Page MenuHomeFreeBSD
Files F144706848

D19308.id54414.diff
No OneTemporary
Actions

D19308.id54414.diff
View Options

Index: lib/libc/sys/procctl.2
===================================================================
--- lib/libc/sys/procctl.2
+++ lib/libc/sys/procctl.2
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd May 12, 2018
+.Dd February 23, 2019
.Dt PROCCTL 2
.Os
.Sh NAME
@@ -58,7 +58,7 @@
An error is only returned if no selected processes successfully complete
the request.
The following identifier types are supported:
-.Bl -tag -width "Dv P_PGID"
+.Bl -tag -width P_PGID
.It Dv P_PID
Control the process with the process ID
.Fa id .
@@ -71,7 +71,47 @@
.Fa cmd
argument.
The following commands are supported:
-.Bl -tag -width "Dv PROC_TRAPCAP_STATUS"
+.Bl -tag -width PROC_TRAPCAP_STATUS
+.It Dv PROC_ASLR_CTL
+Controls the Address Space Layout Randomization (ASLR) in the program
+images created
+by
+.Xr execve 2
+in the specified process or its descendants that did not changed
+the control nor modified it by other means.
+The
+.Xa arg
+parameter must point to the integer variable holding one of the following
+values:
+.Bl -tag -width PROC_ASLR_FORCE_DISABLE
+.It Dv PROC_ASLR_FORCE_ENABLE
+Request that ASLR is enabled after execution, even if it is disabled
+system-wide.
+The image flag and set-uid might prevent ASLR enablement still.
+.It Dv PROC_ASLR_FORCE_DISABLE
+Request that ASLR is disabled after execution.
+Same notes as for
+.Dv PROC_ASKR_FORCE_ENABLE
+apply.
+.It Dv PROC_ASLR_NOFORCE
+Use system-wide configured policy for ASLR.
+.El
+.It Dv PROC_ASLR_STATUS
+Returns the current status of ASLR enablement for the target process.
+The
+.Va arg
+parameter must point to the integer variable, where one of the
+following values is written:
+.Bl -tag -width PROC_ASLR_FORCE_DISABLE
+.It Dv PROC_ASLR_FORCE_ENABLE
+.It Dv PROC_ASLR_FORCE_DISABLE
+.It Dv PROC_ASLR_NOFORCE
+.El
+.Pp
+If the currently executed image in the process itself has ASLR enabled,
+the
+.Dv PROC_ASLR_ACTIVE
+flag is or-ed with the value listed above.
.It Dv PROC_SPROTECT
Set process protection state.
This is used to mark a process as protected from being killed if the system
@@ -81,7 +121,7 @@
parameter must point to an integer containing an operation and zero or more
optional flags.
The following operations are supported:
-.Bl -tag -width "Dv PPROT_CLEAR"
+.Bl -tag -width PPROT_CLEAR
.It Dv PPROT_SET
Mark the selected processes as protected.
.It Dv PPROT_CLEAR
@@ -89,7 +129,7 @@
.El
.Pp
The following optional flags are supported:
-.Bl -tag -width "Dv PPROT_DESCEND"
+.Bl -tag -width PPROT_DESCEND
.It Dv PPROT_DESCEND
Apply the requested operation to all child processes of each selected process
in addition to each selected process.
@@ -131,7 +171,7 @@
The
.Fa rs_flags
may have the following flags returned:
-.Bl -tag -width "Dv REAPER_STATUS_REALINIT"
+.Bl -tag -width REAPER_STATUS_REALINIT
.It Dv REAPER_STATUS_OWNED
The specified process has acquired reaper status and has not
released it.
@@ -211,7 +251,7 @@
The
.Fa pi_flags
field returns the following flags, further describing the descendant:
-.Bl -tag -width "Dv REAPER_PIDINFO_REAPER"
+.Bl -tag -width REAPER_PIDINFO_REAPER
.It Dv REAPER_PIDINFO_VALID
Set to indicate that the
.Vt procctl_reaper_pidinfo
@@ -255,7 +295,7 @@
.Fa rk_flags
field further directs the operation.
It is or-ed from the following flags:
-.Bl -tag -width "Dv REAPER_KILL_CHILDREN"
+.Bl -tag -width REAPER_KILL_CHILDREN
.It Dv REAPER_KILL_CHILDREN
Deliver the specified signal only to direct children of the reaper.
.It Dv REAPER_KILL_SUBTREE
@@ -296,7 +336,7 @@
Possible values for the
.Fa data
argument are:
-.Bl -tag -width "Dv PROC_TRACE_CTL_DISABLE_EXEC"
+.Bl -tag -width PROC_TRACE_CTL_DISABLE_EXEC
.It Dv PROC_TRACE_CTL_ENABLE
Enable tracing, after it was disabled by
.Dv PROC_TRACE_CTL_DISABLE .
@@ -346,7 +386,7 @@
Possible values for the
.Fa data
argument are:
-.Bl -tag -width "Dv PROC_TRAPCAP_CTL_DISABLE"
+.Bl -tag -width PROC_TRAPCAP_CTL_DISABLE
.It Dv PROC_TRAPCAP_CTL_ENABLE
Enable the
.Dv SIGTRAP
@@ -543,11 +583,16 @@
.Fn procctl
function appeared in
.Fx 10.0 .
+.Pp
The reaper facility is based on a similar feature of Linux and
DragonflyBSD, and first appeared in
.Fx 10.2 .
+.Pp
The
.Dv PROC_PDEATHSIG_CTL
facility is based on the prctl(PR_SET_PDEATHSIG, ...) feature of Linux,
and first appeared in
.Fx 11.2 .
+.Pp
+The ASLR support was added to system for the checklists compliance in
+.Fx 13.0 .
Index: usr.bin/proccontrol/Makefile
===================================================================
--- usr.bin/proccontrol/Makefile
+++ usr.bin/proccontrol/Makefile
@@ -2,6 +2,5 @@
PROG= proccontrol
WARNS?= 6
-MAN=
.include <bsd.prog.mk>
Index: usr.bin/proccontrol/proccontrol.1
===================================================================
--- /dev/null
+++ usr.bin/proccontrol/proccontrol.1
@@ -0,0 +1,123 @@
+.\" Copyright (c) 2019 The FreeBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This documentation was written by
+.\" Konstantin Belousov <kib@FreeBSD.org> under sponsorship
+.\" from the FreeBSD Foundation.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd February 22, 2019
+.Dt PROCCONTROL 1
+.Os
+.Sh NAME
+.Nm proccontrol
+.Nd Control some process execution aspects
+.Sh SYNOPSIS
+.Nm
+.Fl m Ar mode
+.Op Fl s Ar control
+.Op Fl q
+.Fl p Ar pid | command
+.Sh DESCRIPTION
+The
+.Nm
+command modifies the execution parameter of existing process
+specified by the
+.Ar pid
+argument, or starts execution of the new program
+.Ar command
+with the execution parameter set for it.
+.Pp
+Which execution parameter is changed, selected by the mandatory
+parameter
+.Ar mode .
+Possible values for
+.Ar mode
+are:
+.Bl -tag -width trapcap
+.It Ar aslr
+Control the Address Space Layout Randomization.
+Only applicable to the new process spawned.
+.It Ar trace
+Control the permission for debuggers to attach.
+.It Ar trapcap
+Controls the signalling of capability mode access violations.
+.El
+.Pp
+The
+Ar control
+specifies if the selected
+.Ar mode
+should be enabled or disabled.
+Possible values are
+.Ar enable
+and
+.Ar disable ,
+with the default value being
+.Ar enable
+if not specified.
+See
+.Xr procctl 2
+for detailed description of each mode effects and interaction with other
+process control facilities.
+.Pp
+The
+.Op Fl q
+switch makes the utility query and print the current setting for
+the selected mode.
+.Sh EXIT STATUS
+.Ex -std
+.Sh EXAMPLES
+.Bl -bullet
+.It
+To disable debuggers attachment to the process 1020, execute
+.Dl "proccontrol -m trace -s disable -p 1020"
+.It
+To execute the
+.Xr uniq 1
+program in a mode where capability access violations cause
+.Dv SIGTRAP
+delivery, do
+.Dl "proccontrol -m trapcap uniq"
+.It
+To query the current ASLR enablement mode for the running
+process 1020, do
+.Dl "proccontrol -m aslr -q -p 1020"
+.El
+.Sh SEE ALSO
+.Xr kill 2 ,
+.Xr procctl 2 ,
+.Xr ptrace 2
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Fx 10.0 .
+.Sh AUTHORS
+The
+.Nm
+command and this manual page were written by
+.An Konstantin Belousov Aq Mt kib@freebsd.org
+under sponsorship from The FreeBSD Foundation.

File Metadata

Mime Type
text/plain
Expires
Thu, Feb 12, 11:04 AM (4 h, 43 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
28666166
Default Alt Text
D19308.id54414.diff (8 KB)

Event Timeline