author | Konstantin Belousov <kib@FreeBSD.org> | 2021-10-15 20:09:39 +0000 |
---|---|---|
committer | Konstantin Belousov <kib@FreeBSD.org> | 2021-10-26 02:26:27 +0000 |
commit | c802b970a5434eb622eed7176f31cdf41170cb1f (patch) | |
tree | f45e822666b055b7f2bc03a3f19fe8693d104fbb | |
parent | c7d4bd74773e78a243531678052902f09f912409 (diff) | |
procctl: actually require debug privileges over target
(cherry picked from commit f5bb6e5a6d488740e451ad4acd82a70b95e786cd)
-rw-r--r-- | lib/libc/sys/procctl.2 | 8 | ||||
-rw-r--r-- | sys/kern/kern_procctl.c | 14 |
2 files changed, 15 insertions, 7 deletions
diff --git a/lib/libc/sys/procctl.2 b/lib/libc/sys/procctl.2
index 9ceea00191e0..02979e934451 100644
--- a/lib/libc/sys/procctl.2
+++ b/lib/libc/sys/procctl.2
@@ -72,6 +72,14 @@ Control processes belonging to the process group with the ID
 The control request to perform is specified by the
 .Fa cmd
 argument.
+.Pp
+All status changing requests
+.Dv *_CTL
+require the caller to have the right to debug the target.
+All status query requests
+.DV *_STATUS
+require the caller to have the right to observe the target.
+.Pp
 The following commands are supported:
 .Bl -tag -width PROC_TRAPCAP_STATUS
 .It Dv PROC_ASLR_CTL
diff --git a/sys/kern/kern_procctl.c b/sys/kern/kern_procctl.c
index 6229d2140228..c3f078f96e80 100644
--- a/sys/kern/kern_procctl.c
+++ b/sys/kern/kern_procctl.c
@@ -759,7 +759,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 [PROC_TRACE_CTL] =
 { .lock_tree = SA_SLOCKED, .one_proc = false,
 .esrch_is_einval = false, .no_nonnull_data = false,
- .need_candebug = false,
+ .need_candebug = true,
 .copyin_sz = sizeof(int), .copyout_sz = 0,
 .exec = trace_ctl, .copyout_on_error = false, },
 [PROC_TRACE_STATUS] =
@@ -771,7 +771,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 [PROC_TRAPCAP_CTL] =
 { .lock_tree = SA_SLOCKED, .one_proc = false,
 .esrch_is_einval = false, .no_nonnull_data = false,
- .need_candebug = false,
+ .need_candebug = true,
 .copyin_sz = sizeof(int), .copyout_sz = 0,
 .exec = trapcap_ctl, .copyout_on_error = false, },
 [PROC_TRAPCAP_STATUS] =
@@ -795,7 +795,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 [PROC_ASLR_CTL] =
 { .lock_tree = SA_UNLOCKED, .one_proc = true,
 .esrch_is_einval = false, .no_nonnull_data = false,
- .need_candebug = false,
+ .need_candebug = true,
 .copyin_sz = sizeof(int), .copyout_sz = 0,
 .exec = aslr_ctl, .copyout_on_error = false, },
 [PROC_ASLR_STATUS] =
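Review bot: `.need_candebug` is opt-in per entry of `procctl_cmds_info[]`, so an entry that omits the designated initializer is zero-initialized to false and gets no debug-rights requirement, which is the fail-open default this change corrects for `PROC_TRACE_CTL`. A comment above the table would state the rule for later additions, for example `/* Every *_CTL command that can act on another process must set .need_candebug = true. */`. The same point applies to the other six hunks in this file (TRAPCAP, ASLR, PROTMAX, STACKGAP, NO_NEW_PRIVS and WXMAP). The table starts and ends outside the hunks, so entries not shown here, and the code that consumes the flag, should be checked against the new procctl.2 wording that all `*_CTL` requests require the right to debug the target. In that man-page hunk the second macro is spelled `.DV`, where mdoc expects `.Dv`.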
@@ -807,7 +807,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 [PROC_PROTMAX_CTL] =
 { .lock_tree = SA_UNLOCKED, .one_proc = true,
 .esrch_is_einval = false, .no_nonnull_data = false,
- .need_candebug = false,
+ .need_candebug = true,
 .copyin_sz = sizeof(int), .copyout_sz = 0,
 .exec = protmax_ctl, .copyout_on_error = false, },
 [PROC_PROTMAX_STATUS] =
@@ -819,7 +819,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 [PROC_STACKGAP_CTL] =
 { .lock_tree = SA_UNLOCKED, .one_proc = true,
 .esrch_is_einval = false, .no_nonnull_data = false,
- .need_candebug = false,
+ .need_candebug = true,
 .copyin_sz = sizeof(int), .copyout_sz = 0,
 .exec = stackgap_ctl, .copyout_on_error = false, },
 [PROC_STACKGAP_STATUS] =
@@ -831,7 +831,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 [PROC_NO_NEW_PRIVS_CTL] =
 { .lock_tree = SA_SLOCKED, .one_proc = true,
 .esrch_is_einval = false, .no_nonnull_data = false,
- .need_candebug = false,
+ .need_candebug = true,
 .copyin_sz = sizeof(int), .copyout_sz = 0,
 .exec = no_new_privs_ctl, .copyout_on_error = false, },
 [PROC_NO_NEW_PRIVS_STATUS] =
@@ -843,7 +843,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 [PROC_WXMAP_CTL] =
 { .lock_tree = SA_UNLOCKED, .one_proc = true,
 .esrch_is_einval = false, .no_nonnull_data = false,
- .need_candebug = false,
+ .need_candebug = true,
 .copyin_sz = sizeof(int), .copyout_sz = 0,
 .exec = wxmap_ctl, .copyout_on_error = false, },
 [PROC_WXMAP_STATUS] =
|