The branch main has been updated by olce:
URL:
https://cgit.FreeBSD.org/src/commit/?id=fa1cbb02d12055db0584882d586658be643f0949
commit fa1cbb02d12055db0584882d586658be643f0949
Author: Olivier Certner <o...@freebsd.org>
AuthorDate: 2025-08-27 14:28:15 +0000
Commit: Olivier Certner <o...@freebsd.org>
CommitDate: 2025-09-17 12:16:02 +0000
cred: Restore proper checking of effective groups in some security policies
The removal of 'cr_gid' from cr_groups[] as cr_groups[0] made
cr_canseeothergids() skip considering the subject's first supplementary
group, causing the 'security.bsd.see_other_gids' policy to be too
restrictive, and cr_xids_subset() miss a check on the effective GID,
relaxing the "can debug" and "can export KTLS keys" checks.
Fix these policies.
Fixes: be1f7435ef218b1d ("kern: start tracking cr_gid outside of
cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52268
---
sys/kern/kern_prot.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 591994e92e7d..6485254d300d 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1889,7 +1889,7 @@ cr_canseeothergids(struct ucred *u1, struct ucred *u2)
if (realgroupmember(u1->cr_rgid, u2))
return (0);
- for (int i = 1; i < u1->cr_ngroups; i++)
+ for (int i = 0; i < u1->cr_ngroups; i++)
if (realgroupmember(u1->cr_groups[i], u2))
return (0);
@@ -2265,6 +2265,7 @@ cr_xids_subset(struct ucred *active_cred, struct ucred
*obj_cred)
}
}
grpsubset = grpsubset &&
+ groupmember(obj_cred->cr_gid, active_cred) &&
groupmember(obj_cred->cr_rgid, active_cred) &&
groupmember(obj_cred->cr_svgid, active_cred);
