Date: Fri, 24 Sep 2021 00:40:04 GMT From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 425641290023 - stable/13 - proccontrol(1): implement 'nonewprivs' Message-ID: <202109240040.18O0e4Db050982@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=42564129002352e1ff622125edc5d038aa15d4c4 commit 42564129002352e1ff622125edc5d038aa15d4c4 Author: Edward Tomasz Napierala <trasz@FreeBSD.org> AuthorDate: 2021-07-02 07:49:20 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2021-09-24 00:26:59 +0000 proccontrol(1): implement 'nonewprivs' (cherry picked from commit acb1f1269c6f4ff89a0d28ba742f6687e9ef779d) --- usr.bin/proccontrol/proccontrol.1 | 5 ++++- usr.bin/proccontrol/proccontrol.c | 23 ++++++++++++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/usr.bin/proccontrol/proccontrol.1 b/usr.bin/proccontrol/proccontrol.1 index 4445bb5f9f8e..b4ed6c268a6a 100644 --- a/usr.bin/proccontrol/proccontrol.1 +++ b/usr.bin/proccontrol/proccontrol.1 @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 28, 2019 +.Dd July 2, 2021 .Dt PROCCONTROL 1 .Os .Sh NAME @@ -69,6 +69,9 @@ Controls the signalling of capability mode access violations. .It Ar protmax Controls the implicit PROT_MAX application for .Xr mmap 2 . +.It Ar nonewprivs +Controls disabling the setuid and sgid bits for +.Xr execve 2 . .It Ar kpti Controls the KPTI enable, AMD64 only. .It Ar la48 diff --git a/usr.bin/proccontrol/proccontrol.c b/usr.bin/proccontrol/proccontrol.c index edcc23a3cb34..9f185de025c1 100644 --- a/usr.bin/proccontrol/proccontrol.c +++ b/usr.bin/proccontrol/proccontrol.c @@ -45,6 +45,7 @@ enum { MODE_TRAPCAP, MODE_PROTMAX, MODE_STACKGAP, + MODE_NO_NEW_PRIVS, #ifdef PROC_KPTI_CTL MODE_KPTI, #endif @@ -84,7 +85,7 @@ usage(void) { fprintf(stderr, "Usage: proccontrol -m (aslr|protmax|trace|trapcap|" - "stackgap"KPTI_USAGE LA_USAGE") [-q] " + "stackgap|nonewprivs"KPTI_USAGE LA_USAGE") [-q] " "[-s (enable|disable)] [-p pid | command]\n"); exit(1); } @@ -113,6 +114,8 @@ main(int argc, char *argv[]) mode = MODE_TRAPCAP; else if (strcmp(optarg, "stackgap") == 0) mode = MODE_STACKGAP; + else if (strcmp(optarg, "nonewprivs") == 0) + mode = MODE_NO_NEW_PRIVS; #ifdef PROC_KPTI_CTL else if (strcmp(optarg, "kpti") == 0) mode = MODE_KPTI; @@ -174,6 +177,9 @@ main(int argc, char *argv[]) case MODE_STACKGAP: error = procctl(P_PID, pid, PROC_STACKGAP_STATUS, &arg); break; + case MODE_NO_NEW_PRIVS: + error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_STATUS, &arg); + break; #ifdef PROC_KPTI_CTL case MODE_KPTI: error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg); @@ -264,6 +270,16 @@ main(int argc, char *argv[]) break; } break; + case MODE_NO_NEW_PRIVS: + switch (arg) { + case PROC_NO_NEW_PRIVS_ENABLE: + printf("enabled\n"); + break; + case PROC_NO_NEW_PRIVS_DISABLE: + printf("disabled\n"); + break; + } + break; #ifdef PROC_KPTI_CTL case MODE_KPTI: switch (arg & ~PROC_KPTI_STATUS_ACTIVE) { @@ -330,6 +346,11 @@ main(int argc, char *argv[]) PROC_STACKGAP_DISABLE_EXEC); error = procctl(P_PID, pid, PROC_STACKGAP_CTL, &arg); break; + case MODE_NO_NEW_PRIVS: + arg = enable ? PROC_NO_NEW_PRIVS_ENABLE : + PROC_NO_NEW_PRIVS_DISABLE; + error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_CTL, &arg); + break; #ifdef PROC_KPTI_CTL case MODE_KPTI: arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109240040.18O0e4Db050982>