path: root/sys/kern/kern_procctl.c

Commit log (per entry: subject, author, age, files changed, lines -removed/+added)

* sys_procctl(): Make it clear that negative commands are invalid
  Author: Olivier Certner   Age: 2024-04-29   Files: 1   Lines: -1/+1

  An initial reading of the preamble of sys_procctl() gives the impression
  that no test prevents a malicious user from passing a negative commands
  index (in 'uap->com'), which is soon used as an index into the static
  array procctl_cmds_info[].

  However, a closer examination leads to the conclusion that the existing
  code is technically correct. Indeed, the comparison of 'uap->com' to the
  nitems() expression, which expands to a ratio of sizeof(), leads to a
  conversion of 'uap->com' to an 'unsigned int' as per Usual Arithmetic
  Conversions/Integer Promotions applied by '<=', because sizeof() returns
  'size_t' values, and we define 'size_t' as an equivalent of 'unsigned
  int' (which is not mandated by the standard, the latter allowing, e.g.,
  integers of lower ranks). With this conversion, negative values of
  'uap->com' are automatically ruled out since they are converted to very
  big unsigned integers which are caught by the test. An analysis of
  assembly code produced by LLVM 16 on amd64 and practical tests confirm
  that no exploitation is possible.

  However, the guard code as written is misleading to readers and might
  trip up static analysis tools. Make sure that negative values are
  explicitly excluded so that it is immediately clear that EINVAL will be
  returned in this case.

  Build tested with clang 16 and GCC 12.

  Approved by:    markj (mentor)
  MFC after:      1 week
  Sponsored by:   The FreeBSD Foundation

  (cherry picked from commit afc10f8bba3dd293a66461aaca41237c986b6ca7)

  Approved by:    emaste (mentor)
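
The type-promotion argument in the commit message above, reproduced on a small stand-in table. This is an added illustration, not FreeBSD code: `cmds_info[]` is a constructed stand-in for `procctl_cmds_info[]`, the guard shapes are hypothetical rather than copied from the kernel, and `nitems()` is written out as the `sizeof()` ratio the message refers to. It shows that the implicit comparison against a `size_t` does reject a negative command, that the explicit `com < 0` form says so directly, and that the implicit form stops working the moment the count becomes a signed constant.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not FreeBSD source. It demonstrates the usual arithmetic
 * conversions argument from the commit message on a constructed table.
 */

/* nitems() as defined in FreeBSD's sys/param.h; the result has type size_t. */
#define nitems(x) (sizeof((x)) / sizeof((x)[0]))

/* Constructed stand-in for procctl_cmds_info[]: four valid commands. */
static const char *const cmds_info[] = { "cmd0", "cmd1", "cmd2", "cmd3" };

/*
 * Guard shaped like the pre-change code: the signed 'com' is compared
 * directly against nitems(). The usual arithmetic conversions turn 'com'
 * into size_t, so -1 becomes SIZE_MAX and fails the test. Correct, but only
 * because of the conversion, and -Wsign-compare flags the line.
 * Returns 0 when 'com' is accepted, EINVAL when it is rejected.
 */
int implicit_guard(int com)
{
    if (com >= nitems(cmds_info))
        return EINVAL;
    return 0;
}

/* Guard with the negative case spelled out: the intent is visible at a glance. */
int explicit_guard(int com)
{
    if (com < 0 || (size_t)com >= nitems(cmds_info))
        return EINVAL;
    return 0;
}

/*
 * The same shape compared against a signed count, as a refactor replacing
 * nitems() with a plain int constant might do. No conversion to unsigned
 * happens, so a negative 'com' is accepted and would be used as an index.
 * (Only the verdict is computed here; no array access is performed.)
 */
int signed_count_guard(int com)
{
    const int ncmds = (int)nitems(cmds_info);
    if (com >= ncmds)
        return EINVAL;
    return 0;
}

/* Table lookup behind the explicit guard; NULL for any rejected command. */
const char *cmd_name(int com)
{
    if (explicit_guard(com) != 0)
        return NULL;
    return cmds_info[com];
}

int main(void)
{
    const int probes[] = { -1, 0, 3, 4 };
    for (size_t i = 0; i < nitems(probes); i++) {
        int com = probes[i];
        printf("com=%2d implicit=%s explicit=%s signed_count=%s name=%s\n",
            com,
            implicit_guard(com) == 0 ? "accept" : "EINVAL",
            explicit_guard(com) == 0 ? "accept" : "EINVAL",
            signed_count_guard(com) == 0 ? "accept" : "EINVAL",
            cmd_name(com) != NULL ? cmd_name(com) : "(none)");
    }
    return 0;
}
```

Running it shows `-1` rejected by the first two guards but accepted by `signed_count_guard`, which is the reviewer's concern in practice: the implicit form is correct only while the right-hand side stays unsigned, and neither a reader nor a static analyser can tell that from the line itself.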

* sys: Remove $FreeBSD$: one-line .c pattern
  Author: Warner Losh   Age: 2023-08-23   Files: 1   Lines: -2/+0

  Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

  Similar commit in current:
  (cherry picked from commit 685dc743dc3b)

* reapkill: handle possible pid reuse after the pid was recorded as signalled
  Author: Konstantin Belousov   Age: 2023-06-05   Files: 1   Lines: -1/+35

  (cherry picked from commit 8164032a495b53b9176814f7b08e093961fabdca)

* procctl: add state flags to PROC_REAP_GETPIDS reports
  Author: Val Packett   Age: 2023-04-23   Files: 1   Lines: -0/+6

  (cherry picked from commit 77f0e198d9134b6ca2650d3a84d7db2d786ec0c0)

* Remove struct proc p_singlethr member
  Author: Konstantin Belousov   Age: 2022-09-03   Files: 1   Lines: -6/+0

  (cherry picked from commit 5e5675cb4bfa80b6026b5c781d6fa2cc9254468f)

* REAP_KILL_PROC: kill processes in the threaded taskqueue context
  Author: Konstantin Belousov   Age: 2022-09-03   Files: 1   Lines: -59/+124

  (cherry picked from commit 2842ec6d99ce3590eabb34d23eff5b0fed24eb98)

* reap_kill_proc_locked(): remove outdated part of the comment
  Author: Konstantin Belousov   Age: 2022-08-22   Files: 1   Lines: -4/+0

  (cherry picked from commit 5c78797e42497270d8719590d11243a4473114c4)

* reap_kill_proc(): avoid singlethreading any other process if we are exiting
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -0/+1

  Tested by:      pho (whole series MFC)

  (cherry picked from commit 1575804961d2ba1768c9a6b28438d364421718f3)

* reap_kill_subtree(): hold the reaper when entering it into the queue to handle later
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -2/+16

  (cherry picked from commit e0343eacf36588bf503c7a59c0cc436294223839)

* reap_kill_subtree_once(): handle proctree_lock unlock in reap_kill_proc()
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -1/+13

  (cherry picked from commit 1d4abf2cfa6e71f4e29ab1f1a6d366d11f3d6027)

* reap_kill_proc: do not retry on thread_single() failure
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -21/+10

  (cherry picked from commit addf103ce6b38583762bcb066f6ac3b160e826bb)

* Make stop_all_proc_block interruptible to avoid deadlock with parallel suspension
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -2/+2

  (cherry picked from commit 008b2e65442a0d65bc5be9ca625616ddfa6f9ce2)

* Do not single-thread itself when the process single-threaded some other process
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -0/+13

  (cherry picked from commit 4493a13e3bfbbdf8488993843281ec688057ee0f)

* P2_WEXIT: avoid thread_single() for exiting process earlier
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -1/+1

  (cherry picked from commit d3000939c7b94fc887f23dd8946861cf0fa1b73b)

* Fix another race between fork(2) and PROC_REAP_KILL subtree
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -14/+87

  (cherry picked from commit 709783373e57069cc014019a14a806b580e1d62f)

* Fix a race between fork(2) and PROC_REAP_KILL subtree
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -4/+30

  (cherry picked from commit 39794d80ad900915e5c4940e9917ba5cb59a8634)

* kern_procctl: add possibility to take stop_all_proc_block() around exec
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -1/+22

  (cherry picked from commit d1df34736888f43e8fe1cdc460eac134d625c777)

* reap_kill(): split children and subtree killers into helpers
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -27/+44

  (cherry picked from commit 54a11adbd9c2b1fa9b42181ac883ed6ed2a6998c)

* reap_kill(): rename the reap variable to reaper
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -5/+5

  (cherry picked from commit 134529b11b5343aed09e220b49147873d052e4bf)

* reap_kill(): de-inline LIST_FOREACH(), twice
  Author: Konstantin Belousov   Age: 2022-06-24   Files: 1   Lines: -4/+3

  (cherry picked from commit e4ce431e2a0255751fee0ad14b08bd006759ce4f)

* procctl: stop using SA_*LOCKED, define local enum
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -26/+36

  (cherry picked from commit c7f38a2df1f0d15346f4405407d89365f6ae3fe1)

* kern_procctl: skip zombies for process group operations
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -2/+4

  (cherry picked from commit 49db81aa053beb131ba9dbf5519a5f0eacf28265)

* kern_procctl.c: use td->td_proc instead of curproc
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -2/+2

  (cherry picked from commit 3692877a6cf8fc374349f3d9b2cbb190fec484a0)

* procctl: actually require debug privileges over target
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -7/+7

  (cherry picked from commit f5bb6e5a6d488740e451ad4acd82a70b95e786cd)

* procctl: make it possible to specify that some operations require debug privilege over the target
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -2/+27

  (cherry picked from commit 1c4dbee5dd224c08241c0922ff577bb226171e81)

* sys_procctl(): zero the data buffer once, on syscall entry
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -1/+2

  (cherry picked from commit 32026f5983ed00e64829f8c20b09748077809729)

* sys_procctl(): use table data to do copyin/copyout
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -122/+88

  (cherry picked from commit 56d5323b4d7d9ccbe1ca3e620400afd165519a12)

* kern_procctl_single(): convert to use table data
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -106/+114

  (cherry picked from commit 68dc5b381a29aaa418064324519105a8c2a4a080)

* procctl: convert PDEATHSIG_CTL/STATUS to regular kern_procctl_single() cases
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -45/+69

  (cherry picked from commit 34f39a8c0e2a4100837eb406ae24a7d6a357d696)

* procctl(2): add consistent shortcut P_ID:0 as curproc
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -5/+11

  (cherry picked from commit f833ab9dd187328306fa1601330fbc8332392abe)

* kern_procctl(): convert the function to be table-driven
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -54/+69

  (cherry picked from commit 7ae879b14a2086df521c59c4a379d3a072e08bc6)

* sys_procctl(2): remove sysproto and argused
  Author: Konstantin Belousov   Age: 2021-10-26   Files: 1   Lines: -9/+0

  (cherry picked from commit 31faa565edea908a8caf71cc6783066c02fd6844)

* procctl(2): Add PROC_WXMAP_CTL/STATUS
  Author: Konstantin Belousov   Age: 2021-09-24   Files: 1   Lines: -0/+76

  (cherry picked from commit 796a8e1ad1ae3f7b8e4c9f97bebbef5d7d5a2c16)

* procctl(2): add PROC_NO_NEW_PRIVS_CTL, PROC_NO_NEW_PRIVS_STATUS
  Author: Edward Tomasz Napierala   Age: 2021-09-24   Files: 1   Lines: -0/+32

  (cherry picked from commit db8d680ebe9b12c7d9e0eb8bf9940fcef709f5ec)

* procctl(PROC_ASLR_STATUS): fix vmspace leak
  Author: Konstantin Belousov   Age: 2021-07-18   Files: 1   Lines: -2/+3

  (cherry picked from commit 0bdb2cbf9d7c4366a0668b4563c8630538a50086)

* correct procctl(PROC_PROTMAX_STATUS _NOFORCE return
  Author: Ed Maste   Age: 2020-05-01   Files: 1   Lines: -1/+1

  Previously procctl(PROC_PROTMAX_STATUS, ... used the PROC_ASLR_NOFORCE
  macro for the "system-wide configured policy" status, instead of
  PROC_PROTMAX_NOFORCE. They both have a value of 3, so no functional
  change.

  Sponsored by:   The FreeBSD Foundation

  Notes: svn path=/head/; revision=360535

* Add procctl(PROC_STACKGAP_CTL)
  Author: Konstantin Belousov   Age: 2019-09-03   Files: 1   Lines: -0/+60

  It allows a process to request that the stack gap not be applied to its
  stacks, retroactively. Also it is possible to control the gaps in the
  process after exec.

  PR:             239894
  Reviewed by:    alc
  Sponsored by:   The FreeBSD Foundation
  Differential revision:  https://reviews.freebsd.org/D21352

  Notes: svn path=/head/; revision=351773

* Control implicit PROT_MAX() using procctl(2) and the FreeBSD note feature bit.
  Author: Konstantin Belousov   Age: 2019-07-02   Files: 1   Lines: -0/+57

  In particular, allocate the bit to opt-out the image from implicit
  PROTMAX enablement. Provide procctl(2) verbs to set and query implicit
  PROTMAX handling. The knobs mimic the same per-image flag and
  per-process controls for ASLR.

  Reviewed by:    emaste, markj (previous version)
  Discussed with: brooks
  Sponsored by:   The FreeBSD Foundation
  Differential revision:  https://reviews.freebsd.org/D20795

  Notes: svn path=/head/; revision=349609

* amd64 KPTI: add control from procctl(2).
  Author: Konstantin Belousov   Age: 2019-03-16   Files: 1   Lines: -0/+4

  Add the infrastructure to allow MD procctl(2) commands, and use it to
  introduce amd64 PTI control and reporting. PTI mode cannot be modified
  for existing pmap, the knob controls PTI of the new vmspace created on
  exec.

  Requested by:   jhb
  Reviewed by:    jhb, markj (previous version)
  Tested by:      pho
  Sponsored by:   The FreeBSD Foundation
  MFC after:      1 week
  Differential revision:  https://reviews.freebsd.org/D19514

  Notes: svn path=/head/; revision=345228

* Implement Address Space Layout Randomization (ASLR)
  Author: Konstantin Belousov   Age: 2019-02-10   Files: 1   Lines: -0/+72

  With this change, randomization can be enabled for all non-fixed
  mappings. It means that the base address for the mapping is selected
  with a guaranteed amount of entropy (bits). If the mapping was requested
  to be superpage aligned, the randomization honours the superpage
  attributes.

  Although the value of ASLR is diminishing over time as exploit authors
  work out simple ASLR bypass techniques, it eliminates the trivial
  exploitation of certain vulnerabilities, at least in theory. This
  implementation is relatively small and happens at the correct
  architectural level. Also, it is not expected to introduce regressions
  in existing cases when turned off (default for now), or cause any
  significant maintenance burden.

  The randomization is done on a best-effort basis - that is, the
  allocator falls back to a first fit strategy if fragmentation prevents
  entropy injection. It is trivial to implement a strong mode where
  failure to guarantee the requested amount of entropy results in mapping
  request failure, but I do not consider that to be usable.

  I have not fine-tuned the amount of entropy injected right now. It is
  only a quantitative change that will not change the implementation. The
  current amount is controlled by aslr_pages_rnd.

  To not spoil coalescing optimizations, to reduce the page table
  fragmentation inherent to ASLR, and to keep the transient superpage
  promotion for the malloced memory, locality clustering is implemented
  for anonymous private mappings, which are automatically grouped until
  fragmentation kicks in. The initial location for the anon group range
  is, of course, randomized. This is controlled by vm.cluster_anon,
  enabled by default.

  The default mode keeps the sbrk area unpopulated by other mappings, but
  this can be turned off, which gives much more breathing bits on
  architectures with small address space, such as i386. This is tied with
  the question of following an application's hint about the mmap(2) base
  address. Testing shows that ignoring the hint does not affect the
  function of common applications, but I would expect more demanding code
  could break. By default sbrk is preserved and mmap hints are satisfied,
  which can be changed by using the kern.elf{32,64}.aslr.honor_sbrk
  sysctl.

  ASLR is enabled on per-ABI basis, and currently it is only allowed on
  FreeBSD native i386 and amd64 (including compat 32bit) ABIs. Support for
  additional architectures will be added after further testing.

  Both per-process and per-image controls are implemented:
  - procctl(2) adds PROC_ASLR_CTL/PROC_ASLR_STATUS;
  - NT_FREEBSD_FCTL_ASLR_DISABLE feature control note bit makes it
    possible to force ASLR off for the given binary. (A tool to edit the
    feature control note is in development.)

  Global controls are:
  - kern.elf{32,64}.aslr.enable - for non-fixed mappings done by mmap(2);
  - kern.elf{32,64}.aslr.pie_enable - for PIE image activation mappings;
  - kern.elf{32,64}.aslr.honor_sbrk - allow to use sbrk area for mmap(2);
  - vm.cluster_anon - enables anon mapping clustering.

  PR:             208580 (exp runs)
  Exp-runs done by:       antoine
  Reviewed by:    markj (previous version)
  Discussed with: emaste
  Tested by:      pho
  MFC after:      1 month
  Sponsored by:   The FreeBSD Foundation
  Differential revision:  https://reviews.freebsd.org/D5603

  Notes: svn path=/head/; revision=343964

* Rename PROC_PDEATHSIG_SET -> PROC_PDEATHSIG_CTL and PROC_PDEATHSIG_GET -> PROC_PDEATHSIG_STATUS
  Author: Konstantin Belousov   Age: 2018-04-20   Files: 1   Lines: -7/+7

  Renamed for consistency with other procctl(2) operations names.

  Requested by:   emaste
  Sponsored by:   The FreeBSD Foundation
  MFC after:      13 days

  Notes: svn path=/head/; revision=332825

* Add PROC_PDEATHSIG_SET to procctl interface.
  Author: Konstantin Belousov   Age: 2018-04-18   Files: 1   Lines: -1/+38

  Allow processes to request the delivery of a signal upon death of their
  parent process. Supposed consumer of the feature is PostgreSQL.

  Submitted by:   Thomas Munro
  Reviewed by:    jilles, mjg
  MFC after:      2 weeks
  Differential revision:  https://reviews.freebsd.org/D15106

  Notes: svn path=/head/; revision=332740

* Kill all descendants of the reaper, even if they are descendants of a subordinate reaper.
  Author: Konstantin Belousov   Age: 2017-11-23   Files: 1   Lines: -23/+72

  Also, mark reapers when listing pids.

  Reported by:    Michael Zuo <muh.muhten@gmail.com>
  PR:             223745
  Reviewed by:    bapt
  Sponsored by:   The FreeBSD Foundation
  MFC after:      1 week
  Differential revision:  https://reviews.freebsd.org/D13183

  Notes: svn path=/head/; revision=326122

* reaper: Make REAPER_KILL_SUBTREE actually work.
  Author: Jilles Tjoelker   Age: 2016-12-14   Files: 1   Lines: -1/+1

  MFC after:      2 weeks

  Notes: svn path=/head/; revision=310096

* Add the foundation copyrights to procctl kernel sources.
  Author: Konstantin Belousov   Age: 2016-09-23   Files: 1   Lines: -1/+1

  Sponsored by:   The FreeBSD Foundation
  MFC after:      1 week

  Notes: svn path=/head/; revision=306260

* Add PROC_TRAPCAP procctl(2) controls and global sysctl kern.trap_enocap.
  Author: Konstantin Belousov   Age: 2016-09-21   Files: 1   Lines: -0/+38

  Both can be used to cause processes in capability mode to receive
  SIGTRAP when ENOTCAPABLE or ECAPMODE errors are returned from syscalls.

  Idea by:        emaste
  Reviewed by:    oshogbo (previous version), emaste
  Sponsored by:   The FreeBSD Foundation
  MFC after:      1 week
  Differential revision:  https://reviews.freebsd.org/D7965

  Notes: svn path=/head/; revision=306081

* If process becomes reaper (procctl(PROC_REAP_ACQUIRE)) while already having some children, the children's reaper is not reset to the parent.
  Author: Konstantin Belousov   Age: 2015-08-20   Files: 1   Lines: -2/+0

  This allows for the situation where reaper has children but not
  descendants and the too strict asserts in the reap_status() fire.
  Remove the wrong asserts, add some clarification for the situation to
  the procctl(2) REAP_STATUS.

  Reported and tested by: feld
  Sponsored by:   The FreeBSD Foundation
  MFC after:      1 week

  Notes: svn path=/head/; revision=286975

* Reparenting done by debugger attach can leave reaper without direct children.
  Author: Konstantin Belousov   Age: 2015-02-15   Files: 1   Lines: -3/+5

  Handle the situation instead of asserting that it is impossible.

  Reported and tested by: emaste
  Sponsored by:   The FreeBSD Foundation
  MFC after:      3 days

  Notes: svn path=/head/; revision=278795

* Return with the process locked, caller expects p still locked after the call.
  Author: Konstantin Belousov   Age: 2015-02-15   Files: 1   Lines: -1/+1

  Reported and tested by: bapt
  Sponsored by:   The FreeBSD Foundation
  MFC after:      3 days

  Notes: svn path=/head/; revision=278794

* Add procctl(2) PROC_TRACE_CTL command to enable or disable debugger attachment to the process.
  Author: Konstantin Belousov   Age: 2015-01-18   Files: 1   Lines: -1/+78

  Note that the command is not intended to be a security measure, rather
  it is an obfuscation feature, implemented for parity with other
  operating systems.

  Discussed with: jilles, rwatson
  Man page fixes by:      rwatson
  Sponsored by:   The FreeBSD Foundation
  MFC after:      1 week

  Notes: svn path=/head/; revision=277322
| | | | | | | | | | | | | | attachment to the process. Note that the command is not intended to be a security measure, rather it is an obfuscation feature, implemented for parity with other operating systems. Discussed with: jilles, rwatson Man page fixes by: rwatson Sponsored by: The FreeBSD Foundation MFC after: 1 week Notes: svn path=/head/; revision=277322