git: f5bb6e5a6d48 - main - procctl: actually require debug privileges over target

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Tue, 19 Oct 2021 20:04:53 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=f5bb6e5a6d488740e451ad4acd82a70b95e786cd

commit f5bb6e5a6d488740e451ad4acd82a70b95e786cd
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-10-15 20:09:39 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-10-19 20:04:34 +0000

    procctl: actually require debug privileges over target
    
    for state control over TRACE, TRAPCAP, ASLR, PROTMAX, STACKGAP,
    NO_NEWPRIVS, and WXMAP.
    
    Reported by:    emaste
    Reviewed by:    emaste, markj
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D32513
---
 lib/libc/sys/procctl.2  |  8 ++++++++
 sys/kern/kern_procctl.c | 14 +++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/lib/libc/sys/procctl.2 b/lib/libc/sys/procctl.2
index 7412c2ee9d56..97509d0fbf06 100644
--- a/lib/libc/sys/procctl.2
+++ b/lib/libc/sys/procctl.2
@@ -72,6 +72,14 @@ Control processes belonging to the process group with the ID
 The control request to perform is specified by the
 .Fa cmd
 argument.
+.Pp
+All status changing requests
+.Dv *_CTL
+require the caller to have the right to debug the target.
+All status query requests
+.DV *_STATUS
+require the caller to have the right to observe the target.
+.Pp
 The following commands are supported:
 .Bl -tag -width PROC_TRAPCAP_STATUS
 .It Dv PROC_ASLR_CTL
diff --git a/sys/kern/kern_procctl.c b/sys/kern/kern_procctl.c
index 6229d2140228..c3f078f96e80 100644
--- a/sys/kern/kern_procctl.c
+++ b/sys/kern/kern_procctl.c
@@ -759,7 +759,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_TRACE_CTL] =
 	    { .lock_tree = SA_SLOCKED, .one_proc = false,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = trace_ctl, .copyout_on_error = false, },
 	[PROC_TRACE_STATUS] =
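Review bot: Nothing in the table states which entries must set `.need_candebug`, which is presumably how the `*_CTL` rows for TRACE, TRAPCAP, ASLR, PROTMAX, STACKGAP, NO_NEW_PRIVS and WXMAP all carried `false` until this commit; the point applies equally to the six hunks that follow. A comment above `procctl_cmds_info[]` would make the rule reviewable, for example `/* Every state-changing *_CTL entry sets need_candebug; *_STATUS entries need only the right to observe the target. */`, which matches the wording this commit adds to procctl.2. A check that walks the table and rejects a `*_CTL` row with `false` would catch a regression, if that is indeed the intended invariant for every such command. The array definition starts and ends outside the hunk.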
@@ -771,7 +771,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_TRAPCAP_CTL] =
 	    { .lock_tree = SA_SLOCKED, .one_proc = false,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = trapcap_ctl, .copyout_on_error = false, },
 	[PROC_TRAPCAP_STATUS] =
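Review bot: `PROC_TRAPCAP_CTL` keeps `.one_proc = false`, so with `.need_candebug = true` a request aimed at a process group can reach members the caller may not debug, and the hunk does not show whether those members are skipped or make the whole call fail. The outcome is worth stating next to the field, for example `/* need_candebug: for group targets, members failing the check are <skipped | an error> */` with the actual behaviour filled in, and in the ERRORS section of procctl.2. The `PROC_TRACE_CTL` entry in the previous hunk has the same `.one_proc = false` setting. The table definition continues outside the hunk.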
@@ -795,7 +795,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_ASLR_CTL] =
 	    { .lock_tree = SA_UNLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = aslr_ctl, .copyout_on_error = false, },
 	[PROC_ASLR_STATUS] =
@@ -807,7 +807,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_PROTMAX_CTL] =
 	    { .lock_tree = SA_UNLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = protmax_ctl, .copyout_on_error = false, },
 	[PROC_PROTMAX_STATUS] =
@@ -819,7 +819,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_STACKGAP_CTL] =
 	    { .lock_tree = SA_UNLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = stackgap_ctl, .copyout_on_error = false, },
 	[PROC_STACKGAP_STATUS] =
@@ -831,7 +831,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_NO_NEW_PRIVS_CTL] =
 	    { .lock_tree = SA_SLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = no_new_privs_ctl, .copyout_on_error = false, },
 	[PROC_NO_NEW_PRIVS_STATUS] =
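Review bot: `PROC_NO_NEW_PRIVS_CTL` now goes through the debug-privilege check even when a process applies the flag to itself, and whether that self-targeting case still succeeds is not visible in this hunk. It depends on the check behind `.need_candebug` accepting caller == target before any policy such as `security.bsd.unprivileged_proc_debug` is consulted; if it does not, a hardened configuration would stop processes from restricting themselves. A regression test that sets NO_NEW_PRIVS, ASLR and WXMAP on the calling process with unprivileged debugging disabled would pin the intended behaviour, and a short comment on the field saying that self-targeting requests must pass would record it. The same question applies to the ASLR, PROTMAX, STACKGAP and WXMAP hunks, whose entries also have `.one_proc = true`.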
@@ -843,7 +843,7 @@ static const struct procctl_cmd_info procctl_cmds_info[] = {
 	[PROC_WXMAP_CTL] =
 	    { .lock_tree = SA_UNLOCKED, .one_proc = true,
 	      .esrch_is_einval = false, .no_nonnull_data = false,
-	      .need_candebug = false,
+	      .need_candebug = true,
 	      .copyin_sz = sizeof(int), .copyout_sz = 0,
 	      .exec = wxmap_ctl, .copyout_on_error = false, },
 	[PROC_WXMAP_STATUS] =