Date: Sat, 13 Jun 2020 18:19:42 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r362151 - head/lib/libc/sys Message-ID: <202006131819.05DIJgZG050578@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Sat Jun 13 18:19:42 2020 New Revision: 362151 URL: https://svnweb.freebsd.org/changeset/base/362151 Log: procctl(2): document PROC_KPTI Reviewed by: bcr Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D25258 Modified: head/lib/libc/sys/procctl.2 Modified: head/lib/libc/sys/procctl.2 ============================================================================== --- head/lib/libc/sys/procctl.2 Sat Jun 13 18:18:34 2020 (r362150) +++ head/lib/libc/sys/procctl.2 Sat Jun 13 18:19:42 2020 (r362151) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd May 16, 2020 +.Dd June 13, 2020 .Dt PROCCTL 2 .Os .Sh NAME @@ -565,6 +565,47 @@ Stack gaps are disabled in the process after .Xr execve 2 . .El .El +.Sh x86 MACHINE-SPECIFIC REQUESTS +.Bl -tag -width PROC_KPTI_STATUS +.It Dv PROC_KPTI_CTL +AMD64 only. +Controls the Kernel Page Table Isolation (KPTI) option for the children +of the specified process. +For the command to work, the +.Va vm.pmap.kpti +tunable must be enabled on boot. +It is not possible to change the KPTI setting for a running process, +except at the +.Xr execve 2 , +where the address space is reinitialized. +.Pp +The +.Fa data +parameter must point to an integer variable containing one of the +following commands: +.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC +.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC +Enable KPTI after +.Xr execve 2 . +.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC +Disable KPTI after +.Xr execve 2 . +Only root or a process having the +.Va PRIV_IO +privilege might use this option. +.El +.It Dv PROC_KPTI_STATUS +Returns the current KPTI status for the specified process. +.Fa data must point to the integer variable, which returns the +following statuses: +.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC +.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC +.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC +.El +.Pp +The status is or-ed with the +.Va PROC_KPTI_STATUS_ACTIVE +in case KPTI is active for the current address space of the process. .Sh NOTES Disabling tracing on a process should not be considered a security feature, as it is bypassable both by the kernel and privileged processes,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202006131819.05DIJgZG050578>