Date: Sat, 20 Jun 2020 04:27:39 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r362425 - stable/12/lib/libc/sys Message-ID: <202006200427.05K4RdGU035319@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Sat Jun 20 04:27:38 2020 New Revision: 362425 URL: https://svnweb.freebsd.org/changeset/base/362425 Log: MFC r362151: procctl(2): document PROC_KPTI Modified: stable/12/lib/libc/sys/procctl.2 Directory Properties: stable/12/ (props changed) Modified: stable/12/lib/libc/sys/procctl.2 ============================================================================== --- stable/12/lib/libc/sys/procctl.2 Sat Jun 20 04:26:05 2020 (r362424) +++ stable/12/lib/libc/sys/procctl.2 Sat Jun 20 04:27:38 2020 (r362425) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 25, 2020 +.Dd June 13, 2020 .Dt PROCCTL 2 .Os .Sh NAME @@ -524,6 +524,47 @@ Stack gaps are disabled in the process after .Xr execve 2 . .El .El +.Sh x86 MACHINE-SPECIFIC REQUESTS +.Bl -tag -width PROC_KPTI_STATUS +.It Dv PROC_KPTI_CTL +AMD64 only. +Controls the Kernel Page Table Isolation (KPTI) option for the children +of the specified process. +For the command to work, the +.Va vm.pmap.kpti +tunable must be enabled on boot. +It is not possible to change the KPTI setting for a running process, +except at the +.Xr execve 2 , +where the address space is reinitialized. +.Pp +The +.Fa data +parameter must point to an integer variable containing one of the +following commands: +.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC +.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC +Enable KPTI after +.Xr execve 2 . +.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC +Disable KPTI after +.Xr execve 2 . +Only root or a process having the +.Va PRIV_IO +privilege might use this option. +.El +.It Dv PROC_KPTI_STATUS +Returns the current KPTI status for the specified process. +.Fa data must point to the integer variable, which returns the +following statuses: +.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC +.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC +.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC +.El +.Pp +The status is or-ed with the +.Va PROC_KPTI_STATUS_ACTIVE +in case KPTI is active for the current address space of the process. .Sh NOTES Disabling tracing on a process should not be considered a security feature, as it is bypassable both by the kernel and privileged processes,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202006200427.05K4RdGU035319>