Source-Changes archive


CVS commit: src/sys




To: source-changes%NetBSD.org@localhost

Subject: CVS commit: src/sys

From: "Kamil Rytarowski" <kamil%netbsd.org@localhost>

Date: Sun, 8 Apr 2018 14:46:32 +0000


Module Name:    src
Committed By:   kamil
Date:           Sun Apr  8 14:46:32 UTC 2018

Modified Files:
        src/sys/kern: sys_ptrace_common.c
        src/sys/secmodel/extensions: secmodel_extensions.c

Log Message:
Add new sysctl(3) entry: security.models.extensions.user_set_dbregs

Model this new sysctl(3) entry after "user_set_cpu_affinity" in the same
level of sysctl(3) switches.

Allow reading Debug Registers unconditionally (no change here). This is
convenient as even if a user of a debugger does not use hardware assisted
watchpoints/breakpoints, a debugger can still prompt these values to store
in an internal cache with the context of registers. Reading them should have
no security concerns.

Add a paranoid MI switch that prohibits by default setting these registers
by a regular user (non-superuser). Make this switch disabled by default.
There are enough reserved bits out there to allow using them
unconditionally on hardened hosts.

Features shipped with Debug Registers are optional features in debuggers.
There is no reduction in elementary functionality.

Reviewed by <christos>

Sponsored by <The NetBSD Foundation>


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/sys/kern/sys_ptrace_common.c
cvs rdiff -u -r1.7 -r1.8 src/sys/secmodel/extensions/secmodel_extensions.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
