cred: Restore proper checking of effective groups in some security policies
The removal of 'cr_gid' from cr_groups[] as cr_groups[0] made
cr_canseeothergids() skip considering the subject's first supplementary
group, causing the 'security.bsd.see_other_gids' policy to be too
restrictive, and cr_xids_subset() miss a check on the effective GID,
relaxing the "can debug" and "can export KTLS keys" checks.
Fix these policies.
Fixes: be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52268
This commit is contained in:
@@ -1889,7 +1889,7 @@ cr_canseeothergids(struct ucred *u1, struct ucred *u2)
|
||||
if (realgroupmember(u1->cr_rgid, u2))
|
||||
return (0);
|
||||
|
||||
for (int i = 1; i < u1->cr_ngroups; i++)
|
||||
for (int i = 0; i < u1->cr_ngroups; i++)
|
||||
if (realgroupmember(u1->cr_groups[i], u2))
|
||||
return (0);
|
||||
|
||||
@@ -2265,6 +2265,7 @@ cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred)
|
||||
}
|
||||
}
|
||||
grpsubset = grpsubset &&
|
||||
groupmember(obj_cred->cr_gid, active_cred) &&
|
||||
groupmember(obj_cred->cr_rgid, active_cred) &&
|
||||
groupmember(obj_cred->cr_svgid, active_cred);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user