procctl: actually require debug privileges over target

(cherry picked from commit f5bb6e5a6d488740e451ad4acd82a70b95e786cd)

2 files changed, 15 insertions, 7 deletions

diff --git a/lib/libc/sys/procctl.2 b/lib/libc/sys/procctl.2
index 9ceea00191e0..02979e934451 100644
--- a/lib/libc/sys/procctl.2
+++ b/lib/libc/sys/procctl.2
@@ -72,6 +72,14 @@ Control processes belonging to the process group with the ID
 The control request to perform is specified by the
 .Fa cmd
 argument.
+.Pp
+All status changing requests
+.Dv *_CTL
+require the caller to have the right to debug the target.
+All status query requests
+.DV *_STATUS
+require the caller to have the right to observe the target.
+.Pp
 The following commands are supported:
 .Bl -tag -width PROC_TRAPCAP_STATUS
 .It Dv PROC_ASLR_CTL
diff --git a/sys/kern/kern_procctl.c b/sys/kern/kern_procctl.c
index 6229d2140228..c3f078f96e80 100644
--- a/sys/kern/kern_procctl.c
+++ b/sys/kern/kern_procctl.c
@@ -759,7 +759,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_TRACE_CTL] =
 	    { .lock_tree = SA_SLOCKED, .one_proc = false,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = trace_ctl, .copyout_on_error = false, },
 	[PROC_TRACE_STATUS] =
@@ -771,7 +771,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_TRAPCAP_CTL] =
 	    { .lock_tree = SA_SLOCKED, .one_proc = false,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = trapcap_ctl, .copyout_on_error = false, },
 	[PROC_TRAPCAP_STATUS] =
@@ -795,7 +795,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_ASLR_CTL] =
 	    { .lock_tree = SA_UNLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = aslr_ctl, .copyout_on_error = false, },
 	[PROC_ASLR_STATUS] =
@@ -807,7 +807,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_PROTMAX_CTL] =
 	    { .lock_tree = SA_UNLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = protmax_ctl, .copyout_on_error = false, },
 	[PROC_PROTMAX_STATUS] =
@@ -819,7 +819,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_STACKGAP_CTL] =
 	    { .lock_tree = SA_UNLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = stackgap_ctl, .copyout_on_error = false, },
 	[PROC_STACKGAP_STATUS] =
@@ -831,7 +831,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_NO_NEW_PRIVS_CTL] =
 	    { .lock_tree = SA_SLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = no_new_privs_ctl, .copyout_on_error = false, },
 	[PROC_NO_NEW_PRIVS_STATUS] =
@@ -843,7 +843,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_WXMAP_CTL] =
 	    { .lock_tree = SA_UNLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = wxmap_ctl, .copyout_on_error = false, },
 	[PROC_WXMAP_STATUS] =