lib/libc/sys/procctl.2
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||||||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |||||||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |||||||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |||||||||
.\" SUCH DAMAGE. | .\" SUCH DAMAGE. | |||||||||
.\" | .\" | |||||||||
.\" $FreeBSD$ | .\" $FreeBSD$ | |||||||||
.\" | .\" | |||||||||
.Dd July 1, 2021 | .Dd September 2, 2021 | |||||||||
.Dt PROCCTL 2 | .Dt PROCCTL 2 | |||||||||
.Os | .Os | |||||||||
.Sh NAME | .Sh NAME | |||||||||
.Nm procctl | .Nm procctl | |||||||||
.Nd control processes | .Nd control processes | |||||||||
.Sh LIBRARY | .Sh LIBRARY | |||||||||
.Lb libc | .Lb libc | |||||||||
.Sh SYNOPSIS | .Sh SYNOPSIS | |||||||||
The | The | |||||||||
.Fa data | .Fa data | |||||||||
parameter must point to the integer variable, where one of the | parameter must point to the integer variable, where one of the | |||||||||
following values is written: | following values is written: | |||||||||
.Bl -tag -width PROC_NO_NEW_PRIVS_DISABLE | .Bl -tag -width PROC_NO_NEW_PRIVS_DISABLE | |||||||||
.It Dv PROC_NO_NEW_PRIVS_ENABLE | .It Dv PROC_NO_NEW_PRIVS_ENABLE | |||||||||
.It Dv PROC_NO_NEW_PRIVS_DISABLE | .It Dv PROC_NO_NEW_PRIVS_DISABLE | |||||||||
.El | .El | |||||||||
.It Dv PROC_WXORX_CTL | ||||||||||
Controls the 'write exclusive against execution' permissions for the | ||||||||||
mappings in the process address space. | ||||||||||
It overrides the global settings established by the | ||||||||||
.Dv kern.elf{32/64}.allow_wx | ||||||||||
emaste: I'm concerned by the different sense of the two flags, WXORX being enabled is equivalent to allow_wx=0.
sysctl, | ||||||||||
and corresponding bit in the elf control note, see | ||||||||||
.Xr elfctl 1 . | ||||||||||
.Pp | ||||||||||
The | ||||||||||
.Fa data | ||||||||||
parameter must point to the integer variable holding one of the | ||||||||||
following values: | ||||||||||
.Bl -tag -width PROC_WXORX_ENABLE_ON_EXEC | ||||||||||
.It Dv PROC_WXORX_DISABLE | ||||||||||
Enable creation of mappings that have both write and execute | ||||||||||
emaste: this is why I desire positive sense flags (and why sysctl(9) recommends positive sense): this `*_DISABLE` flag enables something, which can be confusing
markj: This problem exists no matter what, it's just a question of what you're disabling: the mitigation, or the ability to create writeable, executable mappings. PROC_WXORX_DISABLE and PROC_WXORX_ENABLE_ON_EXEC both clearly refer to the mitigation. A more explicit naming scheme would be to have PROC_PERMIT_WX_MAPPINGS and PROC_PERMIT_WX_MAPPINGS_ON_EXEC or something similar. That is, instead of referring to the mitigation, refer to the underlying capability. I think I slightly prefer that approach since it's a bit clearer and agrees with the sysctl.
protection attributes, in the specified process' address space. | ||||||||||
.It Dv PROC_WXORX_ENABLE_ON_EXEC | ||||||||||
In the new address space created by | ||||||||||
.Xr execve 2 , | ||||||||||
disallow creation of mappings that have both write and execute | ||||||||||
emaste: and `*_ENABLE_*` prevents something
permissions. | ||||||||||
.El | .El | |||||||||
.Pp | ||||||||||
Once creation of writeable and executable mappings is allowed, | ||||||||||
it is impossible (and pointless) to disallow it. | ||||||||||
The only way to ensure the absence of such mappings after they | ||||||||||
were enabled in a given process, is to set the | ||||||||||
.Dv PROC_WXORX_ENABLE_ON_EXEC | ||||||||||
flag and | ||||||||||
.Xr execve 2 | ||||||||||
an image. | ||||||||||
.It Dv PROC_WXORX_STATUS | ||||||||||
Returns the current status of the 'write exclusive against execution' | ||||||||||
enforcement for the specified process. | ||||||||||
The | ||||||||||
.Dv data | ||||||||||
parameter must point to the integer variable, where one of the | ||||||||||
following values is written: | ||||||||||
.Bl -tag -width PROC_WXORX_ENABLE_ON_EXEC | ||||||||||
.It Dv PROC_WXORX_DISABLE | ||||||||||
Creation of simultaneously writable and executable mapping is permitted, | ||||||||||
otherwise the process cannot create such mappings. | ||||||||||
.It Dv PROC_WXORX_ENABLE_ON_EXEC | ||||||||||
After | ||||||||||
.Xr execve 2 , | ||||||||||
the new address space should disallow creation of simultaneously | ||||||||||
writable and executable mappings. | ||||||||||
.El | ||||||||||
.Pp | ||||||||||
Additionally, if the address space of the process disallows | ||||||||||
creation of simultaneously writable and executable mappings and | ||||||||||
it is guaranteed that no such mapping was created since address space | ||||||||||
creation, the | ||||||||||
.Dv PROC_WXORX_ENFORCE | ||||||||||
flag is set in the returned value. | ||||||||||
.El | ||||||||||
.Sh x86 MACHINE-SPECIFIC REQUESTS | .Sh x86 MACHINE-SPECIFIC REQUESTS | |||||||||
.Bl -tag -width PROC_KPTI_STATUS | .Bl -tag -width PROC_KPTI_STATUS | |||||||||
.It Dv PROC_KPTI_CTL | .It Dv PROC_KPTI_CTL | |||||||||
AMD64 only. | AMD64 only. | |||||||||
Controls the Kernel Page Table Isolation (KPTI) option for the children | Controls the Kernel Page Table Isolation (KPTI) option for the children | |||||||||
of the specified process. | of the specified process. | |||||||||
For the command to work, the | For the command to work, the | |||||||||
.Va vm.pmap.kpti | .Va vm.pmap.kpti | |||||||||
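Review bot: the PROC_WXORX_STATUS entry is internally inconsistent about what is written to `data`: it says "one of the following values is written", but the PROC_WXORX_DISABLE item ("otherwise the process cannot create such mappings") only makes sense if the absence of that flag is meaningful, and the trailing paragraph says PROC_WXORX_ENFORCE "is set in the returned value", so the status reads as a bitmask and should be documented as one ("a bitwise OR of the following flags is written"), with PROC_WXORX_ENFORCE listed alongside the other two. It should also say what a status with neither PROC_WXORX_DISABLE nor PROC_WXORX_ENFORCE set means, given that the PROC_WXORX_CTL text says a process that has once permitted writable and executable mappings cannot disallow them again. Smaller points in the same hunk: `.Dv data` under PROC_WXORX_STATUS should be `.Fa data`, as in the PROC_WXORX_CTL and PROC_NO_NEW_PRIVS text; the `kern.elf{32/64}.allow_wx` sysctl is marked `.Dv` while this page marks sysctls with `.Va` (cf. `.Va vm.pmap.kpti` in the KPTI entry); 'write exclusive against execution' uses ASCII quotes where mdoc's `.Dq` is the convention; and the spelling alternates between "writeable" (PROC_WXORX_CTL paragraph) and "writable" (PROC_WXORX_STATUS). Whichever naming scheme comes out of the inline discussion, the `.Bl -tag -width PROC_WXORX_ENABLE_ON_EXEC` widths in both lists must be updated to the longest new name.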
.Va PROC_KPTI_STATUS_ACTIVE | .Va PROC_KPTI_STATUS_ACTIVE | |||||||||
in case KPTI is active for the current address space of the process. | in case KPTI is active for the current address space of the process. | |||||||||
.Sh NOTES | .Sh NOTES | |||||||||
Disabling tracing on a process should not be considered a security | Disabling tracing on a process should not be considered a security | |||||||||
feature, as it is bypassable both by the kernel and privileged processes, | feature, as it is bypassable both by the kernel and privileged processes, | |||||||||
and via other system mechanisms. | and via other system mechanisms. | |||||||||
As such, it should not be utilized to reliably protect cryptographic | As such, it should not be utilized to reliably protect cryptographic | |||||||||
keying material or other confidential data. | keying material or other confidential data. | |||||||||
.Pp | ||||||||||
Note that processes can trivially bypass the 'no simultaneously | ||||||||||
writable and executable mappings' policy by first marking some mapping | ||||||||||
as writeable and write code to it, then removing write and adding | ||||||||||
execute permission. | ||||||||||
markj: I would perhaps s/like JIT// and add another sentence along the lines of, "This may be legitimately required by some programs, such as JIT compilers."
This may be legitimately required by some programs, such as JIT compilers. | ||||||||||
.Sh RETURN VALUES | .Sh RETURN VALUES | |||||||||
If an error occurs, a value of -1 is returned and | If an error occurs, a value of -1 is returned and | |||||||||
.Va errno | .Va errno | |||||||||
is set to indicate the error. | is set to indicate the error. | |||||||||
.Sh ERRORS | .Sh ERRORS | |||||||||
The | The | |||||||||
.Fn procctl | .Fn procctl | |||||||||
system call | system call | |||||||||
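Review bot: in the new NOTES paragraph, "by first marking some mapping as writeable and write code to it, then removing write and adding execute permission" has a parallelism error ("write code" should be "writing code") and uses "writeable" where the rest of the new text uses "writable". More substantively, "trivially bypass" misstates the scope of the control: the policy forbids a mapping that is writable and executable at the same time, and changing a mapping's protection from writable to executable with mprotect(2), or re-mapping it, is by design not covered, so a scope statement reads better than a bypass claim, for example "The policy does not prevent a process from writing code into a writable mapping and then changing its protection to executable with .Xr mprotect 2 ." Naming the call with `.Xr` also tells the reader which operation "marking" and "removing" permission refer to. The sentence suggested in the inline comment ("This may be legitimately required by some programs, such as JIT compilers.") is already present in the hunk.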