git: f239981ed58c - main - proc_rwmem check PRIV_PROC_MEM_WRITE when writing

From: Simon J. Gerraty <sjg_at_FreeBSD.org>
Date: Sat, 09 Nov 2024 00:12:58 UTC
The branch main has been updated by sjg:

URL: https://cgit.FreeBSD.org/src/commit/?id=f239981ed58ca632d4dba39b2229c3152dd32a15

commit f239981ed58ca632d4dba39b2229c3152dd32a15
Author:     Simon J. Gerraty <sjg@FreeBSD.org>
AuthorDate: 2024-11-09 00:11:12 +0000
Commit:     Simon J. Gerraty <sjg@FreeBSD.org>
CommitDate: 2024-11-09 00:11:33 +0000

    proc_rwmem check PRIV_PROC_MEM_WRITE when writing
    
    This will fail when mac_veriexec is enforced.
    
    Move the check from procfs_doprocmem to proc_rwmem to ensure all
    cases are covered.
    
    Reviewed by:    olce, markj
    Sponsored by:   Juniper Networks, Inc.
    Differential Revision:  https://reviews.freebsd.org/D47484
---
 sys/fs/procfs/procfs_mem.c | 2 --
 sys/kern/sys_process.c     | 6 ++++++
 sys/sys/priv.h             | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/sys/fs/procfs/procfs_mem.c b/sys/fs/procfs/procfs_mem.c
index 159b40785172..0020b8f8a8d8 100644
--- a/sys/fs/procfs/procfs_mem.c
+++ b/sys/fs/procfs/procfs_mem.c
@@ -62,8 +62,6 @@ procfs_doprocmem(PFS_FILL_ARGS)
 
 	PROC_LOCK(p);
 	error = p_candebug(td, p);
-	if (error == 0 && uio->uio_rw == UIO_WRITE)
-		error = priv_check(td, PRIV_PROC_MEM_WRITE);
 	PROC_UNLOCK(p);
 	if (error == 0)
 		error = proc_rwmem(p, uio);
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index a3a7a22f4cd3..fe2e112dbcfa 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -361,6 +361,12 @@ proc_rwmem(struct proc *p, struct uio *uio)
 	reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ;
 	fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL;
 
+	if (writing) {
+		error = priv_check_cred(p->p_ucred, PRIV_PROC_MEM_WRITE);
+		if (error)
+			return (error);
+	}
+
 	/*
 	 * Only map in one page at a time.  We don't have to, but it
 	 * makes things easier.  This way is trivial - right?
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 5e14fee2cce1..864fb5b9cdea 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -515,7 +515,7 @@
  */
 #define	PRIV_KMEM_READ		680	/* Open mem/kmem for reading. */
 #define	PRIV_KMEM_WRITE		681	/* Open mem/kmem for writing. */
-#define	PRIV_PROC_MEM_WRITE	682	/* Open /proc/<pid>/mem for writing. */
+#define	PRIV_PROC_MEM_WRITE	682	/* Writes via proc_rwmem */
 
 /*
  * Kernel debugger privileges.