mac_seeotheruids: allow specificgid to be a list of groups

The specificgid functionality has historically allowed only a single
group to be exempt, but in practice one might want a few services to
be exempt for reasons.  From a security perspective, we probably don't
want to encourage unrelated users to be grouped together solely for
this purpose, as that creates one point of shared access that could be
used for nefarious purposes.

Normalize the group list as we do cr_groups to allow for linear matching
rather than quadratic; we just need to account for the differences in
FreeBSD 15.0+, where cr_groups is entirely supplementary groups, vs.
earlier versions, where cr_groups[0] is the egid and the rest is
sorted.

Reviewed by:	csjp, des (earlier version)
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D56592
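As an added illustration (not the commit's own kernel code), the normalized-list matching the message describes: sort and dedupe the exemption list once, then walk it against the credential's sorted groups in one linear pass. The `struct cred_groups` and its `egid_first` flag are assumptions standing in for the two cr_groups layouts named above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical stand-in for a credential's group list (not the kernel's struct). */
struct cred_groups {
    gid_t *groups;
    int ngroups;
    bool egid_first;  /* pre-15.0 layout: groups[0] is the egid, the rest is sorted */
};

static int gid_cmp(const void *a, const void *b) {
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Sort and dedupe an administrator-supplied exemption list in place; returns new length. */
size_t normalize_gids(gid_t *gids, size_t n) {
    if (n == 0) return 0;
    qsort(gids, n, sizeof(gid_t), gid_cmp);
    size_t w = 1;
    for (size_t r = 1; r < n; r++)
        if (gids[r] != gids[w - 1]) gids[w++] = gids[r];
    return w;
}

/* Linear merge over two sorted arrays: true if they share any gid. */
static bool sorted_intersect(const gid_t *a, size_t na, const gid_t *b, size_t nb) {
    size_t i = 0, j = 0;
    while (i < na && j < nb) {
        if (a[i] == b[j]) return true;
        if (a[i] < b[j]) i++; else j++;
    }
    return false;
}

/* Is the credential a member of any group in the normalized exemption list? */
bool cred_in_exempt_gids(const struct cred_groups *cr, const gid_t *exempt, size_t nexempt) {
    const gid_t *sorted = cr->groups;
    int nsorted = cr->ngroups;
    if (cr->egid_first && nsorted > 0) {
        /* groups[0] is the egid and sits outside the sorted run: check it on its own. */
        if (bsearch(&cr->groups[0], exempt, nexempt, sizeof(gid_t), gid_cmp) != NULL)
            return true;
        sorted++;
        nsorted--;
    }
    return sorted_intersect(sorted, (size_t)nsorted, exempt, nexempt);
}
```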
Kyle Evans
2026-02-28 21:42:25 -06:00
parent a46205a100
commit b675ff8eed
2 changed files with 166 additions and 12 deletions
+2 -2
@@ -28,7 +28,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd July 25, 2015
.Dd Februrary 26, 2026
.Dt MAC_SEEOTHERUIDS 4
.Os
.Sh NAME
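Review bot: the new `.Dd` line misspells the month as "Februrary"; it should read `.Dd February 26, 2026` so the manual page's date renders correctly.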
@@ -80,7 +80,7 @@ set the sysctl OID
.Va security.mac.seeotheruids.specificgid_enabled
to 1, and
.Va security.mac.seeotheruids.specificgid
to the group ID to be exempted.
to the list of group IDs to be exempted.
.Ss Label Format
No labels are defined for
.Nm .
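Review bot: the reworded sentence "to the list of group IDs to be exempted" leaves the list syntax undocumented; since `security.mac.seeotheruids.specificgid` now accepts several groups, the manual page should state the separator used (comma, space, or otherwise), any limit on the number of entries, and whether invalid or duplicate entries are rejected when the sysctl is set.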