git: adad6862228d - main - mac_veriexec_priv_check block proc_write_*regs*
Date: Tue, 05 May 2026 17:30:16 UTC
The branch main has been updated by sjg:
URL: https://cgit.FreeBSD.org/src/commit/?id=adad6862228d1799e7e12c724b2534b4184f7d45
commit adad6862228d1799e7e12c724b2534b4184f7d45
Author: Simon J. Gerraty <sjg@FreeBSD.org>
AuthorDate: 2026-05-05 17:29:54 +0000
Commit: Simon J. Gerraty <sjg@FreeBSD.org>
CommitDate: 2026-05-05 17:29:54 +0000
mac_veriexec_priv_check block proc_write_*regs*
Writing to /proc/$pid/regs can also be leveraged to mess with memory.
Only allow a trusted process to do so.
Sponsored by: Hewlett Packard Enterprise Development LP.
Reviewed by: olce
Differential Revision: https://reviews.freebsd.org/D56763
---
sys/kern/sys_process.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index c67996ad7df1..3a94f1c0ff20 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -72,6 +72,13 @@
/* Assert it's safe to unlock a process, e.g. to allocate working memory */
#define PROC_ASSERT_TRACEREQ(p) MPASS(((p)->p_flag2 & P2_PTRACEREQ) != 0)
+#define PROC_PRIV_CHECK(priv) do { \
+ int _error; \
+ _error = priv_check(currthread, priv); \
+ if (_error) \
+ return (_error); \
+ } while (0)
+
/*
* Functions implemented below:
*
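Review bot: PROC_PRIV_CHECK hides a `return` from the enclosing function and evaluates the privilege for the current thread rather than for any argument, and neither fact is documented at the definition. A comment above the macro such as `/* Return from the caller with the priv_check() error unless the calling thread holds priv. */` would make both explicit, and the argument should be parenthesised as `(priv)`. The identifier `currthread` is not defined anywhere in this diff and the kernel's usual accessor is spelled `curthread`, so it is worth confirming that this builds. In the proc_rwmem hunk the macro replaces `priv_check_cred(p->p_ucred, PRIV_PROC_MEM_WRITE)`, which appears to move the check from the credential of the process passed as `p` to that of the caller; that change of subject looks intended but is not mentioned in the commit message.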
@@ -109,6 +116,7 @@ int
proc_write_regs(struct thread *td, struct reg *regs)
{
PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+ PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
return (set_regs(td, regs));
}
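Review bot: The new check in proc_write_regs runs after `PROC_LOCK_ASSERT(td->td_proc, MA_OWNED)`, so priv_check() and whatever MAC policy hooks it reaches now execute with the process lock held, whereas the only earlier use visible in this diff, in proc_rwmem, shows no such assertion. It would be worth confirming that no hook on this path can sleep or acquire a lock ordered before the process lock, and recording that next to the call, e.g. `/* priv_check() must not sleep: proc lock is held */`. The same applies to proc_write_dbregs, proc_write_fpregs, the three 32-bit variants and proc_write_regset, where the check sits before the lock is dropped for the temp-buffer allocation.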
@@ -123,6 +131,7 @@ int
proc_write_dbregs(struct thread *td, struct dbreg *dbregs)
{
PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+ PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
return (set_dbregs(td, dbregs));
}
@@ -141,6 +150,7 @@ int
proc_write_fpregs(struct thread *td, struct fpreg *fpregs)
{
PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+ PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
return (set_fpregs(td, fpregs));
}
@@ -261,6 +271,8 @@ proc_write_regset(struct thread *td, int note, struct iovec *iov)
if (regset->set == NULL)
return (EINVAL);
+ PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
+
p = td->td_proc;
/* Drop the proc lock while allocating the temp buffer */
@@ -294,6 +306,7 @@ int
proc_write_regs32(struct thread *td, struct reg32 *regs32)
{
PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+ PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
return (set_regs32(td, regs32));
}
@@ -308,6 +321,7 @@ int
proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
{
PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+ PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
return (set_dbregs32(td, dbregs32));
}
@@ -322,6 +336,7 @@ int
proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
{
PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+ PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
return (set_fpregs32(td, fpregs32));
}
#endif
@@ -363,9 +378,7 @@ proc_rwmem(struct proc *p, struct uio *uio)
fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL;
if (writing) {
- error = priv_check_cred(p->p_ucred, PRIV_PROC_MEM_WRITE);
- if (error)
- return (error);
+ PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
}
/*