Date: Thu, 19 Apr 2018 09:20:19 +0200
From: Ed Schouten <ed@nuxi.nl>
To: Tycho Nightingale <tychon@freebsd.org>
Cc: "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject: Re: excluding processes from PTI
Message-ID: <CABh_MKn_KOXfCOA1AT-xC1MQtMxq9rP%2B30ntSdfw3s8SNC%2Bx2w@mail.gmail.com>
In-Reply-To: <F7439969-406B-45F9-B82E-BEDA813654F3@freebsd.org>
References: <F7439969-406B-45F9-B82E-BEDA813654F3@freebsd.org>

Hi Tycho,
2018-04-16 21:33 GMT+02:00 Tycho Nightingale <tychon@freebsd.org>:
> - if (pti) {
> + if (pti && (jailed(cred) || cred->cr_ruid != 0)) {
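
Review bot: The condition on the + line decides the exemption by comparing cred->cr_ruid with 0 directly, and nothing at the if says why a root process outside a jail may run without PTI. Add a comment above the if stating that rationale. The test is on the real uid only, so a process with real uid 0 is exempted whatever its effective uid is; if that is not intended, test the effective uid as well, or replace the uid comparison with a named privilege check.
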
>
> which excludes those processes that are running as superuser and are not in-jail.
>
> Another approach, suggested by kib, is to provide finer-grained control. Perhaps using procctl(2) instead.
Maybe it's sufficient to just use priv_check() here?
--
Ed Schouten <ed@nuxi.nl>
Nuxi, 's-Hertogenbosch, the Netherlands
