kern/56351: if non-root, kevent proc filter can't be attached to processes of other users nor suid processes

[david%netascale.com@localhost]

>Number:         56351
>Category:       kern
>Synopsis:       if non-root, kevent proc filter can't be attached to processes of other users nor suid processes
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Aug 08 12:20:00 +0000 2021
>Originator:     David MacKay
>Release:        9.2
>Organization:
InitWare
>Environment:
NetBSD netbsd 9.2 NetBSD 9.2 (GENERIC) #0: Wed May 12 13:15:55 UTC 2021  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
When not root, the kevent proc filter can't be attached to any process which does not belong to the current user, nor to any process of an SUID binary. This even extends to forked-off processes of processes to which the proc filter has been attached with NOTE_TRACK; if the child tries to exec an SUID binary, NOTE_TRACKERR is returned.

This check (see kern_event.c from line 246) was inherited when NetBSD imported kevent from FreeBSD. 

This behaviour is incorrect. It contradicts the kqueue(2) manual page: "If a process can normally see another process, it can attach an event to it." FreeBSD, DragonFly BSD, and OpenBSD have all deleted this check; in NetBSD, it ought to respect the 'curtain' mode sysctl.
>How-To-Repeat:
Try to attach the proc filter to a process not of your user; or fork off from a process attached to the proc filter with NOTE_TRACK and exec an SUID binary.
>Fix:
Unless 'curtain' mode is active, the check ought not to occur. And even with 'curtain', possibly not (?) in the case of a process which is to be automatically tracked because it is the child of a process to which the proc filter was attached with NOTE_TRACK.