2 * Copyright (c) 2016 The FreeBSD Foundation
5 * This software was developed by Konstantin Belousov <kib@FreeBSD.org>
6 * under sponsorship from the FreeBSD Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
33 #include <sys/procctl.h>
60 str2pid(const char *str)
65 res = strtol(str, &tail, 0);
67 warnx("non-numeric pid");
74 #define KPTI_USAGE "|kpti"
79 #define LA_USAGE "|la48|la57"
88 fprintf(stderr, "Usage: proccontrol -m (aslr|protmax|trace|trapcap|"
89 "stackgap|nonewprivs|wxmap"KPTI_USAGE LA_USAGE") [-q] "
90 "[-s (enable|disable)] [-p pid | command]\n");
95 main(int argc, char *argv[])
97 int arg, ch, error, mode;
99 bool enable, do_command, query;
105 while ((ch = getopt(argc, argv, "m:qs:p:")) != -1) {
108 if (strcmp(optarg, "aslr") == 0)
110 else if (strcmp(optarg, "protmax") == 0)
112 else if (strcmp(optarg, "trace") == 0)
114 else if (strcmp(optarg, "trapcap") == 0)
116 else if (strcmp(optarg, "stackgap") == 0)
117 mode = MODE_STACKGAP;
118 else if (strcmp(optarg, "nonewprivs") == 0)
119 mode = MODE_NO_NEW_PRIVS;
120 else if (strcmp(optarg, "wxmap") == 0)
123 else if (strcmp(optarg, "kpti") == 0)
127 else if (strcmp(optarg, "la57") == 0)
129 else if (strcmp(optarg, "la48") == 0)
136 if (strcmp(optarg, "enable") == 0)
138 else if (strcmp(optarg, "disable") == 0)
144 pid = str2pid(optarg);
157 do_command = argc != 0;
159 if (pid != -1 || query)
162 } else if (pid == -1) {
169 error = procctl(P_PID, pid, PROC_ASLR_STATUS, &arg);
172 error = procctl(P_PID, pid, PROC_TRACE_STATUS, &arg);
175 error = procctl(P_PID, pid, PROC_TRAPCAP_STATUS, &arg);
178 error = procctl(P_PID, pid, PROC_PROTMAX_STATUS, &arg);
181 error = procctl(P_PID, pid, PROC_STACKGAP_STATUS, &arg);
183 case MODE_NO_NEW_PRIVS:
184 error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_STATUS,
188 error = procctl(P_PID, pid, PROC_WXMAP_STATUS, &arg);
192 error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg);
198 error = procctl(P_PID, pid, PROC_LA_STATUS, &arg);
206 err(1, "procctl status");
209 switch (arg & ~PROC_ASLR_ACTIVE) {
210 case PROC_ASLR_FORCE_ENABLE:
211 printf("force enabled");
213 case PROC_ASLR_FORCE_DISABLE:
214 printf("force disabled");
216 case PROC_ASLR_NOFORCE:
217 printf("not forced");
220 if ((arg & PROC_ASLR_ACTIVE) != 0)
221 printf(", active\n");
223 printf(", not active\n");
227 printf("disabled\n");
229 printf("enabled, no debugger\n");
231 printf("enabled, traced by %d\n", arg);
235 case PROC_TRAPCAP_CTL_ENABLE:
238 case PROC_TRAPCAP_CTL_DISABLE:
239 printf("disabled\n");
244 switch (arg & ~PROC_PROTMAX_ACTIVE) {
245 case PROC_PROTMAX_FORCE_ENABLE:
246 printf("force enabled");
248 case PROC_PROTMAX_FORCE_DISABLE:
249 printf("force disabled");
251 case PROC_PROTMAX_NOFORCE:
252 printf("not forced");
255 if ((arg & PROC_PROTMAX_ACTIVE) != 0)
256 printf(", active\n");
258 printf(", not active\n");
261 switch (arg & (PROC_STACKGAP_ENABLE |
262 PROC_STACKGAP_DISABLE)) {
263 case PROC_STACKGAP_ENABLE:
266 case PROC_STACKGAP_DISABLE:
267 printf("disabled\n");
270 switch (arg & (PROC_STACKGAP_ENABLE_EXEC |
271 PROC_STACKGAP_DISABLE_EXEC)) {
272 case PROC_STACKGAP_ENABLE_EXEC:
273 printf("enabled after exec\n");
275 case PROC_STACKGAP_DISABLE_EXEC:
276 printf("disabled after exec\n");
280 case MODE_NO_NEW_PRIVS:
282 case PROC_NO_NEW_PRIVS_ENABLE:
285 case PROC_NO_NEW_PRIVS_DISABLE:
286 printf("disabled\n");
291 if ((arg & PROC_WX_MAPPINGS_PERMIT) != 0)
295 if ((arg & PROC_WX_MAPPINGS_DISALLOW_EXEC) != 0)
296 printf(", disabled on exec");
297 if ((arg & PROC_WXORX_ENFORCE) != 0)
298 printf(", wxorx enforced");
303 switch (arg & ~PROC_KPTI_STATUS_ACTIVE) {
304 case PROC_KPTI_CTL_ENABLE_ON_EXEC:
307 case PROC_KPTI_CTL_DISABLE_ON_EXEC:
311 if ((arg & PROC_KPTI_STATUS_ACTIVE) != 0)
312 printf(", active\n");
314 printf(", not active\n");
320 switch (arg & ~(PROC_LA_STATUS_LA48 |
321 PROC_LA_STATUS_LA57)) {
322 case PROC_LA_CTL_LA48_ON_EXEC:
323 printf("la48 on exec");
325 case PROC_LA_CTL_LA57_ON_EXEC:
326 printf("la57 on exec");
328 case PROC_LA_CTL_DEFAULT_ON_EXEC:
329 printf("default on exec");
332 if ((arg & PROC_LA_STATUS_LA48) != 0)
333 printf(", la48 active\n");
334 else if ((arg & PROC_LA_STATUS_LA57) != 0)
335 printf(", la57 active\n");
342 arg = enable ? PROC_ASLR_FORCE_ENABLE :
343 PROC_ASLR_FORCE_DISABLE;
344 error = procctl(P_PID, pid, PROC_ASLR_CTL, &arg);
347 arg = enable ? PROC_TRACE_CTL_ENABLE :
348 PROC_TRACE_CTL_DISABLE;
349 error = procctl(P_PID, pid, PROC_TRACE_CTL, &arg);
352 arg = enable ? PROC_TRAPCAP_CTL_ENABLE :
353 PROC_TRAPCAP_CTL_DISABLE;
354 error = procctl(P_PID, pid, PROC_TRAPCAP_CTL, &arg);
357 arg = enable ? PROC_PROTMAX_FORCE_ENABLE :
358 PROC_PROTMAX_FORCE_DISABLE;
359 error = procctl(P_PID, pid, PROC_PROTMAX_CTL, &arg);
362 arg = enable ? PROC_STACKGAP_ENABLE_EXEC :
363 (PROC_STACKGAP_DISABLE |
364 PROC_STACKGAP_DISABLE_EXEC);
365 error = procctl(P_PID, pid, PROC_STACKGAP_CTL, &arg);
367 case MODE_NO_NEW_PRIVS:
368 arg = enable ? PROC_NO_NEW_PRIVS_ENABLE :
369 PROC_NO_NEW_PRIVS_DISABLE;
370 error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_CTL,
374 arg = enable ? PROC_WX_MAPPINGS_PERMIT :
375 PROC_WX_MAPPINGS_DISALLOW_EXEC;
376 error = procctl(P_PID, pid, PROC_WXMAP_CTL, &arg);
380 arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :
381 PROC_KPTI_CTL_DISABLE_ON_EXEC;
382 error = procctl(P_PID, pid, PROC_KPTI_CTL, &arg);
387 arg = enable ? PROC_LA_CTL_LA57_ON_EXEC :
388 PROC_LA_CTL_DEFAULT_ON_EXEC;
389 error = procctl(P_PID, pid, PROC_LA_CTL, &arg);
392 arg = enable ? PROC_LA_CTL_LA48_ON_EXEC :
393 PROC_LA_CTL_DEFAULT_ON_EXEC;
394 error = procctl(P_PID, pid, PROC_LA_CTL, &arg);
402 err(1, "procctl ctl");
404 error = execvp(argv[0], argv);