From f239981ed58ca632d4dba39b2229c3152dd32a15 Mon Sep 17 00:00:00 2001
From: "Simon J. Gerraty"
Date: Fri, 8 Nov 2024 16:11:12 -0800
Subject: [PATCH] proc_rwmem check PRIV_PROC_MEM_WRITE when writing

This will fail when mac_veriexec is enforced.

Move the check from procfs_doprocmem to proc_rwmem to ensure all cases are covered.

Reviewed by: olce, markj
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D47484
---
 sys/fs/procfs/procfs_mem.c | 2 --
 sys/kern/sys_process.c | 6 ++++++
 sys/sys/priv.h | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/sys/fs/procfs/procfs_mem.c b/sys/fs/procfs/procfs_mem.c
index 159b40785172..0020b8f8a8d8 100644
--- a/sys/fs/procfs/procfs_mem.c
+++ b/sys/fs/procfs/procfs_mem.c
@@ -62,8 +62,6 @@ procfs_doprocmem(PFS_FILL_ARGS)
 PROC_LOCK(p);
 error = p_candebug(td, p);
- if (error == 0 && uio->uio_rw == UIO_WRITE)
- error = priv_check(td, PRIV_PROC_MEM_WRITE);
 PROC_UNLOCK(p);
 if (error == 0)
 error = proc_rwmem(p, uio);
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index a3a7a22f4cd3..fe2e112dbcfa 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -361,6 +361,12 @@ proc_rwmem(struct proc *p, struct uio *uio)
 reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ;
 fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL;
+ if (writing) {
+ error = priv_check_cred(p->p_ucred, PRIV_PROC_MEM_WRITE);
+ if (error)
+ return (error);
+ }
+
 /*
 * Only map in one page at a time. We don't have to, but it
 * makes things easier. This way is trivial - right?
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 5e14fee2cce1..864fb5b9cdea 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
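Review bot: In proc_rwmem (sys/kern/sys_process.c), the new write check is evaluated against `p->p_ucred`, the credential of the process whose memory is being written, whereas the check removed from procfs_doprocmem used the calling thread (`priv_check(td, PRIV_PROC_MEM_WRITE)`). If the intent is to gate the writer, a credential-sensitive policy (a jail restriction, for example) would now be judged on the target instead; consider `error = priv_check(curthread, PRIV_PROC_MEM_WRITE);`, or add a comment stating why the target's credential is the right subject. The procfs caller also drops PROC_LOCK before calling proc_rwmem, so `p->p_ucred` appears to be read here without the process lock; whether that is safe depends on the part of proc_rwmem outside this hunk.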
@@ -515,7 +515,7 @@
 */
 #define PRIV_KMEM_READ 680 /* Open mem/kmem for reading. */
 #define PRIV_KMEM_WRITE 681 /* Open mem/kmem for writing. */
-#define PRIV_PROC_MEM_WRITE 682 /* Open /proc//mem for writing. */
+#define PRIV_PROC_MEM_WRITE 682 /* Writes via proc_rwmem */
 /*
 * Kernel debugger privileges.