mprotect(2) mprotect(2) NAME mprotect - set protection of memory mapping SYNOPSIS #include <sys/types.h> #include <sys/mman.h> int mprotect(void *addr, size_t len, int prot); DESCRIPTION The function mprotect changes the access protections on the mappings specified by the range [addr, addr + len) to be that specified by prot. Legitimate values for prot are the same as those permitted for mmap and are defined in <sys/mman.h> as: PROT_READ /* page can be read */ PROT_WRITE /* page can be written */ PROT_EXEC /* page can be executed */ PROT_NONE /* page can not be accessed */ PROT_EXEC_NOFLUSH /* page can be executed - cache not synced */ Not all implementations literally provide all possible combinations. PROT_WRITE is often implemented as PROT_READ|PROT_WRITE and PROT_EXEC as PROT_READ|PROT_EXEC. This is true for all SGI implementations. In particular, MIPS processors do not support a separate execute permission. Any page that can be read can be executed from, even if PROT_EXEC is not specified. As described below, the operating system uses PROT_EXEC as a flag to indicate it may need to perform certain platform dependent functions that may be needed to properly execute instructions from the associated page. However, no implementation will permit a store to succeed where PROT_WRITE has not been set. Applications such as compiling interpreters that generate code in their data areas and then wish to execute it, should use mprotect to add PROT_EXEC permission to the corresponding pages. This must be done after the code has been generated, but before it is executed. This causes any necessary machine dependent activities, such as cache flushing, to occur that are required prior to executing from any part of the process's address space other than the program or library text segments. If the generated instructions are altered after the previous call to mprotect was made to mark the data as executable, then mprotect must be called to again add PROT_EXEC before the new code is executed in order to prepare the new contents of the page(s) for proper execution. In some cases, it may be better for performance reasons to keep execute permissions on a page without syncing the instruction and data cache. In these cases, specify PROT_EXEC_NOFLUSH to keep the cache from being flushed. However, it is then up to the programmer to call mprotect with PROT_EXEC to sync the cache when instructions in a page change. RETURN VALUE On success, mprotect returns 0; on failure, mprotect returns -1 and sets errno to indicate an error. ERRORS Under the following conditions, the function mprotect fails and sets errno to: EACCES prot specifies a protection that violates the access permission the process has to the underlying memory object. EAGAIN prot specifies PROT_WRITE over a MAP_PRIVATE mapping and there are insufficient memory resources to reserve for locking the private page. EINVAL addr is not a multiple of the page size as returned by sysconf. ENOMEM The argument len has a value less than or equal to 0. ENOMEM Addresses in the range [addr, addr + len) are invalid for the address space of a process, or specify one or more pages which are not mapped. When mprotect fails for reasons other than EINVAL, the protections on some of the pages in the range [addr, addr + len) may have been changed. If the error occurs on some page at addr2, then the protections of all whole pages in the range [addr, addr2] will have been modified. SEE ALSO mmap(2), plock(2), sysconf(3C) Page 2