1.\" Copyright (c) 2013 Hudson River Trading LLC 2.\" Written by: John H. Baldwin <[email protected]> 3.\" All rights reserved. 4.\" 5.\" Copyright (c) 2014 The FreeBSD Foundation 6.\" Portions of this documentation were written by Konstantin Belousov 7.\" under sponsorship from the FreeBSD Foundation. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" $FreeBSD$ 31.\" 32.Dd September 2, 2021 33.Dt PROCCTL 2 34.Os 35.Sh NAME 36.Nm procctl 37.Nd control processes 38.Sh LIBRARY 39.Lb libc 40.Sh SYNOPSIS 41.In sys/procctl.h 42.Ft int 43.Fn procctl "idtype_t idtype" "id_t id" "int cmd" "void *data" 44.Sh DESCRIPTION 45The 46.Fn procctl 47system call provides for control over processes. 48The 49.Fa idtype 50and 51.Fa id 52arguments specify the set of processes to control. 53If multiple processes match the identifier, 54.Nm 55will make a 56.Dq best effort 57to control as many of the selected processes as possible. 58An error is only returned if no selected processes successfully complete 59the request. 60The following identifier types are supported: 61.Bl -tag -width P_PGID 62.It Dv P_PID 63Control the process with the process ID 64.Fa id . 65.It Dv P_PGID 66Control processes belonging to the process group with the ID 67.Fa id . 68.El 69.Pp 70The control request to perform is specified by the 71.Fa cmd 72argument. 73The following commands are supported: 74.Bl -tag -width PROC_TRAPCAP_STATUS 75.It Dv PROC_ASLR_CTL 76Controls the Address Space Layout Randomization (ASLR) in the program 77images created 78by 79.Xr execve 2 80in the specified process or its descendants that did not changed 81the control nor modified it by other means. 82The 83.Fa data 84parameter must point to the integer variable holding one of the following 85values: 86.Bl -tag -width PROC_ASLR_FORCE_DISABLE 87.It Dv PROC_ASLR_FORCE_ENABLE 88Request that ASLR is enabled after execution, even if it is disabled 89system-wide. 90The image flag and set-uid might prevent ASLR enablement still. 91.It Dv PROC_ASLR_FORCE_DISABLE 92Request that ASLR is disabled after execution. 93Same notes as for 94.Dv PROC_ASLR_FORCE_ENABLE 95apply. 96.It Dv PROC_ASLR_NOFORCE 97Use the system-wide configured policy for ASLR. 98.El 99.It Dv PROC_ASLR_STATUS 100Returns the current status of ASLR enablement for the target process. 101The 102.Fa data 103parameter must point to the integer variable, where one of the 104following values is written: 105.Bl -tag -width PROC_ASLR_FORCE_DISABLE 106.It Dv PROC_ASLR_FORCE_ENABLE 107.It Dv PROC_ASLR_FORCE_DISABLE 108.It Dv PROC_ASLR_NOFORCE 109.El 110.Pp 111If the currently executed image in the process itself has ASLR enabled, 112the 113.Dv PROC_ASLR_ACTIVE 114flag is or-ed with the value listed above. 115.It Dv PROC_PROTMAX_CTL 116Controls implicit application of PROT_MAX protection equal to the 117.Fa prot 118argument of the 119.Xr mmap 2 120syscall, in the target process. 121The 122.Fa data 123parameter must point to the integer variable holding one of the following 124values: 125.Bl -tag -width PROC_PROTMAX_FORCE_DISABLE 126.It Dv PROC_PROTMAX_FORCE_ENABLE 127Enables implicit PROT_MAX application, 128even if it is disabled system-wide by the sysctl 129.Va vm.imply_prot_max . 130The image flag might still prevent the enablement. 131.It Dv PROC_PROTMAX_FORCE_DISABLE 132Request that implicit application of PROT_MAX be disabled. 133Same notes as for 134.Dv PROC_PROTMAX_FORCE_ENABLE 135apply. 136.It Dv PROC_PROTMAX_NOFORCE 137Use the system-wide configured policy for PROT_MAX. 138.El 139.It Dv PROC_PROTMAX_STATUS 140Returns the current status of implicit PROT_MAX enablement for the 141target process. 142The 143.Fa data 144parameter must point to the integer variable, where one of the 145following values is written: 146.Bl -tag -width PROC_PROTMAX_FORCE_DISABLE 147.It Dv PROC_PROTMAX_FORCE_ENABLE 148.It Dv PROC_PROTMAX_FORCE_DISABLE 149.It Dv PROC_PROTMAX_NOFORCE 150.El 151.Pp 152If the currently executed image in the process itself has implicit PROT_MAX 153application enabled, the 154.Dv PROC_PROTMAX_ACTIVE 155flag is or-ed with the value listed above. 156.It Dv PROC_SPROTECT 157Set process protection state. 158This is used to mark a process as protected from being killed if the system 159exhausts the available memory and swap. 160The 161.Fa data 162parameter must point to an integer containing an operation and zero or more 163optional flags. 164The following operations are supported: 165.Bl -tag -width PPROT_CLEAR 166.It Dv PPROT_SET 167Mark the selected processes as protected. 168.It Dv PPROT_CLEAR 169Clear the protected state of selected processes. 170.El 171.Pp 172The following optional flags are supported: 173.Bl -tag -width PPROT_DESCEND 174.It Dv PPROT_DESCEND 175Apply the requested operation to all child processes of each selected process 176in addition to each selected process. 177.It Dv PPROT_INHERIT 178When used with 179.Dv PPROT_SET , 180mark all future child processes of each selected process as protected. 181Future child processes will also mark all of their future child processes. 182.El 183.It Dv PROC_REAP_ACQUIRE 184Acquires the reaper status for the current process. 185Reaper status means that children orphaned by the reaper's descendants 186that were forked after the acquisition of reaper status are reparented to the 187reaper process. 188After system initialization, 189.Xr init 8 190is the default reaper. 191.It Dv PROC_REAP_RELEASE 192Release the reaper state for the current process. 193The reaper of the current process becomes the new reaper of the 194current process's descendants. 195.It Dv PROC_REAP_STATUS 196Provides information about the reaper of the specified process, 197or the process itself when it is a reaper. 198The 199.Fa data 200argument must point to a 201.Vt procctl_reaper_status 202structure which is filled in by the syscall on successful return. 203.Bd -literal 204struct procctl_reaper_status { 205 u_int rs_flags; 206 u_int rs_children; 207 u_int rs_descendants; 208 pid_t rs_reaper; 209 pid_t rs_pid; 210}; 211.Ed 212The 213.Fa rs_flags 214may have the following flags returned: 215.Bl -tag -width REAPER_STATUS_REALINIT 216.It Dv REAPER_STATUS_OWNED 217The specified process has acquired reaper status and has not 218released it. 219When the flag is returned, the specified process 220.Fa id , 221pid, identifies the reaper, otherwise the 222.Fa rs_reaper 223field of the structure is set to the pid of the reaper 224for the specified process id. 225.It Dv REAPER_STATUS_REALINIT 226The specified process is the root of the reaper tree, i.e., 227.Xr init 8 . 228.El 229.Pp 230The 231.Fa rs_children 232field returns the number of children of the reaper among the descendants. 233It is possible to have a child whose reaper is not the specified process, 234since the reaper for any existing children is not reset on the 235.Dv PROC_REAP_ACQUIRE 236operation. 237The 238.Fa rs_descendants 239field returns the total number of descendants of the reaper(s), 240not counting descendants of the reaper in the subtree. 241The 242.Fa rs_reaper 243field returns the reaper pid. 244The 245.Fa rs_pid 246returns the pid of one reaper child if there are any descendants. 247.It Dv PROC_REAP_GETPIDS 248Queries the list of descendants of the reaper of the specified process. 249The request takes a pointer to a 250.Vt procctl_reaper_pids 251structure in the 252.Fa data 253parameter. 254.Bd -literal 255struct procctl_reaper_pids { 256 u_int rp_count; 257 struct procctl_reaper_pidinfo *rp_pids; 258}; 259.Ed 260When called, the 261.Fa rp_pids 262field must point to an array of 263.Vt procctl_reaper_pidinfo 264structures, to be filled in on return, 265and the 266.Fa rp_count 267field must specify the size of the array, 268into which no more than 269.Fa rp_count 270elements will be filled in by the kernel. 271.Pp 272The 273.Vt "struct procctl_reaper_pidinfo" 274structure provides some information about one of the reaper's descendants. 275Note that for a descendant that is not a child, it may be incorrectly 276identified because of a race in which the original child process exited 277and the exited process's pid was reused for an unrelated process. 278.Bd -literal 279struct procctl_reaper_pidinfo { 280 pid_t pi_pid; 281 pid_t pi_subtree; 282 u_int pi_flags; 283}; 284.Ed 285The 286.Fa pi_pid 287field is the process id of the descendant. 288The 289.Fa pi_subtree 290field provides the pid of the child of the reaper, which is the (grand-)parent 291of the process. 292The 293.Fa pi_flags 294field returns the following flags, further describing the descendant: 295.Bl -tag -width REAPER_PIDINFO_REAPER 296.It Dv REAPER_PIDINFO_VALID 297Set to indicate that the 298.Vt procctl_reaper_pidinfo 299structure was filled in by the kernel. 300Zero-filling the 301.Fa rp_pids 302array and testing the 303.Dv REAPER_PIDINFO_VALID 304flag allows the caller to detect the end 305of the returned array. 306.It Dv REAPER_PIDINFO_CHILD 307The 308.Fa pi_pid 309field identifies the direct child of the reaper. 310.It Dv REAPER_PIDINFO_REAPER 311The reported process is itself a reaper. 312The descendants of the subordinate reaper are not reported. 313.El 314.It Dv PROC_REAP_KILL 315Request to deliver a signal to some subset of the descendants of the reaper. 316The 317.Fa data 318parameter must point to a 319.Vt procctl_reaper_kill 320structure, which is used both for parameters and status return. 321.Bd -literal 322struct procctl_reaper_kill { 323 int rk_sig; 324 u_int rk_flags; 325 pid_t rk_subtree; 326 u_int rk_killed; 327 pid_t rk_fpid; 328}; 329.Ed 330The 331.Fa rk_sig 332field specifies the signal to be delivered. 333Zero is not a valid signal number, unlike for 334.Xr kill 2 . 335The 336.Fa rk_flags 337field further directs the operation. 338It is or-ed from the following flags: 339.Bl -tag -width REAPER_KILL_CHILDREN 340.It Dv REAPER_KILL_CHILDREN 341Deliver the specified signal only to direct children of the reaper. 342.It Dv REAPER_KILL_SUBTREE 343Deliver the specified signal only to descendants that were forked by 344the direct child with pid specified in the 345.Fa rk_subtree 346field. 347.El 348If neither the 349.Dv REAPER_KILL_CHILDREN 350nor the 351.Dv REAPER_KILL_SUBTREE 352flags are specified, all current descendants of the reaper are signalled. 353.Pp 354If a signal was delivered to any process, the return value from the request 355is zero. 356In this case, the 357.Fa rk_killed 358field identifies the number of processes signalled. 359The 360.Fa rk_fpid 361field is set to the pid of the first process for which signal 362delivery failed, e.g., due to permission problems. 363If no such process exists, the 364.Fa rk_fpid 365field is set to -1. 366.It Dv PROC_TRACE_CTL 367Enable or disable tracing of the specified process(es), according to the 368value of the integer argument. 369Tracing includes attachment to the process using the 370.Xr ptrace 2 371and 372.Xr ktrace 2 , 373debugging sysctls, 374.Xr hwpmc 4 , 375.Xr dtrace 1 , 376and core dumping. 377Possible values for the 378.Fa data 379argument are: 380.Bl -tag -width PROC_TRACE_CTL_DISABLE_EXEC 381.It Dv PROC_TRACE_CTL_ENABLE 382Enable tracing, after it was disabled by 383.Dv PROC_TRACE_CTL_DISABLE . 384Only allowed for self. 385.It Dv PROC_TRACE_CTL_DISABLE 386Disable tracing for the specified process. 387Tracing is re-enabled when the process changes the executing 388program with the 389.Xr execve 2 390syscall. 391A child inherits the trace settings from the parent on 392.Xr fork 2 . 393.It Dv PROC_TRACE_CTL_DISABLE_EXEC 394Same as 395.Dv PROC_TRACE_CTL_DISABLE , 396but the setting persists for the process even after 397.Xr execve 2 . 398.El 399.It Dv PROC_TRACE_STATUS 400Returns the current tracing status for the specified process in 401the integer variable pointed to by 402.Fa data . 403If tracing is disabled, 404.Fa data 405is set to -1. 406If tracing is enabled, but no debugger is attached by the 407.Xr ptrace 2 408syscall, 409.Fa data 410is set to 0. 411If a debugger is attached, 412.Fa data 413is set to the pid of the debugger process. 414.It Dv PROC_TRAPCAP_CTL 415Controls the capability mode sandbox actions for the specified 416sandboxed processes, 417on a return from any syscall which gives either a 418.Er ENOTCAPABLE 419or 420.Er ECAPMODE 421error. 422If the control is enabled, such errors from the syscalls cause 423delivery of the synchronous 424.Dv SIGTRAP 425signal to the thread immediately before returning from the syscalls. 426.Pp 427Possible values for the 428.Fa data 429argument are: 430.Bl -tag -width PROC_TRAPCAP_CTL_DISABLE 431.It Dv PROC_TRAPCAP_CTL_ENABLE 432Enable the 433.Dv SIGTRAP 434signal delivery on capability mode access violations. 435The enabled mode is inherited by the children of the process, 436and is kept after 437.Xr fexecve 2 438calls. 439.It Dv PROC_TRAPCAP_CTL_DISABLE 440Disable the signal delivery on capability mode access violations. 441Note that the global sysctl 442.Dv kern.trap_enotcap 443might still cause the signal to be delivered. 444See 445.Xr capsicum 4 . 446.El 447.Pp 448On signal delivery, the 449.Va si_errno 450member of the 451.Fa siginfo 452signal handler parameter is set to the syscall error value, 453and the 454.Va si_code 455member is set to 456.Dv TRAP_CAP . 457The system call number is stored in the 458.Va si_syscall 459field of the 460.Fa siginfo 461signal handler parameter. 462The other system call parameters can be read from the 463.Fa ucontext_t 464but the system call number is typically stored in the register 465that also contains the return value and so is unavailable in the 466signal handler. 467.Pp 468See 469.Xr capsicum 4 470for more information about the capability mode. 471.It Dv PROC_TRAPCAP_STATUS 472Return the current status of signalling capability mode access 473violations for the specified process. 474The integer value pointed to by the 475.Fa data 476argument is set to the 477.Dv PROC_TRAPCAP_CTL_ENABLE 478value if the process control enables signal delivery, and to 479.Dv PROC_TRAPCAP_CTL_DISABLE 480otherwise. 481.Pp 482See the note about sysctl 483.Dv kern.trap_enotcap 484above, which gives independent global control of signal delivery. 485.It Dv PROC_PDEATHSIG_CTL 486Request the delivery of a signal when the parent of the calling 487process exits. 488.Fa idtype 489must be 490.Dv P_PID 491and 492.Fa id 493must be the either caller's pid or zero, with no difference in effect. 494The value is cleared for child processes 495and when executing set-user-ID or set-group-ID binaries. 496.Fa data 497must point to a value of type 498.Vt int 499indicating the signal 500that should be delivered to the caller. 501Use zero to cancel a previously requested signal delivery. 502.It Dv PROC_PDEATHSIG_STATUS 503Query the current signal number that will be delivered when the parent 504of the calling process exits. 505.Fa idtype 506must be 507.Dv P_PID 508and 509.Fa id 510must be the either caller's pid or zero, with no difference in effect. 511.Fa data 512must point to a memory location that can hold a value of type 513.Vt int . 514If signal delivery has not been requested, it will contain zero 515on return. 516.It Dv PROC_STACKGAP_CTL 517Controls the stack gaps in the specified process. 518A stack gap is the part of the growth area for a 519.Dv MAP_STACK 520mapped region that is reserved and never filled by memory. 521Instead, the process is guaranteed to receive a 522.Dv SIGSEGV 523signal on accessing pages in the gap. 524Gaps protect against stack overflow corrupting memory adjacent 525to the stack. 526.Pp 527The 528.Fa data 529argument must point to an integer variable containing flags. 530The following flags are allowed: 531.Bl -tag -width PROC_STACKGAP_DISABLE_EXEC 532.It Dv PROC_STACKGAP_ENABLE 533This flag is only accepted for consistency with 534.Dv PROC_STACKGAP_STATUS . 535If stack gaps are enabled, the flag is ignored. 536If disabled, the flag causes an 537.Ev EINVAL 538error to be returned. 539After gaps are disabled in a process, they can only be re-enabled when an 540.Xr execve 2 541is performed. 542.It Dv PROC_STACKGAP_DISABLE 543Disable stack gaps for the process. 544For existing stacks, the gap is no longer a reserved part of the growth 545area and can be filled by memory on access. 546.It Dv PROC_STACKGAP_ENABLE_EXEC 547Enable stack gaps for programs started after an 548.Xr execve 2 549by the specified process. 550.It Dv PROC_STACKGAP_DISABLE_EXEC 551Inherit disabled stack gaps state after 552.Xr execve 2 . 553In other words, if the currently executing program has stack gaps disabled, 554they are kept disabled on exec. 555If gaps were enabled, they are kept enabled after exec. 556.El 557.Pp 558The stack gap state is inherited from the parent on 559.Xr fork 2 . 560.It Dv PROC_STACKGAP_STATUS 561Returns the current stack gap state for the specified process. 562.Fa data 563must point to an integer variable, which is used to return a bitmask 564consisting of the following flags: 565.Bl -tag -width PROC_STACKGAP_DISABLE_EXEC 566.It Dv PROC_STACKGAP_ENABLE 567Stack gaps are enabled. 568.It Dv PROC_STACKGAP_DISABLE 569Stack gaps are disabled. 570.It Dv PROC_STACKGAP_ENABLE_EXEC 571Stack gaps are enabled in the process after 572.Xr execve 2 . 573.It Dv PROC_STACKGAP_DISABLE_EXEC 574Stack gaps are disabled in the process after 575.Xr execve 2 . 576.El 577.It Dv PROC_NO_NEW_PRIVS_CTL 578Allows one to ignore the SUID and SGID bits on the program 579images activated by 580.Xr execve 2 581in the specified process and its future descendants. 582The 583.Fa data 584parameter must point to the integer variable holding the following 585value: 586.Bl -tag -width PROC_NO_NEW_PRIVS_ENABLE 587.It Dv PROC_NO_NEW_PRIVS_ENABLE 588Request SUID and SGID bits to be ignored. 589.El 590.Pp 591It is not possible to disable it once it has been enabled. 592.It Dv PROC_NO_NEW_PRIVS_STATUS 593Returns the current status of SUID/SGID enablement for the target process. 594The 595.Fa data 596parameter must point to the integer variable, where one of the 597following values is written: 598.Bl -tag -width PROC_NO_NEW_PRIVS_DISABLE 599.It Dv PROC_NO_NEW_PRIVS_ENABLE 600.It Dv PROC_NO_NEW_PRIVS_DISABLE 601.El 602.It Dv PROC_WXMAP_CTL 603Controls the 'write exclusive against execution' permissions for the 604mappings in the process address space. 605It overrides the global settings established by the 606.Dv kern.elf{32/64}.allow_wx 607sysctl, 608and the corresponding bit in the ELF control note, see 609.Xr elfctl 1 . 610.Pp 611The 612.Fa data 613parameter must point to the integer variable holding one of the 614following values: 615.Bl -tag -width PROC_WX_MAPPINGS_DISALLOW_EXEC 616.It Dv PROC_WX_MAPPINGS_PERMIT 617Enable creation of mappings that have both write and execute 618protection attributes, in the specified process' address space. 619.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 620In the new address space created by 621.Xr execve 2 , 622disallow creation of mappings that have both write and execute 623permissions. 624.El 625.Pp 626Once creation of writeable and executable mappings is allowed, 627it is impossible (and pointless) to disallow it. 628The only way to ensure the absence of such mappings after they 629were enabled in a given process, is to set the 630.Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 631flag and 632.Xr execve 2 633an image. 634.It Dv PROC_WXMAP_STATUS 635Returns the current status of the 'write exclusive against execution' 636enforcement for the specified process. 637The 638.Dv data 639parameter must point to the integer variable, where one of the 640following values is written: 641.Bl -tag -width PROC_WX_MAPPINGS_DISALLOW_EXEC 642.It Dv PROC_WX_MAPPINGS_PERMIT 643Creation of simultaneously writable and executable mapping is permitted, 644otherwise the process cannot create such mappings. 645.It Dv PROC_WX_MAPPINGS_DISALLOW_EXEC 646After 647.Xr execve 2 , 648the new address space should disallow creation of simultaneously 649writable and executable mappings. 650.El 651.Pp 652Additionally, if the address space of the process disallows 653creation of simultaneously writable and executable mappings and 654it is guaranteed that no such mapping was created since address space 655creation, the 656.Dv PROC_WXORX_ENFORCE 657flag is set in the returned value. 658.El 659.Sh x86 MACHINE-SPECIFIC REQUESTS 660.Bl -tag -width PROC_KPTI_STATUS 661.It Dv PROC_KPTI_CTL 662AMD64 only. 663Controls the Kernel Page Table Isolation (KPTI) option for the children 664of the specified process. 665For the command to work, the 666.Va vm.pmap.kpti 667tunable must be enabled on boot. 668It is not possible to change the KPTI setting for a running process, 669except at the 670.Xr execve 2 , 671where the address space is reinitialized. 672.Pp 673The 674.Fa data 675parameter must point to an integer variable containing one of the 676following commands: 677.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC 678.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC 679Enable KPTI after 680.Xr execve 2 . 681.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC 682Disable KPTI after 683.Xr execve 2 . 684Only root or a process having the 685.Va PRIV_IO 686privilege might use this option. 687.El 688.It Dv PROC_KPTI_STATUS 689Returns the current KPTI status for the specified process. 690.Fa data 691must point to the integer variable, which returns the 692following statuses: 693.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC 694.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC 695.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC 696.El 697.Pp 698The status is or-ed with the 699.Va PROC_KPTI_STATUS_ACTIVE 700in case KPTI is active for the current address space of the process. 701.Sh NOTES 702Disabling tracing on a process should not be considered a security 703feature, as it is bypassable both by the kernel and privileged processes, 704and via other system mechanisms. 705As such, it should not be utilized to reliably protect cryptographic 706keying material or other confidential data. 707.Pp 708Note that processes can trivially bypass the 'no simultaneously 709writable and executable mappings' policy by first marking some mapping 710as writeable and write code to it, then removing write and adding 711execute permission. 712This may be legitimately required by some programs, such as JIT compilers. 713.Sh RETURN VALUES 714If an error occurs, a value of -1 is returned and 715.Va errno 716is set to indicate the error. 717.Sh ERRORS 718The 719.Fn procctl 720system call 721will fail if: 722.Bl -tag -width Er 723.It Bq Er EFAULT 724The 725.Fa data 726parameter points outside the process's allocated address space. 727.It Bq Er EINVAL 728The 729.Fa cmd 730argument specifies an unsupported command. 731.Pp 732The 733.Fa idtype 734argument specifies an unsupported identifier type. 735.It Bq Er EPERM 736The calling process does not have permission to perform the requested 737operation on any of the selected processes. 738.It Bq Er ESRCH 739No processes matched the requested 740.Fa idtype 741and 742.Fa id . 743.It Bq Er EINVAL 744An invalid operation or flag was passed in 745.Fa data 746for a 747.Dv PROC_SPROTECT 748command. 749.It Bq Er EPERM 750The 751.Fa idtype 752argument is not equal to 753.Dv P_PID , 754or 755.Fa id 756is not equal to the pid of the calling process, for 757.Dv PROC_REAP_ACQUIRE 758or 759.Dv PROC_REAP_RELEASE 760requests. 761.It Bq Er EINVAL 762Invalid or undefined flags were passed to a 763.Dv PROC_REAP_KILL 764request. 765.It Bq Er EINVAL 766An invalid or zero signal number was requested for a 767.Dv PROC_REAP_KILL 768request. 769.It Bq Er EINVAL 770The 771.Dv PROC_REAP_RELEASE 772request was issued by the 773.Xr init 8 774process. 775.It Bq Er EBUSY 776The 777.Dv PROC_REAP_ACQUIRE 778request was issued by a process that had already acquired reaper status 779and has not yet released it. 780.It Bq Er EBUSY 781The 782.Dv PROC_TRACE_CTL 783request was issued for a process already being traced. 784.It Bq Er EPERM 785The 786.Dv PROC_TRACE_CTL 787request to re-enable tracing of the process 788.Po Dv PROC_TRACE_CTL_ENABLE Pc , 789or to disable persistence of 790.Dv PROC_TRACE_CTL_DISABLE 791on 792.Xr execve 2 793was issued for a non-current process. 794.It Bq Er EINVAL 795The value of the integer 796.Fa data 797parameter for the 798.Dv PROC_TRACE_CTL 799or 800.Dv PROC_TRAPCAP_CTL 801request is invalid. 802.It Bq Er EINVAL 803The 804.Dv PROC_PDEATHSIG_CTL 805or 806.Dv PROC_PDEATHSIG_STATUS 807request referenced an unsupported 808.Fa id , 809.Fa idtype 810or invalid signal number. 811.El 812.Sh SEE ALSO 813.Xr dtrace 1 , 814.Xr proccontrol 1 , 815.Xr protect 1 , 816.Xr cap_enter 2 , 817.Xr kill 2 , 818.Xr ktrace 2 , 819.Xr mmap 2 , 820.Xr mprotect 2 , 821.Xr ptrace 2 , 822.Xr wait 2 , 823.Xr capsicum 4 , 824.Xr hwpmc 4 , 825.Xr init 8 826.Sh HISTORY 827The 828.Fn procctl 829function appeared in 830.Fx 10.0 . 831.Pp 832The reaper facility is based on a similar feature of Linux and 833DragonflyBSD, and first appeared in 834.Fx 10.2 . 835.Pp 836The 837.Dv PROC_PDEATHSIG_CTL 838facility is based on the prctl(PR_SET_PDEATHSIG, ...) feature of Linux, 839and first appeared in 840.Fx 11.2 . 841.Pp 842The ASLR support was added to system for the checklists compliance in 843.Fx 13.0 . 844