cred: Restore proper checking of effective groups in some security policies

The removal of 'cr_gid' from cr_groups[] as cr_groups[0] made
cr_canseeothergids() skip considering the subject's first supplementary
group, causing the 'security.bsd.see_other_gids' policy to be too
restrictive, and cr_xids_subset() miss a check on the effective GID,
relaxing the "can debug" and "can export KTLS keys" checks.

Fix these policies.

Fixes:          be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after:      5 days
MFC to:         stable/15
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D52268
This commit is contained in:
Olivier Certner
2025-08-27 16:28:15 +02:00
parent 30193fce43
commit fa1cbb02d1
+2 -1
View File
@@ -1889,7 +1889,7 @@ cr_canseeothergids(struct ucred *u1, struct ucred *u2)
if (realgroupmember(u1->cr_rgid, u2))
return (0);
for (int i = 1; i < u1->cr_ngroups; i++)
for (int i = 0; i < u1->cr_ngroups; i++)
if (realgroupmember(u1->cr_groups[i], u2))
return (0);
@@ -2265,6 +2265,7 @@ cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred)
}
}
grpsubset = grpsubset &&
groupmember(obj_cred->cr_gid, active_cred) &&
groupmember(obj_cred->cr_rgid, active_cred) &&
groupmember(obj_cred->cr_svgid, active_cred);