Subject: procfs/ptrace/systrace/ktrace diff
To: None <tech-kern@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 11/23/2006 18:43:40
This is a multi-part message in MIME format.

--Boundary_(ID_JHNFraipZEqn3oToTMoQGw)
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7BIT

hi,

attached diff affects procfs/ptrace/systrace/ktrace.

it tackles a few issues:
  - ktrace: now uses its own kauth(9) request. (only ktrace change)

  - systrace: indirectly used process_checkioperm() via process_domem(),
    and checked securelevel. now uses its own kauth(9) request. (only
    systrace change)

  - procfs/ptrace on i386/powerpc: these architectures support get/set
    regs operations, commonly used by procfs/ptrace via process_doregs()
    and process_dofpregs(). permission checks taken out of both and
    replaced by procfs/ptrace-specific kauth(9) calls before them in
    their callers.

  - procfs/ptrace: relies on process_domem(), process_doregs(), and
    process_dofpregs(), in turn relying on process_checkioperm(), which
    checks securelevel.

    simplified call graphs:

      sys_ptrace() -> process_domem()
      sys_ptrace() -> process_doregs()
      sys_ptrace() -> process_dofpregs()

      procfs_rw() -> procfs_domem() -> process_domem()
      procfs_rw() -> procfs_doregs() -> process_doregs()
      procfs_rw() -> procfs_dofpregs() -> process_dofpregs()

    the removed process_checkioperm() calls from process_domem(),
    process_doregs(), and process_dofpregs() were replaced by kauth(9)
    calls in sys_ptrace() before the calls to the above three, and by
    a single call in procfs_rw().

notes:
  - the diff offers poor context to kauth(9). this should probably be
    addressed by passing the specific ptrace request, procfs pfsnode
    (already done), uio request (if any), and tracer lwp. this can also
    move the proc_isunder() calls to the secmodel code.

  - mildly tested under amd64. please make sure it at least compiles on
    i386 and powerpc.

  - I don't do extensive use (or use at all) any of the four affected
    subsystems. please at least try to use them to see if they retain
    functionality. if you feel helpful, try to break them: root should
    not be able to touch pid 1 if securelevel > -1, you should not be
    able to attach (or touch?) processes you don't own with these, and
    you should not be able to attach (or touch?) processes outside your
    chroot.

comments?

-e.

-- 
Elad Efrat

--Boundary_(ID_JHNFraipZEqn3oToTMoQGw)
Content-type: text/plain; name=proc.diff
Content-transfer-encoding: 7BIT
Content-disposition: inline; filename=proc.diff

Index: arch/i386/i386/process_machdep.c
===================================================================
RCS file: /usr/cvs/src/sys/arch/i386/i386/process_machdep.c,v
retrieving revision 1.59
diff -u -p -r1.59 process_machdep.c
--- arch/i386/i386/process_machdep.c	16 Nov 2006 01:32:38 -0000	1.59
+++ arch/i386/i386/process_machdep.c	22 Nov 2006 13:40:21 -0000
@@ -73,6 +73,7 @@ __KERNEL_RCSID(0, "$NetBSD: process_mach
 #include <sys/user.h>
 #include <sys/vnode.h>
 #include <sys/ptrace.h>
+#include <sys/kauth.h>
 
 #include <uvm/uvm_extern.h>
 
@@ -472,6 +473,14 @@ ptrace_machdep_dorequest(
 	struct iovec iov;
 	int write = 0;
 
+	if (kauth_authorize_process(l->l_cred, KAUTH_PROCESS_CANTRACE,
+	    lt->l_proc, (void *)KAUTH_REQ_PROCESS_CANTRACE_PTRACE, NULL,
+	    NULL) != 0)
+		return (EPERM);
+
+	if (!proc_isunder(lt->l_proc, l))
+		return (EPERM);
+
 	switch (req) {
 	case PT_SETXMMREGS:
 		write = 1;
@@ -524,9 +533,6 @@ process_machdep_doxmmregs(curl, l, uio)
 	char *kv;
 	int kl;
 
-	if ((error = process_checkioperm(curl, l->l_proc)) != 0)
-		return (error);
-
 	kl = sizeof(r);
 	kv = (char *) &r;
 
Index: arch/i386/i386/procfs_machdep.c
===================================================================
RCS file: /usr/cvs/src/sys/arch/i386/i386/procfs_machdep.c,v
retrieving revision 1.25
diff -u -p -r1.25 procfs_machdep.c
--- arch/i386/i386/procfs_machdep.c	16 Nov 2006 01:32:38 -0000	1.25
+++ arch/i386/i386/procfs_machdep.c	22 Nov 2006 13:27:16 -0000
@@ -49,6 +49,7 @@ __KERNEL_RCSID(0, "$NetBSD: procfs_machd
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/vnode.h>
+#include <sys/kauth.h>
 
 #include <miscfs/procfs/procfs.h>
 
@@ -214,6 +215,14 @@ procfs_machdep_rw(struct lwp *curl, stru
     struct uio *uio)
 {
 
+	if (kauth_authorize_process(curl->l_cred, KAUTH_PROCESS_CANTRACE,
+	    l->l_proc, (void *)KAUTH_REQ_PROCESS_CANTRACE_PROCFS, pfs,
+	    NULL) != 0)
+		return (EPERM);
+
+	if (!proc_isunder(l->l_proc, curl))
+		return (EPERM);
+
 	switch (pfs->pfs_type) {
 	case Pmachdep_xmmregs:
 		return (procfs_machdep_doxmmregs(curl, l, pfs, uio));
Index: arch/powerpc/powerpc/process_machdep.c
===================================================================
RCS file: /usr/cvs/src/sys/arch/powerpc/powerpc/process_machdep.c,v
retrieving revision 1.21
diff -u -p -r1.21 process_machdep.c
--- arch/powerpc/powerpc/process_machdep.c	1 Mar 2006 12:38:12 -0000	1.21
+++ arch/powerpc/powerpc/process_machdep.c	22 Nov 2006 13:26:07 -0000
@@ -41,6 +41,7 @@ __KERNEL_RCSID(0, "$NetBSD: process_mach
 #include <sys/user.h>
 #include <sys/systm.h>
 #include <sys/ptrace.h>
+#include <sys/kauth.h>
 
 #include <machine/fpu.h>
 #include <machine/pcb.h>
@@ -187,6 +188,14 @@ ptrace_machdep_dorequest(struct lwp *l, 
 	struct iovec iov;
 	int write = 0;
 
+	if (kauth_authorize_process(l->l_cred, KAUTH_PROCESS_CANTRACE,
+	    lt->l_proc, (void *)KAUTH_REQ_PROCESS_CANTRACE_PTRACE, NULL,
+	    NULL) != 0)
+		return (EPERM);
+
+	if (!proc_isunder(lt->l_proc, l))
+		return (EPERM);
+
 	switch (req) {
 	case PT_SETVECREGS:
 		write = 1;
@@ -225,9 +234,6 @@ process_machdep_dovecregs(struct lwp *cu
 	char *kv;
 	int kl;
 
-	if ((error = process_checkioperm(curl, l->l_proc)) != 0)
-		return (error);
-
 	kl = sizeof(r);
 	kv = (char *) &r;
 
Index: arch/powerpc/powerpc/procfs_machdep.c
===================================================================
RCS file: /usr/cvs/src/sys/arch/powerpc/powerpc/procfs_machdep.c,v
retrieving revision 1.5
diff -u -p -r1.5 procfs_machdep.c
--- arch/powerpc/powerpc/procfs_machdep.c	11 Dec 2005 12:18:46 -0000	1.5
+++ arch/powerpc/powerpc/procfs_machdep.c	22 Nov 2006 13:26:29 -0000
@@ -8,6 +8,7 @@ __KERNEL_RCSID(0, "$NetBSD: procfs_machd
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/vnode.h>
+#include <sys/kauth.h>
 #include <miscfs/procfs/procfs.h>
 
 #include <machine/reg.h>
@@ -47,6 +48,14 @@ procfs_machdep_rw(struct lwp *curl, stru
     struct uio *uio)
 {
 
+	if (kauth_authorize_process(curl->l_cred, KAUTH_PROCESS_CANTRACE,
+	    l->l_proc, (void *)KAUTH_REQ_PROCESS_CANTRACE_PROCFS, pfs,
+	    NULL) != 0)
+		return (EPERM);
+
+	if (!proc_isunder(l, curl->l_proc))
+		return (EPERM);
+
 	switch (pfs->pfs_type) {
 	case Pmachdep_vecregs:
 		return (procfs_machdep_dovecregs(curl, l, pfs, uio));
Index: miscfs/procfs/procfs_subr.c
===================================================================
RCS file: /usr/cvs/src/sys/miscfs/procfs/procfs_subr.c,v
retrieving revision 1.72
diff -u -p -r1.72 procfs_subr.c
--- miscfs/procfs/procfs_subr.c	16 Nov 2006 01:33:38 -0000	1.72
+++ miscfs/procfs/procfs_subr.c	21 Nov 2006 17:55:11 -0000
@@ -85,6 +85,7 @@ __KERNEL_RCSID(0, "$NetBSD: procfs_subr.
 #include <sys/stat.h>
 #include <sys/file.h>
 #include <sys/filedesc.h>
+#include <sys/kauth.h>
 
 #include <miscfs/procfs/procfs.h>
 
@@ -314,7 +315,8 @@ procfs_rw(v)
 	 * Do not allow init to be modified while in secure mode; it
 	 * could be duped into changing the security level.
 	 */
-	if (uio->uio_rw == UIO_WRITE && p == initproc && securelevel > -1)
+	if (kauth_authorize_process(kauth_cred_get(), KAUTH_PROCESS_CANTRACE,
+	    p, (void *)KAUTH_REQ_PROCESS_CANTRACE_PROCFS, pfs, NULL) != 0)
 		return EPERM;
 
 	curl = curlwp;
Index: miscfs/procfs/procfs_vnops.c
===================================================================
RCS file: /usr/cvs/src/sys/miscfs/procfs/procfs_vnops.c,v
retrieving revision 1.138
diff -u -p -r1.138 procfs_vnops.c
--- miscfs/procfs/procfs_vnops.c	16 Nov 2006 01:33:38 -0000	1.138
+++ miscfs/procfs/procfs_vnops.c	22 Nov 2006 13:28:24 -0000
@@ -280,7 +280,6 @@ procfs_open(v)
 	struct pfsnode *pfs = VTOPFS(ap->a_vp);
 	struct lwp *l1;
 	struct proc *p2;
-	int error;
 
 	l1 = ap->a_l;				/* tracer */
 	p2 = PFIND(pfs->pfs_pid);		/* traced */
@@ -288,15 +287,19 @@ procfs_open(v)
 	if (p2 == NULL)
 		return (ENOENT);		/* was ESRCH, jsp */
 
+	if (kauth_authorize_process(kauth_cred_get(), KAUTH_PROCESS_CANTRACE,
+	    p2, (void *)KAUTH_REQ_PROCESS_CANTRACE_PROCFS, pfs, NULL) != 0)
+		return (EPERM);
+
+	if (!proc_isunder(p2, l1))
+		return (EPERM);
+
 	switch (pfs->pfs_type) {
 	case PFSmem:
 		if (((pfs->pfs_flags & FWRITE) && (ap->a_mode & O_EXCL)) ||
 		    ((pfs->pfs_flags & O_EXCL) && (ap->a_mode & FWRITE)))
 			return (EBUSY);
 
-		if ((error = process_checkioperm(l1, p2)) != 0)
-			return (error);
-
 		if (ap->a_mode & FWRITE)
 			pfs->pfs_flags = ap->a_mode & (FWRITE|O_EXCL);
 
Index: kern/sys_process.c
===================================================================
RCS file: /usr/cvs/src/sys/kern/sys_process.c,v
retrieving revision 1.114
diff -u -p -r1.114 sys_process.c
--- kern/sys_process.c	13 Nov 2006 02:52:08 -0000	1.114
+++ kern/sys_process.c	22 Nov 2006 14:50:52 -0000
@@ -184,19 +184,16 @@ sys_ptrace(struct lwp *l, void *v, regis
 		 *	(4) it's not owned by you, or is set-id on exec
 		 *	    (unless you're root), or...
 		 */
-		if ((kauth_cred_getuid(t->p_cred) !=
-		    kauth_cred_getuid(l->l_cred) ||
-		    ISSET(t->p_flag, P_SUGID)) &&
-		    (error = kauth_authorize_generic(l->l_cred,
-		    KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
-			return (error);
 
 		/*
 		 *	(5) ...it's init, which controls the security level
 		 *	    of the entire system, and the system was not
 		 *	    compiled with permanently insecure mode turned on
 		 */
-		if (t == initproc && securelevel > -1)
+
+		if (kauth_authorize_process(l->l_cred, KAUTH_PROCESS_CANTRACE,
+		    t, (void *)KAUTH_REQ_PROCESS_CANTRACE_PTRACE, NULL,
+		    NULL) != 0)
 			return (EPERM);
 
 		/*
@@ -329,6 +326,12 @@ sys_ptrace(struct lwp *l, void *v, regis
 		uio.uio_resid = sizeof(tmp);
 		uio.uio_rw = write ? UIO_WRITE : UIO_READ;
 		UIO_SETUP_SYSSPACE(&uio);
+
+		if (kauth_authorize_process(l->l_cred, KAUTH_PROCESS_CANTRACE,
+		    t, (void *)KAUTH_REQ_PROCESS_CANTRACE_PTRACE, NULL,
+		    NULL) != 0)
+			return (EPERM);
+
 		error = process_domem(l, lt, &uio);
 		if (!write)
 			*retval = tmp;
@@ -361,6 +364,12 @@ sys_ptrace(struct lwp *l, void *v, regis
 		default:
 			return (EINVAL);
 		}
+
+		if (kauth_authorize_process(l->l_cred, KAUTH_PROCESS_CANTRACE,
+		    t, (void *)KAUTH_REQ_PROCESS_CANTRACE_PTRACE, NULL,
+		    NULL) != 0)
+			return (EPERM);
+
 		error = process_domem(l, lt, &uio);
 		piod.piod_len -= uio.uio_resid;
 		(void) copyout(&piod, SCARG(uap, addr), sizeof(piod));
@@ -573,6 +582,13 @@ sys_ptrace(struct lwp *l, void *v, regis
 			uio.uio_resid = sizeof(struct reg);
 			uio.uio_rw = write ? UIO_WRITE : UIO_READ;
 			uio.uio_vmspace = vm;
+
+			if (kauth_authorize_process(l->l_cred,
+			    KAUTH_PROCESS_CANTRACE, t,
+			    (void *)KAUTH_REQ_PROCESS_CANTRACE_PTRACE,
+			    NULL, NULL) != 0)
+				return (EPERM);
+
 			error = process_doregs(l, lt, &uio);
 			uvmspace_free(vm);
 			return error;
@@ -611,6 +627,13 @@ sys_ptrace(struct lwp *l, void *v, regis
 			uio.uio_resid = sizeof(struct fpreg);
 			uio.uio_rw = write ? UIO_WRITE : UIO_READ;
 			uio.uio_vmspace = vm;
+
+			if (kauth_authorize_process(l->l_cred,
+			    KAUTH_PROCESS_CANTRACE, t,
+			    (void *)KAUTH_REQ_PROCESS_CANTRACE_PTRACE,
+			    NULL, NULL) != 0)
+				return (EPERM);
+
 			error = process_dofpregs(l, lt, &uio);
 			uvmspace_free(vm);
 			return error;
@@ -637,7 +660,6 @@ process_doregs(struct lwp *curl /*tracer
     struct uio *uio)
 {
 #if defined(PT_GETREGS) || defined(PT_SETREGS)
-	struct proc *p = l->l_proc;
 	int error;
 	struct reg r;
 	char *kv;
@@ -646,9 +668,6 @@ process_doregs(struct lwp *curl /*tracer
 	if (uio->uio_offset < 0 || uio->uio_offset > (off_t)sizeof(r))
 		return EINVAL;
 
-	if ((error = process_checkioperm(curl, p)) != 0)
-		return error;
-
 	kl = sizeof(r);
 	kv = (char *)&r;
 
@@ -695,7 +714,6 @@ process_dofpregs(struct lwp *curl /*trac
     struct uio *uio)
 {
 #if defined(PT_GETFPREGS) || defined(PT_SETFPREGS)
-	struct proc *p = l->l_proc;
 	int error;
 	struct fpreg r;
 	char *kv;
@@ -704,9 +722,6 @@ process_dofpregs(struct lwp *curl /*trac
 	if (uio->uio_offset < 0 || uio->uio_offset > (off_t)sizeof(r))
 		return EINVAL;
 
-	if ((error = process_checkioperm(curl, p)) != 0)
-		return (error);
-
 	kl = sizeof(r);
 	kv = (char *)&r;
 
@@ -772,9 +787,6 @@ process_domem(struct lwp *curl /*tracer*
 	addr = uio->uio_offset;
 #endif
 
-	if ((error = process_checkioperm(curl, p)) != 0)
-		return (error);
-
 	vm = p->p_vmspace;
 
 	simple_lock(&vm->vm_map.ref_lock);
Index: kern/kern_systrace.c
===================================================================
RCS file: /usr/cvs/src/sys/kern/kern_systrace.c,v
retrieving revision 1.61
diff -u -p -r1.61 kern_systrace.c
--- kern/kern_systrace.c	1 Nov 2006 10:17:58 -0000	1.61
+++ kern/kern_systrace.c	22 Nov 2006 14:31:15 -0000
@@ -1204,6 +1204,10 @@ systrace_io(struct str_process *strp, st
 	uio.uio_resid = io->strio_len;
 	uio.uio_vmspace = l->l_proc->p_vmspace;
 
+	if (kauth_authorize_process(l->l_cred, KAUTH_PROCESS_CANTRACE, t,
+	    (void *)KAUTH_REQ_PROCESS_CANTRACE_SYSTRACE, NULL, NULL) != 0)
+		return (EPERM);
+
 #ifdef __NetBSD__
 	error = process_domem(l, proc_representative_lwp(t), &uio);
 #else
@@ -1267,11 +1271,6 @@ systrace_attach(struct fsystrace *fst, p
 	 *	special privileges using setuid() from being
 	 *	traced. This is good security.]
 	 */
-	if ((kauth_cred_getuid(proc->p_cred) != kauth_cred_getuid(p->p_cred) ||
-		ISSET(proc->p_flag, P_SUGID)) &&
-	    (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER,
-				       &p->p_acflag)) != 0)
-		goto out;
 
 	/*
 	 *	(5) ...it's init, which controls the security level
@@ -1279,7 +1278,10 @@ systrace_attach(struct fsystrace *fst, p
 	 *          compiled with permanently insecure mode turned
 	 *	    on.
 	 */
-	if ((proc->p_pid == 1) && (securelevel > -1)) {
+
+	if (kauth_authorize_process(kauth_cred_get(), KAUTH_PROCESS_CANTRACE,
+	    proc, (void *)KAUTH_REQ_PROCESS_CANTRACE_SYSTRACE, NULL,
+	    NULL) != 0) {
 		error = EPERM;
 		goto out;
 	}
Index: kern/kern_ktrace.c
===================================================================
RCS file: /usr/cvs/src/sys/kern/kern_ktrace.c,v
retrieving revision 1.111
diff -u -p -r1.111 kern_ktrace.c
--- kern/kern_ktrace.c	1 Nov 2006 10:17:58 -0000	1.111
+++ kern/kern_ktrace.c	21 Nov 2006 14:05:27 -0000
@@ -1292,16 +1292,9 @@ ktrace_thread(void *arg)
 int
 ktrcanset(struct lwp *calll, struct proc *targetp)
 {
-	kauth_cred_t caller = calll->l_cred;
-	kauth_cred_t target = targetp->p_cred;
-
-	if ((kauth_cred_geteuid(caller) == kauth_cred_getuid(target) &&
-	    kauth_cred_getuid(target) == kauth_cred_getsvuid(target) &&
-	    kauth_cred_getgid(caller) == kauth_cred_getgid(target) &&	/* XXX */
-	    kauth_cred_getgid(target) == kauth_cred_getsvgid(target) &&
-	    (targetp->p_traceflag & KTRFAC_ROOT) == 0 &&
-	    (targetp->p_flag & P_SUGID) == 0) ||
-	    kauth_cred_geteuid(caller) == 0)
+	if (kauth_authorize_process(calll->l_cred, KAUTH_PROCESS_CANTRACE,
+	    targetp, (void *)KAUTH_REQ_PROCESS_CANTRACE_KTRACE, NULL,
+	    NULL) == 0)
 		return (1);
 
 	return (0);
Index: sys/kauth.h
===================================================================
RCS file: /usr/cvs/src/sys/sys/kauth.h,v
retrieving revision 1.22
diff -u -p -r1.22 kauth.h
--- sys/kauth.h	22 Nov 2006 13:59:27 -0000	1.22
+++ sys/kauth.h	21 Nov 2006 13:43:37 -0000
@@ -118,6 +118,7 @@ enum kauth_system_req {
 enum {
 	KAUTH_PROCESS_CANSEE=1,
 	KAUTH_PROCESS_CANSIGNAL,
+	KAUTH_PROCESS_CANTRACE,
 	KAUTH_PROCESS_CORENAME,
 	KAUTH_PROCESS_RESOURCE,
 	KAUTH_PROCESS_SETID
@@ -127,7 +128,11 @@ enum {
  * Process scope - sub-actions.
  */
 enum {
-	KAUTH_REQ_PROCESS_RESOURCE_NICE=1,
+	KAUTH_REQ_PROCESS_CANTRACE_KTRACE=1,
+	KAUTH_REQ_PROCESS_CANTRACE_PROCFS,
+	KAUTH_REQ_PROCESS_CANTRACE_PTRACE,
+	KAUTH_REQ_PROCESS_CANTRACE_SYSTRACE,
+	KAUTH_REQ_PROCESS_RESOURCE_NICE,
 	KAUTH_REQ_PROCESS_RESOURCE_RLIMIT
 };
 
Index: secmodel/bsd44/secmodel_bsd44_suser.c
===================================================================
RCS file: /usr/cvs/src/sys/secmodel/bsd44/secmodel_bsd44_suser.c,v
retrieving revision 1.16
diff -u -p -r1.16 secmodel_bsd44_suser.c
--- secmodel/bsd44/secmodel_bsd44_suser.c	16 Nov 2006 01:33:51 -0000	1.16
+++ secmodel/bsd44/secmodel_bsd44_suser.c	21 Nov 2006 16:06:17 -0000
@@ -211,6 +211,74 @@ secmodel_bsd44_suser_process_cb(kauth_cr
 			result = KAUTH_RESULT_ALLOW;
 		break;
 
+	case KAUTH_PROCESS_CANTRACE:
+		switch ((u_long)arg1) {
+		case KAUTH_REQ_PROCESS_CANTRACE_KTRACE:
+			if (isroot) {
+				result = KAUTH_RESULT_ALLOW;
+				break;
+			}
+
+			if ((p->p_traceflag & KTRFAC_ROOT) ||
+			    (p->p_flag & P_SUGID)) {
+				result = KAUTH_RESULT_DENY;
+				break;
+			}
+
+			if (kauth_cred_geteuid(cred) ==
+			     kauth_cred_getuid(p->p_cred) &&
+			    kauth_cred_getuid(cred) ==
+			     kauth_cred_getsvuid(p->p_cred) &&
+			    kauth_cred_getgid(cred) ==
+			     kauth_cred_getgid(p->p_cred) && /* XXX */
+			    kauth_cred_getgid(cred) ==
+			     kauth_cred_getsvgid(p->p_cred)) {
+				result = KAUTH_RESULT_ALLOW;
+				break;
+			}
+
+			result = KAUTH_RESULT_DENY;
+			break;
+
+		case KAUTH_REQ_PROCESS_CANTRACE_PTRACE:
+			if (isroot) {
+				result = KAUTH_RESULT_ALLOW;
+				break;
+			}
+
+			if ((kauth_cred_getuid(cred) !=
+			     kauth_cred_getuid(p->p_cred)) ||
+			    ISSET(p->p_flag, P_SUGID)) {
+				result = KAUTH_RESULT_DENY;
+				break;
+			}
+
+			result = KAUTH_RESULT_ALLOW;
+
+			break;
+
+		case KAUTH_REQ_PROCESS_CANTRACE_SYSTRACE:
+			if (isroot) {
+				result = KAUTH_RESULT_ALLOW;
+				break;
+			}
+
+			if ((kauth_cred_getuid(cred) !=
+			     kauth_cred_getuid(p->p_cred)) ||
+			    ISSET(p->p_flag, P_SUGID)) {
+				result = KAUTH_RESULT_DENY;
+				break;
+			}
+
+			result = KAUTH_RESULT_ALLOW;
+			break;
+
+		default:
+			result = KAUTH_RESULT_DEFER;
+			break;
+		}
+		break;
+
 	case KAUTH_PROCESS_RESOURCE:
 		switch ((u_long)arg1) {
 		case KAUTH_REQ_PROCESS_RESOURCE_NICE:
Index: secmodel/bsd44/secmodel_bsd44_securelevel.c
===================================================================
RCS file: /usr/cvs/src/sys/secmodel/bsd44/secmodel_bsd44_securelevel.c,v
retrieving revision 1.16
diff -u -p -r1.16 secmodel_bsd44_securelevel.c
--- secmodel/bsd44/secmodel_bsd44_securelevel.c	22 Nov 2006 20:57:52 -0000	1.16
+++ secmodel/bsd44/secmodel_bsd44_securelevel.c	22 Nov 2006 14:54:19 -0000
@@ -227,11 +227,50 @@ secmodel_bsd44_securelevel_process_cb(ka
     kauth_action_t action, void *cookie, void *arg0,
     void *arg1, void *arg2, void *arg3)
 {
+	struct proc *p;
 	int result;
 
 	result = KAUTH_RESULT_DENY;
+	p = arg0;
 
 	switch (action) {
+	case KAUTH_PROCESS_CANTRACE:
+		switch ((u_long)arg1) {
+		case KAUTH_REQ_PROCESS_CANTRACE_PROCFS:
+			if ((p == initproc) && (securelevel >= 0)) {
+				result = KAUTH_RESULT_DENY;
+				break;
+			}
+
+			result = KAUTH_RESULT_ALLOW;
+
+			break;
+
+		case KAUTH_REQ_PROCESS_CANTRACE_PTRACE:
+			if ((p == initproc) && (securelevel >= 0)) {
+				result = KAUTH_RESULT_DENY;
+				break;
+			}
+
+			result = KAUTH_RESULT_ALLOW;
+
+			break;
+
+		case KAUTH_REQ_PROCESS_CANTRACE_SYSTRACE:
+			if ((p == initproc) && (securelevel >= 0)) {
+				result = KAUTH_RESULT_DENY;
+				break;
+			}
+
+			result = KAUTH_RESULT_ALLOW;
+
+			break;
+		default:
+			result = KAUTH_RESULT_DEFER;
+			break;
+		}
+		break;
+
 	case KAUTH_PROCESS_CORENAME:
 		if (securelevel < 2)
 			result = KAUTH_RESULT_ALLOW;

--Boundary_(ID_JHNFraipZEqn3oToTMoQGw)--