Add security.bsd.allow_ptrace sysctl
that disables any access to ptrace(2) for all processes. Reviewed by: emaste Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D33986
parent
55a0aa2162
commit
fe6db72708
@ -977,7 +977,11 @@ freebsd32_ptrace(struct thread *td, struct freebsd32_ptrace_args *uap)
|
|||||||
struct ptrace_sc_ret32 psr;
|
struct ptrace_sc_ret32 psr;
|
||||||
} r32;
|
} r32;
|
||||||
void *addr;
|
void *addr;
|
||||||
int data, error = 0, i;
|
int data, error, i;
|
||||||
|
|
||||||
|
if (!allow_ptrace)
|
||||||
|
return (ENOSYS);
|
||||||
|
error = 0;
|
||||||
|
|
||||||
AUDIT_ARG_PID(uap->pid);
|
AUDIT_ARG_PID(uap->pid);
|
||||||
AUDIT_ARG_CMD(uap->req);
|
AUDIT_ARG_CMD(uap->req);
|
||||||
|
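Review bot: The new `if (!allow_ptrace) return (ENOSYS);` guard sits before `AUDIT_ARG_PID(uap->pid)` and `AUDIT_ARG_CMD(uap->req)`, so whatever audit record is produced for a refused ptrace call will, as far as this hunk shows, lack the target pid and the request code; the sys_ptrace hunk has the same ordering. Since a site that turns this knob off is likely to want refused attempts attributable, consider moving the check after the two AUDIT_ARG_* calls, which only record the already-copied-in syscall arguments. Whichever order is kept, the guard deserves a one-line comment such as `/* security.bsd.allow_ptrace=0: refuse every request before looking at it */`. The body of freebsd32_ptrace continues outside the hunk.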
@ -511,6 +511,9 @@ linux_ptrace(struct thread *td, struct linux_ptrace_args *uap)
|
|||||||
pid_t pid;
|
pid_t pid;
|
||||||
int error, sig;
|
int error, sig;
|
||||||
|
|
||||||
|
if (!allow_ptrace)
|
||||||
|
return (ENOSYS);
|
||||||
|
|
||||||
pid = (pid_t)uap->pid;
|
pid = (pid_t)uap->pid;
|
||||||
addr = (void *)uap->addr;
|
addr = (void *)uap->addr;
|
||||||
|
|
||||||
|
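Review bot: The same `allow_ptrace` test is now repeated in three syscall wrappers (sys_ptrace, freebsd32_ptrace and here in linux_ptrace), so any other caller of the shared ptrace implementation, present or added later, stays ungated by these hunks. If the policy really is "no access to ptrace for any process", a single check at the common implementation (kern_ptrace) would cover every entry point; the trade-off is that the Linux wrapper would do its argument translation before being refused. A short comment at this guard stating why the wrapper level was chosen, e.g. `/* Checked per wrapper so a disabled ptrace never reaches compat request handling */`, would make the choice deliberate rather than accidental. The body of linux_ptrace continues outside the hunk.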
@ -58,6 +58,7 @@ __FBSDID("$FreeBSD$");
|
|||||||
#include <sys/loginclass.h>
|
#include <sys/loginclass.h>
|
||||||
#include <sys/malloc.h>
|
#include <sys/malloc.h>
|
||||||
#include <sys/mutex.h>
|
#include <sys/mutex.h>
|
||||||
|
#include <sys/ptrace.h>
|
||||||
#include <sys/refcount.h>
|
#include <sys/refcount.h>
|
||||||
#include <sys/sx.h>
|
#include <sys/sx.h>
|
||||||
#include <sys/priv.h>
|
#include <sys/priv.h>
|
||||||
@ -2485,3 +2486,8 @@ change_svgid(struct ucred *newcred, gid_t svgid)
|
|||||||
|
|
||||||
newcred->cr_svgid = svgid;
|
newcred->cr_svgid = svgid;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool allow_ptrace = true;
|
||||||
|
SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
|
||||||
|
&allow_ptrace, 0,
|
||||||
|
"Deny ptrace(2) use by returning ENOSYS");
|
||||||
|
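Review bot: The description string `"Deny ptrace(2) use by returning ENOSYS"` describes the false state of a knob whose default is true, so `sysctl -d` reads as if enabling it denies; keying the text on the value, `"When false, deny ptrace(2) use by returning ENOSYS"`, removes the ambiguity. The definition `bool allow_ptrace = true;` also has no comment explaining its role, and a reader of this file has no ptrace context nearby. Propose a comment above it noting that every ptrace(2) entry point returns ENOSYS while it is false, and that `CTLFLAG_RWTUN` makes it settable from the loader and changeable again at runtime by root, i.e. a policy default rather than a lock-down.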
@ -479,7 +479,11 @@ sys_ptrace(struct thread *td, struct ptrace_args *uap)
|
|||||||
int ptevents;
|
int ptevents;
|
||||||
} r;
|
} r;
|
||||||
void *addr;
|
void *addr;
|
||||||
int error = 0;
|
int error;
|
||||||
|
|
||||||
|
if (!allow_ptrace)
|
||||||
|
return (ENOSYS);
|
||||||
|
error = 0;
|
||||||
|
|
||||||
AUDIT_ARG_PID(uap->pid);
|
AUDIT_ARG_PID(uap->pid);
|
||||||
AUDIT_ARG_CMD(uap->req);
|
AUDIT_ARG_CMD(uap->req);
|
||||||
|
@ -243,6 +243,8 @@ int proc_write_dbregs32(struct thread *_td, struct dbreg32 *_dbreg32);
|
|||||||
|
|
||||||
void ptrace_unsuspend(struct proc *p);
|
void ptrace_unsuspend(struct proc *p);
|
||||||
|
|
||||||
|
extern bool allow_ptrace;
|
||||||
|
|
||||||
#else /* !_KERNEL */
|
#else /* !_KERNEL */
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
|
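Review bot: `extern bool allow_ptrace;` is added to the kernel-only section of the header without a comment, so a reader sees a bare global and has to find its definition to learn the semantics. Propose `/* security.bsd.allow_ptrace: while false, ptrace(2) and its compat wrappers return ENOSYS */` directly above the declaration. Naming the sysctl in the comment also ties the symbol to the user-visible knob that operators will search for.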