXEC
409 .Dv PROC_TRACE_CTL_DISABLE ,
410 but the setting persists for the process even after
413 .It Dv PROC_TRACE_STATUS
414 Returns the current tracing status for the specified process in
415 the integer variable pointed to by
417 If tracing is disabled,
420 If tracing is enabled, but no debugger is attached by the
425 If a debugger is attached,
427 is set to the pid of the debugger process.
428 .It Dv PROC_TRAPCAP_CTL
429 Controls the capability mode sandbox actions for the specified
431 on a return from any syscall which gives either a
436 If the control is enabled, such errors from the syscalls cause
437 delivery of the synchronous
439 signal to the thread immediately before returning from the syscalls.
441 Possible values for the
444 .Bl -tag -width PROC_TRAPCAP_CTL_DISABLE
445 .It Dv PROC_TRAPCAP_CTL_ENABLE
448 signal delivery on capability mode access violations.
449 The enabled mode is inherited by the children of the process,
453 .It Dv PROC_TRAPCAP_CTL_DISABLE
454 Disable the signal delivery on capability mode access violations.
455 Note that the global sysctl
456 .Dv kern.trap_enotcap
457 might still cause the signal to be delivered.
462 On signal delivery, the
466 signal handler parameter is set to the syscall error value,
471 The system call number is stored in the
475 signal handler parameter.
476 The other system call parameters can be read from the
478 but the system call number is typically stored in the register
479 that also contains the return value and so is unavailable in the
484 for more information about the capability mode.
485 .It Dv PROC_TRAPCAP_STATUS
486 Return the current status of signalling capability mode access
487 violations for the specified process.
488 The integer value pointed to by the
490 argument is set to the
491 .Dv PROC_TRAPCAP_CTL_ENABLE
492 value if the process control enables signal delivery, and to
493 .Dv PROC_TRAPCAP_CTL_DISABLE
496 See the note about sysctl
497 .Dv kern.trap_enotcap
498 above, which gives independent global control of signal delivery.
499 .It Dv PROC_PDEATHSIG_CTL
500 Request the delivery of a signal when the parent of the calling
507 must be the either caller's pid or zero, with no difference in effect.
508 The value is cleared for child processes
509 and when executing set-user-ID or set-group-ID binaries.
511 must point to a value of type
513 indicating the signal
514 that should be delivered to the caller.
515 Use zero to cancel a previously requested signal delivery.
516 .It Dv PROC_PDEATHSIG_STATUS
517 Query the current signal number that will be delivered when the parent
518 of the calling process exits.
524 must be the either caller's pid or zero, with no difference in effect.
526 must point to a memory location that can hold a value of type
528 If signal delivery has not been requested, it will contain zero
530 .It Dv PROC_STACKGAP_CTL
531 Controls the stack gaps in the specified process.
532 A stack gap is the part of the growth area for a
534 mapped region that is reserved and never filled by memory.
535 Instead, the process is guaranteed to receive a
537 signal on accessing pages in the gap.
538 Gaps protect against stack overflow corrupting memory adjacent
543 argument must point to an integer variable containing flags.
544 The following flags are allowed:
545 .Bl -tag -width PROC_STACKGAP_DISABLE_EXEC
546 .It Dv PROC_STACKGAP_ENABLE
547 This flag is only accepted for consistency with
548 .Dv PROC_STACKGAP_STATUS .
549 If stack gaps are enabled, the flag is ignored.
550 If disabled, the flag causes an
552 error to be returned.
553 After gaps are disabled in a process, they can only be re-enabled when an
556 .It Dv PROC_STACKGAP_DISABLE
557 Disable stack gaps for the process.
558 For existing stacks, the gap is no longer a reserved part of the growth
559 area and can be filled by memory on access.
560 .It Dv PROC_STACKGAP_ENABLE_EXEC
561 Enable stack gaps for programs started after an
563 by the specified process.
564 .It Dv PROC_STACKGAP_DISABLE_EXEC
565 Inherit disabled stack gaps state after
567 In other words, if the currently executing program has stack gaps disabled,
568 they are kept disabled on exec.
569 If gaps were enabled, they are kept enabled after exec.
572 The stack gap state is inherited from the parent on
574 .It Dv PROC_STACKGAP_STATUS
575 Returns the current stack gap state for the specified process.
577 must point to an integer variable, which is used to return a bitmask
578 consisting of the following flags:
579 .Bl -tag -width PROC_STACKGAP_DISABLE_EXEC
580 .It Dv PROC_STACKGAP_ENABLE
581 Stack gaps are enabled.
582 .It Dv PROC_STACKGAP_DISABLE
583 Stack gaps are disabled.
584 .It Dv PROC_STACKGAP_ENABLE_EXEC
585 Stack gaps are enabled in the process after
587 .It Dv PROC_STACKGAP_DISABLE_EXEC
588 Stack gaps are disabled in the process after
591 .It Dv PROC_NO_NEW_PRIVS_CTL
592 Allows one to ignore the SUID and SGID bits on the program
595 in the specified process and its future descendants.
598 parameter must point to the integer variable holding the following
600 .Bl -tag -width PROC_NO_NEW_PRIVS_ENABLE
601 .It Dv PROC_NO_NEW_PRIVS_ENABLE
602 Request SUID and SGID bits to be ignored.
605 It is not possible to disable it once it has been enabled.
606 .It Dv PROC_NO_NEW_PRIVS_STATUS
607 Returns the current status of SUID/SGID enablement for the target process.
610 parameter must point to the integer variable, where one of the
611 following values is written:
612 .Bl -tag -width PROC_NO_NEW_PRIVS_DISABLE
613 .It Dv PROC_NO_NEW_PRIVS_ENABLE
614 .It Dv PROC_NO_NEW_PRIVS_DISABLE
616 .It Dv PROC_WXMAP_CTL
617 Controls the 'write exclusive against execution' permissions for the
618 mappings in the process address space.
619 It overrides the global settings established by the
620 .Dv kern.elf{32/64}.allow_wx
622 and the corresponding bit in the ELF control note, see
627 parameter must point to the integer variable holding one of the
629 .Bl -tag -width PROC_WX_MAPPINGS_DISALLOW_EXEC
630 .It Dv PROC_WX_MAPPINGS_PERMIT
631 Enable creation of mappings that have both write and execute
632 protection attributes, in the specified process' address space.
633 .It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC
634 In the new address space created by
636 disallow creation of mappings that have both write and execute
640 Once creation of writeable and executable mappings is allowed,
641 it is impossible (and pointless) to disallow it.
642 The only way to ensure the absence of such mappings after they
643 were enabled in a given process, is to set the
644 .Dv PROC_WX_MAPPINGS_DISALLOW_EXEC
648 .It Dv PROC_WXMAP_STATUS
649 Returns the current status of the 'write exclusive against execution'
650 enforcement for the specified process.
653 parameter must point to the integer variable, where one of the
654 following values is written:
655 .Bl -tag -width PROC_WX_MAPPINGS_DISALLOW_EXEC
656 .It Dv PROC_WX_MAPPINGS_PERMIT
657 Creation of simultaneously writable and executable mapping is permitted,
658 otherwise the process cannot create such mappings.
659 .It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC
662 the new address space should disallow creation of simultaneously
663 writable and executable mappings.
666 Additionally, if the address space of the process disallows
667 creation of simultaneously writable and executable mappings and
668 it is guaranteed that no such mapping was created since address space
670 .Dv PROC_WXORX_ENFORCE
671 flag is set in the returned value.
673 .Sh x86 MACHINE-SPECIFIC REQUESTS
674 .Bl -tag -width PROC_KPTI_STATUS
677 Controls the Kernel Page Table Isolation (KPTI) option for the children
678 of the specified process.
679 For the command to work, the
681 tunable must be enabled on boot.
682 It is not possible to change the KPTI setting for a running process,
685 where the address space is reinitialized.
689 parameter must point to an integer variable containing one of the
691 .Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC
692 .It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC
695 .It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC
698 Only root or a process having the
700 privilege might use this option.
702 .It Dv PROC_KPTI_STATUS
703 Returns the current KPTI status for the specified process.
705 must point to the integer variable, which returns the
707 .Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC
708 .It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC
709 .It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC
712 The status is or-ed with the
713 .Va PROC_KPTI_STATUS_ACTIVE
714 in case KPTI is active for the current address space of the process.
716 Disabling tracing on a process should not be considered a security
717 feature, as it is bypassable both by the kernel and privileged processes,
718 and via other system mechanisms.
719 As such, it should not be utilized to reliably protect cryptographic
720 keying material or other confidential data.
722 Note that processes can trivially bypass the 'no simultaneously
723 writable and executable mappings' policy by first marking some mapping
724 as writeable and write code to it, then removing write and adding
726 This may be legitimately required by some programs, such as JIT compilers.
728 If an error occurs, a value of -1 is returned and
730 is set to indicate the error.
740 parameter points outside the process's allocated address space.
744 argument specifies an unsupported command.
748 argument specifies an unsupported identifier type.
750 The calling process does not have permission to perform the requested
751 operation on any of the selected processes.
753 No processes matched the requested
758 An invalid operation or flag was passed in
766 argument is not equal to
770 is not equal to the pid of the calling process, for
771 .Dv PROC_REAP_ACQUIRE
773 .Dv PROC_REAP_RELEASE
776 Invalid or undefined flags were passed to a
780 An invalid or zero signal number was requested for a
785 .Dv PROC_REAP_RELEASE
786 request was issued by the
791 .Dv PROC_REAP_ACQUIRE
792 request was issued by a process that had already acquired reaper status
793 and has not yet released it.
797 request was issued for a process already being traced.
801 request to re-enable tracing of the process
802 .Po Dv PROC_TRACE_CTL_ENABLE Pc ,
803 or to disable persistence of
804 .Dv PROC_TRACE_CTL_DISABLE
807 was issued for a non-current process.
809 The value of the integer
818 .Dv PROC_PDEATHSIG_CTL
820 .Dv PROC_PDEATHSIG_STATUS
821 request referenced an unsupported
824 or invalid signal number.
846 The reaper facility is based on a similar feature of Linux and
847 DragonflyBSD, and first appeared in
851 .Dv PROC_PDEATHSIG_CTL
852 facility is based on the prctl(PR_SET_PDEATHSIG, ...) feature of Linux,
853 and first appeared in
856 The ASLR support was added to system for the checklists compliance in