1 /*- 2 * Copyright (c) 2014 John Baldwin 3 * Copyright (c) 2014, 2016 The FreeBSD Foundation 4 * 5 * Portions of this software were developed by Konstantin Belousov 6 * under sponsorship from the FreeBSD Foundation. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 #include <sys/param.h> 31 #include <sys/_unrhdr.h> 32 #include <sys/systm.h> 33 #include <sys/capsicum.h> 34 #include <sys/lock.h> 35 #include <sys/mman.h> 36 #include <sys/mutex.h> 37 #include <sys/priv.h> 38 #include <sys/proc.h> 39 #include <sys/procctl.h> 40 #include <sys/sx.h> 41 #include <sys/syscallsubr.h> 42 #include <sys/sysproto.h> 43 #include <sys/taskqueue.h> 44 #include <sys/wait.h> 45 46 #include <vm/vm.h> 47 #include <vm/pmap.h> 48 #include <vm/vm_map.h> 49 #include <vm/vm_extern.h> 50 51 static int 52 protect_setchild(struct thread *td, struct proc *p, int flags) 53 { 54 55 PROC_LOCK_ASSERT(p, MA_OWNED); 56 if (p->p_flag & P_SYSTEM || p_cansched(td, p) != 0) 57 return (0); 58 if (flags & PPROT_SET) { 59 p->p_flag |= P_PROTECTED; 60 if (flags & PPROT_INHERIT) 61 p->p_flag2 |= P2_INHERIT_PROTECTED; 62 } else { 63 p->p_flag &= ~P_PROTECTED; 64 p->p_flag2 &= ~P2_INHERIT_PROTECTED; 65 } 66 return (1); 67 } 68 69 static int 70 protect_setchildren(struct thread *td, struct proc *top, int flags) 71 { 72 struct proc *p; 73 int ret; 74 75 p = top; 76 ret = 0; 77 sx_assert(&proctree_lock, SX_LOCKED); 78 for (;;) { 79 ret |= protect_setchild(td, p, flags); 80 PROC_UNLOCK(p); 81 /* 82 * If this process has children, descend to them next, 83 * otherwise do any siblings, and if done with this level, 84 * follow back up the tree (but not past top). 85 */ 86 if (!LIST_EMPTY(&p->p_children)) 87 p = LIST_FIRST(&p->p_children); 88 else for (;;) { 89 if (p == top) { 90 PROC_LOCK(p); 91 return (ret); 92 } 93 if (LIST_NEXT(p, p_sibling)) { 94 p = LIST_NEXT(p, p_sibling); 95 break; 96 } 97 p = p->p_pptr; 98 } 99 PROC_LOCK(p); 100 } 101 } 102 103 static int 104 protect_set(struct thread *td, struct proc *p, void *data) 105 { 106 int error, flags, ret; 107 108 flags = *(int *)data; 109 switch (PPROT_OP(flags)) { 110 case PPROT_SET: 111 case PPROT_CLEAR: 112 break; 113 default: 114 return (EINVAL); 115 } 116 117 if ((PPROT_FLAGS(flags) & ~(PPROT_DESCEND | PPROT_INHERIT)) != 0) 118 return (EINVAL); 119 120 error = priv_check(td, PRIV_VM_MADV_PROTECT); 121 if (error) 122 return (error); 123 124 if (flags & PPROT_DESCEND) 125 ret = protect_setchildren(td, p, flags); 126 else 127 ret = protect_setchild(td, p, flags); 128 if (ret == 0) 129 return (EPERM); 130 return (0); 131 } 132 133 static int 134 reap_acquire(struct thread *td, struct proc *p, void *data __unused) 135 { 136 137 sx_assert(&proctree_lock, SX_XLOCKED); 138 if (p != td->td_proc) 139 return (EPERM); 140 if ((p->p_treeflag & P_TREE_REAPER) != 0) 141 return (EBUSY); 142 p->p_treeflag |= P_TREE_REAPER; 143 /* 144 * We do not reattach existing children and the whole tree 145 * under them to us, since p->p_reaper already seen them. 146 */ 147 return (0); 148 } 149 150 static int 151 reap_release(struct thread *td, struct proc *p, void *data __unused) 152 { 153 154 sx_assert(&proctree_lock, SX_XLOCKED); 155 if (p != td->td_proc) 156 return (EPERM); 157 if (p == initproc) 158 return (EINVAL); 159 if ((p->p_treeflag & P_TREE_REAPER) == 0) 160 return (EINVAL); 161 reaper_abandon_children(p, false); 162 return (0); 163 } 164 165 static int 166 reap_status(struct thread *td, struct proc *p, void *data) 167 { 168 struct proc *reap, *p2, *first_p; 169 struct procctl_reaper_status *rs; 170 171 rs = data; 172 sx_assert(&proctree_lock, SX_LOCKED); 173 if ((p->p_treeflag & P_TREE_REAPER) == 0) { 174 reap = p->p_reaper; 175 } else { 176 reap = p; 177 rs->rs_flags |= REAPER_STATUS_OWNED; 178 } 179 if (reap == initproc) 180 rs->rs_flags |= REAPER_STATUS_REALINIT; 181 rs->rs_reaper = reap->p_pid; 182 rs->rs_descendants = 0; 183 rs->rs_children = 0; 184 if (!LIST_EMPTY(&reap->p_reaplist)) { 185 first_p = LIST_FIRST(&reap->p_children); 186 if (first_p == NULL) 187 first_p = LIST_FIRST(&reap->p_reaplist); 188 rs->rs_pid = first_p->p_pid; 189 LIST_FOREACH(p2, &reap->p_reaplist, p_reapsibling) { 190 if (proc_realparent(p2) == reap) 191 rs->rs_children++; 192 rs->rs_descendants++; 193 } 194 } else { 195 rs->rs_pid = -1; 196 } 197 return (0); 198 } 199 200 static int 201 reap_getpids(struct thread *td, struct proc *p, void *data) 202 { 203 struct proc *reap, *p2; 204 struct procctl_reaper_pidinfo *pi, *pip; 205 struct procctl_reaper_pids *rp; 206 u_int i, n; 207 int error; 208 209 rp = data; 210 sx_assert(&proctree_lock, SX_LOCKED); 211 PROC_UNLOCK(p); 212 reap = (p->p_treeflag & P_TREE_REAPER) == 0 ? p->p_reaper : p; 213 n = i = 0; 214 error = 0; 215 LIST_FOREACH(p2, &reap->p_reaplist, p_reapsibling) 216 n++; 217 sx_unlock(&proctree_lock); 218 if (rp->rp_count < n) 219 n = rp->rp_count; 220 pi = malloc(n * sizeof(*pi), M_TEMP, M_WAITOK); 221 sx_slock(&proctree_lock); 222 LIST_FOREACH(p2, &reap->p_reaplist, p_reapsibling) { 223 if (i == n) 224 break; 225 pip = &pi[i]; 226 bzero(pip, sizeof(*pip)); 227 pip->pi_pid = p2->p_pid; 228 pip->pi_subtree = p2->p_reapsubtree; 229 pip->pi_flags = REAPER_PIDINFO_VALID; 230 if (proc_realparent(p2) == reap) 231 pip->pi_flags |= REAPER_PIDINFO_CHILD; 232 if ((p2->p_treeflag & P_TREE_REAPER) != 0) 233 pip->pi_flags |= REAPER_PIDINFO_REAPER; 234 if ((p2->p_flag & P_STOPPED) != 0) 235 pip->pi_flags |= REAPER_PIDINFO_STOPPED; 236 if (p2->p_state == PRS_ZOMBIE) 237 pip->pi_flags |= REAPER_PIDINFO_ZOMBIE; 238 else if ((p2->p_flag & P_WEXIT) != 0) 239 pip->pi_flags |= REAPER_PIDINFO_EXITING; 240 i++; 241 } 242 sx_sunlock(&proctree_lock); 243 error = copyout(pi, rp->rp_pids, i * sizeof(*pi)); 244 free(pi, M_TEMP); 245 sx_slock(&proctree_lock); 246 PROC_LOCK(p); 247 return (error); 248 } 249 250 struct reap_kill_proc_work { 251 struct ucred *cr; 252 struct proc *target; 253 ksiginfo_t *ksi; 254 struct procctl_reaper_kill *rk; 255 int *error; 256 struct task t; 257 }; 258 259 static void 260 reap_kill_proc_locked(struct reap_kill_proc_work *w) 261 { 262 int error1; 263 bool need_stop; 264 265 PROC_LOCK_ASSERT(w->target, MA_OWNED); 266 PROC_ASSERT_HELD(w->target); 267 268 error1 = cr_cansignal(w->cr, w->target, w->rk->rk_sig); 269 if (error1 != 0) { 270 if (*w->error == ESRCH) { 271 w->rk->rk_fpid = w->target->p_pid; 272 *w->error = error1; 273 } 274 return; 275 } 276 277 /* 278 * The need_stop indicates if the target process needs to be 279 * suspended before being signalled. This is needed when we 280 * guarantee that all processes in subtree are signalled, 281 * avoiding the race with some process not yet fully linked 282 * into all structures during fork, ignored by iterator, and 283 * then escaping signalling. 284 * 285 * The thread cannot usefully stop itself anyway, and if other 286 * thread of the current process forks while the current 287 * thread signals the whole subtree, it is an application 288 * race. 289 */ 290 if ((w->target->p_flag & (P_KPROC | P_SYSTEM | P_STOPPED)) == 0) 291 need_stop = thread_single(w->target, SINGLE_ALLPROC) == 0; 292 else 293 need_stop = false; 294 295 (void)pksignal(w->target, w->rk->rk_sig, w->ksi); 296 w->rk->rk_killed++; 297 *w->error = error1; 298 299 if (need_stop) 300 thread_single_end(w->target, SINGLE_ALLPROC); 301 } 302 303 static void 304 reap_kill_proc_work(void *arg, int pending __unused) 305 { 306 struct reap_kill_proc_work *w; 307 308 w = arg; 309 PROC_LOCK(w->target); 310 if ((w->target->p_flag2 & P2_WEXIT) == 0) 311 reap_kill_proc_locked(w); 312 PROC_UNLOCK(w->target); 313 314 sx_xlock(&proctree_lock); 315 w->target = NULL; 316 wakeup(&w->target); 317 sx_xunlock(&proctree_lock); 318 } 319 320 struct reap_kill_tracker { 321 struct proc *parent; 322 TAILQ_ENTRY(reap_kill_tracker) link; 323 }; 324 325 TAILQ_HEAD(reap_kill_tracker_head, reap_kill_tracker); 326 327 static void 328 reap_kill_sched(struct reap_kill_tracker_head *tracker, struct proc *p2) 329 { 330 struct reap_kill_tracker *t; 331 332 PROC_LOCK(p2); 333 if ((p2->p_flag2 & P2_WEXIT) != 0) { 334 PROC_UNLOCK(p2); 335 return; 336 } 337 _PHOLD_LITE(p2); 338 PROC_UNLOCK(p2); 339 t = malloc(sizeof(struct reap_kill_tracker), M_TEMP, M_WAITOK); 340 t->parent = p2; 341 TAILQ_INSERT_TAIL(tracker, t, link); 342 } 343 344 static void 345 reap_kill_sched_free(struct reap_kill_tracker *t) 346 { 347 PRELE(t->parent); 348 free(t, M_TEMP); 349 } 350 351 static void 352 reap_kill_children(struct thread *td, struct proc *reaper, 353 struct procctl_reaper_kill *rk, ksiginfo_t *ksi, int *error) 354 { 355 struct proc *p2; 356 int error1; 357 358 LIST_FOREACH(p2, &reaper->p_children, p_sibling) { 359 PROC_LOCK(p2); 360 if ((p2->p_flag2 & P2_WEXIT) == 0) { 361 error1 = p_cansignal(td, p2, rk->rk_sig); 362 if (error1 != 0) { 363 if (*error == ESRCH) { 364 rk->rk_fpid = p2->p_pid; 365 *error = error1; 366 } 367 368 /* 369 * Do not end the loop on error, 370 * signal everything we can. 371 */ 372 } else { 373 (void)pksignal(p2, rk->rk_sig, ksi); 374 rk->rk_killed++; 375 } 376 } 377 PROC_UNLOCK(p2); 378 } 379 } 380 381 static bool 382 reap_kill_subtree_once(struct thread *td, struct proc *p, struct proc *reaper, 383 struct unrhdr *pids, struct reap_kill_proc_work *w) 384 { 385 struct reap_kill_tracker_head tracker; 386 struct reap_kill_tracker *t; 387 struct proc *p2; 388 int r, xlocked; 389 bool res, st; 390 391 res = false; 392 TAILQ_INIT(&tracker); 393 reap_kill_sched(&tracker, reaper); 394 while ((t = TAILQ_FIRST(&tracker)) != NULL) { 395 TAILQ_REMOVE(&tracker, t, link); 396 397 /* 398 * Since reap_kill_proc() drops proctree_lock sx, it 399 * is possible that the tracked reaper is no longer. 400 * In this case the subtree is reparented to the new 401 * reaper, which should handle it. 402 */ 403 if ((t->parent->p_treeflag & P_TREE_REAPER) == 0) { 404 reap_kill_sched_free(t); 405 res = true; 406 continue; 407 } 408 409 LIST_FOREACH(p2, &t->parent->p_reaplist, p_reapsibling) { 410 if (t->parent == reaper && 411 (w->rk->rk_flags & REAPER_KILL_SUBTREE) != 0 && 412 p2->p_reapsubtree != w->rk->rk_subtree) 413 continue; 414 if ((p2->p_treeflag & P_TREE_REAPER) != 0) 415 reap_kill_sched(&tracker, p2); 416 417 /* 418 * Handle possible pid reuse. If we recorded 419 * p2 as killed but its p_flag2 does not 420 * confirm it, that means that the process 421 * terminated and its id was reused by other 422 * process in the reaper subtree. 423 * 424 * Unlocked read of p2->p_flag2 is fine, it is 425 * our thread that set the tested flag. 426 */ 427 if (alloc_unr_specific(pids, p2->p_pid) != p2->p_pid && 428 (atomic_load_int(&p2->p_flag2) & 429 (P2_REAPKILLED | P2_WEXIT)) != 0) 430 continue; 431 432 if (p2 == td->td_proc) { 433 if ((p2->p_flag & P_HADTHREADS) != 0 && 434 (p2->p_flag2 & P2_WEXIT) == 0) { 435 xlocked = sx_xlocked(&proctree_lock); 436 sx_unlock(&proctree_lock); 437 st = true; 438 } else { 439 st = false; 440 } 441 PROC_LOCK(p2); 442 /* 443 * sapblk ensures that only one thread 444 * in the system sets this flag. 445 */ 446 p2->p_flag2 |= P2_REAPKILLED; 447 if (st) 448 r = thread_single(p2, SINGLE_NO_EXIT); 449 (void)pksignal(p2, w->rk->rk_sig, w->ksi); 450 w->rk->rk_killed++; 451 if (st && r == 0) 452 thread_single_end(p2, SINGLE_NO_EXIT); 453 PROC_UNLOCK(p2); 454 if (st) { 455 if (xlocked) 456 sx_xlock(&proctree_lock); 457 else 458 sx_slock(&proctree_lock); 459 } 460 } else { 461 PROC_LOCK(p2); 462 if ((p2->p_flag2 & P2_WEXIT) == 0) { 463 _PHOLD_LITE(p2); 464 p2->p_flag2 |= P2_REAPKILLED; 465 PROC_UNLOCK(p2); 466 w->target = p2; 467 taskqueue_enqueue(taskqueue_thread, 468 &w->t); 469 while (w->target != NULL) { 470 sx_sleep(&w->target, 471 &proctree_lock, PWAIT, 472 "reapst", 0); 473 } 474 PROC_LOCK(p2); 475 _PRELE(p2); 476 } 477 PROC_UNLOCK(p2); 478 } 479 res = true; 480 } 481 reap_kill_sched_free(t); 482 } 483 return (res); 484 } 485 486 static void 487 reap_kill_subtree(struct thread *td, struct proc *p, struct proc *reaper, 488 struct reap_kill_proc_work *w) 489 { 490 struct unrhdr pids; 491 void *ihandle; 492 struct proc *p2; 493 int pid; 494 495 /* 496 * pids records processes which were already signalled, to 497 * avoid doubling signals to them if iteration needs to be 498 * repeated. 499 */ 500 init_unrhdr(&pids, 1, PID_MAX, UNR_NO_MTX); 501 PROC_LOCK(td->td_proc); 502 if ((td->td_proc->p_flag2 & P2_WEXIT) != 0) { 503 PROC_UNLOCK(td->td_proc); 504 goto out; 505 } 506 PROC_UNLOCK(td->td_proc); 507 while (reap_kill_subtree_once(td, p, reaper, &pids, w)) 508 ; 509 510 ihandle = create_iter_unr(&pids); 511 while ((pid = next_iter_unr(ihandle)) != -1) { 512 p2 = pfind(pid); 513 if (p2 != NULL) { 514 p2->p_flag2 &= ~P2_REAPKILLED; 515 PROC_UNLOCK(p2); 516 } 517 } 518 free_iter_unr(ihandle); 519 520 out: 521 clean_unrhdr(&pids); 522 clear_unrhdr(&pids); 523 } 524 525 static bool 526 reap_kill_sapblk(struct thread *td __unused, void *data) 527 { 528 struct procctl_reaper_kill *rk; 529 530 rk = data; 531 return ((rk->rk_flags & REAPER_KILL_CHILDREN) == 0); 532 } 533 534 static int 535 reap_kill(struct thread *td, struct proc *p, void *data) 536 { 537 struct reap_kill_proc_work w; 538 struct proc *reaper; 539 ksiginfo_t ksi; 540 struct procctl_reaper_kill *rk; 541 int error; 542 543 rk = data; 544 sx_assert(&proctree_lock, SX_LOCKED); 545 if (IN_CAPABILITY_MODE(td)) 546 return (ECAPMODE); 547 if (rk->rk_sig <= 0 || rk->rk_sig > _SIG_MAXSIG || 548 (rk->rk_flags & ~(REAPER_KILL_CHILDREN | 549 REAPER_KILL_SUBTREE)) != 0 || (rk->rk_flags & 550 (REAPER_KILL_CHILDREN | REAPER_KILL_SUBTREE)) == 551 (REAPER_KILL_CHILDREN | REAPER_KILL_SUBTREE)) 552 return (EINVAL); 553 PROC_UNLOCK(p); 554 reaper = (p->p_treeflag & P_TREE_REAPER) == 0 ? p->p_reaper : p; 555 ksiginfo_init(&ksi); 556 ksi.ksi_signo = rk->rk_sig; 557 ksi.ksi_code = SI_USER; 558 ksi.ksi_pid = td->td_proc->p_pid; 559 ksi.ksi_uid = td->td_ucred->cr_ruid; 560 error = ESRCH; 561 rk->rk_killed = 0; 562 rk->rk_fpid = -1; 563 if ((rk->rk_flags & REAPER_KILL_CHILDREN) != 0) { 564 reap_kill_children(td, reaper, rk, &ksi, &error); 565 } else { 566 w.cr = crhold(td->td_ucred); 567 w.ksi = &ksi; 568 w.rk = rk; 569 w.error = &error; 570 TASK_INIT(&w.t, 0, reap_kill_proc_work, &w); 571 572 /* 573 * Prevent swapout, since w, ksi, and possibly rk, are 574 * allocated on the stack. We sleep in 575 * reap_kill_subtree_once() waiting for task to 576 * complete single-threading. 577 */ 578 PHOLD(td->td_proc); 579 580 reap_kill_subtree(td, p, reaper, &w); 581 PRELE(td->td_proc); 582 crfree(w.cr); 583 } 584 PROC_LOCK(p); 585 return (error); 586 } 587 588 static int 589 trace_ctl(struct thread *td, struct proc *p, void *data) 590 { 591 int state; 592 593 PROC_LOCK_ASSERT(p, MA_OWNED); 594 state = *(int *)data; 595 596 /* 597 * Ktrace changes p_traceflag from or to zero under the 598 * process lock, so the test does not need to acquire ktrace 599 * mutex. 600 */ 601 if ((p->p_flag & P_TRACED) != 0 || p->p_traceflag != 0) 602 return (EBUSY); 603 604 switch (state) { 605 case PROC_TRACE_CTL_ENABLE: 606 if (td->td_proc != p) 607 return (EPERM); 608 p->p_flag2 &= ~(P2_NOTRACE | P2_NOTRACE_EXEC); 609 break; 610 case PROC_TRACE_CTL_DISABLE_EXEC: 611 p->p_flag2 |= P2_NOTRACE_EXEC | P2_NOTRACE; 612 break; 613 case PROC_TRACE_CTL_DISABLE: 614 if ((p->p_flag2 & P2_NOTRACE_EXEC) != 0) { 615 KASSERT((p->p_flag2 & P2_NOTRACE) != 0, 616 ("dandling P2_NOTRACE_EXEC")); 617 if (td->td_proc != p) 618 return (EPERM); 619 p->p_flag2 &= ~P2_NOTRACE_EXEC; 620 } else { 621 p->p_flag2 |= P2_NOTRACE; 622 } 623 break; 624 default: 625 return (EINVAL); 626 } 627 return (0); 628 } 629 630 static int 631 trace_status(struct thread *td, struct proc *p, void *data) 632 { 633 int *status; 634 635 status = data; 636 if ((p->p_flag2 & P2_NOTRACE) != 0) { 637 KASSERT((p->p_flag & P_TRACED) == 0, 638 ("%d traced but tracing disabled", p->p_pid)); 639 *status = -1; 640 } else if ((p->p_flag & P_TRACED) != 0) { 641 *status = p->p_pptr->p_pid; 642 } else { 643 *status = 0; 644 } 645 return (0); 646 } 647 648 static int 649 trapcap_ctl(struct thread *td, struct proc *p, void *data) 650 { 651 int state; 652 653 PROC_LOCK_ASSERT(p, MA_OWNED); 654 state = *(int *)data; 655 656 switch (state) { 657 case PROC_TRAPCAP_CTL_ENABLE: 658 p->p_flag2 |= P2_TRAPCAP; 659 break; 660 case PROC_TRAPCAP_CTL_DISABLE: 661 p->p_flag2 &= ~P2_TRAPCAP; 662 break; 663 default: 664 return (EINVAL); 665 } 666 return (0); 667 } 668 669 static int 670 trapcap_status(struct thread *td, struct proc *p, void *data) 671 { 672 int *status; 673 674 status = data; 675 *status = (p->p_flag2 & P2_TRAPCAP) != 0 ? PROC_TRAPCAP_CTL_ENABLE : 676 PROC_TRAPCAP_CTL_DISABLE; 677 return (0); 678 } 679 680 static int 681 no_new_privs_ctl(struct thread *td, struct proc *p, void *data) 682 { 683 int state; 684 685 PROC_LOCK_ASSERT(p, MA_OWNED); 686 state = *(int *)data; 687 688 if (state != PROC_NO_NEW_PRIVS_ENABLE) 689 return (EINVAL); 690 p->p_flag2 |= P2_NO_NEW_PRIVS; 691 return (0); 692 } 693 694 static int 695 no_new_privs_status(struct thread *td, struct proc *p, void *data) 696 { 697 698 *(int *)data = (p->p_flag2 & P2_NO_NEW_PRIVS) != 0 ? 699 PROC_NO_NEW_PRIVS_ENABLE : PROC_NO_NEW_PRIVS_DISABLE; 700 return (0); 701 } 702 703 static int 704 protmax_ctl(struct thread *td, struct proc *p, void *data) 705 { 706 int state; 707 708 PROC_LOCK_ASSERT(p, MA_OWNED); 709 state = *(int *)data; 710 711 switch (state) { 712 case PROC_PROTMAX_FORCE_ENABLE: 713 p->p_flag2 &= ~P2_PROTMAX_DISABLE; 714 p->p_flag2 |= P2_PROTMAX_ENABLE; 715 break; 716 case PROC_PROTMAX_FORCE_DISABLE: 717 p->p_flag2 |= P2_PROTMAX_DISABLE; 718 p->p_flag2 &= ~P2_PROTMAX_ENABLE; 719 break; 720 case PROC_PROTMAX_NOFORCE: 721 p->p_flag2 &= ~(P2_PROTMAX_ENABLE | P2_PROTMAX_DISABLE); 722 break; 723 default: 724 return (EINVAL); 725 } 726 return (0); 727 } 728 729 static int 730 protmax_status(struct thread *td, struct proc *p, void *data) 731 { 732 int d; 733 734 switch (p->p_flag2 & (P2_PROTMAX_ENABLE | P2_PROTMAX_DISABLE)) { 735 case 0: 736 d = PROC_PROTMAX_NOFORCE; 737 break; 738 case P2_PROTMAX_ENABLE: 739 d = PROC_PROTMAX_FORCE_ENABLE; 740 break; 741 case P2_PROTMAX_DISABLE: 742 d = PROC_PROTMAX_FORCE_DISABLE; 743 break; 744 } 745 if (kern_mmap_maxprot(p, PROT_READ) == PROT_READ) 746 d |= PROC_PROTMAX_ACTIVE; 747 *(int *)data = d; 748 return (0); 749 } 750 751 static int 752 aslr_ctl(struct thread *td, struct proc *p, void *data) 753 { 754 int state; 755 756 PROC_LOCK_ASSERT(p, MA_OWNED); 757 state = *(int *)data; 758 759 switch (state) { 760 case PROC_ASLR_FORCE_ENABLE: 761 p->p_flag2 &= ~P2_ASLR_DISABLE; 762 p->p_flag2 |= P2_ASLR_ENABLE; 763 break; 764 case PROC_ASLR_FORCE_DISABLE: 765 p->p_flag2 |= P2_ASLR_DISABLE; 766 p->p_flag2 &= ~P2_ASLR_ENABLE; 767 break; 768 case PROC_ASLR_NOFORCE: 769 p->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE); 770 break; 771 default: 772 return (EINVAL); 773 } 774 return (0); 775 } 776 777 static int 778 aslr_status(struct thread *td, struct proc *p, void *data) 779 { 780 struct vmspace *vm; 781 int d; 782 783 switch (p->p_flag2 & (P2_ASLR_ENABLE | P2_ASLR_DISABLE)) { 784 case 0: 785 d = PROC_ASLR_NOFORCE; 786 break; 787 case P2_ASLR_ENABLE: 788 d = PROC_ASLR_FORCE_ENABLE; 789 break; 790 case P2_ASLR_DISABLE: 791 d = PROC_ASLR_FORCE_DISABLE; 792 break; 793 } 794 if ((p->p_flag & P_WEXIT) == 0) { 795 _PHOLD(p); 796 PROC_UNLOCK(p); 797 vm = vmspace_acquire_ref(p); 798 if (vm != NULL) { 799 if ((vm->vm_map.flags & MAP_ASLR) != 0) 800 d |= PROC_ASLR_ACTIVE; 801 vmspace_free(vm); 802 } 803 PROC_LOCK(p); 804 _PRELE(p); 805 } 806 *(int *)data = d; 807 return (0); 808 } 809 810 static int 811 stackgap_ctl(struct thread *td, struct proc *p, void *data) 812 { 813 int state; 814 815 PROC_LOCK_ASSERT(p, MA_OWNED); 816 state = *(int *)data; 817 818 if ((state & ~(PROC_STACKGAP_ENABLE | PROC_STACKGAP_DISABLE | 819 PROC_STACKGAP_ENABLE_EXEC | PROC_STACKGAP_DISABLE_EXEC)) != 0) 820 return (EINVAL); 821 switch (state & (PROC_STACKGAP_ENABLE | PROC_STACKGAP_DISABLE)) { 822 case PROC_STACKGAP_ENABLE: 823 if ((p->p_flag2 & P2_STKGAP_DISABLE) != 0) 824 return (EINVAL); 825 break; 826 case PROC_STACKGAP_DISABLE: 827 p->p_flag2 |= P2_STKGAP_DISABLE; 828 break; 829 case 0: 830 break; 831 default: 832 return (EINVAL); 833 } 834 switch (state & (PROC_STACKGAP_ENABLE_EXEC | 835 PROC_STACKGAP_DISABLE_EXEC)) { 836 case PROC_STACKGAP_ENABLE_EXEC: 837 p->p_flag2 &= ~P2_STKGAP_DISABLE_EXEC; 838 break; 839 case PROC_STACKGAP_DISABLE_EXEC: 840 p->p_flag2 |= P2_STKGAP_DISABLE_EXEC; 841 break; 842 case 0: 843 break; 844 default: 845 return (EINVAL); 846 } 847 return (0); 848 } 849 850 static int 851 stackgap_status(struct thread *td, struct proc *p, void *data) 852 { 853 int d; 854 855 PROC_LOCK_ASSERT(p, MA_OWNED); 856 857 d = (p->p_flag2 & P2_STKGAP_DISABLE) != 0 ? PROC_STACKGAP_DISABLE : 858 PROC_STACKGAP_ENABLE; 859 d |= (p->p_flag2 & P2_STKGAP_DISABLE_EXEC) != 0 ? 860 PROC_STACKGAP_DISABLE_EXEC : PROC_STACKGAP_ENABLE_EXEC; 861 *(int *)data = d; 862 return (0); 863 } 864 865 static int 866 wxmap_ctl(struct thread *td, struct proc *p, void *data) 867 { 868 struct vmspace *vm; 869 vm_map_t map; 870 int state; 871 872 PROC_LOCK_ASSERT(p, MA_OWNED); 873 if ((p->p_flag & P_WEXIT) != 0) 874 return (ESRCH); 875 state = *(int *)data; 876 877 switch (state) { 878 case PROC_WX_MAPPINGS_PERMIT: 879 p->p_flag2 |= P2_WXORX_DISABLE; 880 _PHOLD(p); 881 PROC_UNLOCK(p); 882 vm = vmspace_acquire_ref(p); 883 if (vm != NULL) { 884 map = &vm->vm_map; 885 vm_map_lock(map); 886 map->flags &= ~MAP_WXORX; 887 vm_map_unlock(map); 888 vmspace_free(vm); 889 } 890 PROC_LOCK(p); 891 _PRELE(p); 892 break; 893 case PROC_WX_MAPPINGS_DISALLOW_EXEC: 894 p->p_flag2 |= P2_WXORX_ENABLE_EXEC; 895 break; 896 default: 897 return (EINVAL); 898 } 899 900 return (0); 901 } 902 903 static int 904 wxmap_status(struct thread *td, struct proc *p, void *data) 905 { 906 struct vmspace *vm; 907 int d; 908 909 PROC_LOCK_ASSERT(p, MA_OWNED); 910 if ((p->p_flag & P_WEXIT) != 0) 911 return (ESRCH); 912 913 d = 0; 914 if ((p->p_flag2 & P2_WXORX_DISABLE) != 0) 915 d |= PROC_WX_MAPPINGS_PERMIT; 916 if ((p->p_flag2 & P2_WXORX_ENABLE_EXEC) != 0) 917 d |= PROC_WX_MAPPINGS_DISALLOW_EXEC; 918 _PHOLD(p); 919 PROC_UNLOCK(p); 920 vm = vmspace_acquire_ref(p); 921 if (vm != NULL) { 922 if ((vm->vm_map.flags & MAP_WXORX) != 0) 923 d |= PROC_WXORX_ENFORCE; 924 vmspace_free(vm); 925 } 926 PROC_LOCK(p); 927 _PRELE(p); 928 *(int *)data = d; 929 return (0); 930 } 931 932 static int 933 pdeathsig_ctl(struct thread *td, struct proc *p, void *data) 934 { 935 int signum; 936 937 signum = *(int *)data; 938 if (p != td->td_proc || (signum != 0 && !_SIG_VALID(signum))) 939 return (EINVAL); 940 p->p_pdeathsig = signum; 941 return (0); 942 } 943 944 static int 945 pdeathsig_status(struct thread *td, struct proc *p, void *data) 946 { 947 if (p != td->td_proc) 948 return (EINVAL); 949 *(int *)data = p->p_pdeathsig; 950 return (0); 951 } 952 953 enum { 954 PCTL_SLOCKED, 955 PCTL_XLOCKED, 956 PCTL_UNLOCKED, 957 }; 958 959 struct procctl_cmd_info { 960 int lock_tree; 961 bool one_proc : 1; 962 bool esrch_is_einval : 1; 963 bool copyout_on_error : 1; 964 bool no_nonnull_data : 1; 965 bool need_candebug : 1; 966 int copyin_sz; 967 int copyout_sz; 968 int (*exec)(struct thread *, struct proc *, void *); 969 bool (*sapblk)(struct thread *, void *); 970 }; 971 static const struct procctl_cmd_info procctl_cmds_info[] = { 972 [PROC_SPROTECT] = 973 { .lock_tree = PCTL_SLOCKED, .one_proc = false, 974 .esrch_is_einval = false, .no_nonnull_data = false, 975 .need_candebug = false, 976 .copyin_sz = sizeof(int), .copyout_sz = 0, 977 .exec = protect_set, .copyout_on_error = false, }, 978 [PROC_REAP_ACQUIRE] = 979 { .lock_tree = PCTL_XLOCKED, .one_proc = true, 980 .esrch_is_einval = false, .no_nonnull_data = true, 981 .need_candebug = false, 982 .copyin_sz = 0, .copyout_sz = 0, 983 .exec = reap_acquire, .copyout_on_error = false, }, 984 [PROC_REAP_RELEASE] = 985 { .lock_tree = PCTL_XLOCKED, .one_proc = true, 986 .esrch_is_einval = false, .no_nonnull_data = true, 987 .need_candebug = false, 988 .copyin_sz = 0, .copyout_sz = 0, 989 .exec = reap_release, .copyout_on_error = false, }, 990 [PROC_REAP_STATUS] = 991 { .lock_tree = PCTL_SLOCKED, .one_proc = true, 992 .esrch_is_einval = false, .no_nonnull_data = false, 993 .need_candebug = false, 994 .copyin_sz = 0, 995 .copyout_sz = sizeof(struct procctl_reaper_status), 996 .exec = reap_status, .copyout_on_error = false, }, 997 [PROC_REAP_GETPIDS] = 998 { .lock_tree = PCTL_SLOCKED, .one_proc = true, 999 .esrch_is_einval = false, .no_nonnull_data = false, 1000 .need_candebug = false, 1001 .copyin_sz = sizeof(struct procctl_reaper_pids), 1002 .copyout_sz = 0, 1003 .exec = reap_getpids, .copyout_on_error = false, }, 1004 [PROC_REAP_KILL] = 1005 { .lock_tree = PCTL_SLOCKED, .one_proc = true, 1006 .esrch_is_einval = false, .no_nonnull_data = false, 1007 .need_candebug = false, 1008 .copyin_sz = sizeof(struct procctl_reaper_kill), 1009 .copyout_sz = sizeof(struct procctl_reaper_kill), 1010 .exec = reap_kill, .copyout_on_error = true, 1011 .sapblk = reap_kill_sapblk, }, 1012 [PROC_TRACE_CTL] = 1013 { .lock_tree = PCTL_SLOCKED, .one_proc = false, 1014 .esrch_is_einval = false, .no_nonnull_data = false, 1015 .need_candebug = true, 1016 .copyin_sz = sizeof(int), .copyout_sz = 0, 1017 .exec = trace_ctl, .copyout_on_error = false, }, 1018 [PROC_TRACE_STATUS] = 1019 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1020 .esrch_is_einval = false, .no_nonnull_data = false, 1021 .need_candebug = false, 1022 .copyin_sz = 0, .copyout_sz = sizeof(int), 1023 .exec = trace_status, .copyout_on_error = false, }, 1024 [PROC_TRAPCAP_CTL] = 1025 { .lock_tree = PCTL_SLOCKED, .one_proc = false, 1026 .esrch_is_einval = false, .no_nonnull_data = false, 1027 .need_candebug = true, 1028 .copyin_sz = sizeof(int), .copyout_sz = 0, 1029 .exec = trapcap_ctl, .copyout_on_error = false, }, 1030 [PROC_TRAPCAP_STATUS] = 1031 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1032 .esrch_is_einval = false, .no_nonnull_data = false, 1033 .need_candebug = false, 1034 .copyin_sz = 0, .copyout_sz = sizeof(int), 1035 .exec = trapcap_status, .copyout_on_error = false, }, 1036 [PROC_PDEATHSIG_CTL] = 1037 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1038 .esrch_is_einval = true, .no_nonnull_data = false, 1039 .need_candebug = false, 1040 .copyin_sz = sizeof(int), .copyout_sz = 0, 1041 .exec = pdeathsig_ctl, .copyout_on_error = false, }, 1042 [PROC_PDEATHSIG_STATUS] = 1043 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1044 .esrch_is_einval = true, .no_nonnull_data = false, 1045 .need_candebug = false, 1046 .copyin_sz = 0, .copyout_sz = sizeof(int), 1047 .exec = pdeathsig_status, .copyout_on_error = false, }, 1048 [PROC_ASLR_CTL] = 1049 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1050 .esrch_is_einval = false, .no_nonnull_data = false, 1051 .need_candebug = true, 1052 .copyin_sz = sizeof(int), .copyout_sz = 0, 1053 .exec = aslr_ctl, .copyout_on_error = false, }, 1054 [PROC_ASLR_STATUS] = 1055 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1056 .esrch_is_einval = false, .no_nonnull_data = false, 1057 .need_candebug = false, 1058 .copyin_sz = 0, .copyout_sz = sizeof(int), 1059 .exec = aslr_status, .copyout_on_error = false, }, 1060 [PROC_PROTMAX_CTL] = 1061 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1062 .esrch_is_einval = false, .no_nonnull_data = false, 1063 .need_candebug = true, 1064 .copyin_sz = sizeof(int), .copyout_sz = 0, 1065 .exec = protmax_ctl, .copyout_on_error = false, }, 1066 [PROC_PROTMAX_STATUS] = 1067 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1068 .esrch_is_einval = false, .no_nonnull_data = false, 1069 .need_candebug = false, 1070 .copyin_sz = 0, .copyout_sz = sizeof(int), 1071 .exec = protmax_status, .copyout_on_error = false, }, 1072 [PROC_STACKGAP_CTL] = 1073 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1074 .esrch_is_einval = false, .no_nonnull_data = false, 1075 .need_candebug = true, 1076 .copyin_sz = sizeof(int), .copyout_sz = 0, 1077 .exec = stackgap_ctl, .copyout_on_error = false, }, 1078 [PROC_STACKGAP_STATUS] = 1079 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1080 .esrch_is_einval = false, .no_nonnull_data = false, 1081 .need_candebug = false, 1082 .copyin_sz = 0, .copyout_sz = sizeof(int), 1083 .exec = stackgap_status, .copyout_on_error = false, }, 1084 [PROC_NO_NEW_PRIVS_CTL] = 1085 { .lock_tree = PCTL_SLOCKED, .one_proc = true, 1086 .esrch_is_einval = false, .no_nonnull_data = false, 1087 .need_candebug = true, 1088 .copyin_sz = sizeof(int), .copyout_sz = 0, 1089 .exec = no_new_privs_ctl, .copyout_on_error = false, }, 1090 [PROC_NO_NEW_PRIVS_STATUS] = 1091 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1092 .esrch_is_einval = false, .no_nonnull_data = false, 1093 .need_candebug = false, 1094 .copyin_sz = 0, .copyout_sz = sizeof(int), 1095 .exec = no_new_privs_status, .copyout_on_error = false, }, 1096 [PROC_WXMAP_CTL] = 1097 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1098 .esrch_is_einval = false, .no_nonnull_data = false, 1099 .need_candebug = true, 1100 .copyin_sz = sizeof(int), .copyout_sz = 0, 1101 .exec = wxmap_ctl, .copyout_on_error = false, }, 1102 [PROC_WXMAP_STATUS] = 1103 { .lock_tree = PCTL_UNLOCKED, .one_proc = true, 1104 .esrch_is_einval = false, .no_nonnull_data = false, 1105 .need_candebug = false, 1106 .copyin_sz = 0, .copyout_sz = sizeof(int), 1107 .exec = wxmap_status, .copyout_on_error = false, }, 1108 }; 1109 1110 int 1111 sys_procctl(struct thread *td, struct procctl_args *uap) 1112 { 1113 union { 1114 struct procctl_reaper_status rs; 1115 struct procctl_reaper_pids rp; 1116 struct procctl_reaper_kill rk; 1117 int flags; 1118 } x; 1119 const struct procctl_cmd_info *cmd_info; 1120 int error, error1; 1121 1122 if (uap->com >= PROC_PROCCTL_MD_MIN) 1123 return (cpu_procctl(td, uap->idtype, uap->id, 1124 uap->com, uap->data)); 1125 if (uap->com == 0 || uap->com >= nitems(procctl_cmds_info)) 1126 return (EINVAL); 1127 cmd_info = &procctl_cmds_info[uap->com]; 1128 bzero(&x, sizeof(x)); 1129 1130 if (cmd_info->copyin_sz > 0) { 1131 error = copyin(uap->data, &x, cmd_info->copyin_sz); 1132 if (error != 0) 1133 return (error); 1134 } else if (cmd_info->no_nonnull_data && uap->data != NULL) { 1135 return (EINVAL); 1136 } 1137 1138 error = kern_procctl(td, uap->idtype, uap->id, uap->com, &x); 1139 1140 if (cmd_info->copyout_sz > 0 && (error == 0 || 1141 cmd_info->copyout_on_error)) { 1142 error1 = copyout(&x, uap->data, cmd_info->copyout_sz); 1143 if (error == 0) 1144 error = error1; 1145 } 1146 return (error); 1147 } 1148 1149 static int 1150 kern_procctl_single(struct thread *td, struct proc *p, int com, void *data) 1151 { 1152 1153 PROC_LOCK_ASSERT(p, MA_OWNED); 1154 return (procctl_cmds_info[com].exec(td, p, data)); 1155 } 1156 1157 int 1158 kern_procctl(struct thread *td, idtype_t idtype, id_t id, int com, void *data) 1159 { 1160 struct pgrp *pg; 1161 struct proc *p; 1162 const struct procctl_cmd_info *cmd_info; 1163 int error, first_error, ok; 1164 bool sapblk; 1165 1166 MPASS(com > 0 && com < nitems(procctl_cmds_info)); 1167 cmd_info = &procctl_cmds_info[com]; 1168 if (idtype != P_PID && cmd_info->one_proc) 1169 return (EINVAL); 1170 1171 sapblk = false; 1172 if (cmd_info->sapblk != NULL) { 1173 sapblk = cmd_info->sapblk(td, data); 1174 if (sapblk && !stop_all_proc_block()) 1175 return (ERESTART); 1176 } 1177 1178 switch (cmd_info->lock_tree) { 1179 case PCTL_XLOCKED: 1180 sx_xlock(&proctree_lock); 1181 break; 1182 case PCTL_SLOCKED: 1183 sx_slock(&proctree_lock); 1184 break; 1185 default: 1186 break; 1187 } 1188 1189 switch (idtype) { 1190 case P_PID: 1191 if (id == 0) { 1192 p = td->td_proc; 1193 error = 0; 1194 PROC_LOCK(p); 1195 } else { 1196 p = pfind(id); 1197 if (p == NULL) { 1198 error = cmd_info->esrch_is_einval ? 1199 EINVAL : ESRCH; 1200 break; 1201 } 1202 error = cmd_info->need_candebug ? p_candebug(td, p) : 1203 p_cansee(td, p); 1204 } 1205 if (error == 0) 1206 error = kern_procctl_single(td, p, com, data); 1207 PROC_UNLOCK(p); 1208 break; 1209 case P_PGID: 1210 /* 1211 * Attempt to apply the operation to all members of the 1212 * group. Ignore processes in the group that can't be 1213 * seen. Ignore errors so long as at least one process is 1214 * able to complete the request successfully. 1215 */ 1216 pg = pgfind(id); 1217 if (pg == NULL) { 1218 error = ESRCH; 1219 break; 1220 } 1221 PGRP_UNLOCK(pg); 1222 ok = 0; 1223 first_error = 0; 1224 LIST_FOREACH(p, &pg->pg_members, p_pglist) { 1225 PROC_LOCK(p); 1226 if (p->p_state == PRS_NEW || 1227 p->p_state == PRS_ZOMBIE || 1228 (cmd_info->need_candebug ? p_candebug(td, p) : 1229 p_cansee(td, p)) != 0) { 1230 PROC_UNLOCK(p); 1231 continue; 1232 } 1233 error = kern_procctl_single(td, p, com, data); 1234 PROC_UNLOCK(p); 1235 if (error == 0) 1236 ok = 1; 1237 else if (first_error == 0) 1238 first_error = error; 1239 } 1240 if (ok) 1241 error = 0; 1242 else if (first_error != 0) 1243 error = first_error; 1244 else 1245 /* 1246 * Was not able to see any processes in the 1247 * process group. 1248 */ 1249 error = ESRCH; 1250 break; 1251 default: 1252 error = EINVAL; 1253 break; 1254 } 1255 1256 switch (cmd_info->lock_tree) { 1257 case PCTL_XLOCKED: 1258 sx_xunlock(&proctree_lock); 1259 break; 1260 case PCTL_SLOCKED: 1261 sx_sunlock(&proctree_lock); 1262 break; 1263 default: 1264 break; 1265 } 1266 if (sapblk) 1267 stop_all_proc_unblock(); 1268 return (error); 1269 } 1270