The branch main has been updated by olce:
URL:
https://cgit.FreeBSD.org/src/commit/?id=f75d0dc533923345c653dcdcd5ebd1e53377a7c5
commit f75d0dc533923345c653dcdcd5ebd1e53377a7c5
Author: Olivier Certner <o...@freebsd.org>
AuthorDate: 2025-08-27 16:53:14 +0000
Commit: Olivier Certner <o...@freebsd.org>
CommitDate: 2025-09-17 12:16:03 +0000
cr_canseeothergids(): Make the logic easier to grasp
Invert the initial test on whether the policy is in force so that, if
there are no restrictions, the function bails out early, allowing to
de-indent the rest of the code and have it finish with a non-zero (deny)
'return'.
No functional change (intended).
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52272
---
sys/kern/kern_prot.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 6485254d300d..a4c5bcc52529 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1885,19 +1885,22 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids,
CTLFLAG_RW,
static int
cr_canseeothergids(struct ucred *u1, struct ucred *u2)
{
- if (!see_other_gids) {
- if (realgroupmember(u1->cr_rgid, u2))
- return (0);
+ if (see_other_gids)
+ return (0);
- for (int i = 0; i < u1->cr_ngroups; i++)
- if (realgroupmember(u1->cr_groups[i], u2))
- return (0);
+ /* Restriction in force. */
- if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
- return (ESRCH);
- }
+ if (realgroupmember(u1->cr_rgid, u2))
+ return (0);
- return (0);
+ for (int i = 0; i < u1->cr_ngroups; i++)
+ if (realgroupmember(u1->cr_groups[i], u2))
+ return (0);
+
+ if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0)
+ return (0);
+
+ return (ESRCH);
}
/*
