Delivered-To: freebsd-arch@freebsd.org
Date: Sun, 7 Oct 2001 11:56:41 +1000 (EST)
From: Bruce Evans
To: Robert Watson
Cc: Dag-Erling Smorgrav, Peter Wemm
Subject: Re: Removing ptrace(2)'s dependency on procfs(5)
Message-ID: <20011007114736.D5499-100000@delplex.bde.org>

On Sat, 6 Oct 2001, Robert Watson wrote:

> Well, I guess the decision I was trying to look at was:
>
> (1) Is it a global security policy that debugging primitives may never be
>     applied to kernel processes.
>
> (2) Is it a syntactic property of the debugging primitive that it *cannot*
>     be applied to kernel processes.

I'd like to have separate flags for these attributes. We currently abuse
P_SYSTEM for init to prevent debugging and/or swapping of them. This
breaks harmless things like /proc/1/map and obfuscates the security checks
for init. Most places depend on the P_SYSTEM check to handle init, but at
least kern_sig.c still uses both the P_SYSTEM check and a check of init's
magic pid.

Bruce