git: 0d836d126129 - stable/15 - cred: Restore proper checking of effective groups in some security policies
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 23 Sep 2025 12:03:33 UTC
The branch stable/15 has been updated by olce:
URL: https://cgit.FreeBSD.org/src/commit/?id=0d836d126129dad5c29acf920d5d820520d4476e
commit 0d836d126129dad5c29acf920d5d820520d4476e
Author: Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2025-08-27 14:28:15 +0000
Commit: Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-09-23 12:02:42 +0000
cred: Restore proper checking of effective groups in some security policies
The removal of 'cr_gid' from cr_groups[] as cr_groups[0] made
cr_canseeothergids() skip considering the subject's first supplementary
group, causing the 'security.bsd.see_other_gids' policy to be too
restrictive, and cr_xids_subset() miss a check on the effective GID,
relaxing the "can debug" and "can export KTLS keys" checks.
Fix these policies.
Fixes: be1f7435ef218b1d ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52268
(cherry picked from commit fa1cbb02d12055db0584882d586658be643f0949)
---
sys/kern/kern_prot.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 591994e92e7d..6485254d300d 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1889,7 +1889,7 @@ cr_canseeothergids(struct ucred *u1, struct ucred *u2)
if (realgroupmember(u1->cr_rgid, u2))
return (0);
- for (int i = 1; i < u1->cr_ngroups; i++)
+ for (int i = 0; i < u1->cr_ngroups; i++)
if (realgroupmember(u1->cr_groups[i], u2))
return (0);
@@ -2265,6 +2265,7 @@ cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred)
}
}
grpsubset = grpsubset &&
+ groupmember(obj_cred->cr_gid, active_cred) &&
groupmember(obj_cred->cr_rgid, active_cred) &&
groupmember(obj_cred->cr_svgid, active_cred);