proccontrol(1): Add wxmap control

Reviewed by: brooks, emaste, markj Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D31779
2021-09-02 02:27:58 +03:00 · 2021-09-02 02:27:58 +03:00 · ac8af19380
commit ac8af19380
parent 796a8e1ad1
2 changed files with 26 additions and 2 deletions
--- a/usr.bin/proccontrol/proccontrol.1
+++ b/usr.bin/proccontrol/proccontrol.1
@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 2, 2021
+.Dd September 2, 2021
 .Dt PROCCONTROL 1
 .Os
 .Sh NAME
@ -72,6 +72,8 @@ Controls the implicit PROT_MAX application for
 .It Ar nonewprivs
 Controls disabling the setuid and sgid bits for
 .Xr execve 2 .
+.It Ar wxmap
+Controls the write exclusive execute mode for mappings.
 .It Ar kpti
 Controls the KPTI enable, AMD64 only.
 .It Ar la48
--- a/usr.bin/proccontrol/proccontrol.c
+++ b/usr.bin/proccontrol/proccontrol.c
@ -46,6 +46,7 @@ enum {
 	MODE_PROTMAX,
 	MODE_STACKGAP,
 	MODE_NO_NEW_PRIVS,
+	MODE_WXMAP,
 #ifdef PROC_KPTI_CTL
 	MODE_KPTI,
 #endif
@ -85,7 +86,7 @@ usage(void)
 {

 	fprintf(stderr, "Usage: proccontrol -m (aslr|protmax|trace|trapcap|"
-	    "stackgap|nonewprivs"KPTI_USAGE LA_USAGE") [-q] "
+	    "stackgap|nonewprivs|wxmap"KPTI_USAGE LA_USAGE") [-q] "
 	    "[-s (enable|disable)] [-p pid | command]\n");
 	exit(1);
 }
@ -116,6 +117,8 @@ main(int argc, char *argv[])
 				mode = MODE_STACKGAP;
 			else if (strcmp(optarg, "nonewprivs") == 0)
 				mode = MODE_NO_NEW_PRIVS;
+			else if (strcmp(optarg, "wxmap") == 0)
+				mode = MODE_WXMAP;
 #ifdef PROC_KPTI_CTL
 			else if (strcmp(optarg, "kpti") == 0)
 				mode = MODE_KPTI;
@ -181,6 +184,9 @@ main(int argc, char *argv[])
 			error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_STATUS,
 			    &arg);
 			break;
+		case MODE_WXMAP:
+			error = procctl(P_PID, pid, PROC_WXMAP_STATUS, &arg);
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg);
@ -281,6 +287,17 @@ main(int argc, char *argv[])
 				break;
 			}
 			break;
+		case MODE_WXMAP:
+			if ((arg & PROC_WX_MAPPINGS_PERMIT) != 0)
+				printf("enabled");
+			else
+				printf("disabled");
+			if ((arg & PROC_WX_MAPPINGS_DISALLOW_EXEC) != 0)
+				printf(", disabled on exec");
+			if ((arg & PROC_WXORX_ENFORCE) != 0)
+				printf(", wxorx enforced");
+			printf("\n");
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			switch (arg & ~PROC_KPTI_STATUS_ACTIVE) {
@ -353,6 +370,11 @@ main(int argc, char *argv[])
 			error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_CTL,
 			    &arg);
 			break;
+		case MODE_WXMAP:
+			arg = enable ? PROC_WX_MAPPINGS_PERMIT :
+			    PROC_WX_MAPPINGS_DISALLOW_EXEC;
+			error = procctl(P_PID, pid, PROC_WXMAP_CTL, &arg);
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :