The branch main has been updated by sjg: URL: https://cgit.FreeBSD.org/src/commit/?id=adad6862228d1799e7e12c724b2534b4184f7d45
commit adad6862228d1799e7e12c724b2534b4184f7d45 Author: Simon J. Gerraty <[email protected]> AuthorDate: 2026-05-05 17:29:54 +0000 Commit: Simon J. Gerraty <[email protected]> CommitDate: 2026-05-05 17:29:54 +0000 mac_veriexec_priv_check block proc_write_*regs* Writing to /proc/$pid/regs can also be leveraged to mess with memory. Only allow a trusted process to do so. Sponsored by: Hewlett Packard Enterprise Development LP. Reviewed by: olce Differential Revision: https://reviews.freebsd.org/D56763 --- sys/kern/sys_process.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c index c67996ad7df1..3a94f1c0ff20 100644 --- a/sys/kern/sys_process.c +++ b/sys/kern/sys_process.c @@ -72,6 +72,13 @@ /* Assert it's safe to unlock a process, e.g. to allocate working memory */ #define PROC_ASSERT_TRACEREQ(p) MPASS(((p)->p_flag2 & P2_PTRACEREQ) != 0) +#define PROC_PRIV_CHECK(priv) do { \ + int _error; \ + _error = priv_check(currthread, priv); \ + if (_error) \ + return (_error); \ + } while (0) + /* * Functions implemented below: * @@ -109,6 +116,7 @@ int proc_write_regs(struct thread *td, struct reg *regs) { PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); + PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); return (set_regs(td, regs)); } @@ -123,6 +131,7 @@ int proc_write_dbregs(struct thread *td, struct dbreg *dbregs) { PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); + PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); return (set_dbregs(td, dbregs)); } @@ -141,6 +150,7 @@ int proc_write_fpregs(struct thread *td, struct fpreg *fpregs) { PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); + PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); return (set_fpregs(td, fpregs)); } @@ -261,6 +271,8 @@ proc_write_regset(struct thread *td, int note, struct iovec *iov) if (regset->set == NULL) return (EINVAL); + PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); + p = td->td_proc; /* Drop the proc lock while allocating the temp buffer */ 
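Review bot: In the new `PROC_PRIV_CHECK` macro, the `priv_check()` call passes `currthread`, an identifier that is not defined anywhere in this diff. The kernel's usual accessor for the calling thread is `curthread`, so unless `currthread` is defined elsewhere the line will not build and should read `_error = priv_check(curthread, priv);`. The macro also hides a `return` from the enclosing function, which is easy to miss at call sites where the proc lock is asserted held. A comment above it such as `/* Returns the priv_check() error from the enclosing function; locks held by the caller stay held. */` would make that explicit.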
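Review bot: In `proc_write_regs` the added check is evaluated for the thread making the call, not for `td`, and nothing in the function says so even though `td` is the only thread in scope. The same applies to the `proc_write_dbregs`, `proc_write_fpregs` and `proc_write_regset` hunks and to the three `*32` variants further down. I would add a comment at the first site, for example `/* Register writes can be used to alter memory, so require PRIV_PROC_MEM_WRITE of the caller (not td). */`, so the reuse of a memory-write privilege for register writes is explained in the code and not only in the commit message. Because the gate is repeated per function, any register-writing path that bypasses these helpers would stay ungated, so it is worth confirming that none exists.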
@@ -294,6 +306,7 @@ int proc_write_regs32(struct thread *td, struct reg32 *regs32) { PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); + PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); return (set_regs32(td, regs32)); } @@ -308,6 +321,7 @@ int proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) { PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); + PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); return (set_dbregs32(td, dbregs32)); } @@ -322,6 +336,7 @@ int proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) { PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); + PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); return (set_fpregs32(td, fpregs32)); } #endif @@ -363,9 +378,7 @@ proc_rwmem(struct proc *p, struct uio *uio) fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL; if (writing) { - error = priv_check_cred(p->p_ucred, PRIV_PROC_MEM_WRITE); - if (error) - return (error); + PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); } /*
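Review bot: In `proc_rwmem` the replacement changes whose credential is tested: the removed code passed `p->p_ucred` to `priv_check_cred()`, while `PROC_PRIV_CHECK` tests the current thread. `p` appears to be the process being written to, so the check moves from the target to the writer. That matches the intent in the commit message but is not stated in the code or the description. Please confirm that every caller that writes through `proc_rwmem` runs in a thread expected to hold `PRIV_PROC_MEM_WRITE`, and add a comment such as `/* Checked against the writing thread, not the target's p_ucred. */`. The body of `proc_rwmem` starts and continues outside this hunk.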
