MAC/do: allow to call setuid if real user id is 0

This fixes sshd being unable to call restore_uid when the MAC/do policy
is loaded.
Baptiste Daroussin
2024-05-23 12:09:11 +02:00
parent 56a8aca83a
commit 61b07f8aa5
+1 -1
@@ -489,7 +489,7 @@ check_setuid(struct ucred *cred, uid_t uid)
if (do_enabled == 0)
return (0);
if (cred->cr_uid == uid || cred->cr_uid == 0)
if (cred->cr_uid == uid || cred->cr_uid == 0 || cred->cr_ruid == 0)
return (0);
if (vn_fullpath(curproc->p_textvp, &fullpath, &freebuf) != 0)
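Review bot: The added `cred->cr_ruid == 0` clause in the early-return test exempts every credential whose real uid is 0 from the MAC/do policy for any target `uid`, and the code carries no comment saying why that is acceptable. If the intent is only to let a process that temporarily dropped its effective uid (the sshd restore_uid case from the commit message) return to root, a narrower test such as `(cred->cr_ruid == 0 && uid == 0)` would cover it; otherwise add a comment like `/* real uid 0: effective uid was only dropped temporarily; defer to the base setuid checks */`. Whether the base credential checks still run after this hook returns 0 is not visible here, since check_setuid begins before and continues after the hunk.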