excluding processes from PTI
Ed Schouten
ed at nuxi.nl
Thu Apr 19 07:20:52 UTC 2018
Hi Tycho,
2018-04-16 21:33 GMT+02:00 Tycho Nightingale <tychon at freebsd.org>:
> - if (pti) {
> + if (pti && (jailed(cred) || cred->cr_ruid != 0)) {
>
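Review bot: On the `+` line the exemption hinges on `cred->cr_ruid != 0`, which looks only at the real uid, so any unjailed process with real uid 0 skips PTI regardless of its effective uid, and nothing in the hunk says why that is the intended trust boundary. Add a comment stating the policy (unjailed, real uid 0 is treated as trusted), and consider moving the test into a single named helper or privilege check so that the set of exempt processes can be audited and changed in one place.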
> which excludes those processes that are running as superuser and are not in-jail.
>
> Another approach, suggested by kib, is to provide finer-grained control. Perhaps using procctl(2) instead.
Maybe it's sufficient to just use priv_check() here?
--
Ed Schouten <ed at nuxi.nl>
Nuxi, 's-Hertogenbosch, the Netherlands