git: acb1f1269c6f - main - proccontrol(1): implement 'nonewprivs'

Edward Tomasz Napierala trasz at FreeBSD.org
Fri Jul 2 07:51:18 UTC 2021


The branch main has been updated by trasz:

URL: https://cgit.FreeBSD.org/src/commit/?id=acb1f1269c6f4ff89a0d28ba742f6687e9ef779d

commit acb1f1269c6f4ff89a0d28ba742f6687e9ef779d
Author:     Edward Tomasz Napierala <trasz at FreeBSD.org>
AuthorDate: 2021-07-02 07:49:20 +0000
Commit:     Edward Tomasz Napierala <trasz at FreeBSD.org>
CommitDate: 2021-07-02 07:50:36 +0000

    proccontrol(1): implement 'nonewprivs'
    
    This adds the 'nonewprivs' mode, corresponding to newly added
    procctl(2) commands PROC_NO_NEW_PRIVS_CTL and PROC_NO_NEW_PRIVS_STATUS.
    
    Reviewed By:    kib
    Sponsored By:   EPSRC
    Differential Revision:  https://reviews.freebsd.org/D30940
---
 usr.bin/proccontrol/proccontrol.1 |  5 ++++-
 usr.bin/proccontrol/proccontrol.c | 23 ++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/usr.bin/proccontrol/proccontrol.1 b/usr.bin/proccontrol/proccontrol.1
index 4445bb5f9f8e..b4ed6c268a6a 100644
--- a/usr.bin/proccontrol/proccontrol.1
+++ b/usr.bin/proccontrol/proccontrol.1
@@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 28, 2019
+.Dd July 2, 2021
 .Dt PROCCONTROL 1
 .Os
 .Sh NAME
@@ -69,6 +69,9 @@ Controls the signalling of capability mode access violations.
 .It Ar protmax
 Controls the implicit PROT_MAX application for
 .Xr mmap 2 .
+.It Ar nonewprivs
+Controls disabling the setuid and sgid bits for
+.Xr execve 2 .
 .It Ar kpti
 Controls the KPTI enable, AMD64 only.
 .It Ar la48
diff --git a/usr.bin/proccontrol/proccontrol.c b/usr.bin/proccontrol/proccontrol.c
index edcc23a3cb34..9f185de025c1 100644
--- a/usr.bin/proccontrol/proccontrol.c
+++ b/usr.bin/proccontrol/proccontrol.c
@@ -45,6 +45,7 @@ enum {
 	MODE_TRAPCAP,
 	MODE_PROTMAX,
 	MODE_STACKGAP,
+	MODE_NO_NEW_PRIVS,
 #ifdef PROC_KPTI_CTL
 	MODE_KPTI,
 #endif
@@ -84,7 +85,7 @@ usage(void)
 {
 
 	fprintf(stderr, "Usage: proccontrol -m (aslr|protmax|trace|trapcap|"
-	    "stackgap"KPTI_USAGE LA_USAGE") [-q] "
+	    "stackgap|nonewprivs"KPTI_USAGE LA_USAGE") [-q] "
 	    "[-s (enable|disable)] [-p pid | command]\n");
 	exit(1);
 }
@@ -113,6 +114,8 @@ main(int argc, char *argv[])
 				mode = MODE_TRAPCAP;
 			else if (strcmp(optarg, "stackgap") == 0)
 				mode = MODE_STACKGAP;
+			else if (strcmp(optarg, "nonewprivs") == 0)
+				mode = MODE_NO_NEW_PRIVS;
 #ifdef PROC_KPTI_CTL
 			else if (strcmp(optarg, "kpti") == 0)
 				mode = MODE_KPTI;
@@ -174,6 +177,9 @@ main(int argc, char *argv[])
 		case MODE_STACKGAP:
 			error = procctl(P_PID, pid, PROC_STACKGAP_STATUS, &arg);
 			break;
+		case MODE_NO_NEW_PRIVS:
+			error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_STATUS, &arg);
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg);
@@ -264,6 +270,16 @@ main(int argc, char *argv[])
 				break;
 			}
 			break;
+		case MODE_NO_NEW_PRIVS:
+			switch (arg) {
+			case PROC_NO_NEW_PRIVS_ENABLE:
+				printf("enabled\n");
+				break;
+			case PROC_NO_NEW_PRIVS_DISABLE:
+				printf("disabled\n");
+				break;
+			}
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			switch (arg & ~PROC_KPTI_STATUS_ACTIVE) {
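Review bot: The status switch added at the top of this hunk has no `default:` arm, so a PROC_NO_NEW_PRIVS_STATUS result that is neither PROC_NO_NEW_PRIVS_ENABLE nor PROC_NO_NEW_PRIVS_DISABLE prints nothing and the command exits quietly as if it had reported a state. Unless the neighbouring status switches in this file omit it as well (only the tail of the stackgap arm and the head of the kpti arm are visible here), consider `default: printf("unknown\n"); break;` so an unexpected kernel value is surfaced rather than lost. main() begins and ends outside the hunk.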
@@ -330,6 +346,11 @@ main(int argc, char *argv[])
 			    PROC_STACKGAP_DISABLE_EXEC);
 			error = procctl(P_PID, pid, PROC_STACKGAP_CTL, &arg);
 			break;
+		case MODE_NO_NEW_PRIVS:
+			arg = enable ? PROC_NO_NEW_PRIVS_ENABLE :
+			    PROC_NO_NEW_PRIVS_DISABLE;
+			error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_CTL, &arg);
+			break;
 #ifdef PROC_KPTI_CTL
 		case MODE_KPTI:
 			arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :
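Review bot: The new control arm maps `-s disable` to PROC_NO_NEW_PRIVS_DISABLE, but if, as the design of this procctl(2) flag suggests, the kernel accepts only PROC_NO_NEW_PRIVS_ENABLE for PROC_NO_NEW_PRIVS_CTL and a process cannot clear the flag once set, this branch can only ever surface an error from the procctl() failure path outside the hunk. Consider either rejecting `disable` up front for this mode with a specific message, or stating in the proccontrol(1) entry whether the mode can be turned off, so the usage line's `(enable|disable)` is not read as a promise for nonewprivs. main() continues past the end of this hunk.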

