NAME¶
p_candebug
—
determine debuggability of a process
SYNOPSIS¶
#include
<sys/param.h>
#include
<sys/proc.h>
int
p_candebug
(
struct
thread *td,
struct proc *p);
DESCRIPTION¶
This function can be used to determine if a given process
p is debuggable by the thread
td.
SYSCTL VARIABLES¶
The following
sysctl(8) variables directly
influence the behaviour of
p_candebug
():
- kern.securelevel
- Debugging of the init process is not allowed if this variable is
1
or greater.
- security.bsd.unprivileged_proc_debug
- Must be set to a non-zero value to allow unprivileged processes access to
the kernel's debug facilities.
RETURN VALUES¶
The
p_candebug
() function returns
0
if the process denoted by
p is debuggable by thread
td, or a non-zero error return value
otherwise.
ERRORS¶
- [
EACCESS
]
- The MAC subsystem denied debuggability.
- [
EAGAIN
]
- Process p is in the process of being
exec
()'ed.
- [
EPERM
]
- Thread td lacks super-user credentials
and process p is executing a set-user-ID
or set-group-ID executable.
- [
EPERM
]
- Thread td lacks super-user credentials
and process p's group set is not a subset
of td's effective group set.
- [
EPERM
]
- Thread td lacks super-user credentials
and process p's user IDs do not match
thread td's effective user ID.
- [
EPERM
]
- Process p denotes the initial process
initproc
() and the
sysctl(8) variable
kern.securelevel is greater than
zero.
- [
ESRCH
]
- Process p is not visible to thread
td as determined by
cr_seeotheruids(9) or
cr_seeothergids(9).
- [
ESRCH
]
- Thread td has been jailed and process
p does not belong to the same jail as
td.
- [
ESRCH
]
- The MAC subsystem denied debuggability.
SEE ALSO¶
jail(2),
sysctl(8),
cr_seeothergids(9),
cr_seeotheruids(9),
mac(9),
p_cansee(9),
prison_check(9)