author | 2002-04-10 17:31:59 +0000 | |
---|---|---|
committer | 2002-04-10 17:31:59 +0000 | |
commit | e9ea4dbc942b3ccfd56895dce556ed5c274f03bf (patch) | |
tree | 987d9c63ef1b5ed42fdbaa40eeb38b3374e30916 | |
parent | If the IP header length is zero, the packet will loop in ip_print(). (diff) | |
don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.
-rw-r--r-- | lib/libc/sys/ptrace.2 | 6 | ||||
-rw-r--r-- | sys/kern/sys_process.c | 14 |
2 files changed, 15 insertions, 5 deletions
diff --git a/lib/libc/sys/ptrace.2 b/lib/libc/sys/ptrace.2
index 1229e0b865b..7152f1c8ae0 100644
--- a/lib/libc/sys/ptrace.2
+++ b/lib/libc/sys/ptrace.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ptrace.2,v 1.10 2002/03/12 14:38:12 art Exp $
+.\" $OpenBSD: ptrace.2,v 1.11 2002/04/10 17:31:59 fgsch Exp $
 .\" $NetBSD: ptrace.2,v 1.3 1996/02/23 01:39:41 jtc Exp $
 .\"
 .\" This file is in the public domain.
@@ -434,6 +434,10 @@ An attempt was made to use
 on a process in violation of the requirements listed under
 .Dv PT_ATTACH
 above.
+.It
+An attempt was made to use
+.Dv PT_ATTACH
+on a system process.
 .El
 .El
 .Sh BUGS
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index 562fe227661..2921ef101f9 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sys_process.c,v 1.21 2002/03/12 14:37:40 art Exp $ */
+/* $OpenBSD: sys_process.c,v 1.22 2002/04/10 17:31:59 fgsch Exp $ */
 /* $NetBSD: sys_process.c,v 1.55 1996/05/15 06:17:47 tls Exp $ */
 
 /*-
@@ -121,13 +121,19 @@ sys_ptrace(p, v, retval)
 return (EINVAL);
 
 /*
- * (2) it's already being traced, or
+ * (2) it's a system process
+ */
+ if (ISSET(t->p_flag, P_SYSTEM))
+ return (EPERM);
+
+ /*
+ * (3) it's already being traced, or
 */
 if (ISSET(t->p_flag, P_TRACED))
 return (EBUSY);
 
 /*
- * (3) it's not owned by you, or the last exec
+ * (4) it's not owned by you, or the last exec
 * gave us setuid/setgid privs (unless
 * you're root), or...
 *
@@ -143,7 +149,7 @@ sys_ptrace(p, v, retval)
 return (error);
 
 /*
- * (4) ...it's init, which controls the security level
+ * (5) ...it's init, which controls the security level
 * of the entire system, and the system was not
 * compiled with permanently insecure mode turned
 * on.
|
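Review bot: The comment on the new check (2) in sys_ptrace() (hunk at -121,13) gives no reason for the refusal and does not say that it binds the superuser too. The test sits ahead of the ownership check in (4), which carries an "unless you're root" exemption, and ahead of the init check in (5), which depends on how the kernel was built, so a later reader could mistake the missing exemption for an oversight. I would expand the comment along the lines of `(2) it's a system process (P_SYSTEM); refused unconditionally, root included`, with a short clause giving the rationale once the author confirms it. As far as the hunk shows, the check guards only the attach request; whether other kernel paths that read or write a process's memory or registers reject P_SYSTEM targets the same way is not visible here and is worth confirming. The body of sys_ptrace() starts and ends outside the hunk.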