authorKonstantin Belousov <kib@FreeBSD.org>2022-01-21 21:52:35 +0000
committerKonstantin Belousov <kib@FreeBSD.org>2022-01-29 01:10:44 +0000
commitfbdc76539b8ad1364da0fb00f2c7e367df9d8fad (patch)
treebe09fc0accfa15df6379c2ed7bde37750cddd321
parent704d2103c61363e46e9f4a61b1e61527e5bfe173 (diff)
Add security.bsd.allow_ptrace sysctl
(cherry picked from commit fe6db727081936c43250f97a4ff4b9de20eb0091)
-rw-r--r--sys/amd64/linux/linux_ptrace.c3
-rw-r--r--sys/compat/freebsd32/freebsd32_misc.c6
-rw-r--r--sys/kern/kern_prot.c6
-rw-r--r--sys/kern/sys_process.c6
-rw-r--r--sys/sys/ptrace.h2
5 files changed, 21 insertions, 2 deletions
diff --git a/sys/amd64/linux/linux_ptrace.c b/sys/amd64/linux/linux_ptrace.c
index d209590e3680..e158059ec423 100644
--- a/sys/amd64/linux/linux_ptrace.c
+++ b/sys/amd64/linux/linux_ptrace.c
@@ -573,6 +573,9 @@ linux_ptrace(struct thread *td, struct linux_ptrace_args *uap)
pid_t pid;
int error, sig;
+ if (!allow_ptrace)
+ return (ENOSYS);
+
pid = (pid_t)uap->pid;
addr = (void *)uap->addr;
diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c
index 5e70a3194c1a..2360d28c15d0 100644
--- a/sys/compat/freebsd32/freebsd32_misc.c
+++ b/sys/compat/freebsd32/freebsd32_misc.c
@@ -937,7 +937,11 @@ freebsd32_ptrace(struct thread *td, struct freebsd32_ptrace_args *uap)
struct ptrace_sc_ret32 psr;
} r32;
void *addr;
- int data, error = 0, i;
+ int data, error, i;
+
+ if (!allow_ptrace)
+ return (ENOSYS);
+ error = 0;
AUDIT_ARG_PID(uap->pid);
AUDIT_ARG_CMD(uap->req);
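Review bot: The new `if (!allow_ptrace) return (ENOSYS);` sits before `AUDIT_ARG_PID(uap->pid)` and `AUDIT_ARG_CMD(uap->req)`, so a ptrace(2) call refused by the knob is rejected before its pid and request are attached to the audit record; the same ordering appears in the sys_ptrace hunk of sys/kern/sys_process.c. If an operator turns the knob off as a hardening measure, the denied attempts are precisely the ones worth recording with their arguments, so consider placing the check after the two AUDIT_ARG_* lines: `AUDIT_ARG_PID(uap->pid); AUDIT_ARG_CMD(uap->req); if (!allow_ptrace) return (ENOSYS);`. Whether an audit record is emitted at all for the early return depends on the syscall audit path, which is not visible here, so this is worth confirming rather than assuming. The enclosing freebsd32_ptrace function starts before and ends after this hunk.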
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 484ebed95118..b39cc635e778 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -58,6 +58,7 @@ __FBSDID("$FreeBSD$");
#include <sys/loginclass.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
+#include <sys/ptrace.h>
#include <sys/refcount.h>
#include <sys/sx.h>
#include <sys/priv.h>
@@ -2485,3 +2486,8 @@ change_svgid(struct ucred *newcred, gid_t svgid)
newcred->cr_svgid = svgid;
}
+
+bool allow_ptrace = true;
+SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
+ &allow_ptrace, 0,
+ "Deny ptrace(2) use by returning ENOSYS");
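Review bot: The description string reads as if the knob denies ptrace, but the variable is named allow_ptrace and defaults to true, so `sysctl -d` output will be confusing for the common case; something like `"Allow ptrace(2) use; when 0, ptrace(2) fails with ENOSYS"` describes the value rather than one of its settings. CTLFLAG_RWTUN also means the knob can be re-enabled at runtime by a privileged process, so operators relying on it for hardening should not read "deny" as a one-way switch; a short comment above the definition, e.g. `/* security.bsd.allow_ptrace: master switch for ptrace(2); checked at the top of each ptrace syscall. */`, would document both the intent and where the checks live.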
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index 2515a9cf1e4f..eb628c040cd9 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -480,7 +480,11 @@ sys_ptrace(struct thread *td, struct ptrace_args *uap)
int ptevents;
} r;
void *addr;
- int error = 0;
+ int error;
+
+ if (!allow_ptrace)
+ return (ENOSYS);
+ error = 0;
AUDIT_ARG_PID(uap->pid);
AUDIT_ARG_CMD(uap->req);
diff --git a/sys/sys/ptrace.h b/sys/sys/ptrace.h
index 1e7c1c71056b..4cd7a3fceaec 100644
--- a/sys/sys/ptrace.h
+++ b/sys/sys/ptrace.h
@@ -243,6 +243,8 @@ int proc_write_dbregs32(struct thread *_td, struct dbreg32 *_dbreg32);
void ptrace_unsuspend(struct proc *p);
+extern bool allow_ptrace;
+
#else /* !_KERNEL */
#include <sys/cdefs.h>
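Review bot: `extern bool allow_ptrace;` is added to the _KERNEL section of sys/ptrace.h without an accompanying include, so the declaration relies on every kernel includer already having `bool` in scope; that is presumably true through the headers normally included ahead of it, but it is worth confirming since the diffstat shows no include added to sys/ptrace.h itself. A one-line comment on the declaration, e.g. `/* security.bsd.allow_ptrace: when false, the ptrace(2) entry points return ENOSYS. */`, would tell readers of the header what the flag controls without having to find the sysctl definition in kern_prot.c.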