Turn the ptrace(2) syscall into a kernel compile option, option PTRACE in

your kernel configuration file.
By default, GENERIC will enable this.

When PTRACE is not enabled, several ptrace-like features of the procfs
filesystem will be disabled as well (namely, the ability to read and write
any process' registers, as well as attching, single stepping and detaching
to/from processes).

This should help paranoid people build better sandboxens, and us to build
smaller ramdisks.

1 files changed, 3 insertions, 1 deletions

diff --git a/sys/miscfs/procfs/procfs_subr.c b/sys/miscfs/procfs/procfs_subr.c
index 9d0f1c9fb5a..0ec024a1698 100644
--- a/sys/miscfs/procfs/procfs_subr.c
+++ b/sys/miscfs/procfs/procfs_subr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: procfs_subr.c,v 1.16 2002/01/30 20:29:44 nordin Exp $	*/
+/*	$OpenBSD: procfs_subr.c,v 1.17 2002/03/14 00:42:25 miod Exp $	*/
 /*	$NetBSD: procfs_subr.c,v 1.15 1996/02/12 15:01:42 christos Exp $	*/
 
 /*
@@ -223,11 +223,13 @@ procfs_rw(v)
 	case Pnotepg:
 		return (procfs_donote(curp, p, pfs, uio));
 
+#ifdef PTRACE
 	case Pregs:
 		return (procfs_doregs(curp, p, pfs, uio));
 
 	case Pfpregs:
 		return (procfs_dofpregs(curp, p, pfs, uio));
+#endif
 
 	case Pctl:
 		return (procfs_doctl(curp, p, pfs, uio));