diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c
--- a/sys/compat/freebsd32/freebsd32_misc.c
+++ b/sys/compat/freebsd32/freebsd32_misc.c
@@ -977,7 +977,11 @@
 struct ptrace_sc_ret32 psr;
 } r32;
 void *addr;
- int data, error = 0, i;
+ int data, error, i;
+
+ if (!allow_ptrace)
+ return (ENOSYS);
+ error = 0;
 AUDIT_ARG_PID(uap->pid);
 AUDIT_ARG_CMD(uap->req);
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -58,6 +58,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1460,10 +1461,12 @@
 int
 p_cansee(struct thread *td, struct proc *p)
 {
- /* Wrap cr_cansee() for all functionality. */
 KASSERT(td == curthread, ("%s: td not curthread", __func__));
 PROC_LOCK_ASSERT(p, MA_OWNED);
+
+ if (td->td_proc == p)
+ return (0);
 return (cr_cansee(td->td_ucred, p->p_ucred));
 }
@@ -1681,10 +1684,10 @@
 KASSERT(td == curthread, ("%s: td not curthread", __func__));
 PROC_LOCK_ASSERT(p, MA_OWNED);
- if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
- return (error);
 if (td->td_proc == p)
 return (0);
+ if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
+ return (error);
 if ((error = prison_check(td->td_ucred, p->p_ucred)))
 return (error);
 #ifdef MAC
@@ -2483,3 +2486,8 @@
 newcred->cr_svgid = svgid;
 }
+
+bool allow_ptrace = true;
+SYSCTL_BOOL(_debug, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
+ &allow_ptrace, 0,
+ "");
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -479,7 +479,11 @@
 int ptevents;
 } r;
 void *addr;
- int error = 0;
+ int error;
+
+ if (!allow_ptrace)
+ return (ENOSYS);
+ error = 0;
 AUDIT_ARG_PID(uap->pid);
 AUDIT_ARG_CMD(uap->req);
diff --git a/sys/sys/ptrace.h b/sys/sys/ptrace.h
--- a/sys/sys/ptrace.h
+++ b/sys/sys/ptrace.h
@@ -243,6 +243,8 @@
 void ptrace_unsuspend(struct proc *p);
+extern bool allow_ptrace;
+
 #else /* !_KERNEL */
 #include
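Review bot: The new `if (!allow_ptrace) return (ENOSYS);` guard in the freebsd32 ptrace handler returns before `AUDIT_ARG_PID(uap->pid)` and `AUDIT_ARG_CMD(uap->req)` run, so a denied ptrace attempt's audit record, assuming one is committed on syscall return as usual, carries neither the target pid nor the request; the sys_process.c hunk has the same ordering. Moving the guard below the two AUDIT_ARG lines keeps denied attempts attributable without changing the result: `AUDIT_ARG_PID(uap->pid); AUDIT_ARG_CMD(uap->req); if (!allow_ptrace) return (ENOSYS);`. ENOSYS also conventionally means the syscall is not implemented; if this is a policy denial rather than an absent facility, EPERM would be the more conventional code, and a one-line comment on the guard such as `/* debug.allow_ptrace: administratively disabled */` would record the choice either way. The enclosing function starts and ends outside the hunk.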
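Review bot: The added `if (td->td_proc == p) return (0);` in p_cansee returns before `cr_cansee()` is reached, so whatever credential-based checks cr_cansee performs (jail, MAC visibility and see-other-uids policy, presumably, since its body is not in view) are now skipped when a process inspects itself, and the removed "Wrap cr_cansee() for all functionality" comment leaves no explanation of the new ordering. A short comment above the new check would preserve the intent, e.g. `/* A process can always see itself; skip the credential checks. */`. If a MAC policy is expected to be able to hide a process from itself, this is a behavior change worth confirming with the MAC maintainers.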
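Review bot: Reordering puts `if (td->td_proc == p) return (0);` ahead of `priv_check(td, PRIV_DEBUG_UNPRIV)`, so a process now passes this check for itself even when unprivileged debugging is denied by policy, whereas before the priv_check denial applied to the self case as well. That is a deliberate loosening and deserves a comment at the new position, e.g. `/* A process may always debug itself; PRIV_DEBUG_UNPRIV governs other targets only. */`, so the next reader does not "fix" the order back. The enclosing function's name, header and remainder lie outside the hunk, so it is not visible here which callers other than ptrace(2) reach this path.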
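Review bot: `SYSCTL_BOOL(_debug, OID_AUTO, allow_ptrace, ...)` is registered with an empty description string `""`, so `sysctl -d debug.allow_ptrace` tells an administrator nothing about a knob that disables ptrace(2) system-wide. Replace the last argument with a description such as `"Allow ptrace(2) system call"`. CTLFLAG_RWTUN also lets a sufficiently privileged process switch the knob back on at runtime; if it is meant as a one-way hardening setting, consider adding CTLFLAG_SECURE so writes are refused at raised securelevel, or add a comment stating that runtime re-enabling is intended.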