pdrfork(2): do require RFPROCDESC | RFPROC

when RFSPAWN is not specified, as stated in the man page.
rfork(2) cannot modify non-curproc, which is why RFPROC is required,
the syscall cannot act on arbitrary process descriptor.
If RFPROCDESC is not specified, the syscall does not make sense,
use rfork(2).

Reported and tested by:	pho
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D55306

2 files changed, 10 insertions, 3 deletions

diff --git a/lib/libsys/pdfork.2 b/lib/libsys/pdfork.2
index ad7eecb00dae..9cbeb65bc4fc 100644
--- a/lib/libsys/pdfork.2
+++ b/lib/libsys/pdfork.2
@@ -114,11 +114,13 @@ for a description of the possible
 flags.
 The
 .Fn pdrfork
-system call requires that the
+system call requires that both the
 .Va RFPROC
-or
+and
+.Va RFPROCDESC
+flags, or
 .Va RFSPAWN
-flag is specified.
+flag are specified.
 .Pp
 .Fn pdgetpid
 queries the process ID (PID) in the process descriptor
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index 6313bf3bb651..36647ae44f08 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -214,6 +214,11 @@ sys_pdrfork(struct thread *td, struct pdrfork_args *uap)
 		fr.fr_flags = RFFDG | RFPROC | RFPPWAIT | RFMEM | RFPROCDESC;
 		fr.fr_flags2 = FR2_DROPSIG_CAUGHT;
 	} else {
+		if ((uap->rfflags & (RFPROC | RFPROCDESC)) !=
+		    (RFPROC | RFPROCDESC)) {
+			return (EXTERROR(EINVAL,
+			    "RFPROC|RFPROCDESC required %#jx", uap->rfflags));
+		}
 		fr.fr_flags = uap->rfflags;
 	}