proccontrol(1): implement 'nonewprivs'

This adds the 'nonewprivs' mode, corresponding to newly added procctl(2) commands PROC_NO_NEW_PRIVS_CTL and PROC_NO_NEW_PRIVS_STATUS. Reviewed By: kib Sponsored By: EPSRC Differential Revision: https://reviews.freebsd.org/D30940
2021-07-02 08:49:20 +01:00 · 2021-07-02 08:49:20 +01:00 · acb1f1269c
commit acb1f1269c
parent 3416513a41
2 changed files with 26 additions and 2 deletions
--- a/usr.bin/proccontrol/proccontrol.1
+++ b/usr.bin/proccontrol/proccontrol.1
@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 28, 2019
+.Dd July 2, 2021
 .Dt PROCCONTROL 1
 .Os
 .Sh NAME
@ -69,6 +69,9 @@ Controls the signalling of capability mode access violations.
 .It Ar protmax
 Controls the implicit PROT_MAX application for
 .Xr mmap 2 .
+.It Ar nonewprivs
+Controls disabling the setuid and sgid bits for
+.Xr execve 2 .
 .It Ar kpti
 Controls the KPTI enable, AMD64 only.
 .It Ar la48
--- a/usr.bin/proccontrol/proccontrol.c
+++ b/usr.bin/proccontrol/proccontrol.c
@ -45,6 +45,7 @@ enum {
 	MODE_TRAPCAP,
 	MODE_PROTMAX,
 	MODE_STACKGAP,
+	MODE_NO_NEW_PRIVS,
 #ifdef PROC_KPTI_CTL
 	MODE_KPTI,
 #endif
@ -84,7 +85,7 @@ usage(void)
 {

 	fprintf(stderr, "Usage: proccontrol -m (aslr|protmax|trace|trapcap|"
-	    "stackgap"KPTI_USAGE LA_USAGE") [-q] "
+	    "stackgap|nonewprivs"KPTI_USAGE LA_USAGE") [-q] "
 	    "[-s (enable|disable)] [-p pid | command]\n");
 	exit(1);
 }
@ -113,6 +114,8 @@ main(int argc, char *argv[])
 				mode = MODE_TRAPCAP;
 			else if (strcmp(optarg, "stackgap") == 0)
 				mode = MODE_STACKGAP;
+			else if (strcmp(optarg, "nonewprivs") == 0)
+				mode = MODE_NO_NEW_PRIVS;
 #ifdef PROC_KPTI_CTL
 			else if (strcmp(optarg, "kpti") == 0)
 				mode = MODE_KPTI;
@ -174,6 +177,9 @@ main(int argc, char *argv[])
 		case MODE_STACKGAP:
 			error = procctl(P_PID, pid, PROC_STACKGAP_STATUS, &arg);
 			break;
+		case MODE_NO_NEW_PRIVS:
+			error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_STATUS, &arg);
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg);
@ -264,6 +270,16 @@ main(int argc, char *argv[])
 				break;
 			}
 			break;
+		case MODE_NO_NEW_PRIVS:
+			switch (arg) {
+			case PROC_NO_NEW_PRIVS_ENABLE:
+				printf("enabled\n");
+				break;
+			case PROC_NO_NEW_PRIVS_DISABLE:
+				printf("disabled\n");
+				break;
+			}
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			switch (arg & ~PROC_KPTI_STATUS_ACTIVE) {
@ -330,6 +346,11 @@ main(int argc, char *argv[])
 			    PROC_STACKGAP_DISABLE_EXEC);
 			error = procctl(P_PID, pid, PROC_STACKGAP_CTL, &arg);
 			break;
+		case MODE_NO_NEW_PRIVS:
+			arg = enable ? PROC_NO_NEW_PRIVS_ENABLE :
+			    PROC_NO_NEW_PRIVS_DISABLE;
+			error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_CTL, &arg);
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :