git: 109b7712c3cb - stable/14 - ktrace: Record signal violations with KTR_CAPFAIL

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Jake Freeland <jfree_at_FreeBSD.org>
Date: Sun, 12 May 2024 00:08:29 UTC
The branch stable/14 has been updated by jfree:

URL: https://cgit.FreeBSD.org/src/commit/?id=109b7712c3cbf2746b75f334abc75c39c32bc0b0

commit 109b7712c3cbf2746b75f334abc75c39c32bc0b0
Author:     Jake Freeland <jfree@FreeBSD.org>
AuthorDate: 2024-04-06 18:31:21 +0000
Commit:     Jake Freeland <jfree@FreeBSD.org>
CommitDate: 2024-05-11 23:57:44 +0000

    ktrace: Record signal violations with KTR_CAPFAIL
    
    Report the delivery of signals to processes other than self while
    Capsicum violation tracing with CAPFAIL_SIGNAL.
    
    Reviewed by:    markj
    Approved by:    markj (mentor)
    MFC after:      1 month
    Differential Revision:  https://reviews.freebsd.org/D40679
    
    (cherry picked from commit 6a4616a529c1e387d87376e48ceb670eef8141e7)
---
 sys/kern/kern_procctl.c | 4 ++++
 sys/kern/kern_sig.c     | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_procctl.c b/sys/kern/kern_procctl.c
index 9e860e7c80a5..23b3403fec4f 100644
--- a/sys/kern/kern_procctl.c
+++ b/sys/kern/kern_procctl.c
@@ -28,6 +28,8 @@
  */
 
 #include <sys/cdefs.h>
+#include "opt_ktrace.h"
+
 #include <sys/param.h>
 #include <sys/_unrhdr.h>
 #include <sys/systm.h>
@@ -543,6 +545,8 @@ reap_kill(struct thread *td, struct proc *p, void *data)
 
 	rk = data;
 	sx_assert(&proctree_lock, SX_LOCKED);
+	if (CAP_TRACING(td))
+		ktrcapfail(CAPFAIL_SIGNAL, &rk->rk_sig);
 	if (IN_CAPABILITY_MODE(td))
 		return (ECAPMODE);
 	if (rk->rk_sig <= 0 || rk->rk_sig > _SIG_MAXSIG ||
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index b1860bf23cf2..802231767762 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -1907,8 +1907,12 @@ kern_kill(struct thread *td, pid_t pid, int signum)
 	 * The main rationale behind this is that abort(3) is implemented as
 	 * kill(getpid(), SIGABRT).
 	 */
-	if (IN_CAPABILITY_MODE(td) && pid != td->td_proc->p_pid)
-		return (ECAPMODE);
+	if (pid != td->td_proc->p_pid) {
+		if (CAP_TRACING(td))
+			ktrcapfail(CAPFAIL_SIGNAL, &signum);
+		if (IN_CAPABILITY_MODE(td))
+			return (ECAPMODE);
+	}
 
 	AUDIT_ARG_SIGNUM(signum);
 	AUDIT_ARG_PID(pid);