Author: kib Date: Sat Jun 13 18:19:42 2020 New Revision: 362151 URL: https://svnweb.freebsd.org/changeset/base/362151
Log: procctl(2): document PROC_KPTI Reviewed by: bcr Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D25258 Modified: head/lib/libc/sys/procctl.2 Modified: head/lib/libc/sys/procctl.2 ============================================================================== --- head/lib/libc/sys/procctl.2 Sat Jun 13 18:18:34 2020 (r362150) +++ head/lib/libc/sys/procctl.2 Sat Jun 13 18:19:42 2020 (r362151) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd May 16, 2020 +.Dd June 13, 2020 .Dt PROCCTL 2 .Os .Sh NAME 
@@ -565,6 +565,47 @@ Stack gaps are disabled in the process after .Xr execve 2 . .El .El +.Sh x86 MACHINE-SPECIFIC REQUESTS +.Bl -tag -width PROC_KPTI_STATUS +.It Dv PROC_KPTI_CTL +AMD64 only. +Controls the Kernel Page Table Isolation (KPTI) option for the children +of the specified process. +For the command to work, the +.Va vm.pmap.kpti +tunable must be enabled on boot. +It is not possible to change the KPTI setting for a running process, +except at the +.Xr execve 2 , +where the address space is reinitialized. +.Pp +The +.Fa data +parameter must point to an integer variable containing one of the +following commands: +.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC +.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC +Enable KPTI after +.Xr execve 2 . +.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC +Disable KPTI after +.Xr execve 2 . +Only root or a process having the +.Va PRIV_IO +privilege might use this option. +.El +.It Dv PROC_KPTI_STATUS +Returns the current KPTI status for the specified process. +.Fa data must point to the integer variable, which returns the +following statuses: +.Bl -tag -width PROC_KPTI_CTL_DISABLE_ON_EXEC +.It Dv PROC_KPTI_CTL_ENABLE_ON_EXEC +.It Dv PROC_KPTI_CTL_DISABLE_ON_EXEC +.El +.Pp +The status is or-ed with the +.Va PROC_KPTI_STATUS_ACTIVE +in case KPTI is active for the current address space of the process. .Sh NOTES Disabling tracing on a process should not be considered a security feature, as it is bypassable both by the kernel and privileged processes,
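Review bot: in the PROC_KPTI_STATUS entry, the line `.Fa data must point to the integer variable, which returns the` puts running prose on the `.Fa` macro line, so mdoc will format the whole sentence as function-argument text; split it the way the PROC_KPTI_CTL entry does (`.Fa data` on its own line, then `must point to an integer variable ...`). Two smaller points in the same hunk: `PRIV_IO` and `PROC_KPTI_STATUS_ACTIVE` are constants, not variables, so `.Dv` fits better than `.Va`, and "privilege might use this option" should read "privilege may use this option". The two `.It Dv` entries in the status list have no description, so it is not stated which exec-time behaviour each status reports; a one-line description for each would help. Finally, the text says `vm.pmap.kpti` must be enabled for PROC_KPTI_CTL to work and that PROC_KPTI_CTL_DISABLE_ON_EXEC needs root or `PRIV_IO`, but the ERRORS section is not updated with the errno values returned when either condition is not met.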