1 .\" Copyright (c) 2013 Hudson River Trading LLC
2 .\" Written by: John H. Baldwin <jhb@FreeBSD.org>
3 .\" All rights reserved.
5 .\" Copyright (c) 2014 The FreeBSD Foundation
6 .\" Portions of this documentation were written by Konstantin Belousov
7 .\" under sponsorship from the FreeBSD Foundation.
9 .\" Redistribution and use in source and binary forms, with or without
10 .\" modification, are permitted provided that the following conditions
12 .\" 1. Redistributions of source code must retain the above copyright
13 .\" notice, this list of conditions and the following disclaimer.
14 .\" 2. Redistributions in binary form must reproduce the above copyright
15 .\" notice, this list of conditions and the following disclaimer in the
16 .\" documentation and/or other materials provided with the distribution.
18 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
43 .Fn procctl "idtype_t idtype" "id_t id" "int cmd" "void *data"
47 system call provides for control over processes.
52 arguments specify the set of processes to control.
53 If multiple processes match the identifier,
57 to control as many of the selected processes as possible.
58 An error is only returned if no selected processes successfully complete
60 The following identifier types are supported:
61 .Bl -tag -width P_PGID
63 Control the process with the process ID
66 Control processes belonging to the process group with the ID
70 The control request to perform is specified by the
73 The following commands are supported:
74 .Bl -tag -width PROC_TRAPCAP_STATUS
76 Controls the Address Space Layout Randomization (ASLR) in the program
80 in the specified process or its descendants that did not changed
81 the control nor modified it by other means.
84 parameter must point to the integer variable holding one of the following
86 .Bl -tag -width PROC_ASLR_FORCE_DISABLE
87 .It Dv PROC_ASLR_FORCE_ENABLE
88 Request that ASLR is enabled after execution, even if it is disabled
90 The image flag and set-uid might prevent ASLR enablement still.
91 .It Dv PROC_ASLR_FORCE_DISABLE
92 Request that ASLR is disabled after execution.
94 .Dv PROC_ASLR_FORCE_ENABLE
96 .It Dv PROC_ASLR_NOFORCE
97 Use the system-wide configured policy for ASLR.
99 .It Dv PROC_ASLR_STATUS
100 Returns the current status of ASLR enablement for the target process.
103 parameter must point to the integer variable, where one of the
104 following values is written:
105 .Bl -tag -width PROC_ASLR_FORCE_DISABLE
106 .It Dv PROC_ASLR_FORCE_ENABLE
107 .It Dv PROC_ASLR_FORCE_DISABLE
108 .It Dv PROC_ASLR_NOFORCE
111 If the currently executed image in the process itself has ASLR enabled,
114 flag is or-ed with the value listed above.
115 .It Dv PROC_PROTMAX_CTL
116 Controls implicit application of PROT_MAX protection equal to the
120 syscall, in the target process.
123 parameter must point to the integer variable holding one of the following
125 .Bl -tag -width PROC_PROTMAX_FORCE_DISABLE
126 .It Dv PROC_PROTMAX_FORCE_ENABLE
127 Enables implicit PROT_MAX application,
128 even if it is disabled system-wide by the sysctl
129 .Va vm.imply_prot_max .
130 The image flag might still prevent the enablement.
131 .It Dv PROC_PROTMAX_FORCE_DISABLE
132 Request that implicit application of PROT_MAX be disabled.
134 .Dv PROC_PROTMAX_FORCE_ENABLE
136 .It Dv PROC_PROTMAX_NOFORCE
137 Use the system-wide configured policy for PROT_MAX.
139 .It Dv PROC_PROTMAX_STATUS
140 Returns the current status of implicit PROT_MAX enablement for the
144 parameter must point to the integer variable, where one of the
145 following values is written:
146 .Bl -tag -width PROC_PROTMAX_FORCE_DISABLE
147 .It Dv PROC_PROTMAX_FORCE_ENABLE
148 .It Dv PROC_PROTMAX_FORCE_DISABLE
149 .It Dv PROC_PROTMAX_NOFORCE
152 If the currently executed image in the process itself has implicit PROT_MAX
153 application enabled, the
154 .Dv PROC_PROTMAX_ACTIVE
155 flag is or-ed with the value listed above.
157 Set process protection state.
158 This is used to mark a process as protected from being killed if the system
159 exhausts the available memory and swap.
162 parameter must point to an integer containing an operation and zero or more
164 The following operations are supported:
165 .Bl -tag -width PPROT_CLEAR
167 Mark the selected processes as protected.
169 Clear the protected state of selected processes.
172 The following optional flags are supported:
173 .Bl -tag -width PPROT_DESCEND
175 Apply the requested operation to all child processes of each selected process
176 in addition to each selected process.
180 mark all future child processes of each selected process as protected.
181 Future child processes will also mark all of their future child processes.
183 .It Dv PROC_REAP_ACQUIRE
184 Acquires the reaper status for the current process.
185 Reaper status means that children orphaned by the reaper's descendants
186 that were forked after the acquisition of reaper status are reparented to the
188 After system initialization,
190 is the default reaper.
191 .It Dv PROC_REAP_RELEASE
192 Release the reaper state for the current process.
193 The reaper of the current process becomes the new reaper of the
194 current process's descendants.
195 .It Dv PROC_REAP_STATUS
196 Provides information about the reaper of the specified process,
197 or the process itself when it is a reaper.
200 argument must point to a
201 .Vt procctl_reaper_status
202 structure which is filled in by the syscall on successful return.
204 struct procctl_reaper_status {
207 u_int rs_descendants;
214 may have the following flags returned:
215 .Bl -tag -width REAPER_STATUS_REALINIT
216 .It Dv REAPER_STATUS_OWNED
217 The specified process has acquired reaper status and has not
219 When the flag is returned, the specified process
221 pid, identifies the reaper, otherwise the
223 field of the structure is set to the pid of the reaper
224 for the specified process id.
225 .It Dv REAPER_STATUS_REALINIT
226 The specified process is the root of the reaper tree, i.e.,
232 field returns the number of children of the reaper among the descendants.
233 It is possible to have a child whose reaper is not the specified process,
234 since the reaper for any existing children is not reset on the
235 .Dv PROC_REAP_ACQUIRE
239 field returns the total number of descendants of the reaper(s),
240 not counting descendants of the reaper in the subtree.
243 field returns the reaper pid.
246 returns the pid of one reaper child if there are any descendants.
247 .It Dv PROC_REAP_GETPIDS
248 Queries the list of descendants of the reaper of the specified process.
249 The request takes a pointer to a
250 .Vt procctl_reaper_pids
255 struct procctl_reaper_pids {
257 struct procctl_reaper_pidinfo *rp_pids;
262 field must point to an array of
263 .Vt procctl_reaper_pidinfo
264 structures, to be filled in on return,
267 field must specify the size of the array,
268 into which no more than
270 elements will be filled in by the kernel.
273 .Vt "struct procctl_reaper_pidinfo"
274 structure provides some information about one of the reaper's descendants.
275 Note that for a descendant that is not a child, it may be incorrectly
276 identified because of a race in which the original child process exited
277 and the exited process's pid was reused for an unrelated process.
279 struct procctl_reaper_pidinfo {
287 field is the process id of the descendant.
290 field provides the pid of the child of the reaper, which is the (grand-)parent
294 field returns the following flags, further describing the descendant:
295 .Bl -tag -width REAPER_PIDINFO_REAPER
296 .It Dv REAPER_PIDINFO_VALID
297 Set to indicate that the
298 .Vt procctl_reaper_pidinfo
299 structure was filled in by the kernel.
302 array and testing the
303 .Dv REAPER_PIDINFO_VALID
304 flag allows the caller to detect the end
305 of the returned array.
306 .It Dv REAPER_PIDINFO_CHILD
309 field identifies the direct child of the reaper.
310 .It Dv REAPER_PIDINFO_REAPER
311 The reported process is itself a reaper.
312 The descendants of the subordinate reaper are not reported.
314 .It Dv PROC_REAP_KILL
315 Request to deliver a signal to some subset of the descendants of the reaper.
318 parameter must point to a
319 .Vt procctl_reaper_kill
320 structure, which is used both for parameters and status return.
322 struct procctl_reaper_kill {
332 field specifies the signal to be delivered.
333 Zero is not a valid signal number, unlike for
337 field further directs the operation.
338 It is or-ed from the following flags:
339 .Bl -tag -width REAPER_KILL_CHILDREN
340 .It Dv REAPER_KILL_CHILDREN
341 Deliver the specified signal only to direct children of the reaper.
342 .It Dv REAPER_KILL_SUBTREE
343 Deliver the specified signal only to descendants that were forked by
344 the direct child with pid specified in the
349 .Dv REAPER_KILL_CHILDREN
351 .Dv REAPER_KILL_SUBTREE
352 flags are specified, all current descendants of the reaper are signalled.
354 If a signal was delivered to any process, the return value from the request
358 field identifies the number of processes signalled.
361 field is set to the pid of the first process for which signal
362 delivery failed, e.g., due to permission problems.
363 If no such process exists, the
366 .It Dv PROC_TRACE_CTL
367 Enable or disable tracing of the specified process(es), according to the
368 value of the integer argument.
369 Tracing includes attachment to the process using the
377 Possible values for the
380 .Bl -tag -width PROC_TRACE_CTL_DISABLE_EXEC
381 .It Dv PROC_TRACE_CTL_ENABLE
382 Enable tracing, after it was disabled by
383 .Dv PROC_TRACE_CTL_DISABLE .
384 Only allowed for self.
385 .It Dv PROC_TRACE_CTL_DISABLE
386 Disable tracing for the specified process.
387 Tracing is re-enabled when the process changes the executing
391 A child inherits the trace settings from the parent on
393 .It Dv PROC_TRACE_CTL_DISABLE_EXEC
395 .Dv PROC_TRACE_CTL_DISABLE ,
396 but the setting persists for the process even after
399 .It Dv PROC_TRACE_STATUS
400 Returns the current tracing status for the specified process in
401 the integer variable pointed to by
403 If tracing is disabled,
406 If tracing is enabled, but no debugger is attached by the
411 If a debugger is attached,
413 is set to the pid of the debugger process.
414 .It Dv PROC_TRAPCAP_CTL
415 Controls the capability mode sandbox actions for the specified
417 on a return from any syscall which gives either a
422 If the control is enabled, such errors from the syscalls cause
423 delivery of the synchronous
425 signal to the thread immediately before returning from the syscalls.
427 Possible values for the
430 .Bl -tag -width PROC_TRAPCAP_CTL_DISABLE
431 .It Dv PROC_TRAPCAP_CTL_ENABLE
434 signal delivery on capability mode access violations.
435 The enabled mode is inherited by the children of the process,
439 .It Dv PROC_TRAPCAP_CTL_DISABLE
440 Disable the signal delivery on capability mode access violations.
441 Note that the global sysctl
442 .Dv kern.trap_enotcap
443 might still cause the signal to be delivered.
448 On signal delivery, the
452 signal handler parameter is set to the syscall error value,
457 The system call number is stored in the
461 signal handler parameter.
462 The other system call parameters can be read from the
464 but the system call number is typically stored in the register
465 that also contains the return value and so is unavailable in the
470 for more information about the capability mode.
471 .It Dv PROC_TRAPCAP_STATUS
472 Return the current status of signalling capability mode access
473 violations for the specified process.
474 The integer value pointed to by the
476 argument is set to the
477 .Dv PROC_TRAPCAP_CTL_ENABLE
478 value if the process control enables signal delivery, and to
479 .Dv PROC_TRAPCAP_CTL_DISABLE
482 See the note about sysctl
483 .Dv kern.trap_enotcap
484 above, which gives independent global control of signal delivery.
485 .It Dv PROC_PDEATHSIG_CTL
486 Request the delivery of a signal when the parent of the calling
493 must be the either caller's pid or zero, with no difference in effect.
494 The value is cleared for child processes
495 and when executing set-user-ID or set-group-ID binaries.
497 must point to a value of type
499 indicating the signal
500 that should be delivered to the caller.
501 Use zero to cancel a previously requested signal delivery.
502 .It Dv PROC_PDEATHSIG_STATUS
503 Query the current signal number that will be delivered when the parent
504 of the calling process exits.
510 must be the either caller's pid or zero, with no difference in effect.
512 must point to a memory location that can hold a value of type
514 If signal delivery has not been requested, it will contain zero
516 .It Dv PROC_STACKGAP_CTL
517 Controls the stack gaps in the specified process.
518 A stack gap is the part of the growth area for a
520 mapped region that is reserved and never filled by memory.
521 Instead, the process is guaranteed to receive a
523 signal on accessing pages in the gap.
524 Gaps protect against stack overflow corrupting memory adjacent
529 argument must point to an integer variable containing flags.
530 The following flags are allowed:
531 .Bl -tag -width PROC_STACKGAP_DISABLE_EXEC
532 .It Dv PROC_STACKGAP_ENABLE
533 This flag is only accepted for consistency with
534 .Dv PROC_STACKGAP_STATUS .
535 If stack gaps are enabled, the flag is ignored.
536 If disabled, the flag causes an
538 error to be returned.
539 After gaps are disabled in a process, they can only be re-enabled when an
542 .It Dv PROC_STACKGAP_DISABLE
543 Disable stack gaps for the process.
544 For existing stacks, the gap is no longer a reserved part of the growth
545 area and can be filled by memory on access.
546 .It Dv PROC_STACKGAP_ENABLE_EXEC
547 Enable stack gaps for programs started after an
549 by the specified process.
550 .It Dv PROC_STACKGAP_DISABLE_EXEC
551 Inherit disabled stack gaps state after
553 In other words, if the currently executing program has stack gaps disabled,
554 they are kept disabled on exec.
555 If gaps were enabled, they are kept enabled after exec.
558 The stack gap state is inherited from the parent on
560 .It Dv PROC_STACKGAP_STATUS
561 Returns the current stack gap state for the specified process.
563 must point to an integer variable, which is used to return a bitmask
564 consisting of the following flags:
565 .Bl -tag -width PROC_STACKGAP_DISABLE_EXEC
566 .It Dv PROC_STACKGAP_ENABLE
567 Stack gaps are enabled.
568 .It Dv PROC_STACKGAP_DISABLE
569 Stack gaps are disabled.
570 .It Dv PROC_STACKGAP_ENABLE_EXEC
571 Stack gaps are enabled in the process after
573 .It Dv PROC_STACKGAP_DISABLE_EXEC
574 Stack gaps are disabled in the process after
577 .It Dv PROC_NO_NEW_PRIVS_CTL
578 Allows one to ignore the SUID and SGID bits on the program
581 in the specified process and its future descendants.
584 parameter must point to the integer variable holding the following
586 .Bl -tag -width PROC_NO_NEW_PRIVS_ENABLE
587 .It Dv PROC_NO_NEW_PRIVS_ENABLE
588 Request SUID and SGID bits to be ignored.
591 It is not possible to disable it once it has been enabled.
592 .It Dv PROC_NO_NEW_PRIVS_STATUS
593 Returns the current status of SUID/SGID enablement for the target process.
596 parameter must point to the integer variable, where one of the
597 following values is written:
598 .Bl -tag -width PROC_NO_NEW_PRIVS_DISABLE
599 .It Dv PROC_NO_NEW_PRIVS_ENABLE
600 .It Dv PROC_NO_NEW_PRIVS_DISABLE
603 .Sh x86 MACHINE-SPECIFIC REQUESTS
604 .Bl -tag -width PROC_KPTI_STATUS
607 Controls the Kernel Page Table Isolation (KPTI) option for the children
608 of the specified process.
609 For the command to work, the
611 tunable must be enabled on boot.
612 It is not possible to change the KPTI setting for a running process,
615 where the address space is reinitialized.
619 parameter must point to an integer variable containing one of the
621 .Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC
622 .It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC
625 .It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC
628 Only root or a process having the
630 privilege might use this option.
632 .It Dv PROC_KPTI_STATUS
633 Returns the current KPTI status for the specified process.
635 must point to the integer variable, which returns the
637 .Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC
638 .It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC
639 .It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC
642 The status is or-ed with the
643 .Va PROC_KPTI_STATUS_ACTIVE
644 in case KPTI is active for the current address space of the process.
646 Disabling tracing on a process should not be considered a security
647 feature, as it is bypassable both by the kernel and privileged processes,
648 and via other system mechanisms.
649 As such, it should not be utilized to reliably protect cryptographic
650 keying material or other confidential data.
652 If an error occurs, a value of -1 is returned and
654 is set to indicate the error.
664 parameter points outside the process's allocated address space.
668 argument specifies an unsupported command.
672 argument specifies an unsupported identifier type.
674 The calling process does not have permission to perform the requested
675 operation on any of the selected processes.
677 No processes matched the requested
682 An invalid operation or flag was passed in
690 argument is not equal to
694 is not equal to the pid of the calling process, for
695 .Dv PROC_REAP_ACQUIRE
697 .Dv PROC_REAP_RELEASE
700 Invalid or undefined flags were passed to a
704 An invalid or zero signal number was requested for a
709 .Dv PROC_REAP_RELEASE
710 request was issued by the
715 .Dv PROC_REAP_ACQUIRE
716 request was issued by a process that had already acquired reaper status
717 and has not yet released it.
721 request was issued for a process already being traced.
725 request to re-enable tracing of the process
726 .Po Dv PROC_TRACE_CTL_ENABLE Pc ,
727 or to disable persistence of
728 .Dv PROC_TRACE_CTL_DISABLE
731 was issued for a non-current process.
733 The value of the integer
742 .Dv PROC_PDEATHSIG_CTL
744 .Dv PROC_PDEATHSIG_STATUS
745 request referenced an unsupported
748 or invalid signal number.
770 The reaper facility is based on a similar feature of Linux and
771 DragonflyBSD, and first appeared in
775 .Dv PROC_PDEATHSIG_CTL
776 facility is based on the prctl(PR_SET_PDEATHSIG, ...) feature of Linux,
777 and first appeared in
780 The ASLR support was added to system for the checklists compliance in