system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-10-03 15:15:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

ptrace(2): Disabling: Describe influence of security.bsd.see_jail_proc

Browse source 
Reviewed by:            mhorne, emaste, pauamma_gundo.com
Sponsored by:           Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D41109

(cherry picked from commit d952820105)

Approved by:    markj (mentor)
This commit is contained in:
Olivier Certner 2023-08-18 01:54:48 +02:00 committed by Olivier Certner
parent 56f758066c
commit 0c01901f12
No known key found for this signature in database
GPG key ID: 8CA13040971E2627
1 changed files with 21 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
lib/libc/sys/ptrace.2
View file

@ -1,7 +1,7 @@
.\" $NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $
.\"
.\" This file is in the public domain.
.Dd December 15, 2022
.Dd August 18, 2023
.Dt PTRACE 2
.Os
.Sh NAME
@ -149,31 +149,37 @@ its scope.
The following controls are provided for this:
.Bl -tag -width security.bsd.unprivileged_proc_debug
.It Dv security.bsd.allow_ptrace
Setting this sysctl to zero value makes
Setting this sysctl to zero makes
.Nm
return
.Er ENOSYS
always as if the syscall is not implemented by the kernel.
.It Dv security.bsd.unprivileged_proc_debug
Setting this sysctl to zero disallows use of
Setting this sysctl to zero disallows the use of
.Fn ptrace
by unprivileged processes.
.It Dv security.bsd.see_other_uids
Setting this sysctl to zero value disallows
Setting this sysctl to zero prevents
.Fn ptrace
requests from targeting processes with the real user identifier different
from the real user identifier of the caller.
The requests return
.Er ESRCH
if policy is not met.
requests from targeting processes with a real user identifier different
from the caller's.
These requests will fail with error
.Er ESRCH .
.It Dv security.bsd.see_other_gids
Setting this sysctl to zero value disallows
Setting this sysctl to zero disallows
.Fn ptrace
requests from process belonging to a group that is not also one of
the group of the target process.
The requests return
.Er ESRCH
if policy is not met.
requests from processes that have no groups in common with the target process,
considering their sets of real and supplementary groups.
These requests will fail with error
.Er ESRCH .
.It Dv security.bsd.see_jail_proc
Setting this sysctl to zero disallows
.Fn ptrace
requests from processes belonging to a different jail than that of the target
process, even if the requesting process' jail is an ancestor of the target
process'.
These requests will fail with error
.Er ESRCH .
.It Dv securelevel and init
The
.Xr init 1