p_candebug(), p_cansee(): always allow for curproc

Privilege checks in both functions should allow the current process to
infer information about itself, as well as use the interfaces that are
proclaimed 'debugging', for instance, procctl(2).

Note that in the p_cansee() case, explicit comparison of curproc and p
avoids a race where the process might change credentials and cause the
thread to compare its cached stale credentials against updated process
creds, effectively disallowing the process to observe itself.

Reviewed by:	emaste
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D33986
This commit is contained in:
Konstantin Belousov 2022-01-21 17:29:17 +02:00
parent 3de96d664a
commit 55a0aa2162

@ -1460,10 +1460,12 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
int
p_cansee(struct thread *td, struct proc *p)
{
/* Wrap cr_cansee() for all functionality. */
KASSERT(td == curthread, ("%s: td not curthread", __func__));
PROC_LOCK_ASSERT(p, MA_OWNED);
if (td->td_proc == p)
return (0);
return (cr_cansee(td->td_ucred, p->p_ucred));
}
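Review bot: The comment "Wrap cr_cansee() for all functionality." at the top of p_cansee() no longer matches the body, because the td->td_proc == p return now answers the self case without calling cr_cansee() at all. Please update that comment and add a short one above the new check that records the reason given in the commit message (the thread's cached td_ucred can be stale relative to p->p_ucred after a credential change), so the early return is not later folded back into cr_cansee() as an apparent redundancy.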
@ -1681,10 +1683,10 @@ p_candebug(struct thread *td, struct proc *p)
KASSERT(td == curthread, ("%s: td not curthread", __func__));
PROC_LOCK_ASSERT(p, MA_OWNED);
if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
return (error);
if (td->td_proc == p)
return (0);
if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
return (error);
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
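Review bot: In p_candebug() the td->td_proc == p return is now evaluated ahead of priv_check(td, PRIV_DEBUG_UNPRIV), so the self case also skips that privilege check along with prison_check() and the MAC block that follow. That is a policy change rather than a pure reordering, and the code carries no comment saying it is intentional. Please add one above the self check stating that a process may always use debugging interfaces on itself regardless of PRIV_DEBUG_UNPRIV, and confirm that no existing caller depends on p_candebug() to enforce that privilege for self-targeted requests.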