Created attachment 214280
Decrease the procstat fd access restriction to PGET_CANSEE
Currently "procstat fd [pid]" cannot view anything, even for other processes owned by the user making the call, not even their current working directory (CWD), unless it has PGET_CANDEBUG permission.
linprocfs however allows reading the CWD for any process because it doesn't perform that check (sys/compat/linprocfs/linprocfs.c, function linprocfs_doproccwd()).
Applications use this, e.g. xfce4-terminal relies on /compat/linux/proc/<pid>/cwd to find the shell's CWD, so that when you open a new tab, it starts in the same CWD as the tab you opened it from (https://github.com/xfce-mirror/xfce4-terminal/blob/master/terminal/terminal-screen.c#L2343). I would like to patch xfce4-terminal to use libprocstat for that instead of needing linprocfs to be mounted, but since procstat is more restrictive, it will break it.
Can we please downgrade PGET_CANDEBUG to at least PGET_CANSEE, so you can view the CWD for processes you own? Maybe other open files still need to be hidden, but the CWD doesn't seem like a major security concern.
Linux's own /proc filesystem never hides the CWD (lrwxrwxrwx), and only hides file descriptors for processes you don't own.
The attached patch decreases the access restriction to PGET_CANSEE, and works as intended in my tests.
Why is PGET_CANDEBUG a problem?
(In reply to Conrad Meyer from comment #1)
Indeed, I can't quite understand why PGET_CANDEBUG is a problem.
Can you see exactly what check is failing? Does xfce4-terminal run as a different user than the shell?
(In reply to Mark Johnston from comment #2)
xfce4-terminal runs child shells as the same user, but PGET_CANDEBUG doesn't allow reading even the same user's file descriptors when security.bsd.unprivileged_proc_debug=0.
It really should be PGET_CANSEE, as you should be able to see your user's/group's processes and examine their file descriptors, like you can on Linux.
I think you've identified the problem: don't set security.bsd.unprivileged_proc_debug if you want this functionality to work. The point of that sysctl is to disable functionality like this.