Date: Sat, 21 Sep 2024 09:13:41 -0400
From: Mark Johnston
To: "Simon J. Gerraty"
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 4a5fa1086184 - main - procfs require PRIV_PROC_MEM_WRITE to write mem
In-Reply-To: <202409192011.48JKBCr5030825@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

On Thu, Sep 19, 2024 at 08:11:12PM +0000, Simon J.
Gerraty wrote: > The branch main has been updated by sjg: > > URL: https://cgit.FreeBSD.org/src/commit/?id=4a5fa1086184f7450f63d4a8e403b16f40a78fce > > commit 4a5fa1086184f7450f63d4a8e403b16f40a78fce > Author: Simon J. Gerraty > AuthorDate: 2024-09-19 20:10:27 +0000 > Commit: Simon J. Gerraty > CommitDate: 2024-09-19 20:10:27 +0000 > > procfs require PRIV_PROC_MEM_WRITE to write mem > > Add a priv_check for PRIV_PROC_MEM_WRITE which will be blocked > by mac_veriexec if being enforced, unless the process has a maclabel > to grant priv. > > Reviewed by: stevek > Sponsored by: Juniper Networks, Inc. > Differential Revision: https://reviews.freebsd.org/D46692 > --- > sys/fs/procfs/procfs_mem.c | 3 +++ > sys/kern/kern_priv.c | 4 +++- > sys/security/mac_grantbylabel/mac_grantbylabel.c | 2 ++ > sys/security/mac_veriexec/mac_veriexec.c | 1 + > sys/sys/priv.h | 1 + > 5 files changed, 10 insertions(+), 1 deletion(-) > > diff --git a/sys/fs/procfs/procfs_mem.c b/sys/fs/procfs/procfs_mem.c > index 6ef725ee0ee7..159b40785172 100644 > --- a/sys/fs/procfs/procfs_mem.c > +++ b/sys/fs/procfs/procfs_mem.c > @@ -41,6 +41,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -61,6 +62,8 @@ procfs_doprocmem(PFS_FILL_ARGS) > > PROC_LOCK(p); > error = p_candebug(td, p); > + if (error == 0 && uio->uio_rw == UIO_WRITE) > + error = priv_check(td, PRIV_PROC_MEM_WRITE); Why is this check here and not in proc_rwmem()? procfs isn't the only interface to this kind of functionality, and it isn't even the main one. > PROC_UNLOCK(p); > if (error == 0) > error = proc_rwmem(p, uio); > diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c > index c146f9e6f8d5..83fd246eef9b 100644 > --- a/sys/kern/kern_priv.c > +++ b/sys/kern/kern_priv.c 
> @@ -242,7 +242,9 @@ priv_check_cred(struct ucred *cred, int priv) > * but non-root users are expected to be able to read it (provided they > * have permission to access /dev/[k]mem). > */ > - if (priv == PRIV_KMEM_READ) { > + switch (priv) { > + case PRIV_KMEM_READ: > + case PRIV_PROC_MEM_WRITE: /* we already checked candebug */ > error = 0; > goto out; > } > diff --git a/sys/security/mac_grantbylabel/mac_grantbylabel.c b/sys/security/mac_grantbylabel/mac_grantbylabel.c > index 848131e54590..4d14577820eb 100644 > --- a/sys/security/mac_grantbylabel/mac_grantbylabel.c > +++ b/sys/security/mac_grantbylabel/mac_grantbylabel.c > @@ -218,6 +218,7 @@ mac_grantbylabel_priv_grant(struct ucred *cred, int priv) > return rc; /* not interested */ > > switch (priv) { > + case PRIV_PROC_MEM_WRITE: > case PRIV_KMEM_READ: > case PRIV_KMEM_WRITE: > break; > @@ -244,6 +245,7 @@ mac_grantbylabel_priv_grant(struct ucred *cred, int priv) > if (label & GBL_IPC) > rc = 0; > break; > + case PRIV_PROC_MEM_WRITE: > case PRIV_KMEM_READ: > case PRIV_KMEM_WRITE: > if (label & GBL_KMEM) > diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c > index 7ac09e2acf0f..490601863197 100644 > --- a/sys/security/mac_veriexec/mac_veriexec.c > +++ b/sys/security/mac_veriexec/mac_veriexec.c > @@ -435,6 +435,7 @@ mac_veriexec_priv_check(struct ucred *cred, int priv) > error = 0; > switch (priv) { > case PRIV_KMEM_WRITE: > + case PRIV_PROC_MEM_WRITE: > case PRIV_VERIEXEC_CONTROL: > /* > * Do not allow writing to memory or manipulating veriexec, > diff --git a/sys/sys/priv.h b/sys/sys/priv.h > index a61de8d32fe0..7a5773da220f 100644 > --- a/sys/sys/priv.h > +++ b/sys/sys/priv.h > @@ -513,6 +513,7 @@ > */ > #define PRIV_KMEM_READ 680 /* Open mem/kmem for reading. */ > #define PRIV_KMEM_WRITE 681 /* Open mem/kmem for writing. */ > +#define PRIV_PROC_MEM_WRITE 682 /* Open /proc//mem for writing. */ > > /* > * Kernel debugger privileges.
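
Review bot: in the procfs_doprocmem() hunk of sys/fs/procfs/procfs_mem.c, the new priv_check(td, PRIV_PROC_MEM_WRITE) call sits between PROC_LOCK(p) and PROC_UNLOCK(p), although it evaluates only the calling thread's credential and does not need the target's process lock. Consider moving it after PROC_UNLOCK(p), still guarded by "error == 0 && uio->uio_rw == UIO_WRITE", so that the lock covers only p_candebug() and the MAC policy hooks reached through priv_check() do not run with the process lock held.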
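
Review bot: in the priv_check_cred() hunk of sys/kern/kern_priv.c, PRIV_PROC_MEM_WRITE is granted unconditionally on the strength of the inline comment "we already checked candebug", which is a property of the single call site in procfs_doprocmem() and not of the privilege itself. A later caller that requests this privilege without a preceding p_candebug() would be granted it here. The block comment above the switch still describes only the read case for /dev/[k]mem; extend it to say that PRIV_PROC_MEM_WRITE is granted by default on this path, that it exists so a MAC policy can deny it, and that callers are expected to have done the p_candebug() check themselves.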
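
Review bot: in the second mac_grantbylabel_priv_grant() hunk of sys/security/mac_grantbylabel/mac_grantbylabel.c, PRIV_PROC_MEM_WRITE falls through to "if (label & GBL_KMEM)", so a label that was issued to allow mem/kmem access now also grants writing to process memory through procfs. If that widening of GBL_KMEM is intended, document it where the label bits are described; if the two should be separable, a distinct label bit for process memory writes would keep existing GBL_KMEM labels from gaining a capability they did not have before this change.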