From nobody Tue May 05 17:30:16 2026
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g95BK1V7hz6c1g2
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Tue, 05 May 2026 17:30:17 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4g95BJ6CyZz43Rd
	for <dev-commits-src-all@FreeBSD.org>; Tue, 05 May 2026 17:30:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1778002216;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=DGTWj8n44XE+hpBAjQ5RtbOT4Kpsk1mVZ9b3jp4l6ck=;
	b=NUoYreDKON9MtWfq553JneUNFpJNEeS2rHCKL/U0l7lx7PZ35Ft2LdNCraZ5imn+9Qz5sS
	9iQlotoTTKZQfYXD8DdzTzu2Kjc514+i2xX0NNrx1Pn8qCMDmuMB6zh17pvZSJTYTQZSJ1
	WD/tlvDknvJxf3c2SdczKKfu9Vq+FdnBYMFH3CKNjOb0RzxNjykqfzeXKU2ILLnXqftcJe
	vPBTLEewmIhN9MYbZ6gyxdq9pE7xdo1UOk315p4lBnEUWr1EM7S9Sti0sc7YwJ3K95MVUX
	EihGCsxGpCZjRczR2hx/2gsLMoY+1W9alkJjlIvxFe7riHOg9B1Fx6/yrw3Xlw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1778002216; a=rsa-sha256; cv=none;
	b=u9kHlHR4s2izfY0CmjbR5hxKZIVqa0GTr4QWXiV8A8e5WvSDl+dNeBOIQMFa6JEmY0Gtdu
	SXJg4R0KheYBm2a2QRhHGzAWCXcJbleO9zOADWt04BMBGn7RVXsHM9VE6rb45E03BM6onV
	LMRBddmRo+Or19swg0+pgNb9AT/CC7CKj55MF66KYlnU0a95RJrHBvHKxHdsq6aCt0RXJK
	Rw9LqVssfm3IQZWhfOP1SC+iLgVamVslHNC6LAHq/NahZDvy7k4fYzsRAMSFuC/kAzYctP
	joxInoWDzNpvmL9uPqC0a+pkU9l7G5bg+WiCVBg6wv++A50GBM9tSN7s03DMww==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1778002216;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=DGTWj8n44XE+hpBAjQ5RtbOT4Kpsk1mVZ9b3jp4l6ck=;
	b=F0CKXtULfEZfleGcC9DsjieinJMd6KWKe8ZD9qMO9m1HRbHteM5wmZdfSLqZQ5j9cfj0Qv
	+Tcku8sZfDJNWyEkNjzT6CayAi31T1SU2hfutJlyzQmQrHZQCDLvj9rvMzgIpJPAorhVCB
	7bc2QQceotsovSvlZK/5dC4MxyJPbfoIHTQLbvyeZ8LCYtJ8oqA1jBjrNVCi/HEyk2IyML
	Uk+rygjSFQJFAVdiY/YjkIzU0l3nmGoEBJxQv91b1GjEiUdSDSTqBxp8K7c8a+uilw0YAA
	96VXyMMu02mIRpkdGZrcRk8Cj99UGDVIWeEw9XsCAP/rxDc4l3PUFiECwV04aQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g95BJ5lwkz1FkW
	for <dev-commits-src-all@FreeBSD.org>; Tue, 05 May 2026 17:30:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 33b54
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Tue, 05 May 2026 17:30:16 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Simon J. Gerraty <sjg@FreeBSD.org>
Subject: git: adad6862228d - main - mac_veriexec_priv_check block proc_write_*regs*
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
List-Id: <dev-commits-src-all.FreeBSD.org>
List-Post: <mailto:dev-commits-src-all@FreeBSD.org>
List-Help: <mailto:dev-commits-src-all+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: sjg
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: adad6862228d1799e7e12c724b2534b4184f7d45
Auto-Submitted: auto-generated
Date: Tue, 05 May 2026 17:30:16 +0000
Message-Id: <69fa2928.33b54.5ad14de3@gitrepo.freebsd.org>

The branch main has been updated by sjg:

URL: https://cgit.FreeBSD.org/src/commit/?id=adad6862228d1799e7e12c724b2534b4184f7d45

commit adad6862228d1799e7e12c724b2534b4184f7d45
Author:     Simon J. Gerraty <sjg@FreeBSD.org>
AuthorDate: 2026-05-05 17:29:54 +0000
Commit:     Simon J. Gerraty <sjg@FreeBSD.org>
CommitDate: 2026-05-05 17:29:54 +0000

    mac_veriexec_priv_check block proc_write_*regs*
    
    Writing to /proc/$pid/regs can also be leveraged to mess with memory.
    
    Only allow a trusted process to do so.
    
    Sponsored by: Hewlett Packard Enterprise Development LP.
    
    Reviewed by:    olce
    Differential Revision:  https://reviews.freebsd.org/D56763
---
 sys/kern/sys_process.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index c67996ad7df1..3a94f1c0ff20 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -72,6 +72,13 @@
 /* Assert it's safe to unlock a process, e.g. to allocate working memory */
 #define	PROC_ASSERT_TRACEREQ(p)	MPASS(((p)->p_flag2 & P2_PTRACEREQ) != 0)
 
+#define PROC_PRIV_CHECK(priv) do {	 			\
+		int _error;					\
+		_error = priv_check(currthread, priv);	\
+		if (_error)					\
+			return (_error);			\
+	} while (0)
+
 /*
  * Functions implemented below:
  *
@@ -109,6 +116,7 @@ int
 proc_write_regs(struct thread *td, struct reg *regs)
 {
 	PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+	PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
 	return (set_regs(td, regs));
 }
 
@@ -123,6 +131,7 @@ int
 proc_write_dbregs(struct thread *td, struct dbreg *dbregs)
 {
 	PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+	PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
 	return (set_dbregs(td, dbregs));
 }
 
@@ -141,6 +150,7 @@ int
 proc_write_fpregs(struct thread *td, struct fpreg *fpregs)
 {
 	PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+	PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
 	return (set_fpregs(td, fpregs));
 }
 
@@ -261,6 +271,8 @@ proc_write_regset(struct thread *td, int note, struct iovec *iov)
 	if (regset->set == NULL)
 		return (EINVAL);
 
+	PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
+
 	p = td->td_proc;
 
 	/* Drop the proc lock while allocating the temp buffer */
@@ -294,6 +306,7 @@ int
 proc_write_regs32(struct thread *td, struct reg32 *regs32)
 {
 	PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+	PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
 	return (set_regs32(td, regs32));
 }
 
@@ -308,6 +321,7 @@ int
 proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
 {
 	PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+	PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
 	return (set_dbregs32(td, dbregs32));
 }
 
@@ -322,6 +336,7 @@ int
 proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
 {
 	PROC_LOCK_ASSERT(td->td_proc, MA_OWNED);
+	PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
 	return (set_fpregs32(td, fpregs32));
 }
 #endif
@@ -363,9 +378,7 @@ proc_rwmem(struct proc *p, struct uio *uio)
 	fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL;
 
 	if (writing) {
-		error = priv_check_cred(p->p_ucred, PRIV_PROC_MEM_WRITE);
-		if (error)
-			return (error);
+		PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE);
 	}
 
 	/*