procfs require PRIV_PROC_MEM_WRITE to write mem

Add a priv_check for PRIV_PROC_MEM_WRITE which will be blocked
by mac_veriexec if being enforced, unless the process has a maclabel
to grant priv.

Reviewed by:	stevek
Sponsored by:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D46692

sys/fs/procfs/procfs_mem.c

@@ -41,6 +41,7 @@
 #include <sys/ptrace.h>
 #include <sys/systm.h>
 #include <sys/uio.h>
+#include <sys/priv.h>
 
 #include <fs/pseudofs/pseudofs.h>
 #include <fs/procfs/procfs.h>
@@ -61,6 +62,8 @@ procfs_doprocmem(PFS_FILL_ARGS)
 
 	PROC_LOCK(p);
 	error = p_candebug(td, p);
+	if (error == 0 && uio->uio_rw == UIO_WRITE)
+		error = priv_check(td, PRIV_PROC_MEM_WRITE);
 	PROC_UNLOCK(p);
 	if (error == 0)
 		error = proc_rwmem(p, uio);

sys/kern/kern_priv.c

@@ -242,7 +242,9 @@ priv_check_cred(struct ucred *cred, int priv)
 	 * but non-root users are expected to be able to read it (provided they
 	 * have permission to access /dev/[k]mem).
 	 */
-	if (priv == PRIV_KMEM_READ) {
+	switch (priv) {
+	case PRIV_KMEM_READ:
+	case PRIV_PROC_MEM_WRITE:	/* we already checked candebug */
 		error = 0;
 		goto out;
 	}

sys/security/mac_grantbylabel/mac_grantbylabel.c

@@ -218,6 +218,7 @@ mac_grantbylabel_priv_grant(struct ucred *cred, int priv)
 		return rc;		/* not interested */
 
 	switch (priv) {
+	case PRIV_PROC_MEM_WRITE:
 	case PRIV_KMEM_READ:
 	case PRIV_KMEM_WRITE:
 		break;
@@ -244,6 +245,7 @@ mac_grantbylabel_priv_grant(struct ucred *cred, int priv)
 		if (label & GBL_IPC)
 			rc = 0;
 		break;
+	case PRIV_PROC_MEM_WRITE:
 	case PRIV_KMEM_READ:
 	case PRIV_KMEM_WRITE:
 		if (label & GBL_KMEM)

sys/security/mac_veriexec/mac_veriexec.c

@@ -435,6 +435,7 @@ mac_veriexec_priv_check(struct ucred *cred, int priv)
 	error = 0;
 	switch (priv) {
 	case PRIV_KMEM_WRITE:
+	case PRIV_PROC_MEM_WRITE:
 	case PRIV_VERIEXEC_CONTROL:
 		/*
 		 * Do not allow writing to memory or manipulating veriexec,

sys/sys/priv.h

@@ -513,6 +513,7 @@
  */
 #define	PRIV_KMEM_READ		680	/* Open mem/kmem for reading. */
 #define	PRIV_KMEM_WRITE		681	/* Open mem/kmem for writing. */
+#define	PRIV_PROC_MEM_WRITE	682	/* Open /proc/<pid>/mem for writing. */
 
 /*
  * Kernel debugger privileges.