The branch main has been updated by trasz:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=acb1f1269c6f4ff89a0d28ba742f6687e9ef779d

commit acb1f1269c6f4ff89a0d28ba742f6687e9ef779d
Author:     Edward Tomasz Napierala <[email protected]>
AuthorDate: 2021-07-02 07:49:20 +0000
Commit:     Edward Tomasz Napierala <[email protected]>
CommitDate: 2021-07-02 07:50:36 +0000

    proccontrol(1): implement 'nonewprivs'
    
    This adds the 'nonewprivs' mode, corresponding to newly added
    procctl(2) commands PROC_NO_NEW_PRIVS_CTL and PROC_NO_NEW_PRIVS_STATUS.
    
    Reviewed By:    kib
    Sponsored By:   EPSRC
    Differential Revision:  https://reviews.freebsd.org/D30940
---
 usr.bin/proccontrol/proccontrol.1 |  5 ++++-
 usr.bin/proccontrol/proccontrol.c | 23 ++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/usr.bin/proccontrol/proccontrol.1 b/usr.bin/proccontrol/proccontrol.1
index 4445bb5f9f8e..b4ed6c268a6a 100644
--- a/usr.bin/proccontrol/proccontrol.1
+++ b/usr.bin/proccontrol/proccontrol.1
@@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 28, 2019
+.Dd July 2, 2021
 .Dt PROCCONTROL 1
 .Os
 .Sh NAME
@@ -69,6 +69,9 @@ Controls the signalling of capability mode access violations.
 .It Ar protmax
 Controls the implicit PROT_MAX application for
 .Xr mmap 2 .
+.It Ar nonewprivs
+Controls disabling the setuid and sgid bits for
+.Xr execve 2 .
 .It Ar kpti
 Controls the KPTI enable, AMD64 only.
 .It Ar la48
diff --git a/usr.bin/proccontrol/proccontrol.c b/usr.bin/proccontrol/proccontrol.c
index edcc23a3cb34..9f185de025c1 100644
--- a/usr.bin/proccontrol/proccontrol.c
+++ b/usr.bin/proccontrol/proccontrol.c
@@ -45,6 +45,7 @@ enum {
        MODE_TRAPCAP,
        MODE_PROTMAX,
        MODE_STACKGAP,
+       MODE_NO_NEW_PRIVS,
 #ifdef PROC_KPTI_CTL
        MODE_KPTI,
 #endif
@@ -84,7 +85,7 @@ usage(void)
 {
 
        fprintf(stderr, "Usage: proccontrol -m (aslr|protmax|trace|trapcap|"
-           "stackgap"KPTI_USAGE LA_USAGE") [-q] "
+           "stackgap|nonewprivs"KPTI_USAGE LA_USAGE") [-q] "
            "[-s (enable|disable)] [-p pid | command]\n");
        exit(1);
 }
@@ -113,6 +114,8 @@ main(int argc, char *argv[])
                                mode = MODE_TRAPCAP;
                        else if (strcmp(optarg, "stackgap") == 0)
                                mode = MODE_STACKGAP;
+                       else if (strcmp(optarg, "nonewprivs") == 0)
+                               mode = MODE_NO_NEW_PRIVS;
 #ifdef PROC_KPTI_CTL
                        else if (strcmp(optarg, "kpti") == 0)
                                mode = MODE_KPTI;
@@ -174,6 +177,9 @@ main(int argc, char *argv[])
                case MODE_STACKGAP:
                        error = procctl(P_PID, pid, PROC_STACKGAP_STATUS, &arg);
                        break;
+               case MODE_NO_NEW_PRIVS:
+                       error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_STATUS, &arg);
+                       break;
 #ifdef PROC_KPTI_CTL
                case MODE_KPTI:
                        error = procctl(P_PID, pid, PROC_KPTI_STATUS, &arg);
@@ -264,6 +270,16 @@ main(int argc, char *argv[])
                                break;
                        }
                        break;
+               case MODE_NO_NEW_PRIVS:
+                       switch (arg) {
+                       case PROC_NO_NEW_PRIVS_ENABLE:
+                               printf("enabled\n");
+                               break;
+                       case PROC_NO_NEW_PRIVS_DISABLE:
+                               printf("disabled\n");
+                               break;
+                       }
+                       break;
 #ifdef PROC_KPTI_CTL
                case MODE_KPTI:
                        switch (arg & ~PROC_KPTI_STATUS_ACTIVE) {
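Review bot: The new `switch (arg)` in the MODE_NO_NEW_PRIVS status case has no `default:` label, so if procctl(2) ever hands back a value other than PROC_NO_NEW_PRIVS_ENABLE or PROC_NO_NEW_PRIVS_DISABLE the command prints nothing and exits as though it had reported a status. For a tool whose whole purpose in `-p pid` mode is to tell the operator whether a hardening flag is set, silence is worse than an explicit "unknown". Assuming `arg` is an `int` (the `&arg` passed to procctl(2) in the earlier hunk suggests so, but its declaration is outside this hunk), add `default:` / `printf("unknown (%d)\n", arg);` / `break;` before the closing brace of the inner switch, matching whatever the neighbouring status switches do if they already have one. The enclosing main() begins and ends outside this hunk.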
@@ -330,6 +346,11 @@ main(int argc, char *argv[])
                            PROC_STACKGAP_DISABLE_EXEC);
                        error = procctl(P_PID, pid, PROC_STACKGAP_CTL, &arg);
                        break;
+               case MODE_NO_NEW_PRIVS:
+                       arg = enable ? PROC_NO_NEW_PRIVS_ENABLE :
+                           PROC_NO_NEW_PRIVS_DISABLE;
+                       error = procctl(P_PID, pid, PROC_NO_NEW_PRIVS_CTL, &arg);
+                       break;
 #ifdef PROC_KPTI_CTL
                case MODE_KPTI:
                        arg = enable ? PROC_KPTI_CTL_ENABLE_ON_EXEC :
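Review bot: The control path maps `-s disable` straight to PROC_NO_NEW_PRIVS_DISABLE, but as I understand the kernel side of this feature the no-new-privs flag is a one-way latch: once enabled for a process it is inherited by descendants and cannot be cleared, which is what makes it useful as a hardening primitive. If that is the case, the tool should not offer a disable that can only ever fail; rejecting it up front with something like `if (!enable) errx(1, "nonewprivs cannot be disabled once set");` gives a clearer diagnostic than relying on whatever errno procctl(2) returns. The same one-way semantics should be stated in the proccontrol.1 hunk above, whose "Controls disabling the setuid and sgid bits for execve(2)" wording reads as if the mode were freely toggleable. The enclosing main() begins and ends outside this hunk.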