mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-11-30 10:52:50 +00:00
7ca260df8c
Add a central table of modes and loop over it rather than spelling out 10 essentialy identical strcmp if statemnts. Use the stable to generate usage as well reducing the number of ifdefs. Disallow multiple -m options. Previouly multiple were allowed, but only the last one was used and there was no indication this happened. Reviewed by: kib, markj Differential Revision: https://reviews.freebsd.org/D46426
406 lines
9.6 KiB
C
406 lines
9.6 KiB
C
/*-
|
|
* Copyright (c) 2016 The FreeBSD Foundation
|
|
*
|
|
* This software was developed by Konstantin Belousov <kib@FreeBSD.org>
|
|
* under sponsorship from the FreeBSD Foundation.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/procctl.h>
|
|
#include <err.h>
|
|
#include <stdbool.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
|
|
enum mode {
|
|
MODE_INVALID,
|
|
MODE_ASLR,
|
|
MODE_TRACE,
|
|
MODE_TRAPCAP,
|
|
MODE_PROTMAX,
|
|
MODE_STACKGAP,
|
|
MODE_NO_NEW_PRIVS,
|
|
MODE_WXMAP,
|
|
#ifdef PROC_KPTI_CTL
|
|
MODE_KPTI,
|
|
#endif
|
|
#ifdef PROC_LA_CTL
|
|
MODE_LA57,
|
|
MODE_LA48,
|
|
#endif
|
|
};
|
|
|
|
static const struct {
|
|
enum mode mode;
|
|
const char *name;
|
|
} modes[] = {
|
|
{ MODE_ASLR, "aslr" },
|
|
{ MODE_TRACE, "trace" },
|
|
{ MODE_TRAPCAP, "trapcap" },
|
|
{ MODE_PROTMAX, "protmax" },
|
|
{ MODE_STACKGAP, "stackgap" },
|
|
{ MODE_NO_NEW_PRIVS, "nonewprivs" },
|
|
{ MODE_WXMAP, "wxmap" },
|
|
#ifdef PROC_KPTI_CTL
|
|
{ MODE_KPTI, "kpti" },
|
|
#endif
|
|
#ifdef PROC_LA_CTL
|
|
{ MODE_LA57, "la57" },
|
|
{ MODE_LA48, "la48" },
|
|
#endif
|
|
};
|
|
|
|
static pid_t
|
|
str2pid(const char *str)
|
|
{
|
|
pid_t res;
|
|
char *tail;
|
|
|
|
res = strtol(str, &tail, 0);
|
|
if (*tail != '\0') {
|
|
warnx("non-numeric pid");
|
|
return (-1);
|
|
}
|
|
return (res);
|
|
}
|
|
|
|
static void __dead2
|
|
usage(void)
|
|
{
|
|
fprintf(stderr, "Usage:\n");
|
|
fprintf(stderr, " proccontrol -m mode -s (enable|disable) "
|
|
"(-p pid | command)\n");
|
|
fprintf(stderr, " proccontrol -m mode -q [-p pid]\n");
|
|
fprintf(stderr, "Modes: ");
|
|
for (size_t i = 0; i < nitems(modes); i++)
|
|
fprintf(stderr, "%s%s", i == 0 ? "" : "|", modes[i].name);
|
|
fprintf(stderr, "\n");
|
|
exit(1);
|
|
}
|
|
|
|
int
|
|
main(int argc, char *argv[])
|
|
{
|
|
int arg, ch, error, mode;
|
|
pid_t pid;
|
|
bool enable, do_command, query;
|
|
|
|
mode = MODE_INVALID;
|
|
enable = true;
|
|
pid = -1;
|
|
query = false;
|
|
while ((ch = getopt(argc, argv, "m:qs:p:")) != -1) {
|
|
switch (ch) {
|
|
case 'm':
|
|
if (mode != MODE_INVALID)
|
|
usage();
|
|
for (size_t i = 0; i < nitems(modes); i++) {
|
|
if (strcmp(optarg, modes[i].name) == 0) {
|
|
mode = modes[i].mode;
|
|
break;
|
|
}
|
|
}
|
|
if (mode == MODE_INVALID)
|
|
usage();
|
|
break;
|
|
case 's':
|
|
if (strcmp(optarg, "enable") == 0)
|
|
enable = true;
|
|
else if (strcmp(optarg, "disable") == 0)
|
|
enable = false;
|
|
else
|
|
usage();
|
|
break;
|
|
case 'p':
|
|
pid = str2pid(optarg);
|
|
break;
|
|
case 'q':
|
|
query = true;
|
|
break;
|
|
case '?':
|
|
default:
|
|
usage();
|
|
break;
|
|
}
|
|
}
|
|
argc -= optind;
|
|
argv += optind;
|
|
do_command = argc != 0;
|
|
if (do_command) {
|
|
if (pid != -1 || query)
|
|
usage();
|
|
pid = getpid();
|
|
} else if (pid == -1) {
|
|
if (!query)
|
|
usage();
|
|
pid = getpid();
|
|
}
|
|
|
|
if (query) {
|
|
switch (mode) {
|
|
case MODE_ASLR:
|
|
error = procctl(P_PID, pid, PROC_ASLR_STATUS, &arg);
|
|
break;
|
|
case MODE_TRACE:
|
|
error = procctl(P_PID, pid, PROC_TRACE_STATUS, &arg);
|
|
break;
|
|
case MODE_TRAPCAP:
|
|
error = procctl(P_PID, pid, PROC_TRAPCAP_STATUS, &arg);
|
|
break;
|
|
case MODE_PROTMAX:
|
|
error = procctl(P_PID, pid, PROC_PROTMAX_STATUS, &arg);
|
|
break;
|
|
case MODE_STACKGAP:
|
|
error = procctl(P_PID, pid, PROC_STACKGAP_STATUS, &arg);
|
|
break;
|
|
case MODE_NO_NEW_PRIVS:
|
|
error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_STATUS,
|
|
&arg);
|
|
break;
|
|
case MODE_WXMAP:
|
|
error = procctl(P_PID, pid, PROC_WXMAP_STATUS, &arg);
|
|
break;
|
|
#ifdef PROC_KPTI_CTL
|
|
case MODE_KPTI:
|
|
error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg);
|
|
break;
|
|
#endif
|
|
#ifdef PROC_LA_CTL
|
|
case MODE_LA57:
|
|
case MODE_LA48:
|
|
error = procctl(P_PID, pid, PROC_LA_STATUS, &arg);
|
|
break;
|
|
#endif
|
|
default:
|
|
usage();
|
|
break;
|
|
}
|
|
if (error != 0)
|
|
err(1, "procctl status");
|
|
switch (mode) {
|
|
case MODE_ASLR:
|
|
switch (arg & ~PROC_ASLR_ACTIVE) {
|
|
case PROC_ASLR_FORCE_ENABLE:
|
|
printf("force enabled");
|
|
break;
|
|
case PROC_ASLR_FORCE_DISABLE:
|
|
printf("force disabled");
|
|
break;
|
|
case PROC_ASLR_NOFORCE:
|
|
printf("not forced");
|
|
break;
|
|
}
|
|
if ((arg & PROC_ASLR_ACTIVE) != 0)
|
|
printf(", active\n");
|
|
else
|
|
printf(", not active\n");
|
|
break;
|
|
case MODE_TRACE:
|
|
if (arg == -1)
|
|
printf("disabled\n");
|
|
else if (arg == 0)
|
|
printf("enabled, no debugger\n");
|
|
else
|
|
printf("enabled, traced by %d\n", arg);
|
|
break;
|
|
case MODE_TRAPCAP:
|
|
switch (arg) {
|
|
case PROC_TRAPCAP_CTL_ENABLE:
|
|
printf("enabled\n");
|
|
break;
|
|
case PROC_TRAPCAP_CTL_DISABLE:
|
|
printf("disabled\n");
|
|
break;
|
|
}
|
|
break;
|
|
case MODE_PROTMAX:
|
|
switch (arg & ~PROC_PROTMAX_ACTIVE) {
|
|
case PROC_PROTMAX_FORCE_ENABLE:
|
|
printf("force enabled");
|
|
break;
|
|
case PROC_PROTMAX_FORCE_DISABLE:
|
|
printf("force disabled");
|
|
break;
|
|
case PROC_PROTMAX_NOFORCE:
|
|
printf("not forced");
|
|
break;
|
|
}
|
|
if ((arg & PROC_PROTMAX_ACTIVE) != 0)
|
|
printf(", active\n");
|
|
else
|
|
printf(", not active\n");
|
|
break;
|
|
case MODE_STACKGAP:
|
|
switch (arg & (PROC_STACKGAP_ENABLE |
|
|
PROC_STACKGAP_DISABLE)) {
|
|
case PROC_STACKGAP_ENABLE:
|
|
printf("enabled\n");
|
|
break;
|
|
case PROC_STACKGAP_DISABLE:
|
|
printf("disabled\n");
|
|
break;
|
|
}
|
|
switch (arg & (PROC_STACKGAP_ENABLE_EXEC |
|
|
PROC_STACKGAP_DISABLE_EXEC)) {
|
|
case PROC_STACKGAP_ENABLE_EXEC:
|
|
printf("enabled after exec\n");
|
|
break;
|
|
case PROC_STACKGAP_DISABLE_EXEC:
|
|
printf("disabled after exec\n");
|
|
break;
|
|
}
|
|
break;
|
|
case MODE_NO_NEW_PRIVS:
|
|
switch (arg) {
|
|
case PROC_NO_NEW_PRIVS_ENABLE:
|
|
printf("enabled\n");
|
|
break;
|
|
case PROC_NO_NEW_PRIVS_DISABLE:
|
|
printf("disabled\n");
|
|
break;
|
|
}
|
|
break;
|
|
case MODE_WXMAP:
|
|
if ((arg & PROC_WX_MAPPINGS_PERMIT) != 0)
|
|
printf("enabled");
|
|
else
|
|
printf("disabled");
|
|
if ((arg & PROC_WX_MAPPINGS_DISALLOW_EXEC) != 0)
|
|
printf(", disabled on exec");
|
|
if ((arg & PROC_WXORX_ENFORCE) != 0)
|
|
printf(", wxorx enforced");
|
|
printf("\n");
|
|
break;
|
|
#ifdef PROC_KPTI_CTL
|
|
case MODE_KPTI:
|
|
switch (arg & ~PROC_KPTI_STATUS_ACTIVE) {
|
|
case PROC_KPTI_CTL_ENABLE_ON_EXEC:
|
|
printf("enabled");
|
|
break;
|
|
case PROC_KPTI_CTL_DISABLE_ON_EXEC:
|
|
printf("disabled");
|
|
break;
|
|
}
|
|
if ((arg & PROC_KPTI_STATUS_ACTIVE) != 0)
|
|
printf(", active\n");
|
|
else
|
|
printf(", not active\n");
|
|
break;
|
|
#endif
|
|
#ifdef PROC_LA_CTL
|
|
case MODE_LA57:
|
|
case MODE_LA48:
|
|
switch (arg & ~(PROC_LA_STATUS_LA48 |
|
|
PROC_LA_STATUS_LA57)) {
|
|
case PROC_LA_CTL_LA48_ON_EXEC:
|
|
printf("la48 on exec");
|
|
break;
|
|
case PROC_LA_CTL_LA57_ON_EXEC:
|
|
printf("la57 on exec");
|
|
break;
|
|
case PROC_LA_CTL_DEFAULT_ON_EXEC:
|
|
printf("default on exec");
|
|
break;
|
|
}
|
|
if ((arg & PROC_LA_STATUS_LA48) != 0)
|
|
printf(", la48 active\n");
|
|
else if ((arg & PROC_LA_STATUS_LA57) != 0)
|
|
printf(", la57 active\n");
|
|
break;
|
|
#endif
|
|
}
|
|
} else {
|
|
switch (mode) {
|
|
case MODE_ASLR:
|
|
arg = enable ? PROC_ASLR_FORCE_ENABLE :
|
|
PROC_ASLR_FORCE_DISABLE;
|
|
error = procctl(P_PID, pid, PROC_ASLR_CTL, &arg);
|
|
break;
|
|
case MODE_TRACE:
|
|
arg = enable ? PROC_TRACE_CTL_ENABLE :
|
|
PROC_TRACE_CTL_DISABLE;
|
|
error = procctl(P_PID, pid, PROC_TRACE_CTL, &arg);
|
|
break;
|
|
case MODE_TRAPCAP:
|
|
arg = enable ? PROC_TRAPCAP_CTL_ENABLE :
|
|
PROC_TRAPCAP_CTL_DISABLE;
|
|
error = procctl(P_PID, pid, PROC_TRAPCAP_CTL, &arg);
|
|
break;
|
|
case MODE_PROTMAX:
|
|
arg = enable ? PROC_PROTMAX_FORCE_ENABLE :
|
|
PROC_PROTMAX_FORCE_DISABLE;
|
|
error = procctl(P_PID, pid, PROC_PROTMAX_CTL, &arg);
|
|
break;
|
|
case MODE_STACKGAP:
|
|
arg = enable ? PROC_STACKGAP_ENABLE_EXEC :
|
|
(PROC_STACKGAP_DISABLE |
|
|
PROC_STACKGAP_DISABLE_EXEC);
|
|
error = procctl(P_PID, pid, PROC_STACKGAP_CTL, &arg);
|
|
break;
|
|
case MODE_NO_NEW_PRIVS:
|
|
arg = enable ? PROC_NO_NEW_PRIVS_ENABLE :
|
|
PROC_NO_NEW_PRIVS_DISABLE;
|
|
error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_CTL,
|
|
&arg);
|
|
break;
|
|
case MODE_WXMAP:
|
|
arg = enable ? PROC_WX_MAPPINGS_PERMIT :
|
|
PROC_WX_MAPPINGS_DISALLOW_EXEC;
|
|
error = procctl(P_PID, pid, PROC_WXMAP_CTL, &arg);
|
|
break;
|
|
#ifdef PROC_KPTI_CTL
|
|
case MODE_KPTI:
|
|
arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :
|
|
PROC_KPTI_CTL_DISABLE_ON_EXEC;
|
|
error = procctl(P_PID, pid, PROC_KPTI_CTL, &arg);
|
|
break;
|
|
#endif
|
|
#ifdef PROC_LA_CTL
|
|
case MODE_LA57:
|
|
arg = enable ? PROC_LA_CTL_LA57_ON_EXEC :
|
|
PROC_LA_CTL_DEFAULT_ON_EXEC;
|
|
error = procctl(P_PID, pid, PROC_LA_CTL, &arg);
|
|
break;
|
|
case MODE_LA48:
|
|
arg = enable ? PROC_LA_CTL_LA48_ON_EXEC :
|
|
PROC_LA_CTL_DEFAULT_ON_EXEC;
|
|
error = procctl(P_PID, pid, PROC_LA_CTL, &arg);
|
|
break;
|
|
#endif
|
|
default:
|
|
usage();
|
|
break;
|
|
}
|
|
if (error != 0)
|
|
err(1, "procctl ctl");
|
|
if (do_command) {
|
|
error = execvp(argv[0], argv);
|
|
err(1, "exec");
|
|
}
|
|
}
|
|
exit(0);
|
|
}
|