authorphk <phk@FreeBSD.org>1999-11-21 19:03:20 +0000
committerphk <phk@FreeBSD.org>1999-11-21 19:03:20 +0000
commitfd22d5412a1070b4d246fd214adad09041a53661 (patch)
tree867fad2f774e25520c2cda23aadefcd7ffc0c9a7 /sys/kern
parent8e826fbb578d38649959b6b64ece53cd8b855cbc (diff)
Introduce the new function
p_trespass(struct proc *p1, struct proc *p2) which returns zero or an errno depending on the legality of p1 trespassing on p2. Replace kern_sig.c:CANSIGNAL() with a call to p_trespass() and one extra signal-related check. Replace procfs.h:CHECKIO() macros with calls to p_trespass(). Only show command lines to processes which can trespass on the target process.
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_proc.c2
-rw-r--r--sys/kern/kern_prot.c25
-rw-r--r--sys/kern/kern_sig.c18
-rw-r--r--sys/kern/sys_process.c3
4 files changed, 33 insertions, 15 deletions
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
index 124bf02..e0f9ec1 100644
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -633,7 +633,7 @@ sysctl_kern_proc_args SYSCTL_HANDLER_ARGS
if (!p)
return (0);
- if (!PRISON_CHECK(curproc, p))
+ if (p_trespass(curproc, p))
return (0);
if (req->newptr && curproc != p)
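Review bot: The errno returned by p_trespass() is dropped at `if (p_trespass(curproc, p)) return (0);`, so the handler reports success with no data and a caller cannot tell a denied lookup from a process with no saved arguments. That matches the PRISON_CHECK behaviour it replaces, so it may be deliberate, but the check is now a uid-based permission decision and deserves a comment saying so, e.g. `/* Access denied: report success with empty output rather than an error. */`. The handler's body starts and ends outside the hunk.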
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 63d4346..1611cc3 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -793,6 +793,31 @@ suser_xxx(cred, proc, flag)
}
/*
+ * Return zero if p1 can fondle p2, return errno (EPERM/ESRCH) otherwise.
+ */
+
+int
+p_trespass(struct proc *p1, struct proc *p2)
+{
+
+ if (p1 == p2)
+ return (0);
+ if (!PRISON_CHECK(p1, p2))
+ return (ESRCH);
+ if (p1->p_cred->p_ruid == p2->p_cred->p_ruid)
+ return (0);
+ if (p1->p_ucred->cr_uid == p2->p_cred->p_ruid)
+ return (0);
+ if (p1->p_cred->p_ruid == p2->p_ucred->cr_uid)
+ return (0);
+ if (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid)
+ return (0);
+ if (!suser_xxx(0, p1, PRISON_ROOT))
+ return (0);
+ return (EPERM);
+}
+
+/*
* Allocate a zeroed cred structure.
*/
struct ucred *
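Review bot: p_trespass() returns 0 as soon as any one of the four real/effective uid pairs matches. That is the rule the old CANSIGNAL() used for signal delivery, but the commit message says the same predicate now also replaces the procfs CHECKIO() checks. For access to another process's memory or registers the rule looks too permissive when p2 is a set-id process, because p2's real uid still matches the invoking user while its effective uid differs; the procfs callers are not visible here, so this needs confirming against them. Consider a stricter test for the non-signal callers, e.g. `if ((p2->p_flag & P_SUGID) && suser_xxx(0, p1, PRISON_ROOT)) return (EPERM);`, or splitting the predicate per use. The header comment should also say which errno belongs to which case: ESRCH when PRISON_CHECK fails, EPERM when no uid matches and the caller is not superuser.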
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index a7b6499..cf27029 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -88,13 +88,9 @@ SYSCTL_INT(_kern, KERN_LOGSIGEXIT, logsigexit, CTLFLAG_RW,
/*
* Can process p, with pcred pc, send the signal sig to process q?
*/
-#define CANSIGNAL(p, pc, q, sig) \
- (PRISON_CHECK(p, q) && ((pc)->pc_ucred->cr_uid == 0 || \
- (pc)->p_ruid == (q)->p_cred->p_ruid || \
- (pc)->pc_ucred->cr_uid == (q)->p_cred->p_ruid || \
- (pc)->p_ruid == (q)->p_ucred->cr_uid || \
- (pc)->pc_ucred->cr_uid == (q)->p_ucred->cr_uid || \
- ((sig) == SIGCONT && (q)->p_session == (p)->p_session)))
+#define CANSIGNAL(p, q, sig) \
+ (!p_trespass(p, q) || \
+ ((sig) == SIGCONT && (q)->p_session == (p)->p_session))
/*
* Policy -- Can real uid ruid with ucred uc send a signal to process q?
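Review bot: The comment above the macro still reads "Can process p, with pcred pc, send the signal sig to process q?", but the new `CANSIGNAL(p, q, sig)` no longer takes a `pc` argument. It should be updated to something like `* Can process p send the signal sig to process q? Allowed if p may trespass on q, or for SIGCONT within the same session.` so the SIGCONT exception is documented next to the check. Note also that the macro expands `p` and `q` twice, which is harmless for the plain variables passed at the call sites in this diff but worth keeping in mind for new callers.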
@@ -799,7 +795,6 @@ killpg1(cp, sig, pgid, all)
int sig, pgid, all;
{
register struct proc *p;
- register struct pcred *pc = cp->p_cred;
struct pgrp *pgrp;
int nfound = 0;
@@ -809,7 +804,7 @@ killpg1(cp, sig, pgid, all)
*/
LIST_FOREACH(p, &allproc, p_list) {
if (p->p_pid <= 1 || p->p_flag & P_SYSTEM ||
- p == cp || !CANSIGNAL(cp, pc, p, sig))
+ p == cp || !CANSIGNAL(cp, p, sig))
continue;
nfound++;
if (sig)
@@ -829,7 +824,7 @@ killpg1(cp, sig, pgid, all)
LIST_FOREACH(p, &pgrp->pg_members, p_pglist) {
if (p->p_pid <= 1 || p->p_flag & P_SYSTEM ||
p->p_stat == SZOMB ||
- !CANSIGNAL(cp, pc, p, sig))
+ !CANSIGNAL(cp, p, sig))
continue;
nfound++;
if (sig)
@@ -852,7 +847,6 @@ kill(cp, uap)
register struct kill_args *uap;
{
register struct proc *p;
- register struct pcred *pc = cp->p_cred;
if ((u_int)uap->signum > _SIG_MAXSIG)
return (EINVAL);
@@ -860,7 +854,7 @@ kill(cp, uap)
/* kill single process */
if ((p = pfind(uap->pid)) == NULL)
return (ESRCH);
- if (!CANSIGNAL(cp, pc, p, uap->signum))
+ if (!CANSIGNAL(cp, p, uap->signum))
return (EPERM);
if (uap->signum)
psignal(p, uap->signum);
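Review bot: The errno computed by p_trespass() is lost in `if (!CANSIGNAL(cp, p, uap->signum)) return (EPERM);`, because CANSIGNAL() collapses it to a boolean. A target rejected by PRISON_CHECK therefore yields EPERM while a nonexistent pid yields ESRCH, which presumably lets a confined caller learn that a pid outside its prison exists. Since p_trespass() already returns ESRCH for that case, kill() could call it directly, keep the SIGCONT same-session exception, and return its value instead of a fixed EPERM, e.g. `error = p_trespass(cp, p);` followed by `if (error && !(uap->signum == SIGCONT && p->p_session == cp->p_session)) return (error);`. kill()'s body starts and ends outside the hunk.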
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index 75b72fb..4740476 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -420,8 +420,7 @@ ptrace(curp, uap)
return EFAULT;
}
if (ptrace_read_u_check(p,(vm_offset_t) uap->addr,
- sizeof(int)) &&
- !procfs_kmemaccess(curp)) {
+ sizeof(int))) {
return EFAULT;
}
error = 0;
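Review bot: Dropping `!procfs_kmemaccess(curp)` from this condition is a behaviour change that the commit message does not mention. A failed ptrace_read_u_check() now always returns EFAULT, where previously some callers (presumably those with kmem access) were let through. The tightening looks reasonable, but it should be recorded in the commit description or in a comment at the check, and any remaining users of procfs_kmemaccess() reviewed for the same exemption. The enclosing ptrace() body continues outside the hunk.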