git: 0c01901f122d - stable/13 - ptrace(2): Disabling: Describe influence of security.bsd.see_jail_proc
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 21 Dec 2023 13:43:44 UTC
The branch stable/13 has been updated by olce:
URL: https://cgit.FreeBSD.org/src/commit/?id=0c01901f122d1d9590f00c9b6fbd9f4d79e7d4f0
commit 0c01901f122d1d9590f00c9b6fbd9f4d79e7d4f0
Author: Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:48 +0000
Commit: Olivier Certner <olce@FreeBSD.org>
CommitDate: 2023-12-21 13:38:31 +0000
ptrace(2): Disabling: Describe influence of security.bsd.see_jail_proc
Reviewed by: mhorne, emaste, pauamma_gundo.com
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D41109
(cherry picked from commit d952820105d6a2ad87ddf3bdc6c5fc5215d13b87)
Approved by: markj (mentor)
---
lib/libc/sys/ptrace.2 | 36 +++++++++++++++++++++---------------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/lib/libc/sys/ptrace.2 b/lib/libc/sys/ptrace.2
index f417b4f021af..25c7663114a5 100644
--- a/lib/libc/sys/ptrace.2
+++ b/lib/libc/sys/ptrace.2
@@ -1,7 +1,7 @@
.\" $NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $
.\"
.\" This file is in the public domain.
-.Dd December 15, 2022
+.Dd August 18, 2023
.Dt PTRACE 2
.Os
.Sh NAME
@@ -149,31 +149,37 @@ its scope.
The following controls are provided for this:
.Bl -tag -width security.bsd.unprivileged_proc_debug
.It Dv security.bsd.allow_ptrace
-Setting this sysctl to zero value makes
+Setting this sysctl to zero makes
.Nm
return
.Er ENOSYS
always as if the syscall is not implemented by the kernel.
.It Dv security.bsd.unprivileged_proc_debug
-Setting this sysctl to zero disallows use of
+Setting this sysctl to zero disallows the use of
.Fn ptrace
by unprivileged processes.
.It Dv security.bsd.see_other_uids
-Setting this sysctl to zero value disallows
+Setting this sysctl to zero prevents
.Fn ptrace
-requests from targeting processes with the real user identifier different
-from the real user identifier of the caller.
-The requests return
-.Er ESRCH
-if policy is not met.
+requests from targeting processes with a real user identifier different
+from the caller's.
+These requests will fail with error
+.Er ESRCH .
.It Dv security.bsd.see_other_gids
-Setting this sysctl to zero value disallows
+Setting this sysctl to zero disallows
.Fn ptrace
-requests from process belonging to a group that is not also one of
-the group of the target process.
-The requests return
-.Er ESRCH
-if policy is not met.
+requests from processes that have no groups in common with the target process,
+considering their sets of real and supplementary groups.
+These requests will fail with error
+.Er ESRCH .
+.It Dv security.bsd.see_jail_proc
+Setting this sysctl to zero disallows
+.Fn ptrace
+requests from processes belonging to a different jail than that of the target
+process, even if the requesting process' jail is an ancestor of the target
+process'.
+These requests will fail with error
+.Er ESRCH .
.It Dv securelevel and init
The
.Xr init 1