git: 492a76bcd6d5 - stable/13 - proccontrol(1): Add wxmap control
Konstantin Belousov
kib at FreeBSD.org
Fri Sep 24 00:40:08 UTC 2021
The branch stable/13 has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=492a76bcd6d50ae8fea4ed770af53cbc7d1c82b3
commit 492a76bcd6d50ae8fea4ed770af53cbc7d1c82b3
Author: Konstantin Belousov <kib at FreeBSD.org>
AuthorDate: 2021-09-01 23:27:58 +0000
Commit: Konstantin Belousov <kib at FreeBSD.org>
CommitDate: 2021-09-24 00:26:59 +0000
proccontrol(1): Add wxmap control
(cherry picked from commit ac8af1938085dae0df32db3229c9d5cb659b90a4)
---
usr.bin/proccontrol/proccontrol.1 | 4 +++-
usr.bin/proccontrol/proccontrol.c | 24 +++++++++++++++++++++++-
2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/usr.bin/proccontrol/proccontrol.1 b/usr.bin/proccontrol/proccontrol.1
index b4ed6c268a6a..09ec49431293 100644
--- a/usr.bin/proccontrol/proccontrol.1
+++ b/usr.bin/proccontrol/proccontrol.1
@@ -28,7 +28,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 2, 2021
+.Dd September 2, 2021
.Dt PROCCONTROL 1
.Os
.Sh NAME
@@ -72,6 +72,8 @@ Controls the implicit PROT_MAX application for
.It Ar nonewprivs
Controls disabling the setuid and sgid bits for
.Xr execve 2 .
+.It Ar wxmap
+Controls the write exclusive execute mode for mappings.
.It Ar kpti
Controls the KPTI enable, AMD64 only.
.It Ar la48
diff --git a/usr.bin/proccontrol/proccontrol.c b/usr.bin/proccontrol/proccontrol.c
index 8b34ecbb06d4..d9237c4c6b33 100644
--- a/usr.bin/proccontrol/proccontrol.c
+++ b/usr.bin/proccontrol/proccontrol.c
@@ -46,6 +46,7 @@ enum {
MODE_PROTMAX,
MODE_STACKGAP,
MODE_NO_NEW_PRIVS,
+ MODE_WXMAP,
#ifdef PROC_KPTI_CTL
MODE_KPTI,
#endif
@@ -85,7 +86,7 @@ usage(void)
{
fprintf(stderr, "Usage: proccontrol -m (aslr|protmax|trace|trapcap|"
- "stackgap|nonewprivs"KPTI_USAGE LA_USAGE") [-q] "
+ "stackgap|nonewprivs|wxmap"KPTI_USAGE LA_USAGE") [-q] "
"[-s (enable|disable)] [-p pid | command]\n");
exit(1);
}
@@ -116,6 +117,8 @@ main(int argc, char *argv[])
mode = MODE_STACKGAP;
else if (strcmp(optarg, "nonewprivs") == 0)
mode = MODE_NO_NEW_PRIVS;
+ else if (strcmp(optarg, "wxmap") == 0)
+ mode = MODE_WXMAP;
#ifdef PROC_KPTI_CTL
else if (strcmp(optarg, "kpti") == 0)
mode = MODE_KPTI;
@@ -181,6 +184,9 @@ main(int argc, char *argv[])
error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_STATUS,
&arg);
break;
+ case MODE_WXMAP:
+ error = procctl(P_PID, pid, PROC_WXMAP_STATUS, &arg);
+ break;
#ifdef PROC_KPTI_CTL
case MODE_KPTI:
error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg);
@@ -281,6 +287,17 @@ main(int argc, char *argv[])
break;
}
break;
+ case MODE_WXMAP:
+ if ((arg & PROC_WX_MAPPINGS_PERMIT) != 0)
+ printf("enabled");
+ else
+ printf("disabled");
+ if ((arg & PROC_WX_MAPPINGS_DISALLOW_EXEC) != 0)
+ printf(", disabled on exec");
+ if ((arg & PROC_WXORX_ENFORCE) != 0)
+ printf(", wxorx enforced");
+ printf("\n");
+ break;
#ifdef PROC_KPTI_CTL
case MODE_KPTI:
switch (arg & ~PROC_KPTI_STATUS_ACTIVE) {
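Review bot: In the new MODE_WXMAP status case, `enabled` is printed when PROC_WX_MAPPINGS_PERMIT is set, so the word describes W+X mappings being permitted, not the W^X protection being active. The later PROC_WXMAP_CTL hunk uses the same polarity for `-s enable`, and the man page line "Controls the write exclusive execute mode for mappings" does not say which way it goes. An operator auditing a process could therefore read `enabled` as the hardened state when it is the permissive one. I would add a comment above the case, `/* "enabled" means W+X mappings are permitted, i.e. the less restrictive state */`, and consider spelling the state out in the output and in proccontrol.1. The body of main starts and ends outside this hunk.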
@@ -353,6 +370,11 @@ main(int argc, char *argv[])
error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_CTL,
&arg);
break;
+ case MODE_WXMAP:
+ arg = enable ? PROC_WX_MAPPINGS_PERMIT :
+ PROC_WX_MAPPINGS_DISALLOW_EXEC;
+ error = procctl(P_PID, pid, PROC_WXMAP_CTL, &arg);
+ break;
#ifdef PROC_KPTI_CTL
case MODE_KPTI:
arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :
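Review bot: In the MODE_WXMAP set case, `-s disable` is not the inverse of `-s enable`: enable sends PROC_WX_MAPPINGS_PERMIT, while disable sends PROC_WX_MAPPINGS_DISALLOW_EXEC. Going by that name and by the status string `, disabled on exec`, the disable request presumably applies only to the address space created by a later exec. With `-p pid` aimed at a running process, it would then leave already-permitted W+X mappings in place, which matters to anyone using it to harden a live process. A comment such as `/* disable takes effect on the next execve(2); it does not revoke W+X in the current image */` would make this explicit, once confirmed against procctl(2). The body of main continues outside this hunk.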