git: 4a5fa1086184 - main - procfs require PRIV_PROC_MEM_WRITE to write mem
Date: Thu, 19 Sep 2024 20:11:12 UTC
The branch main has been updated by sjg: URL: https://cgit.FreeBSD.org/src/commit/?id=4a5fa1086184f7450f63d4a8e403b16f40a78fce commit 4a5fa1086184f7450f63d4a8e403b16f40a78fce Author: Simon J. Gerraty <sjg@FreeBSD.org> AuthorDate: 2024-09-19 20:10:27 +0000 Commit: Simon J. Gerraty <sjg@FreeBSD.org> CommitDate: 2024-09-19 20:10:27 +0000 procfs require PRIV_PROC_MEM_WRITE to write mem Add a priv_check for PRIV_PROC_MEM_WRITE which will be blocked by mac_veriexec if being enforced, unless the process has a maclabel to grant priv. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D46692 --- sys/fs/procfs/procfs_mem.c | 3 +++ sys/kern/kern_priv.c | 4 +++- sys/security/mac_grantbylabel/mac_grantbylabel.c | 2 ++ sys/security/mac_veriexec/mac_veriexec.c | 1 + sys/sys/priv.h | 1 + 5 files changed, 10 insertions(+), 1 deletion(-) diff --git a/sys/fs/procfs/procfs_mem.c b/sys/fs/procfs/procfs_mem.c index 6ef725ee0ee7..159b40785172 100644 --- a/sys/fs/procfs/procfs_mem.c +++ b/sys/fs/procfs/procfs_mem.c @@ -41,6 +41,7 @@ #include <sys/ptrace.h> #include <sys/systm.h> #include <sys/uio.h> +#include <sys/priv.h> #include <fs/pseudofs/pseudofs.h> #include <fs/procfs/procfs.h> @@ -61,6 +62,8 @@ procfs_doprocmem(PFS_FILL_ARGS) PROC_LOCK(p); error = p_candebug(td, p); + if (error == 0 && uio->uio_rw == UIO_WRITE) + error = priv_check(td, PRIV_PROC_MEM_WRITE); PROC_UNLOCK(p); if (error == 0) error = proc_rwmem(p, uio); diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c index c146f9e6f8d5..83fd246eef9b 100644 --- a/sys/kern/kern_priv.c +++ b/sys/kern/kern_priv.c @@ -242,7 +242,9 @@ priv_check_cred(struct ucred *cred, int priv) * but non-root users are expected to be able to read it (provided they * have permission to access /dev/[k]mem). */ - if (priv == PRIV_KMEM_READ) { + switch (priv) { + case PRIV_KMEM_READ: + case PRIV_PROC_MEM_WRITE: /* we already checked candebug */ error = 0; goto out; } diff --git a/sys/security/mac_grantbylabel/mac_grantbylabel.c b/sys/security/mac_grantbylabel/mac_grantbylabel.c index 848131e54590..4d14577820eb 100644 --- a/sys/security/mac_grantbylabel/mac_grantbylabel.c +++ b/sys/security/mac_grantbylabel/mac_grantbylabel.c @@ -218,6 +218,7 @@ mac_grantbylabel_priv_grant(struct ucred *cred, int priv) return rc; /* not interested */ switch (priv) { + case PRIV_PROC_MEM_WRITE: case PRIV_KMEM_READ: case PRIV_KMEM_WRITE: break; @@ -244,6 +245,7 @@ mac_grantbylabel_priv_grant(struct ucred *cred, int priv) if (label & GBL_IPC) rc = 0; break; + case PRIV_PROC_MEM_WRITE: case PRIV_KMEM_READ: case PRIV_KMEM_WRITE: if (label & GBL_KMEM) diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c index 7ac09e2acf0f..490601863197 100644 --- a/sys/security/mac_veriexec/mac_veriexec.c +++ b/sys/security/mac_veriexec/mac_veriexec.c @@ -435,6 +435,7 @@ mac_veriexec_priv_check(struct ucred *cred, int priv) error = 0; switch (priv) { case PRIV_KMEM_WRITE: + case PRIV_PROC_MEM_WRITE: case PRIV_VERIEXEC_CONTROL: /* * Do not allow writing to memory or manipulating veriexec, diff --git a/sys/sys/priv.h b/sys/sys/priv.h index a61de8d32fe0..7a5773da220f 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -513,6 +513,7 @@ */ #define PRIV_KMEM_READ 680 /* Open mem/kmem for reading. */ #define PRIV_KMEM_WRITE 681 /* Open mem/kmem for writing. */ +#define PRIV_PROC_MEM_WRITE 682 /* Open /proc/<pid>/mem for writing. */ /* * Kernel debugger privileges.