NAME
p_candebug —
determine debuggability of a
process
SYNOPSIS
#include
<sys/param.h>
#include <sys/proc.h>
int
p_candebug(struct
thread *td, struct proc
*p);
DESCRIPTION
This function determines if a given process p is debuggable by some thread td.
The following
sysctl(8) variables directly influence the behaviour of
p_candebug():
- security.bsd.unprivileged_proc_debug
- Must be set to a non-zero value to allow unprivileged processes access to the kernel's debug facilities.
- kern.securelevel
- Debugging of the init process is not allowed if this variable is
1or greater.
Other such variables indirectly influence it; see cr_bsd_visible(9).
RETURN VALUES
The p_candebug() function returns
0 if the process denoted by p
is debuggable by thread td, or a non-zero error return
value otherwise.
ERRORS
- [
EPERM] - An unprivileged process attempted to debug another process but the system is configured to deny it (see sysctl(8) variable security.bsd.unprivileged_proc_debug above).
- [
ESRCH] - Thread td has been jailed and the process to debug does not belong to the same jail or one of its sub-jails, as determined by prison_check(9).
- [
ESRCH] - cr_bsd_visible(9) denied visibility according to the BSD security policies in force.
- [
EPERM] - Thread td lacks superuser credentials and its (effective) group set is not a superset of process p's whole group set (including real, effective and saved group IDs).
- [
EPERM] - Thread td lacks superuser credentials and its (effective) user ID does not match all user IDs of process p.
- [
EPERM] - Thread td lacks superuser credentials and process p is executing a set-user-ID or set-group-ID executable.
- [
EPERM] - Process p denotes the initial process
initproc() and the sysctl(8) variable kern.securelevel is greater than zero. - [
EBUSY] - Process p is in the process of being
exec()'ed. - [
EPERM] - Process p denied debuggability (see
procctl(2), command
PROC_TRACE_CTL).
SEE ALSO
procctl(2), cr_bsd_visible(9), mac(9), p_cansee(9), prison_check(9)