One last thing before I commit this version. I'm trying to decide if I care about being able to detect PROT_MAX(PROT_NONE) and mostly leaning towards "no, use MAP_GUARD instead". Any alternative views?

In D18880#447385, @emaste wrote:

Interesting, NetBSD has a related change from 2017: https://github.com/NetBSD/src/commit/6508f5143a1028fc68b4de2151c3a33f65eece53
They list "extra" perms that may be added later rather than the full list.

Example from their test case: map = mmap(NULL, page, PROT_MPROTECT(PROT_EXEC)|PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);

As far as I can tell there's only one non-test use in the NetBSD base system userland:

external/bsd/llvm/dist/llvm/lib/Support/Unix/Memory.inc
110:#if defined(__NetBSD__) && defined(PROT_MPROTECT)
111:  Protect |= PROT_MPROTECT(PROT_READ | PROT_WRITE | PROT_EXEC);

In D18880#446910, @alc wrote:

Are the "max protection" semantics what you would wish for or just convenient to implement? Do you have further extensions in mind, for example, don't allow deallocation of a region until address space termination?

• Make 'values' plural here.
• Grammer fixes from @alc.
• Document EINVAL when (prot & max_prot) != prot.
• Drop an assertion that is wrong when CAPABILITIES is no defined.

• Document new error case in mprotect(2).
• No period at the end of sysctl description.
• Verify that prot isn't larger than max_prot.
• Avoid the need for a goto in mmprotect().
• Add a KASSERT that cap_maxprot is contained in max_prot.

• Fix cut-n-pasto
• Add a check that no invalid prot flags have been passed.

In D18880#446473, @emaste wrote:

*** Check failed: /root/freebsd/tests/sys/vm/mmap_test.c:107: MAP_ANON with extra PROT flags succeeded
*** Check failed: /root/freebsd/tests/sys/vm/mmap_test.c:107: shm fd with garbage PROT succeeded

I'll start on updating the tests for this change, but as it is initially disabled by default (after correcting the copy-pasteo, at least) IMO it can go in now.

• Fix a typo resulting in unbootable systems.
• Don't imply max_prot when prot is PROT_NONE.

• Add some minimal docs for PROT_MAX.

• Simplify setting initial max_prot.
• style(9): spaces around '|'s.

The latest diff simplifies the whole change to add a sysctl to enable implying PROT_MAX system wide. I've also added mprotect() support. The current code compiles, but is untested.

• Move the EXTRACT macros into the PROT_ namespace.
• Make implying PROT_MAX values conditional on a sysctl.
• Allow mprotect() to set maximum protections.

• Use ${.CURDIR} instead of ".".

One commit is fine. Any revert except of the xe(4) removal will conflict on this file anyway.

It looks like there's a missing pkg-plist update. When I build under poudriere I get:

There are some other mentions, but most seem to be docs that haven't been updated in some time.

The pull request has been updated to not remove ae(4).

In D20230#435945, @jhb wrote:

Just don't forget 'Relnotes: yes' on each commit? (I assume you were planning to do that but didn't see it in my spot check of a GitHub commit log)

universe kernel's build (except for a few with unrelated errors) and amd64, i386, and powerpc universe builds.

LGTM

Since this is a new file, you might want to consider formatting it in the new, more readable style used in sys/kern/syscalls.master.

This generally looks good to me.

We can certainly delay removal if this is a significant loss. I didn't see this one since it's hard to see dependencies on platforms I don't run.

I confirm that I see no uses.