From 469220742e615f00daed9802a62ba77b8ab5a189 Mon Sep 17 00:00:00 2001
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Tue, 2 Jul 2019 19:12:02 +0000
Subject: [PATCH] Add implicit PROT_MAX() knob to proccontrol(1).

Reviewed by:	emaste, markj (previous version)
Discussed with:	brooks
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D20795
---
 usr.bin/proccontrol/proccontrol.1 |  3 +++
 usr.bin/proccontrol/proccontrol.c | 30 +++++++++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/usr.bin/proccontrol/proccontrol.1 b/usr.bin/proccontrol/proccontrol.1
index 1bc672aa419..33dff9b34ff 100644
--- a/usr.bin/proccontrol/proccontrol.1
+++ b/usr.bin/proccontrol/proccontrol.1
@@ -66,6 +66,9 @@ Note that process is only allowed to enable tracing for itself,
 not for any other process.
 .It Ar trapcap
 Controls the signalling of capability mode access violations.
+.It Ar protmax
+Controls the implicit PROT_MAX application for
+.Xr mmap 2 .
 .It Ar kpti
 Controls the KPTI enable, AMD64 only.
 .El
diff --git a/usr.bin/proccontrol/proccontrol.c b/usr.bin/proccontrol/proccontrol.c
index a88c367b43e..f5026b87616 100644
--- a/usr.bin/proccontrol/proccontrol.c
+++ b/usr.bin/proccontrol/proccontrol.c
@@ -43,6 +43,7 @@ enum {
 	MODE_INVALID,
 	MODE_TRACE,
 	MODE_TRAPCAP,
+	MODE_PROTMAX,
 #ifdef PROC_KPTI_CTL
 	MODE_KPTI,
 #endif
@@ -72,7 +73,7 @@ static void __dead2
 usage(void)
 {
 
-	fprintf(stderr, "Usage: proccontrol -m (aslr|trace|trapcap"
+	fprintf(stderr, "Usage: proccontrol -m (aslr|protmax|trace|trapcap"
 	    KPTI_USAGE") [-q] "
 	    "[-s (enable|disable)] [-p pid | command]\n");
 	exit(1);
@@ -94,6 +95,8 @@ main(int argc, char *argv[])
 		case 'm':
 			if (strcmp(optarg, "aslr") == 0)
 				mode = MODE_ASLR;
+			else if (strcmp(optarg, "protmax") == 0)
+				mode = MODE_PROTMAX;
 			else if (strcmp(optarg, "trace") == 0)
 				mode = MODE_TRACE;
 			else if (strcmp(optarg, "trapcap") == 0)
@@ -147,6 +150,9 @@ main(int argc, char *argv[])
 		case MODE_TRAPCAP:
 			error = procctl(P_PID, pid, PROC_TRAPCAP_STATUS, &arg);
 			break;
+		case MODE_PROTMAX:
+			error = procctl(P_PID, pid, PROC_PROTMAX_STATUS, &arg);
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg);
@@ -194,6 +200,23 @@ main(int argc, char *argv[])
 				break;
 			}
 			break;
+		case MODE_PROTMAX:
+			switch (arg & ~PROC_PROTMAX_ACTIVE) {
+			case PROC_PROTMAX_FORCE_ENABLE:
+				printf("force enabled");
+				break;
+			case PROC_PROTMAX_FORCE_DISABLE:
+				printf("force disabled");
+				break;
+			case PROC_PROTMAX_NOFORCE:
+				printf("not forced");
+				break;
+			}
+			if ((arg & PROC_PROTMAX_ACTIVE) != 0)
+				printf(", active\n");
+			else
+				printf(", not active\n");
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			switch (arg & ~PROC_KPTI_STATUS_ACTIVE) {
@@ -228,6 +251,11 @@ main(int argc, char *argv[])
 			    PROC_TRAPCAP_CTL_DISABLE;
 			error = procctl(P_PID, pid, PROC_TRAPCAP_CTL, &arg);
 			break;
+		case MODE_PROTMAX:
+			arg = enable ? PROC_PROTMAX_FORCE_ENABLE :
+			    PROC_PROTMAX_FORCE_DISABLE;
+			error = procctl(P_PID, pid, PROC_PROTMAX_CTL, &arg);
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :