NAME
p_candebug - determine debuggability of a process
SYNOPSIS
#include <sys/param.h>
#include <sys/proc.h>
int
p_candebug(struct thread *td, struct proc *p);
DESCRIPTION
This function can be used to determine if a given process p is debuggable
by the thread td.
SYSCTL VARIABLES
The following sysctl(8) variables directly influence the behaviour of
p_candebug():
kern.securelevel
Debugging of the init process is not allowed if this variable is
1 or greater.
security.bsd.unprivileged_proc_debug
Must be set to a non-zero value to allow unprivileged processes
access to the kernel’s debug facilities.
RETURN VALUES
The p_candebug() function returns 0 if the process denoted by p is
debuggable by thread td, or a non-zero error return value otherwise.
ERRORS
[EACCESS] The MAC subsystem denied debuggability.
[EAGAIN] Process p is in the process of being exec()’ed.
[EPERM] Thread td lacks super-user credentials and process p
is executing a set-user-ID or set-group-ID executable.
[EPERM] Thread td lacks super-user credentials and process p’s
group set is not a subset of td’s effective group set.
[EPERM] Thread td lacks super-user credentials and process p’s
user IDs do not match thread td’s effective user ID.
[EPERM] Process p denotes the initial process initproc() and
the sysctl(8) variable kern.securelevel is greater
than zero.
[ESRCH] Process p is not visible to thread td as determined by
cr_seeotheruids(9) or cr_seeothergids(9).
[ESRCH] Thread td has been jailed and process p does not
belong to the same jail as td.
[ESRCH] The MAC subsystem denied debuggability.
SEE ALSO
jail(2), sysctl(8), cr_seeothergids(9), cr_seeotheruids(9), mac(9),
p_cansee(9), prison_check(9)