]>
Commit | Line | Data |
---|---|---|
c11b1abf | 1 | .\" Copyright (C) 2007 Michael Kerrisk <mtk.manpages@gmail.com> |
2a5e0dcd | 2 | .\" and Copyright (C) 1995 Michael Shields <shields@tembel.org>. |
fea681da | 3 | .\" |
93015253 | 4 | .\" %%%LICENSE_START(VERBATIM) |
fea681da MK |
5 | .\" Permission is granted to make and distribute verbatim copies of this |
6 | .\" manual provided the copyright notice and this permission notice are | |
7 | .\" preserved on all copies. | |
8 | .\" | |
9 | .\" Permission is granted to copy and distribute modified versions of this | |
10 | .\" manual under the conditions for verbatim copying, provided that the | |
11 | .\" entire resulting derived work is distributed under the terms of a | |
12 | .\" permission notice identical to this one. | |
c13182ef | 13 | .\" |
fea681da MK |
14 | .\" Since the Linux kernel and libraries are constantly changing, this |
15 | .\" manual page may be incorrect or out-of-date. The author(s) assume no | |
16 | .\" responsibility for errors or omissions, or for damages resulting from | |
17 | .\" the use of the information contained herein. The author(s) may not | |
18 | .\" have taken the same level of care in the production of this manual, | |
19 | .\" which is licensed free of charge, as they might when working | |
20 | .\" professionally. | |
c13182ef | 21 | .\" |
fea681da MK |
22 | .\" Formatted or processed versions of this manual, if unaccompanied by |
23 | .\" the source, must acknowledge the copyright and author of this work. | |
4b72fb64 | 24 | .\" %%%LICENSE_END |
fea681da MK |
25 | .\" |
26 | .\" Modified 1996-10-22 by Eric S. Raymond <esr@thyrsus.com> | |
27 | .\" Modified 1997-05-31 by Andries Brouwer <aeb@cwi.nl> | |
28 | .\" Modified 2003-08-24 by Andries Brouwer <aeb@cwi.nl> | |
29 | .\" Modified 2004-08-16 by Andi Kleen <ak@muc.de> | |
2a5e0dcd MK |
30 | .\" 2007-06-02, mtk: Fairly substantial rewrites and additions, and |
31 | .\" a much improved example program. | |
bea08fec | 32 | .\" |
9ba01802 | 33 | .TH MPROTECT 2 2019-03-06 "Linux" "Linux Programmer's Manual" |
fea681da | 34 | .SH NAME |
d800ae65 | 35 | mprotect, pkey_mprotect \- set protection on a region of memory |
fea681da MK |
36 | .SH SYNOPSIS |
37 | .nf | |
38 | .B #include <sys/mman.h> | |
68e4db0a | 39 | .PP |
a2f11be3 | 40 | .BI "int mprotect(void *" addr ", size_t " len ", int " prot ); |
d800ae65 | 41 | .BI "int pkey_mprotect(void *" addr ", size_t " len ", int " prot ", int " pkey "); |
fea681da MK |
42 | .fi |
43 | .SH DESCRIPTION | |
e511ffb6 | 44 | .BR mprotect () |
93d210fd | 45 | changes the access protections for the calling process's memory pages |
988db661 | 46 | containing any part of the address range in the |
657e762d | 47 | interval [\fIaddr\fP,\ \fIaddr\fP+\fIlen\fP\-1]. |
2a5e0dcd MK |
48 | .I addr |
49 | must be aligned to a page boundary. | |
efeece04 | 50 | .PP |
2a5e0dcd | 51 | If the calling process tries to access memory in a manner |
93d210fd | 52 | that violates the protections, then the kernel generates a |
2a5e0dcd MK |
53 | .B SIGSEGV |
54 | signal for the process. | |
fea681da MK |
55 | .PP |
56 | .I prot | |
a9799e8a | 57 | is a combination of the following access flags: |
2a5e0dcd MK |
58 | .B PROT_NONE |
59 | or a bitwise-or of the other values in the following list: | |
fea681da MK |
60 | .TP 1.1i |
61 | .B PROT_NONE | |
62 | The memory cannot be accessed at all. | |
63 | .TP | |
64 | .B PROT_READ | |
65 | The memory can be read. | |
66 | .TP | |
67 | .B PROT_WRITE | |
2a5e0dcd | 68 | The memory can be modified. |
fea681da MK |
69 | .TP |
70 | .B PROT_EXEC | |
fc15ae54 | 71 | The memory can be executed. |
a9799e8a ES |
72 | .TP |
73 | .BR PROT_SEM " (since Linux 2.5.7)" | |
be232513 | 74 | The memory can be used for atomic operations. |
d88d01c6 | 75 | This flag was introduced as part of the |
a9799e8a | 76 | .BR futex (2) |
d88d01c6 MK |
77 | implementation (in order to guarantee the ability to perform atomic |
78 | operations required by commands such as | |
a9799e8a | 79 | .BR FUTEX_WAIT ), |
d88d01c6 | 80 | but is not currently used in on any architecture. |
a9799e8a ES |
81 | .TP |
82 | .BR PROT_SAO " (since Linux 2.6.26)" | |
d88d01c6 MK |
83 | .\" commit aba46c5027cb59d98052231b36efcbbde9c77a1d |
84 | .\" commit ef3d3246a0d06be622867d21af25f997aeeb105f | |
be232513 MK |
85 | The memory should have strong access ordering. |
86 | This feature is specific to | |
d88d01c6 MK |
87 | the PowerPC architecture |
88 | (version 2.06 of the architecture specification adds the SAO CPU feature, | |
be232513 | 89 | and it is available on POWER 7 or PowerPC A2, for example). |
a9799e8a ES |
90 | .PP |
91 | Additionally (since Linux 2.6.0), | |
92 | .I prot | |
93 | can have one of the following flags set: | |
94 | .TP 1.1i | |
95 | .\" mm/mmap.c: | |
96 | .\" vm_flags |= calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(flags) | | |
97 | .\" mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; | |
98 | .\" And calc_vm_flag_bits converts only GROWSDOWN/DENYWRITE/LOCKED. | |
99 | .B PROT_GROWSUP | |
d88d01c6 MK |
100 | Apply the protection mode up to the end of a mapping |
101 | that grows upwards. | |
102 | (Such mappings are created for the stack area on | |
103 | architectures\(emfor example, HP-PARISC\(emthat | |
104 | have an upwardly growing stack.) | |
105 | .\" The VMA is one that was marked with VM_GROWSUP by the kernel | |
106 | .\" when the stack was created. Note that (unlike VM_GROWSDOWN), | |
107 | .\" there is no mmap() flag (analogous to MAP_GROWSDOWN) for | |
108 | .\" creating a VMA that is marked VM_GROWSUP. | |
a9799e8a ES |
109 | .TP |
110 | .B PROT_GROWSDOWN | |
d88d01c6 MK |
111 | Apply the protection mode down to the beginning of a mapping |
112 | that grows downward | |
113 | (which should be a stack segment or a segment mapped with the | |
a9799e8a | 114 | .B MAP_GROWSDOWN |
d88d01c6 | 115 | flag set). |
d800ae65 | 116 | .PP |
9e7d6be1 MK |
117 | Like |
118 | .BR mprotect (), | |
119 | .BR pkey_mprotect () | |
120 | changes the protection on the pages specified by | |
121 | .IR addr | |
122 | and | |
123 | .IR len . | |
124 | The | |
d800ae65 | 125 | .I pkey |
9e7d6be1 | 126 | argument specifies the protection key (see |
31e0cc44 | 127 | .BR pkeys (7)) |
9e7d6be1 MK |
128 | to assign to the memory. |
129 | The protection key must be allocated with | |
d800ae65 DH |
130 | .BR pkey_alloc (2) |
131 | before it is passed to | |
132 | .BR pkey_mprotect (). | |
9e7d6be1 | 133 | For an example of the use of this system call, see |
31e0cc44 | 134 | .BR pkeys (7). |
47297adb | 135 | .SH RETURN VALUE |
fea681da | 136 | On success, |
e511ffb6 | 137 | .BR mprotect () |
d800ae65 DH |
138 | and |
139 | .BR pkey_mprotect () | |
140 | return zero. | |
9e7d6be1 | 141 | On error, these system calls return \-1, and |
fea681da MK |
142 | .I errno |
143 | is set appropriately. | |
144 | .SH ERRORS | |
145 | .TP | |
146 | .B EACCES | |
c13182ef MK |
147 | The memory cannot be given the specified access. |
148 | This can happen, for example, if you | |
fea681da MK |
149 | .BR mmap (2) |
150 | a file to which you have read-only access, then ask | |
e511ffb6 | 151 | .BR mprotect () |
fea681da MK |
152 | to mark it |
153 | .BR PROT_WRITE . | |
154 | .TP | |
fea681da | 155 | .B EINVAL |
a8d55537 | 156 | \fIaddr\fP is not a valid pointer, |
2a5e0dcd | 157 | or not a multiple of the system page size. |
9e7d6be1 MK |
158 | .TP |
159 | .BR EINVAL | |
160 | .RB ( pkey_mprotect ()) | |
161 | \fIpkey\fP has not been allocated with | |
d800ae65 | 162 | .BR pkey_alloc (2) |
a9799e8a ES |
163 | .TP |
164 | .BR EINVAL | |
165 | Both | |
be232513 MK |
166 | .BR PROT_GROWSUP |
167 | and | |
168 | .BR PROT_GROWSDOWN | |
a9799e8a ES |
169 | were specified in |
170 | .IR prot . | |
171 | .TP | |
172 | .BR EINVAL | |
d88d01c6 | 173 | Invalid flags specified in |
a9799e8a ES |
174 | .IR prot . |
175 | .TP | |
176 | .BR EINVAL | |
177 | (PowerPC architecture) | |
178 | .B PROT_SAO | |
d88d01c6 | 179 | was specified in |
a9799e8a ES |
180 | .IR prot , |
181 | but SAO hardware feature is not available. | |
fea681da MK |
182 | .TP |
183 | .B ENOMEM | |
c13182ef | 184 | Internal kernel structures could not be allocated. |
22b22831 MK |
185 | .TP |
186 | .B ENOMEM | |
187 | Addresses in the range | |
f8ad0aeb | 188 | .RI [ addr , |
da2336b3 | 189 | .IR addr + len \-1] |
f8ad0aeb MK |
190 | are invalid for the address space of the process, |
191 | or specify one or more pages that are not mapped. | |
22b22831 MK |
192 | (Before kernel 2.4.19, the error |
193 | .BR EFAULT | |
194 | was incorrectly produced for these cases.) | |
4607213d MK |
195 | .TP |
196 | .B ENOMEM | |
197 | Changing the protection of a memory region would result in the total number of | |
198 | mappings with distinct attributes (e.g., read versus read/write protection) | |
199 | exceeding the allowed maximum. | |
ee8655b5 | 200 | .\" I.e., the number of VMAs would exceed the 64 kB maximum |
4607213d MK |
201 | (For example, making the protection of a range |
202 | .BR PROT_READ | |
203 | in the middle of a region currently protected as | |
204 | .BR PROT_READ|PROT_WRITE | |
205 | would result in three mappings: | |
206 | two read/write mappings at each end and a read-only mapping in the middle.) | |
f74aed0e MK |
207 | .SH VERSIONS |
208 | .BR pkey_mprotect () | |
fe110bff MK |
209 | first appeared in Linux 4.9; |
210 | library support was added in glibc 2.27. | |
47297adb | 211 | .SH CONFORMING TO |
8f5484f8 | 212 | .BR mprotect (): |
c22f5880 | 213 | POSIX.1-2001, POSIX.1-2008, SVr4. |
2b2581ee MK |
214 | .\" SVr4 defines an additional error |
215 | .\" code EAGAIN. The SVr4 error conditions don't map neatly onto Linux's. | |
d9bfdb9c | 216 | POSIX says that the behavior of |
2b2581ee | 217 | .BR mprotect () |
2a5e0dcd MK |
218 | is unspecified if it is applied to a region of memory that |
219 | was not obtained via | |
2b2581ee | 220 | .BR mmap (2). |
efeece04 | 221 | .PP |
8f5484f8 MK |
222 | .BR pkey_mprotect () |
223 | is a nonportable Linux extension. | |
2b2581ee | 224 | .SH NOTES |
329ad271 | 225 | On Linux, it is always permissible to call |
2b2581ee | 226 | .BR mprotect () |
fc7ba057 | 227 | on any address in a process's address space (except for the |
2b2581ee | 228 | kernel vsyscall area). |
3a06e3f7 | 229 | In particular, it can be used |
2b2581ee | 230 | to change existing code mappings to be writable. |
efeece04 | 231 | .PP |
2b2581ee MK |
232 | Whether |
233 | .B PROT_EXEC | |
234 | has any effect different from | |
235 | .B PROT_READ | |
28d01ac4 MK |
236 | depends on processor architecture, kernel version, and process state. |
237 | If | |
b22b377b MS |
238 | .B READ_IMPLIES_EXEC |
239 | is set in the process's personality flags (see | |
240 | .BR personality (2)), | |
241 | specifying | |
242 | .B PROT_READ | |
243 | will implicitly add | |
d8012462 | 244 | .BR PROT_EXEC . |
efeece04 | 245 | .PP |
34ccb744 | 246 | On some hardware architectures (e.g., i386), |
0daa9e92 | 247 | .B PROT_WRITE |
f3edaabb MK |
248 | implies |
249 | .BR PROT_READ . | |
efeece04 | 250 | .PP |
c22f5880 | 251 | POSIX.1 says that an implementation may permit access |
2a5e0dcd MK |
252 | other than that specified in |
253 | .IR prot , | |
33a0ccb2 | 254 | but at a minimum can allow write access only if |
2a5e0dcd MK |
255 | .B PROT_WRITE |
256 | has been set, and must not allow any access if | |
257 | .B PROT_NONE | |
258 | has been set. | |
efeece04 | 259 | .PP |
d800ae65 DH |
260 | Applications should be careful when mixing use of |
261 | .BR mprotect () | |
262 | and | |
9e7d6be1 | 263 | .BR pkey_mprotect (). |
d800ae65 DH |
264 | On x86, when |
265 | .BR mprotect () | |
266 | is used with | |
267 | .IR prot | |
268 | set to | |
269 | .B PROT_EXEC | |
270 | a pkey is may be allocated and set on the memory implicitly | |
271 | by the kernel, but only when the pkey was 0 previously. | |
efeece04 | 272 | .PP |
d800ae65 DH |
273 | On systems that do not support protection keys in hardware, |
274 | .BR pkey_mprotect () | |
275 | may still be used, but | |
276 | .IR pkey | |
a4a0b742 | 277 | must be set to -1. |
d800ae65 DH |
278 | When called this way, the operation of |
279 | .BR pkey_mprotect () | |
280 | is equivalent to | |
281 | .BR mprotect (). | |
fea681da | 282 | .SH EXAMPLE |
2720c2ed | 283 | .\" sigaction.2 refers to this example |
f20d7d8e | 284 | .PP |
9e7d6be1 | 285 | The program below demonstrates the use of |
9871c08c | 286 | .BR mprotect (). |
9e7d6be1 | 287 | The program allocates four pages of memory, makes the third |
5fab2e7c | 288 | of these pages read-only, and then executes a loop that walks upward |
f20d7d8e | 289 | through the allocated region modifying bytes. |
efeece04 | 290 | .PP |
f20d7d8e MK |
291 | An example of what we might see when running the program is the |
292 | following: | |
efeece04 | 293 | .PP |
088a639b | 294 | .in +4n |
b8302363 | 295 | .EX |
b43a3b30 | 296 | .RB "$" " ./a.out" |
f20d7d8e MK |
297 | Start of region: 0x804c000 |
298 | Got SIGSEGV at address: 0x804e000 | |
b8302363 | 299 | .EE |
1c32ee47 | 300 | .in |
9c330504 | 301 | .SS Program source |
d84d0300 | 302 | \& |
e7d0bb47 | 303 | .EX |
f20d7d8e MK |
304 | #include <unistd.h> |
305 | #include <signal.h> | |
fea681da | 306 | #include <stdio.h> |
f20d7d8e | 307 | #include <malloc.h> |
fea681da MK |
308 | #include <stdlib.h> |
309 | #include <errno.h> | |
310 | #include <sys/mman.h> | |
311 | ||
d1a71985 | 312 | #define handle_error(msg) \e |
6a578b88 | 313 | do { perror(msg); exit(EXIT_FAILURE); } while (0) |
d3b5ab82 | 314 | |
22617a74 | 315 | static char *buffer; |
f20d7d8e MK |
316 | |
317 | static void | |
318 | handler(int sig, siginfo_t *si, void *unused) | |
319 | { | |
e931e035 MK |
320 | /* Note: calling printf() from a signal handler is not safe |
321 | (and should not be done in production programs), since | |
322 | printf() is not async\-signal\-safe; see signal-safety(7). | |
323 | Nevertheless, we use printf() here as a simple way of | |
324 | showing that the handler was called. */ | |
325 | ||
d1a71985 | 326 | printf("Got SIGSEGV at address: 0x%lx\en", |
29059a65 | 327 | (long) si\->si_addr); |
f20d7d8e MK |
328 | exit(EXIT_FAILURE); |
329 | } | |
fea681da MK |
330 | |
331 | int | |
f20d7d8e | 332 | main(int argc, char *argv[]) |
fea681da MK |
333 | { |
334 | char *p; | |
f20d7d8e MK |
335 | int pagesize; |
336 | struct sigaction sa; | |
337 | ||
338 | sa.sa_flags = SA_SIGINFO; | |
339 | sigemptyset(&sa.sa_mask); | |
340 | sa.sa_sigaction = handler; | |
29059a65 | 341 | if (sigaction(SIGSEGV, &sa, NULL) == \-1) |
6a578b88 | 342 | handle_error("sigaction"); |
fea681da | 343 | |
f20d7d8e | 344 | pagesize = sysconf(_SC_PAGE_SIZE); |
29059a65 | 345 | if (pagesize == \-1) |
6a578b88 | 346 | handle_error("sysconf"); |
fea681da | 347 | |
988db661 | 348 | /* Allocate a buffer aligned on a page boundary; |
f20d7d8e MK |
349 | initial protection is PROT_READ | PROT_WRITE */ |
350 | ||
351 | buffer = memalign(pagesize, 4 * pagesize); | |
d3b5ab82 | 352 | if (buffer == NULL) |
6a578b88 | 353 | handle_error("memalign"); |
fea681da | 354 | |
d1a71985 | 355 | printf("Start of region: 0x%lx\en", (long) buffer); |
fea681da | 356 | |
988db661 | 357 | if (mprotect(buffer + pagesize * 2, pagesize, |
7d9da03f | 358 | PROT_READ) == \-1) |
6a578b88 | 359 | handle_error("mprotect"); |
fea681da | 360 | |
f20d7d8e | 361 | for (p = buffer ; ; ) |
f81fb444 | 362 | *(p++) = \(aqa\(aq; |
fea681da | 363 | |
d1a71985 | 364 | printf("Loop completed\en"); /* Should never happen */ |
646f46f0 | 365 | exit(EXIT_SUCCESS); |
fea681da | 366 | } |
e7d0bb47 | 367 | .EE |
47297adb | 368 | .SH SEE ALSO |
2a5e0dcd | 369 | .BR mmap (2), |
9e7d6be1 | 370 | .BR sysconf (3), |
31e0cc44 | 371 | .BR pkeys (7) |