git: fbdc76539b8a - stable/13 - Add security.bsd.allow_ptrace sysctl
Date: Sat, 29 Jan 2022 01:11:14 UTC
The branch stable/13 has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=fbdc76539b8ad1364da0fb00f2c7e367df9d8fad
commit fbdc76539b8ad1364da0fb00f2c7e367df9d8fad
Author: Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2022-01-21 21:52:35 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2022-01-29 01:10:44 +0000
Add security.bsd.allow_ptrace sysctl
(cherry picked from commit fe6db727081936c43250f97a4ff4b9de20eb0091)
---
 sys/amd64/linux/linux_ptrace.c | 3 +++
 sys/compat/freebsd32/freebsd32_misc.c | 6 +++++-
 sys/kern/kern_prot.c | 6 ++++++
 sys/kern/sys_process.c | 6 +++++-
 sys/sys/ptrace.h | 2 ++
 5 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/sys/amd64/linux/linux_ptrace.c b/sys/amd64/linux/linux_ptrace.c
index d209590e3680..e158059ec423 100644
--- a/sys/amd64/linux/linux_ptrace.c
+++ b/sys/amd64/linux/linux_ptrace.c
@@ -573,6 +573,9 @@ linux_ptrace(struct thread *td, struct linux_ptrace_args *uap)
 pid_t pid;
 int error, sig;
 
+ if (!allow_ptrace)
+ return (ENOSYS);
+
 pid = (pid_t)uap->pid;
 addr = (void *)uap->addr;
 
diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c
index 5e70a3194c1a..2360d28c15d0 100644
--- a/sys/compat/freebsd32/freebsd32_misc.c
+++ b/sys/compat/freebsd32/freebsd32_misc.c
@@ -937,7 +937,11 @@ freebsd32_ptrace(struct thread *td, struct freebsd32_ptrace_args *uap)
 struct ptrace_sc_ret32 psr;
 } r32;
 void *addr;
- int data, error = 0, i;
+ int data, error, i;
+
+ if (!allow_ptrace)
+ return (ENOSYS);
+ error = 0;
 
 AUDIT_ARG_PID(uap->pid);
 AUDIT_ARG_CMD(uap->req);
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 484ebed95118..b39cc635e778 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -58,6 +58,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/loginclass.h>
 #include <sys/malloc.h>
 #include <sys/mutex.h>
+#include <sys/ptrace.h>
 #include <sys/refcount.h>
 #include <sys/sx.h>
 #include <sys/priv.h>
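Review bot: In freebsd32_ptrace the new `if (!allow_ptrace) return (ENOSYS);` sits above `AUDIT_ARG_PID(uap->pid);` and `AUDIT_ARG_CMD(uap->req);`, so a denied call returns before the pid and request arguments are attached to the audit record; the sys_ptrace hunk in sys/kern/sys_process.c has the same ordering. For a knob whose purpose is to refuse debugging, the refused attempt is the event an operator is most likely to want in the audit trail, so I would place the check after the two AUDIT_ARG calls: `AUDIT_ARG_PID(uap->pid); AUDIT_ARG_CMD(uap->req); if (!allow_ptrace) return (ENOSYS);` (the `error = 0;` assignment can stay where it is). Whether the syscall-level audit record still captures anything useful without those arguments is something I cannot tell from the hunk. The bodies of freebsd32_ptrace and sys_ptrace continue beyond their hunks.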
@@ -2485,3 +2486,8 @@ change_svgid(struct ucred *newcred, gid_t svgid)
 
 newcred->cr_svgid = svgid;
 }
+
+bool allow_ptrace = true;
+SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
+ &allow_ptrace, 0,
+ "Deny ptrace(2) use by returning ENOSYS");
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index 2515a9cf1e4f..eb628c040cd9 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -480,7 +480,11 @@ sys_ptrace(struct thread *td, struct ptrace_args *uap)
 int ptevents;
 } r;
 void *addr;
- int error = 0;
+ int error;
+
+ if (!allow_ptrace)
+ return (ENOSYS);
+ error = 0;
 
 AUDIT_ARG_PID(uap->pid);
 AUDIT_ARG_CMD(uap->req);
diff --git a/sys/sys/ptrace.h b/sys/sys/ptrace.h
index 1e7c1c71056b..4cd7a3fceaec 100644
--- a/sys/sys/ptrace.h
+++ b/sys/sys/ptrace.h
@@ -243,6 +243,8 @@ int proc_write_dbregs32(struct thread *_td, struct dbreg32 *_dbreg32);
 void ptrace_unsuspend(struct proc *p);
 
+extern bool allow_ptrace;
+
 #else /* !_KERNEL */
 
 #include <sys/cdefs.h>
 
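Review bot: The sysctl description `"Deny ptrace(2) use by returning ENOSYS"` describes the effect of the value 0, but the variable is initialised to `true` and named allow_ptrace, so the description reads as if denial were the default; a wording such as `"Allow ptrace(2) use; when 0 the syscall fails with ENOSYS"` matches both the name and the default. The node is declared CTLFLAG_RWTUN, which as far as I can tell means it can be cleared from the loader but equally set back to 1 at runtime by a process privileged enough to write security.bsd sysctls; if the knob is intended as a lockdown rather than a convenience switch, that should be stated in the description or wherever the sysctl is documented, since a reader of this hunk would assume the former. A short comment above the definition, e.g. `/* Consulted by sys_ptrace(), freebsd32_ptrace() and linux_ptrace() before any request is processed. */`, would help whoever adds the next ptrace entry point remember to check it.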