mprotect - set protection of memory mapping
int mprotect(void *addr, size_t len, int prot);
The function mprotect changes the access protections on the mappings
specified by the range [addr, addr + len) to be that specified by prot.
Legitimate values for prot are the same as those permitted for mmap and
are defined in <sys/mman.h> as:
PROT_READ /* page can be read */
PROT_WRITE /* page can be written */
PROT_EXEC /* page can be executed */
PROT_NONE /* page can not be accessed */
PROT_EXEC_NOFLUSH /* page can be executed - cache not synced */
Not all implementations literally provide all possible combinations.
PROT_WRITE is often implemented as PROT_READ|PROT_WRITE and PROT_EXEC as
PROT_READ|PROT_EXEC. This is true for all SGI implementations. In
particular, MIPS processors do not support a separate execute permission.
Any page that can be read can be executed from, even if PROT_EXEC is not
specified. As described below, the operating system uses PROT_EXEC as a
flag to indicate it may need to perform certain platform dependent
functions that may be needed to properly execute instructions from the
associated page. However, no implementation will permit a store to
succeed where PROT_WRITE has not been set.
Applications such as compiling interpreters that generate code in their
data areas and then wish to execute it, should use mprotect to add
PROT_EXEC permission to the corresponding pages. This must be done after
the code has been generated, but before it is executed. This causes any
necessary machine dependent activities, such as cache flushing, to occur
that are required prior to executing from any part of the process's
address space other than the program or library text segments. If the
generated instructions are altered after the previous call to mprotect
was made to mark the data as executable, then mprotect must be called to
again add PROT_EXEC before the new code is executed in order to prepare
the new contents of the page(s) for proper execution.
In some cases, it may be better for performance reasons to keep execute
permissions on a page without syncing the instruction and data cache. In
these cases, specify PROT_EXEC_NOFLUSH to keep the cache from being
flushed. However, it is then up to the programmer to call mprotect with
PROT_EXEC to sync the cache when instructions in a page change.
On success, mprotect returns 0; on failure, mprotect returns -1 and sets
errno to indicate an error.
Under the following conditions, the function mprotect fails and sets
EACCES prot specifies a protection that violates the access permission
the process has to the underlying memory object.
EAGAIN prot specifies PROT_WRITE over a MAP_PRIVATE mapping and there are
insufficient memory resources to reserve for locking the private
EINVAL addr is not a multiple of the page size as returned by sysconf.
ENOMEM The argument len has a value less than or equal to 0.
ENOMEM Addresses in the range [addr, addr + len) are invalid for the
address space of a process, or specify one or more pages which are
When mprotect fails for reasons other than EINVAL, the protections on
some of the pages in the range [addr, addr + len) may have been changed.
If the error occurs on some page at addr2, then the protections of all
whole pages in the range [addr, addr2] will have been modified.
mmap(2), plock(2), sysconf(3C)
PPPPaaaaggggeeee 2222 [ Back ]