1 /* $OpenBSD: sys_process.c,v 1.77 2017/07/19 14:17:49 deraadt Exp $ */ 2 /* $NetBSD: sys_process.c,v 1.55 1996/05/15 06:17:47 tls Exp $ */ 3 4 /*- 5 * Copyright (c) 1994 Christopher G. Demetriou. All rights reserved. 6 * Copyright (c) 1982, 1986, 1989, 1993 7 * The Regents of the University of California. All rights reserved. 8 * (c) UNIX System Laboratories, Inc. 9 * All or some portions of this file are derived from material licensed 10 * to the University of California by American Telephone and Telegraph 11 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 12 * the permission of UNIX System Laboratories, Inc. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 3. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * from: @(#)sys_process.c 8.1 (Berkeley) 6/10/93 39 */ 40 41 /* 42 * References: 43 * (1) Bach's "The Design of the UNIX Operating System", 44 * (2) sys/miscfs/procfs from UCB's 4.4BSD-Lite distribution, 45 * (3) the "4.4BSD Programmer's Reference Manual" published 46 * by USENIX and O'Reilly & Associates. 47 * The 4.4BSD PRM does a reasonably good job of documenting what the various 48 * ptrace() requests should actually do, and its text is quoted several times 49 * in this file. 50 */ 51 52 #include <sys/param.h> 53 #include <sys/systm.h> 54 #include <sys/exec.h> 55 #include <sys/proc.h> 56 #include <sys/signalvar.h> 57 #include <sys/errno.h> 58 #include <sys/malloc.h> 59 #include <sys/ptrace.h> 60 #include <sys/uio.h> 61 #include <sys/sched.h> 62 63 #include <sys/mount.h> 64 #include <sys/syscallargs.h> 65 66 #include <uvm/uvm_extern.h> 67 68 #include <machine/reg.h> 69 70 int process_auxv_offset(struct proc *, struct process *, struct uio *); 71 72 #ifdef PTRACE 73 int global_ptrace; /* permit tracing of not children */ 74 /* 75 * Process debugging system call. 76 */ 77 int 78 sys_ptrace(struct proc *p, void *v, register_t *retval) 79 { 80 struct sys_ptrace_args /* { 81 syscallarg(int) req; 82 syscallarg(pid_t) pid; 83 syscallarg(caddr_t) addr; 84 syscallarg(int) data; 85 } */ *uap = v; 86 struct proc *t; /* target thread */ 87 struct process *tr; /* target process */ 88 struct uio uio; 89 struct iovec iov; 90 struct ptrace_io_desc piod; 91 struct ptrace_event pe; 92 struct ptrace_thread_state pts; 93 struct reg *regs; 94 #if defined (PT_SETFPREGS) || defined (PT_GETFPREGS) 95 struct fpreg *fpregs; 96 #endif 97 #if defined (PT_SETXMMREGS) || defined (PT_GETXMMREGS) 98 struct xmmregs *xmmregs; 99 #endif 100 #ifdef PT_WCOOKIE 101 register_t wcookie; 102 #endif 103 int error, write; 104 int temp = 0; 105 int req = SCARG(uap, req); 106 pid_t pid = SCARG(uap, pid); 107 caddr_t addr = SCARG(uap, addr); 108 int data = SCARG(uap, data); 109 int s; 110 111 /* "A foolish consistency..." XXX */ 112 switch (req) { 113 case PT_TRACE_ME: 114 t = p; 115 tr = t->p_p; 116 break; 117 118 /* calls that only operate on the PID */ 119 case PT_READ_I: 120 case PT_READ_D: 121 case PT_WRITE_I: 122 case PT_WRITE_D: 123 case PT_KILL: 124 case PT_ATTACH: 125 case PT_IO: 126 case PT_SET_EVENT_MASK: 127 case PT_GET_EVENT_MASK: 128 case PT_GET_PROCESS_STATE: 129 case PT_GET_THREAD_FIRST: 130 case PT_GET_THREAD_NEXT: 131 case PT_DETACH: 132 default: 133 /* Find the process we're supposed to be operating on. */ 134 if ((tr = prfind(pid)) == NULL) 135 return (ESRCH); 136 t = tr->ps_mainproc; /* XXX */ 137 break; 138 139 /* calls that accept a PID or a thread ID */ 140 case PT_CONTINUE: 141 #ifdef PT_STEP 142 case PT_STEP: 143 #endif 144 #ifdef PT_WCOOKIE 145 case PT_WCOOKIE: 146 #endif 147 case PT_GETREGS: 148 case PT_SETREGS: 149 #ifdef PT_GETFPREGS 150 case PT_GETFPREGS: 151 #endif 152 #ifdef PT_SETFPREGS 153 case PT_SETFPREGS: 154 #endif 155 #ifdef PT_GETXMMREGS 156 case PT_GETXMMREGS: 157 #endif 158 #ifdef PT_SETXMMREGS 159 case PT_SETXMMREGS: 160 #endif 161 if (pid > THREAD_PID_OFFSET) { 162 t = tfind(pid - THREAD_PID_OFFSET); 163 if (t == NULL) 164 return (ESRCH); 165 tr = t->p_p; 166 } else { 167 if ((tr = prfind(pid)) == NULL) 168 return (ESRCH); 169 t = tr->ps_mainproc; /* XXX */ 170 } 171 break; 172 } 173 174 if ((tr->ps_flags & PS_INEXEC) != 0) 175 return (EAGAIN); 176 177 /* Make sure we can operate on it. */ 178 switch (req) { 179 case PT_TRACE_ME: 180 /* Saying that you're being traced is always legal. */ 181 break; 182 183 case PT_ATTACH: 184 /* 185 * You can't attach to a process if: 186 * (1) it's the process that's doing the attaching, 187 */ 188 if (tr == p->p_p) 189 return (EINVAL); 190 191 /* 192 * (2) it's a system process 193 */ 194 if (ISSET(tr->ps_flags, PS_SYSTEM)) 195 return (EPERM); 196 197 /* 198 * (3) it's already being traced, or 199 */ 200 if (ISSET(tr->ps_flags, PS_TRACED)) 201 return (EBUSY); 202 203 /* 204 * (4) it's not owned by you, or the last exec 205 * gave us setuid/setgid privs (unless 206 * you're root), or... 207 * 208 * [Note: once PS_SUGID or PS_SUGIDEXEC gets set in 209 * execve(), they stay set until the process does 210 * another execve(). Hence this prevents a setuid 211 * process which revokes its special privileges using 212 * setuid() from being traced. This is good security.] 213 */ 214 if ((tr->ps_ucred->cr_ruid != p->p_ucred->cr_ruid || 215 ISSET(tr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) && 216 (error = suser(p, 0)) != 0) 217 return (error); 218 219 /* 220 * (4.5) it's not a child of the tracing process. 221 */ 222 if (global_ptrace == 0 && !inferior(tr, p->p_p) && 223 (error = suser(p, 0)) != 0) 224 return (error); 225 226 /* 227 * (5) ...it's init, which controls the security level 228 * of the entire system, and the system was not 229 * compiled with permanently insecure mode turned 230 * on. 231 */ 232 if ((tr->ps_pid == 1) && (securelevel > -1)) 233 return (EPERM); 234 235 /* 236 * (6) it's an ancestor of the current process and 237 * not init (because that would create a loop in 238 * the process graph). 239 */ 240 if (tr->ps_pid != 1 && inferior(p->p_p, tr)) 241 return (EINVAL); 242 break; 243 244 case PT_READ_I: 245 case PT_READ_D: 246 case PT_WRITE_I: 247 case PT_WRITE_D: 248 case PT_IO: 249 case PT_CONTINUE: 250 case PT_KILL: 251 case PT_DETACH: 252 #ifdef PT_STEP 253 case PT_STEP: 254 #endif 255 case PT_SET_EVENT_MASK: 256 case PT_GET_EVENT_MASK: 257 case PT_GET_PROCESS_STATE: 258 case PT_GETREGS: 259 case PT_SETREGS: 260 #ifdef PT_GETFPREGS 261 case PT_GETFPREGS: 262 #endif 263 #ifdef PT_SETFPREGS 264 case PT_SETFPREGS: 265 #endif 266 #ifdef PT_GETXMMREGS 267 case PT_GETXMMREGS: 268 #endif 269 #ifdef PT_SETXMMREGS 270 case PT_SETXMMREGS: 271 #endif 272 #ifdef PT_WCOOKIE 273 case PT_WCOOKIE: 274 #endif 275 /* 276 * You can't do what you want to the process if: 277 * (1) It's not being traced at all, 278 */ 279 if (!ISSET(tr->ps_flags, PS_TRACED)) 280 return (EPERM); 281 282 /* 283 * (2) it's not being traced by _you_, or 284 */ 285 if (tr->ps_pptr != p->p_p) 286 return (EBUSY); 287 288 /* 289 * (3) it's not currently stopped. 290 */ 291 if (t->p_stat != SSTOP || !ISSET(tr->ps_flags, PS_WAITED)) 292 return (EBUSY); 293 break; 294 295 case PT_GET_THREAD_FIRST: 296 case PT_GET_THREAD_NEXT: 297 /* 298 * You can't do what you want to the process if: 299 * (1) It's not being traced at all, 300 */ 301 if (!ISSET(tr->ps_flags, PS_TRACED)) 302 return (EPERM); 303 304 /* 305 * (2) it's not being traced by _you_, or 306 */ 307 if (tr->ps_pptr != p->p_p) 308 return (EBUSY); 309 310 /* 311 * Do the work here because the request isn't actually 312 * associated with 't' 313 */ 314 if (data != sizeof(pts)) 315 return (EINVAL); 316 317 if (req == PT_GET_THREAD_NEXT) { 318 error = copyin(addr, &pts, sizeof(pts)); 319 if (error) 320 return (error); 321 322 t = tfind(pts.pts_tid - THREAD_PID_OFFSET); 323 if (t == NULL || ISSET(t->p_flag, P_WEXIT)) 324 return (ESRCH); 325 if (t->p_p != tr) 326 return (EINVAL); 327 t = TAILQ_NEXT(t, p_thr_link); 328 } else { 329 t = TAILQ_FIRST(&tr->ps_threads); 330 } 331 332 if (t == NULL) 333 pts.pts_tid = -1; 334 else 335 pts.pts_tid = t->p_tid + THREAD_PID_OFFSET; 336 return (copyout(&pts, addr, sizeof(pts))); 337 338 default: /* It was not a legal request. */ 339 return (EINVAL); 340 } 341 342 /* Do single-step fixup if needed. */ 343 FIX_SSTEP(t); 344 345 /* Now do the operation. */ 346 write = 0; 347 *retval = 0; 348 349 switch (req) { 350 case PT_TRACE_ME: 351 /* Just set the trace flag. */ 352 atomic_setbits_int(&tr->ps_flags, PS_TRACED); 353 tr->ps_oppid = tr->ps_pptr->ps_pid; 354 if (tr->ps_ptstat == NULL) 355 tr->ps_ptstat = malloc(sizeof(*tr->ps_ptstat), 356 M_SUBPROC, M_WAITOK); 357 memset(tr->ps_ptstat, 0, sizeof(*tr->ps_ptstat)); 358 return (0); 359 360 case PT_WRITE_I: /* XXX no separate I and D spaces */ 361 case PT_WRITE_D: 362 write = 1; 363 temp = data; 364 case PT_READ_I: /* XXX no separate I and D spaces */ 365 case PT_READ_D: 366 /* write = 0 done above. */ 367 iov.iov_base = (caddr_t)&temp; 368 iov.iov_len = sizeof(int); 369 uio.uio_iov = &iov; 370 uio.uio_iovcnt = 1; 371 uio.uio_offset = (off_t)(vaddr_t)addr; 372 uio.uio_resid = sizeof(int); 373 uio.uio_segflg = UIO_SYSSPACE; 374 uio.uio_rw = write ? UIO_WRITE : UIO_READ; 375 uio.uio_procp = p; 376 error = process_domem(p, tr, &uio, write ? PT_WRITE_I : 377 PT_READ_I); 378 if (write == 0) 379 *retval = temp; 380 return (error); 381 case PT_IO: 382 error = copyin(addr, &piod, sizeof(piod)); 383 if (error) 384 return (error); 385 iov.iov_base = piod.piod_addr; 386 iov.iov_len = piod.piod_len; 387 uio.uio_iov = &iov; 388 uio.uio_iovcnt = 1; 389 uio.uio_offset = (off_t)(vaddr_t)piod.piod_offs; 390 uio.uio_resid = piod.piod_len; 391 uio.uio_segflg = UIO_USERSPACE; 392 uio.uio_procp = p; 393 switch (piod.piod_op) { 394 case PIOD_READ_I: 395 req = PT_READ_I; 396 uio.uio_rw = UIO_READ; 397 break; 398 case PIOD_READ_D: 399 req = PT_READ_D; 400 uio.uio_rw = UIO_READ; 401 break; 402 case PIOD_WRITE_I: 403 req = PT_WRITE_I; 404 uio.uio_rw = UIO_WRITE; 405 break; 406 case PIOD_WRITE_D: 407 req = PT_WRITE_D; 408 uio.uio_rw = UIO_WRITE; 409 break; 410 case PIOD_READ_AUXV: 411 req = PT_READ_D; 412 uio.uio_rw = UIO_READ; 413 temp = tr->ps_emul->e_arglen * sizeof(char *); 414 if (uio.uio_offset > temp) 415 return (EIO); 416 if (uio.uio_resid > temp - uio.uio_offset) 417 uio.uio_resid = temp - uio.uio_offset; 418 piod.piod_len = iov.iov_len = uio.uio_resid; 419 error = process_auxv_offset(p, tr, &uio); 420 if (error) 421 return (error); 422 break; 423 default: 424 return (EINVAL); 425 } 426 error = process_domem(p, tr, &uio, req); 427 piod.piod_len -= uio.uio_resid; 428 (void) copyout(&piod, addr, sizeof(piod)); 429 return (error); 430 #ifdef PT_STEP 431 case PT_STEP: 432 /* 433 * From the 4.4BSD PRM: 434 * "Execution continues as in request PT_CONTINUE; however 435 * as soon as possible after execution of at least one 436 * instruction, execution stops again. [ ... ]" 437 */ 438 #endif 439 case PT_CONTINUE: 440 /* 441 * From the 4.4BSD PRM: 442 * "The data argument is taken as a signal number and the 443 * child's execution continues at location addr as if it 444 * incurred that signal. Normally the signal number will 445 * be either 0 to indicate that the signal that caused the 446 * stop should be ignored, or that value fetched out of 447 * the process's image indicating which signal caused 448 * the stop. If addr is (int *)1 then execution continues 449 * from where it stopped." 450 */ 451 452 if (pid < THREAD_PID_OFFSET && tr->ps_single) 453 t = tr->ps_single; 454 455 /* Check that the data is a valid signal number or zero. */ 456 if (data < 0 || data >= NSIG) 457 return (EINVAL); 458 459 /* If the address parameter is not (int *)1, set the pc. */ 460 if ((int *)addr != (int *)1) 461 if ((error = process_set_pc(t, addr)) != 0) 462 return error; 463 464 #ifdef PT_STEP 465 /* 466 * Arrange for a single-step, if that's requested and possible. 467 */ 468 error = process_sstep(t, req == PT_STEP); 469 if (error) 470 return error; 471 #endif 472 goto sendsig; 473 474 case PT_DETACH: 475 /* 476 * From the 4.4BSD PRM: 477 * "The data argument is taken as a signal number and the 478 * child's execution continues at location addr as if it 479 * incurred that signal. Normally the signal number will 480 * be either 0 to indicate that the signal that caused the 481 * stop should be ignored, or that value fetched out of 482 * the process's image indicating which signal caused 483 * the stop. If addr is (int *)1 then execution continues 484 * from where it stopped." 485 */ 486 487 if (pid < THREAD_PID_OFFSET && tr->ps_single) 488 t = tr->ps_single; 489 490 /* Check that the data is a valid signal number or zero. */ 491 if (data < 0 || data >= NSIG) 492 return (EINVAL); 493 494 #ifdef PT_STEP 495 /* 496 * Stop single stepping. 497 */ 498 error = process_sstep(t, 0); 499 if (error) 500 return error; 501 #endif 502 503 /* give process back to original parent or init */ 504 if (tr->ps_oppid != tr->ps_pptr->ps_pid) { 505 struct process *ppr; 506 507 ppr = prfind(tr->ps_oppid); 508 proc_reparent(tr, ppr ? ppr : initprocess); 509 } 510 511 /* not being traced any more */ 512 tr->ps_oppid = 0; 513 atomic_clearbits_int(&tr->ps_flags, PS_TRACED|PS_WAITED); 514 515 sendsig: 516 memset(tr->ps_ptstat, 0, sizeof(*tr->ps_ptstat)); 517 518 /* Finally, deliver the requested signal (or none). */ 519 if (t->p_stat == SSTOP) { 520 t->p_xstat = data; 521 SCHED_LOCK(s); 522 setrunnable(t); 523 SCHED_UNLOCK(s); 524 } else { 525 if (data != 0) 526 psignal(t, data); 527 } 528 529 return (0); 530 531 case PT_KILL: 532 if (pid < THREAD_PID_OFFSET && tr->ps_single) 533 t = tr->ps_single; 534 535 /* just send the process a KILL signal. */ 536 data = SIGKILL; 537 goto sendsig; /* in PT_CONTINUE, above. */ 538 539 case PT_ATTACH: 540 /* 541 * As was done in procfs: 542 * Go ahead and set the trace flag. 543 * Save the old parent (it's reset in 544 * _DETACH, and also in kern_exit.c:wait4() 545 * Reparent the process so that the tracing 546 * proc gets to see all the action. 547 * Stop the target. 548 */ 549 atomic_setbits_int(&tr->ps_flags, PS_TRACED); 550 tr->ps_oppid = tr->ps_pptr->ps_pid; 551 if (tr->ps_pptr != p->p_p) 552 proc_reparent(tr, p->p_p); 553 if (tr->ps_ptstat == NULL) 554 tr->ps_ptstat = malloc(sizeof(*tr->ps_ptstat), 555 M_SUBPROC, M_WAITOK); 556 data = SIGSTOP; 557 goto sendsig; 558 559 case PT_GET_EVENT_MASK: 560 if (data != sizeof(pe)) 561 return (EINVAL); 562 memset(&pe, 0, sizeof(pe)); 563 pe.pe_set_event = tr->ps_ptmask; 564 return (copyout(&pe, addr, sizeof(pe))); 565 case PT_SET_EVENT_MASK: 566 if (data != sizeof(pe)) 567 return (EINVAL); 568 if ((error = copyin(addr, &pe, sizeof(pe)))) 569 return (error); 570 tr->ps_ptmask = pe.pe_set_event; 571 return (0); 572 573 case PT_GET_PROCESS_STATE: 574 if (data != sizeof(*tr->ps_ptstat)) 575 return (EINVAL); 576 577 if (tr->ps_single) 578 tr->ps_ptstat->pe_tid = 579 tr->ps_single->p_tid + THREAD_PID_OFFSET; 580 581 return (copyout(tr->ps_ptstat, addr, sizeof(*tr->ps_ptstat))); 582 583 case PT_SETREGS: 584 KASSERT((p->p_flag & P_SYSTEM) == 0); 585 if ((error = process_checkioperm(p, tr)) != 0) 586 return (error); 587 588 regs = malloc(sizeof(*regs), M_TEMP, M_WAITOK); 589 error = copyin(addr, regs, sizeof(*regs)); 590 if (error == 0) { 591 error = process_write_regs(t, regs); 592 } 593 free(regs, M_TEMP, sizeof(*regs)); 594 return (error); 595 case PT_GETREGS: 596 KASSERT((p->p_flag & P_SYSTEM) == 0); 597 if ((error = process_checkioperm(p, tr)) != 0) 598 return (error); 599 600 regs = malloc(sizeof(*regs), M_TEMP, M_WAITOK); 601 error = process_read_regs(t, regs); 602 if (error == 0) 603 error = copyout(regs, addr, sizeof (*regs)); 604 free(regs, M_TEMP, sizeof(*regs)); 605 return (error); 606 #ifdef PT_SETFPREGS 607 case PT_SETFPREGS: 608 KASSERT((p->p_flag & P_SYSTEM) == 0); 609 if ((error = process_checkioperm(p, tr)) != 0) 610 return (error); 611 612 fpregs = malloc(sizeof(*fpregs), M_TEMP, M_WAITOK); 613 error = copyin(addr, fpregs, sizeof(*fpregs)); 614 if (error == 0) { 615 error = process_write_fpregs(t, fpregs); 616 } 617 free(fpregs, M_TEMP, sizeof(*fpregs)); 618 return (error); 619 #endif 620 #ifdef PT_GETFPREGS 621 case PT_GETFPREGS: 622 KASSERT((p->p_flag & P_SYSTEM) == 0); 623 if ((error = process_checkioperm(p, tr)) != 0) 624 return (error); 625 626 fpregs = malloc(sizeof(*fpregs), M_TEMP, M_WAITOK); 627 error = process_read_fpregs(t, fpregs); 628 if (error == 0) 629 error = copyout(fpregs, addr, sizeof(*fpregs)); 630 free(fpregs, M_TEMP, sizeof(*fpregs)); 631 return (error); 632 #endif 633 #ifdef PT_SETXMMREGS 634 case PT_SETXMMREGS: 635 KASSERT((p->p_flag & P_SYSTEM) == 0); 636 if ((error = process_checkioperm(p, tr)) != 0) 637 return (error); 638 639 xmmregs = malloc(sizeof(*xmmregs), M_TEMP, M_WAITOK); 640 error = copyin(addr, xmmregs, sizeof(*xmmregs)); 641 if (error == 0) { 642 error = process_write_xmmregs(t, xmmregs); 643 } 644 free(xmmregs, M_TEMP, sizeof(*xmmregs)); 645 return (error); 646 #endif 647 #ifdef PT_GETXMMREGS 648 case PT_GETXMMREGS: 649 KASSERT((p->p_flag & P_SYSTEM) == 0); 650 if ((error = process_checkioperm(p, tr)) != 0) 651 return (error); 652 653 xmmregs = malloc(sizeof(*xmmregs), M_TEMP, M_WAITOK); 654 error = process_read_xmmregs(t, xmmregs); 655 if (error == 0) 656 error = copyout(xmmregs, addr, sizeof(*xmmregs)); 657 free(xmmregs, M_TEMP, sizeof(*xmmregs)); 658 return (error); 659 #endif 660 #ifdef PT_WCOOKIE 661 case PT_WCOOKIE: 662 wcookie = process_get_wcookie (t); 663 return (copyout(&wcookie, addr, sizeof (register_t))); 664 #endif 665 } 666 667 #ifdef DIAGNOSTIC 668 panic("ptrace: impossible"); 669 #endif 670 return 0; 671 } 672 673 /* 674 * Check if a process is allowed to fiddle with the memory of another. 675 * 676 * p = tracer 677 * tr = tracee 678 * 679 * 1. You can't attach to a process not owned by you or one that has raised 680 * its privileges. 681 * 1a. ...unless you are root. 682 * 683 * 2. init is always off-limits because it can control the securelevel. 684 * 2a. ...unless securelevel is permanently set to insecure. 685 * 686 * 3. Processes that are in the process of doing an exec() are always 687 * off-limits because of the can of worms they are. Just wait a 688 * second. 689 */ 690 int 691 process_checkioperm(struct proc *p, struct process *tr) 692 { 693 int error; 694 695 if ((tr->ps_ucred->cr_ruid != p->p_ucred->cr_ruid || 696 ISSET(tr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) && 697 (error = suser(p, 0)) != 0) 698 return (error); 699 700 if ((tr->ps_pid == 1) && (securelevel > -1)) 701 return (EPERM); 702 703 if (tr->ps_flags & PS_INEXEC) 704 return (EAGAIN); 705 706 return (0); 707 } 708 709 int 710 process_domem(struct proc *curp, struct process *tr, struct uio *uio, int req) 711 { 712 struct vmspace *vm; 713 int error; 714 vaddr_t addr; 715 vsize_t len; 716 717 len = uio->uio_resid; 718 if (len == 0) 719 return 0; 720 721 if ((error = process_checkioperm(curp, tr)) != 0) 722 return error; 723 724 /* XXXCDC: how should locking work here? */ 725 vm = tr->ps_vmspace; 726 if ((tr->ps_flags & PS_EXITING) || (vm->vm_refcnt < 1)) 727 return EFAULT; 728 addr = uio->uio_offset; 729 730 vm->vm_refcnt++; 731 732 error = uvm_io(&vm->vm_map, uio, 733 (uio->uio_rw == UIO_WRITE) ? UVM_IO_FIXPROT : 0); 734 735 uvmspace_free(vm); 736 737 if (error == 0 && req == PT_WRITE_I) 738 pmap_proc_iflush(tr, addr, len); 739 740 return error; 741 } 742 743 int 744 process_auxv_offset(struct proc *curp, struct process *tr, struct uio *uiop) 745 { 746 struct vmspace *vm; 747 struct ps_strings pss; 748 struct iovec iov; 749 struct uio uio; 750 int error; 751 752 iov.iov_base = &pss; 753 iov.iov_len = sizeof(pss); 754 uio.uio_iov = &iov; 755 uio.uio_iovcnt = 1; 756 uio.uio_offset = (off_t)tr->ps_strings; 757 uio.uio_resid = sizeof(pss); 758 uio.uio_segflg = UIO_SYSSPACE; 759 uio.uio_rw = UIO_READ; 760 uio.uio_procp = curp; 761 762 vm = tr->ps_vmspace; 763 if ((tr->ps_flags & PS_EXITING) || (vm->vm_refcnt < 1)) 764 return EFAULT; 765 766 vm->vm_refcnt++; 767 error = uvm_io(&vm->vm_map, &uio, 0); 768 uvmspace_free(vm); 769 770 if (error != 0) 771 return error; 772 773 if (pss.ps_envstr == NULL) 774 return EIO; 775 776 uiop->uio_offset += (off_t)(vaddr_t)(pss.ps_envstr + pss.ps_nenvstr + 1); 777 #ifdef MACHINE_STACK_GROWS_UP 778 if (uiop->uio_offset < (off_t)tr->ps_strings) 779 return EIO; 780 #else 781 if (uiop->uio_offset > (off_t)tr->ps_strings) 782 return EIO; 783 if ((uiop->uio_offset + uiop->uio_resid) > (off_t)tr->ps_strings) 784 uiop->uio_resid = (off_t)tr->ps_strings - uiop->uio_offset; 785 #endif 786 787 return 0; 788 } 789 #endif 790