git: fe6db7270819 - main - Add security.bsd.allow_ptrace sysctl

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Sat, 22 Jan 2022 17:37:24 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=fe6db727081936c43250f97a4ff4b9de20eb0091

commit fe6db727081936c43250f97a4ff4b9de20eb0091
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2022-01-21 21:52:35 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2022-01-22 17:36:56 +0000

    Add security.bsd.allow_ptrace sysctl
    
    that disables any access to ptrace(2) for all processes.
    
    Reviewed by:    emaste
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D33986
---
 sys/compat/freebsd32/freebsd32_misc.c | 6 +++++-
 sys/compat/linux/linux_ptrace.c       | 3 +++
 sys/kern/kern_prot.c                  | 6 ++++++
 sys/kern/sys_process.c                | 6 +++++-
 sys/sys/ptrace.h                      | 2 ++
 5 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c
index 60f46ad2cfba..28262f011830 100644
--- a/sys/compat/freebsd32/freebsd32_misc.c
+++ b/sys/compat/freebsd32/freebsd32_misc.c
@@ -977,7 +977,11 @@ freebsd32_ptrace(struct thread *td, struct freebsd32_ptrace_args *uap)
 		struct ptrace_sc_ret32 psr;
 	} r32;
 	void *addr;
-	int data, error = 0, i;
+	int data, error, i;
+
+	if (!allow_ptrace)
+		return (ENOSYS);
+	error = 0;
 
 	AUDIT_ARG_PID(uap->pid);
 	AUDIT_ARG_CMD(uap->req);
diff --git a/sys/compat/linux/linux_ptrace.c b/sys/compat/linux/linux_ptrace.c
index 590a3474a006..151355d2bb3f 100644
--- a/sys/compat/linux/linux_ptrace.c
+++ b/sys/compat/linux/linux_ptrace.c
@@ -511,6 +511,9 @@ linux_ptrace(struct thread *td, struct linux_ptrace_args *uap)
 	pid_t pid;
 	int error, sig;
 
+	if (!allow_ptrace)
+		return (ENOSYS);
+
 	pid  = (pid_t)uap->pid;
 	addr = (void *)uap->addr;
 
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 0031465f081d..808dd04ba1d3 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -58,6 +58,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/loginclass.h>
 #include <sys/malloc.h>
 #include <sys/mutex.h>
+#include <sys/ptrace.h>
 #include <sys/refcount.h>
 #include <sys/sx.h>
 #include <sys/priv.h>
@@ -2485,3 +2486,8 @@ change_svgid(struct ucred *newcred, gid_t svgid)
 
 	newcred->cr_svgid = svgid;
 }
+
+bool allow_ptrace = true;
+SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
+    &allow_ptrace, 0,
+    "Deny ptrace(2) use by returning ENOSYS");
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index 2c212edd0ae7..0b3a34550506 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -479,7 +479,11 @@ sys_ptrace(struct thread *td, struct ptrace_args *uap)
 		int ptevents;
 	} r;
 	void *addr;
-	int error = 0;
+	int error;
+
+	if (!allow_ptrace)
+		return (ENOSYS);
+	error = 0;
 
 	AUDIT_ARG_PID(uap->pid);
 	AUDIT_ARG_CMD(uap->req);
diff --git a/sys/sys/ptrace.h b/sys/sys/ptrace.h
index 1e7c1c71056b..4cd7a3fceaec 100644
--- a/sys/sys/ptrace.h
+++ b/sys/sys/ptrace.h
@@ -243,6 +243,8 @@ int	proc_write_dbregs32(struct thread *_td, struct dbreg32 *_dbreg32);
 
 void	ptrace_unsuspend(struct proc *p);
 
+extern bool allow_ptrace;
+
 #else /* !_KERNEL */
 
 #include <sys/cdefs.h>