Index: lib/libc/sys/procctl.2 =================================================================== --- lib/libc/sys/procctl.2 +++ lib/libc/sys/procctl.2 @@ -112,6 +112,47 @@ the .Dv PROC_ASLR_ACTIVE flag is or-ed with the value listed above. +.It Dv PROC_PROTMAX_CTL +Controls implicit application of PROT_MAX protection equal to the +.Fa prot +argument of the +.Xr mmap 2 +syscall, in the target process. +The +.Va arg +parameter must point to the integer variable holding one of the following +values: +.Bl -tag -width PROC_PROTMAX_FORCE_DISABLE +.It Dv PROC_PROTMAX_FORCE_ENABLE +Enables implicit PROT_MAX application, +even if it is disabled system-wide by default. +The image flag might prevent the enablement still. +.It Dv PROC_ASLR_FORCE_DISABLE +Request that implicit application of PROT_MAX is disabled. +Same notes as for +.Dv PROC_PROT_MAX_FORCE_ENABLE +apply. +.It Dv PROC_PROTMAX_NOFORCE +Use system-wide configured policy for PROT_MAX. +.El +.It Dv PROC_PROTMAX_STATUS +Returns the current status of implicit PROT_MAX enablement for the +target process. +The +.Va arg +parameter must point to the integer variable, where one of the +following values is written: +.Bl -tag -width PROC_PROTMAX_FORCE_DISABLE +.It Dv PROC_PROTMAX_FORCE_ENABLE +.It Dv PROC_PROTMAX_FORCE_DISABLE +.It Dv PROC_PROTMAX_NOFORCE +.El +.Pp +If the currently executed image in the process itself has implicit PROT_MAX +application enabled, +the +.Dv PROC_PROTMAX_ACTIVE +flag is or-ed with the value listed above. .It Dv PROC_SPROTECT Set process protection state. This is used to mark a process as protected from being killed if the system @@ -575,6 +616,7 @@ .Xr cap_enter 2, .Xr kill 2 , .Xr ktrace 2 , +.Xr mmap 2 , .Xr ptrace 2 , .Xr wait 2 , .Xr capsicum 4 , Index: sys/compat/freebsd32/freebsd32_misc.c =================================================================== --- sys/compat/freebsd32/freebsd32_misc.c +++ sys/compat/freebsd32/freebsd32_misc.c @@ -3334,6 +3334,7 @@ switch (uap->com) { case PROC_ASLR_CTL: case PROC_SPROTECT: + case PROC_PROTMAX_CTL: case PROC_TRACE_CTL: case PROC_TRAPCAP_CTL: error = copyin(PTRIN(uap->data), &flags, sizeof(flags)); @@ -3365,6 +3366,7 @@ data = &x.rk; break; case PROC_ASLR_STATUS: + case PROC_PROTMAX_STATUS: case PROC_TRACE_STATUS: case PROC_TRAPCAP_STATUS: data = &flags; @@ -3394,6 +3396,7 @@ error = error1; break; case PROC_ASLR_STATUS: + case PROC_PROTMAX_STATUS: case PROC_TRACE_STATUS: case PROC_TRAPCAP_STATUS: if (error == 0) Index: sys/kern/kern_procctl.c =================================================================== --- sys/kern/kern_procctl.c +++ sys/kern/kern_procctl.c @@ -34,6 +34,7 @@ #include #include #include +#include #include #include #include @@ -418,6 +419,51 @@ return (0); } +static int +protmax_ctl(struct thread *td, struct proc *p, int state) +{ + PROC_LOCK_ASSERT(p, MA_OWNED); + + switch (state) { + case PROC_PROTMAX_FORCE_ENABLE: + p->p_flag2 &= ~P2_PROTMAX_DISABLE; + p->p_flag2 |= P2_PROTMAX_ENABLE; + break; + case PROC_PROTMAX_FORCE_DISABLE: + p->p_flag2 |= P2_PROTMAX_DISABLE; + p->p_flag2 &= ~P2_PROTMAX_ENABLE; + break; + case PROC_PROTMAX_NOFORCE: + p->p_flag2 &= ~(P2_PROTMAX_ENABLE | P2_PROTMAX_DISABLE); + break; + default: + return (EINVAL); + } + return (0); +} + +static int +protmax_status(struct thread *td, struct proc *p, int *data) +{ + int d; + + switch (p->p_flag2 & (P2_PROTMAX_ENABLE | P2_PROTMAX_DISABLE)) { + case 0: + d = PROC_ASLR_NOFORCE; + break; + case P2_PROTMAX_ENABLE: + d = PROC_PROTMAX_FORCE_ENABLE; + break; + case P2_PROTMAX_DISABLE: + d = PROC_PROTMAX_FORCE_DISABLE; + break; + } + if (kern_mmap_maxprot(p, PROT_READ) == PROT_READ) + d |= PROC_PROTMAX_ACTIVE; + *data = d; + return (0); +} + static int aslr_ctl(struct thread *td, struct proc *p, int state) { @@ -500,6 +546,7 @@ switch (uap->com) { case PROC_ASLR_CTL: + case PROC_PROTMAX_CTL: case PROC_SPROTECT: case PROC_TRACE_CTL: case PROC_TRAPCAP_CTL: @@ -530,6 +577,7 @@ data = &x.rk; break; case PROC_ASLR_STATUS: + case PROC_PROTMAX_STATUS: case PROC_TRACE_STATUS: case PROC_TRAPCAP_STATUS: data = &flags; @@ -558,6 +606,7 @@ error = error1; break; case PROC_ASLR_STATUS: + case PROC_PROTMAX_STATUS: case PROC_TRACE_STATUS: case PROC_TRAPCAP_STATUS: if (error == 0) @@ -583,6 +632,10 @@ return (aslr_status(td, p, data)); case PROC_SPROTECT: return (protect_set(td, p, *(int *)data)); + case PROC_PROTMAX_CTL: + return (protmax_ctl(td, p, *(int *)data)); + case PROC_PROTMAX_STATUS: + return (protmax_status(td, p, data)); case PROC_REAP_ACQUIRE: return (reap_acquire(td, p)); case PROC_REAP_RELEASE: @@ -618,6 +671,8 @@ switch (com) { case PROC_ASLR_CTL: case PROC_ASLR_STATUS: + case PROC_PROTMAX_CTL: + case PROC_PROTMAX_STATUS: case PROC_REAP_ACQUIRE: case PROC_REAP_RELEASE: case PROC_REAP_STATUS: @@ -669,6 +724,8 @@ break; case PROC_ASLR_CTL: case PROC_ASLR_STATUS: + case PROC_PROTMAX_CTL: + case PROC_PROTMAX_STATUS: case PROC_TRACE_STATUS: case PROC_TRAPCAP_STATUS: tree_locked = false; Index: sys/sys/elf_common.h =================================================================== --- sys/sys/elf_common.h +++ sys/sys/elf_common.h @@ -777,6 +777,7 @@ /* NT_FREEBSD_FEATURE_CTL desc[0] bits */ #define NT_FREEBSD_FCTL_ASLR_DISABLE 0x00000001 +#define NT_FREEBSD_FCTL_PROTMAX_DISABLE 0x00000002 /* Values for n_type. Used in core files. */ #define NT_PRSTATUS 1 /* Process status. */ Index: sys/sys/proc.h =================================================================== --- sys/sys/proc.h +++ sys/sys/proc.h @@ -761,6 +761,8 @@ #define P2_ASLR_ENABLE 0x00000040 /* Force enable ASLR. */ #define P2_ASLR_DISABLE 0x00000080 /* Force disable ASLR. */ #define P2_ASLR_IGNSTART 0x00000100 /* Enable ASLR to consume sbrk area. */ +#define P2_PROTMAX_ENABLE 0x00000200 /* Force enable implied PROT_MAX. */ +#define P2_PROTMAX_DISABLE 0x00000400 /* Force disable implied PROT_MAX. */ /* Flags protected by proctree_lock, kept in p_treeflags. */ #define P_TREE_ORPHANED 0x00000001 /* Reparented, on orphan list */ Index: sys/sys/procctl.h =================================================================== --- sys/sys/procctl.h +++ sys/sys/procctl.h @@ -59,6 +59,8 @@ #define PROC_PDEATHSIG_STATUS 12 /* get parent death signal */ #define PROC_ASLR_CTL 13 /* en/dis ASLR */ #define PROC_ASLR_STATUS 14 /* query ASLR status */ +#define PROC_PROTMAX_CTL 15 /* en/dis implicit PROT_MAX */ +#define PROC_PROTMAX_STATUS 16 /* query implicit PROT_MAX status */ /* Operations for PROC_SPROTECT (passed in integer arg). */ #define PPROT_OP(x) ((x) & 0xf) @@ -127,6 +129,11 @@ #define PROC_ASLR_NOFORCE 3 #define PROC_ASLR_ACTIVE 0x80000000 +#define PROC_PROTMAX_FORCE_ENABLE 1 +#define PROC_PROTMAX_FORCE_DISABLE 2 +#define PROC_PROTMAX_NOFORCE 3 +#define PROC_PROTMAX_ACTIVE 0x80000000 + #ifndef _KERNEL __BEGIN_DECLS int procctl(idtype_t, id_t, int, void *); Index: sys/sys/syscallsubr.h =================================================================== --- sys/sys/syscallsubr.h +++ sys/sys/syscallsubr.h @@ -175,6 +175,7 @@ size_t len); int kern_mmap(struct thread *td, uintptr_t addr, size_t len, int prot, int flags, int fd, off_t pos); +int kern_mmap_maxprot(struct proc *p, int prot); int kern_mprotect(struct thread *td, uintptr_t addr, size_t size, int prot); int kern_msgctl(struct thread *, int, int, struct msqid_ds *); int kern_msgrcv(struct thread *, int, void *, size_t, long, int, long *); Index: sys/vm/vm_mmap.c =================================================================== --- sys/vm/vm_mmap.c +++ sys/vm/vm_mmap.c @@ -56,6 +56,7 @@ #include #include #include +#include #include #include #include @@ -181,12 +182,26 @@ uap->flags, uap->fd, uap->pos)); } +int +kern_mmap_maxprot(struct proc *p, int prot) +{ + + if ((p->p_flag2 & P2_PROTMAX_DISABLE) != 0 || + (p->p_fctl0 & NT_FREEBSD_FCTL_PROTMAX_DISABLE) != 0) + return (_PROT_ALL); + if (((p->p_flag2 & P2_PROTMAX_ENABLE) != 0 || imply_prot_max) && + prot != PROT_NONE) + return (prot); + return (_PROT_ALL); +} + int kern_mmap(struct thread *td, uintptr_t addr0, size_t len, int prot, int flags, int fd, off_t pos) { struct vmspace *vms; struct file *fp; + struct proc *p; vm_offset_t addr; vm_size_t pageoff, size; vm_prot_t cap_maxprot; @@ -199,17 +214,17 @@ prot = PROT_EXTRACT(prot); if (max_prot != 0 && (max_prot & prot) != prot) return (EINVAL); + + p = td->td_proc; + /* * Always honor PROT_MAX if set. If not, default to all * permissions unless we're implying maximum permissions. - * - * XXX: should be tunable per process and ABI. */ if (max_prot == 0) - max_prot = (imply_prot_max && prot != PROT_NONE) ? - prot : _PROT_ALL; + max_prot = kern_mmap_maxprot(p, prot); - vms = td->td_proc->p_vmspace; + vms = p->p_vmspace; fp = NULL; AUDIT_ARG_FD(fd); addr = addr0; @@ -229,7 +244,7 @@ * pos. */ if (!SV_CURPROC_FLAG(SV_AOUT)) { - if ((len == 0 && curproc->p_osrel >= P_OSREL_MAP_ANON) || + if ((len == 0 && p->p_osrel >= P_OSREL_MAP_ANON) || ((flags & MAP_ANON) != 0 && (fd != -1 || pos != 0))) return (EINVAL); } else { @@ -375,7 +390,7 @@ if (error != 0) goto done; if ((flags & (MAP_SHARED | MAP_PRIVATE)) == 0 && - td->td_proc->p_osrel >= P_OSREL_MAP_FSTRICT) { + p->p_osrel >= P_OSREL_MAP_FSTRICT) { error = EINVAL; goto done; } Index: usr.bin/proccontrol/proccontrol.1 =================================================================== --- usr.bin/proccontrol/proccontrol.1 +++ usr.bin/proccontrol/proccontrol.1 @@ -66,6 +66,9 @@ not for any other process. .It Ar trapcap Controls the signalling of capability mode access violations. +.It Ar protmax +Controls the implicit PROT_MAX application for +.Xr mmap 2 . .It Ar kpti Controls the KPTI enable, AMD64 only. .El Index: usr.bin/proccontrol/proccontrol.c =================================================================== --- usr.bin/proccontrol/proccontrol.c +++ usr.bin/proccontrol/proccontrol.c @@ -43,6 +43,7 @@ MODE_INVALID, MODE_TRACE, MODE_TRAPCAP, + MODE_PROTMAX, #ifdef PROC_KPTI_CTL MODE_KPTI, #endif @@ -72,7 +73,7 @@ usage(void) { - fprintf(stderr, "Usage: proccontrol -m (aslr|trace|trapcap" + fprintf(stderr, "Usage: proccontrol -m (aslr|trace|trapcap|protmax" KPTI_USAGE") [-q] " "[-s (enable|disable)] [-p pid | command]\n"); exit(1); @@ -98,6 +99,8 @@ mode = MODE_TRACE; else if (strcmp(optarg, "trapcap") == 0) mode = MODE_TRAPCAP; + else if (strcmp(optarg, "protmax") == 0) + mode = MODE_PROTMAX; #ifdef PROC_KPTI_CTL else if (strcmp(optarg, "kpti") == 0) mode = MODE_KPTI; @@ -147,6 +150,9 @@ case MODE_TRAPCAP: error = procctl(P_PID, pid, PROC_TRAPCAP_STATUS, &arg); break; + case MODE_PROTMAX: + error = procctl(P_PID, pid, PROC_PROTMAX_STATUS, &arg); + break; #ifdef PROC_KPTI_CTL case MODE_KPTI: error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg); @@ -194,6 +200,23 @@ break; } break; + case MODE_PROTMAX: + switch (arg & ~PROC_PROTMAX_ACTIVE) { + case PROC_PROTMAX_FORCE_ENABLE: + printf("force enabled"); + break; + case PROC_PROTMAX_FORCE_DISABLE: + printf("force disabled"); + break; + case PROC_PROTMAX_NOFORCE: + printf("not forced"); + break; + } + if ((arg & PROC_PROTMAX_ACTIVE) != 0) + printf(", active\n"); + else + printf(", not active\n"); + break; #ifdef PROC_KPTI_CTL case MODE_KPTI: switch (arg & ~PROC_KPTI_STATUS_ACTIVE) { @@ -228,6 +251,11 @@ PROC_TRAPCAP_CTL_DISABLE; error = procctl(P_PID, pid, PROC_TRAPCAP_CTL, &arg); break; + case MODE_PROTMAX: + arg = enable ? PROC_PROTMAX_FORCE_ENABLE : + PROC_PROTMAX_FORCE_DISABLE; + error = procctl(P_PID, pid, PROC_PROTMAX_CTL, &arg); + break; #ifdef PROC_KPTI_CTL case MODE_KPTI: arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :