proc_rwmem check PRIV_PROC_MEM_WRITE when writing

This will fail when mac_veriexec is enforced. Move the check from procfs_doprocmem to proc_rwmem to ensure all cases are covered. Reviewed by: olce, markj Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D47484
2024-11-21 07:15:49 +00:00 · 2024-11-08 16:11:12 -08:00 · 2024-11-08 16:11:12 -08:00 · f239981ed5
commit f239981ed5
parent fd67ff5c7a
3 changed files with 7 additions and 3 deletions
--- a/sys/fs/procfs/procfs_mem.c
+++ b/sys/fs/procfs/procfs_mem.c
@ -62,8 +62,6 @@ procfs_doprocmem(PFS_FILL_ARGS)

 	PROC_LOCK(p);
 	error = p_candebug(td, p);
-	if (error == 0 && uio->uio_rw == UIO_WRITE)
-		error = priv_check(td, PRIV_PROC_MEM_WRITE);
 	PROC_UNLOCK(p);
 	if (error == 0)
 		error = proc_rwmem(p, uio);
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@ -361,6 +361,12 @@ proc_rwmem(struct proc *p, struct uio *uio)
 	reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ;
 	fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL;

+	if (writing) {
+		error = priv_check_cred(p->p_ucred, PRIV_PROC_MEM_WRITE);
+		if (error)
+			return (error);
+	}
+
 	/*
 	 * Only map in one page at a time.  We don't have to, but it
 	 * makes things easier.  This way is trivial - right?
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@ -515,7 +515,7 @@
 */
 #define	PRIV_KMEM_READ		680	/* Open mem/kmem for reading. */
 #define	PRIV_KMEM_WRITE		681	/* Open mem/kmem for writing. */
-#define	PRIV_PROC_MEM_WRITE	682	/* Open /proc/<pid>/mem for writing. */
+#define	PRIV_PROC_MEM_WRITE	682	/* Writes via proc_rwmem */

 /*
 * Kernel debugger privileges.