The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=7bab0263aafef686e8ca22e28bb0604cf9372f5d
commit 7bab0263aafef686e8ca22e28bb0604cf9372f5d Author: Olivier Certner <[email protected]> AuthorDate: 2025-08-27 16:53:14 +0000 Commit: Olivier Certner <[email protected]> CommitDate: 2025-09-23 12:02:43 +0000 cr_canseeothergids(): Make the logic easier to grasp Invert the initial test on whether the policy is in force so that, if there are no restrictions, the function bails out early, allowing to de-indent the rest of the code and have it finish with a non-zero (deny) 'return'. No functional change (intended). MFC after: 5 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D52272 (cherry picked from commit f75d0dc533923345c653dcdcd5ebd1e53377a7c5) --- sys/kern/kern_prot.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 6485254d300d..a4c5bcc52529 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1885,19 +1885,22 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, static int cr_canseeothergids(struct ucred *u1, struct ucred *u2) { - if (!see_other_gids) { - if (realgroupmember(u1->cr_rgid, u2)) - return (0); + if (see_other_gids) + return (0); - for (int i = 0; i < u1->cr_ngroups; i++) - if (realgroupmember(u1->cr_groups[i], u2)) - return (0); + /* Restriction in force. */ - if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) - return (ESRCH); - } + if (realgroupmember(u1->cr_rgid, u2)) + return (0); - return (0); + for (int i = 0; i < u1->cr_ngroups; i++) + if (realgroupmember(u1->cr_groups[i], u2)) + return (0); + + if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0) + return (0); + + return (ESRCH); } /*
