diff --git a/lib/libc/sys/ptrace.2 b/lib/libc/sys/ptrace.2 --- a/lib/libc/sys/ptrace.2 +++ b/lib/libc/sys/ptrace.2 @@ -2,7 +2,7 @@ .\" $NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $ .\" .\" This file is in the public domain. -.Dd May 20, 2021 +.Dd January 22, 2022 .Dt PTRACE 2 .Os .Sh NAME @@ -122,6 +122,55 @@ signals queued to the traced children, which could be either generated by not yet consumed debug events, or sent by other means, the later should not be done anyway. +.Sh DISABLING PTRACE +The +.Nm +subsystem provides rich facilities to manipulate other processes state. +Sometimes it may be desirable to disallow it either completely, or limit +its scope. +The following controls are provided for this: +.Bl -tag -width security.bsd.unprivileged_proc_debug +.It Dv security.bsd.allow_ptrace +Setting this sysctl to zero value makes +.Xr ptrace 2 +return +.Er ENOSYS +always as if the syscall is not implemented by the kernel. +.It Dv security.bsd.unprivileged_proc_debug +Setting this sysctl to zero disallows use of +.Fn ptrace +by unprivileged processes. +.It Dv security.bsd.see_other_uids +Setting this sysctl to zero value disallows +.Fn ptrace +requests from targeting processes with the real user identifier different +from the real user identifier of the caller. +The requests return +.Er ESRCH +if policy is not met. +.It Dv security.bsd.see_other_gids +Setting this sysctl to zero value disallows +.Fn ptrace +requests from process belonging to a group that is not also one of +the group of the target process. +The requests return +.Er ESRCH +if policy is not met. +.It Dv securelevel and init +The +.Xr init 1 +process can only be traced with +.Nm +if securelevel is zero. +.It Dv procctl(2) PROC_TRACE_CTL +Process can deny attempts to trace itself with +.Xr procctl 2 +.Dv PROC_TRACE_CTL +request. +In this case requests return +.Xr EPERM +error. +.El .Sh TRACING EVENTS .Pp Each traced process has a tracing event mask. diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -977,7 +977,11 @@ struct ptrace_sc_ret32 psr; } r32; void *addr; - int data, error = 0, i; + int data, error, i; + + if (!allow_ptrace) + return (ENOSYS); + error = 0; AUDIT_ARG_PID(uap->pid); AUDIT_ARG_CMD(uap->req); diff --git a/sys/compat/linux/linux_ptrace.c b/sys/compat/linux/linux_ptrace.c --- a/sys/compat/linux/linux_ptrace.c +++ b/sys/compat/linux/linux_ptrace.c @@ -511,6 +511,9 @@ pid_t pid; int error, sig; + if (!allow_ptrace) + return (ENOSYS); + pid = (pid_t)uap->pid; addr = (void *)uap->addr; diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -58,6 +58,7 @@ #include #include #include +#include #include #include #include @@ -1460,10 +1461,12 @@ int p_cansee(struct thread *td, struct proc *p) { - /* Wrap cr_cansee() for all functionality. */ KASSERT(td == curthread, ("%s: td not curthread", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); + + if (td->td_proc == p) + return (0); return (cr_cansee(td->td_ucred, p->p_ucred)); } @@ -1681,10 +1684,10 @@ KASSERT(td == curthread, ("%s: td not curthread", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); - if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) - return (error); if (td->td_proc == p) return (0); + if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) + return (error); if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC @@ -2483,3 +2486,8 @@ newcred->cr_svgid = svgid; } + +bool allow_ptrace = true; +SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, + &allow_ptrace, 0, + "Deny ptrace(2) use by returning ENOSYS"); diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c --- a/sys/kern/sys_process.c +++ b/sys/kern/sys_process.c @@ -479,7 +479,11 @@ int ptevents; } r; void *addr; - int error = 0; + int error; + + if (!allow_ptrace) + return (ENOSYS); + error = 0; AUDIT_ARG_PID(uap->pid); AUDIT_ARG_CMD(uap->req); diff --git a/sys/sys/ptrace.h b/sys/sys/ptrace.h --- a/sys/sys/ptrace.h +++ b/sys/sys/ptrace.h @@ -243,6 +243,8 @@ void ptrace_unsuspend(struct proc *p); +extern bool allow_ptrace; + #else /* !_KERNEL */ #include