author | rwatson <rwatson@FreeBSD.org> | 2000-12-13 04:28:24 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2000-12-13 04:28:24 +0000 |
commit | 22e2a468731b8345bdb73d114bf0c1b1d3ffed5f (patch) | |
tree | e549727475d13e7c1bda708cca4b2dad0ef3a127 /sys/fs | |
parent | 9f81ea48f8f21f7c5dc729379a5890662f8c5bf2 (diff) | |
o Tighten restrictions on use of /proc/pid/ctl and move access checks
in ctl to using centralized p_can() inter-process access control
interface.
Reviewed by: sef
Diffstat (limited to 'sys/fs')
-rw-r--r-- | sys/fs/procfs/procfs_ctl.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/sys/fs/procfs/procfs_ctl.c b/sys/fs/procfs/procfs_ctl.c
index 72ad575..f445572 100644
--- a/sys/fs/procfs/procfs_ctl.c
+++ b/sys/fs/procfs/procfs_ctl.c
@@ -111,6 +111,16 @@ procfs_control(curp, p, op)
 int error;
 /*
+ * Authorization check: rely on normal debugging protection, except
+ * allow processes to disengage debugging on a process onto which
+ * they have previously attached, but no longer have permission to
+ * debug.
+ */
+ if (op != PROCFS_CTL_DETACH &&
+ ((error = p_can(curp, p, P_CAN_DEBUG, NULL))))
+ return (error);
+
+ /*
 * Attach - attaches the target process for debugging
 * by the calling process.
 */
@@ -123,10 +133,6 @@ procfs_control(curp, p, op)
 if (p->p_pid == curp->p_pid)
 return (EINVAL);
- /* can't trace init when securelevel > 0 */
- if (securelevel > 0 && p->p_pid == 1)
- return (EPERM);
-
 /*
 * Go ahead and set the trace flag.
 * Save the old parent (it's reset in |
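Review bot: The new check at the top of procfs_control exempts PROCFS_CTL_DETACH on `op` alone, so nothing in this hunk ties the exemption to `curp` having previously attached to `p`, which is what the added comment promises. That condition has to be enforced in the detach path further down, outside the hunk; if it is not, a caller with no debug rights over `p` could still clear another process's tracing state. I would state the dependency in the comment, e.g. `* The DETACH case below must itself verify that curp is the process tracing p.` The second hunk also drops the explicit `securelevel > 0 && p->p_pid == 1` refusal, so it is worth confirming that p_can() with P_CAN_DEBUG still denies attaching to init at raised securelevel; its implementation is not visible on this page.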