authorKonstantin Belousov <kib@FreeBSD.org>2019-07-02 19:07:17 +0000
committerKonstantin Belousov <kib@FreeBSD.org>2019-07-02 19:07:17 +0000
commit5dc7e31a098741399f171c1bd7be51124e75b12f (patch)
tree96703a93b51f5d48d8b713c1307d2ef5c6f4da62 /sys/sys
parent3730695151008c2f83ee606d87f6561a597fd463 (diff)
Control implicit PROT_MAX() using procctl(2) and the FreeBSD note
feature bit.

In particular, allocate the bit to opt the image out of implicit PROTMAX enablement. Provide procctl(2) verbs to set and query implicit PROTMAX handling. The knobs mimic the same per-image flag and per-process controls for ASLR.

Reviewed by: emaste, markj (previous version)
Discussed with: brooks
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D20795
Notes
Notes: svn path=/head/; revision=349609
Diffstat (limited to 'sys/sys')
-rw-r--r--sys/sys/elf_common.h1
-rw-r--r--sys/sys/proc.h2
-rw-r--r--sys/sys/procctl.h7
-rw-r--r--sys/sys/syscallsubr.h1
4 files changed, 11 insertions, 0 deletions
diff --git a/sys/sys/elf_common.h b/sys/sys/elf_common.h
index 538ae4eb2db3..f7484bd41c1a 100644
--- a/sys/sys/elf_common.h
+++ b/sys/sys/elf_common.h
@@ -777,6 +777,7 @@ typedef struct {
/* NT_FREEBSD_FEATURE_CTL desc[0] bits */
#define NT_FREEBSD_FCTL_ASLR_DISABLE 0x00000001
+#define NT_FREEBSD_FCTL_PROTMAX_DISABLE 0x00000002
/* Values for n_type. Used in core files. */
#define NT_PRSTATUS 1 /* Process status. */
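Review bot: `NT_FREEBSD_FCTL_PROTMAX_DISABLE` is added without a comment, and because it lets an image switch off a hardening default for itself it deserves one, e.g. `/* Opt the image out of implicit PROT_MAX. */`. How this bit ranks against a procctl(2) force-enable is decided in code outside this diff (which is limited to sys/sys), so that precedence is worth stating next to the define or in the manual page. The neighbouring ASLR bit is equally bare and could get the same treatment.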
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index a257de430ba7..857bb5234d12 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -761,6 +761,8 @@ struct proc {
#define P2_ASLR_ENABLE 0x00000040 /* Force enable ASLR. */
#define P2_ASLR_DISABLE 0x00000080 /* Force disable ASLR. */
#define P2_ASLR_IGNSTART 0x00000100 /* Enable ASLR to consume sbrk area. */
+#define P2_PROTMAX_ENABLE 0x00000200 /* Force enable implied PROT_MAX. */
+#define P2_PROTMAX_DISABLE 0x00000400 /* Force disable implied PROT_MAX. */
/* Flags protected by proctree_lock, kept in p_treeflags. */
#define P_TREE_ORPHANED 0x00000001 /* Reparented, on orphan list */
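Review bot: The two new comments say "implied PROT_MAX", while procctl.h in the same commit and the commit message say "implicit PROT_MAX"; one term should be used throughout, e.g. `/* Force enable implicit PROT_MAX. */`. Nothing visible here states whether `P2_PROTMAX_ENABLE` and `P2_PROTMAX_DISABLE` are mutually exclusive. If the setter guarantees that, presumably as for the ASLR pair, a one-line comment above the pair would spare readers from checking. The enclosing flag list starts and ends outside the hunk.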
diff --git a/sys/sys/procctl.h b/sys/sys/procctl.h
index 80679f5eb972..f80dc023af19 100644
--- a/sys/sys/procctl.h
+++ b/sys/sys/procctl.h
@@ -59,6 +59,8 @@
#define PROC_PDEATHSIG_STATUS 12 /* get parent death signal */
#define PROC_ASLR_CTL 13 /* en/dis ASLR */
#define PROC_ASLR_STATUS 14 /* query ASLR status */
+#define PROC_PROTMAX_CTL 15 /* en/dis implicit PROT_MAX */
+#define PROC_PROTMAX_STATUS 16 /* query implicit PROT_MAX status */
/* Operations for PROC_SPROTECT (passed in integer arg). */
#define PPROT_OP(x) ((x) & 0xf)
@@ -127,6 +129,11 @@ struct procctl_reaper_kill {
#define PROC_ASLR_NOFORCE 3
#define PROC_ASLR_ACTIVE 0x80000000
+#define PROC_PROTMAX_FORCE_ENABLE 1
+#define PROC_PROTMAX_FORCE_DISABLE 2
+#define PROC_PROTMAX_NOFORCE 3
+#define PROC_PROTMAX_ACTIVE 0x80000000
+
#ifndef _KERNEL
__BEGIN_DECLS
int procctl(idtype_t, id_t, int, void *);
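Review bot: The four `PROC_PROTMAX_*` values carry no comment saying which command they belong to. Presumably the first three are the argument of `PROC_PROTMAX_CTL` and `PROC_PROTMAX_ACTIVE` is a flag reported by `PROC_PROTMAX_STATUS`, mirroring the ASLR block above. A heading such as `/* Arguments for PROC_PROTMAX_CTL; PROC_PROTMAX_STATUS may also report PROC_PROTMAX_ACTIVE. */` would make that explicit once confirmed against the implementation. Since `0x80000000` has type unsigned int, a status held in an `int` is best tested with `(status & PROC_PROTMAX_ACTIVE) != 0`, with that bit masked off before comparing against the three modes.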
diff --git a/sys/sys/syscallsubr.h b/sys/sys/syscallsubr.h
index 29bd01de841e..0c3ec79071d8 100644
--- a/sys/sys/syscallsubr.h
+++ b/sys/sys/syscallsubr.h
@@ -175,6 +175,7 @@ int kern_mlock(struct proc *proc, struct ucred *cred, uintptr_t addr,
size_t len);
int kern_mmap(struct thread *td, uintptr_t addr, size_t len, int prot,
int flags, int fd, off_t pos);
+int kern_mmap_maxprot(struct proc *p, int prot);
int kern_mprotect(struct thread *td, uintptr_t addr, size_t size, int prot);
int kern_msgctl(struct thread *, int, int, struct msqid_ds *);
int kern_msgrcv(struct thread *, int, void *, size_t, long, int, long *);
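Review bot: `kern_mmap_maxprot()` is declared among `kern_*` prototypes that conventionally return an errno, but judging by its name and `int prot` parameter it returns protection bits instead. A short comment on the prototype, e.g. `/* Returns the maximum protection implied for prot in process p, not an errno. */`, would keep callers from treating the result as an error code. The definition is outside this diff, so the wording should be confirmed against it.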