D30940.id.diff
No OneTemporary
Actions

Size

2 KB

Referenced Files

None

Subscribers

None

D30940.id.diff
View Options

	diff --git a/usr.bin/proccontrol/proccontrol.1 b/usr.bin/proccontrol/proccontrol.1
	--- a/usr.bin/proccontrol/proccontrol.1
	+++ b/usr.bin/proccontrol/proccontrol.1
	@@ -28,7 +28,7 @@
	.\"
	.\" $FreeBSD$
	.\"
	-.Dd June 28, 2019
	+.Dd July 2, 2021
	.Dt PROCCONTROL 1
	.Os
	.Sh NAME
	@@ -69,6 +69,9 @@
	.It Ar protmax
	Controls the implicit PROT_MAX application for
	.Xr mmap 2 .
	+.It Ar nonewprivs
	+Controls disabling the setuid and sgid bits for
	+.Xr execve 2 .
	.It Ar kpti
	Controls the KPTI enable, AMD64 only.
	.It Ar la48
	diff --git a/usr.bin/proccontrol/proccontrol.c b/usr.bin/proccontrol/proccontrol.c
	--- a/usr.bin/proccontrol/proccontrol.c
	+++ b/usr.bin/proccontrol/proccontrol.c
	@@ -45,6 +45,7 @@
	MODE_TRAPCAP,
	MODE_PROTMAX,
	MODE_STACKGAP,
	+ MODE_NO_NEW_PRIVS,
	#ifdef PROC_KPTI_CTL
	MODE_KPTI,
	#endif
	@@ -84,7 +85,7 @@
	{

	fprintf(stderr, "Usage: proccontrol -m (aslr\|protmax\|trace\|trapcap\|"
	- "stackgap"KPTI_USAGE LA_USAGE") [-q] "
	+ "stackgap\|nonewprivs"KPTI_USAGE LA_USAGE") [-q] "
	"[-s (enable\|disable)] [-p pid \| command]\n");
	exit(1);
	}
	@@ -113,6 +114,8 @@
	mode = MODE_TRAPCAP;
	else if (strcmp(optarg, "stackgap") == 0)
	mode = MODE_STACKGAP;
	+ else if (strcmp(optarg, "nonewprivs") == 0)
	+ mode = MODE_NO_NEW_PRIVS;
	#ifdef PROC_KPTI_CTL
	else if (strcmp(optarg, "kpti") == 0)
	mode = MODE_KPTI;
	@@ -174,6 +177,9 @@
	case MODE_STACKGAP:
	error = procctl(P_PID, pid, PROC_STACKGAP_STATUS, &arg);
	break;
	+ case MODE_NO_NEW_PRIVS:
	+ error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_STATUS, &arg);
	+ break;
	#ifdef PROC_KPTI_CTL
	case MODE_KPTI:
	error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg);
	@@ -264,6 +270,16 @@
	break;
	}
	break;
	+ case MODE_NO_NEW_PRIVS:
	+ switch (arg) {
	+ case PROC_NO_NEW_PRIVS_ENABLE:
	+ printf("enabled\n");
	+ break;
	+ case PROC_NO_NEW_PRIVS_DISABLE:
	+ printf("disabled\n");
	+ break;
	+ }
	+ break;
	#ifdef PROC_KPTI_CTL
	case MODE_KPTI:
	switch (arg & ~PROC_KPTI_STATUS_ACTIVE) {
	@@ -330,6 +346,11 @@
	PROC_STACKGAP_DISABLE_EXEC);
	error = procctl(P_PID, pid, PROC_STACKGAP_CTL, &arg);
	break;
	+ case MODE_NO_NEW_PRIVS:
	+ arg = enable ? PROC_NO_NEW_PRIVS_ENABLE :
	+ PROC_NO_NEW_PRIVS_DISABLE;
	+ error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_CTL, &arg);
	+ break;
	#ifdef PROC_KPTI_CTL
	case MODE_KPTI:
	arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :

File Metadata

Mime Type: text/plain
Expires: Sun, Feb 22, 4:23 AM (16 h, 21 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 28932118
Default Alt Text: D30940.id.diff (2 KB)

D30940.id.diffNo OneTemporaryActions

D30940.id.diffView Options

File Metadata

Event Timeline

D30940.id.diff
No OneTemporary
Actions

D30940.id.diff
View Options