Page MenuHomeFreeBSD

cred: Restore proper checking of effective groups in some security policies
ClosedPublic

Authored by olce on Aug 29 2025, 11:03 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Jun 30, 9:35 PM
Unknown Object (File)
Tue, Jun 30, 4:13 AM
Unknown Object (File)
Tue, Jun 30, 4:13 AM
Unknown Object (File)
Mon, Jun 29, 5:40 PM
Unknown Object (File)
Sat, Jun 13, 2:58 AM
Unknown Object (File)
May 23 2026, 3:09 PM
Unknown Object (File)
May 21 2026, 11:43 AM
Unknown Object (File)
May 20 2026, 5:28 AM
Subscribers

Details

Summary

The removal of 'cr_gid' from cr_groups[] as cr_groups[0] made
cr_canseeothergids() skip considering the subject's first supplementary
group, causing the 'security.bsd.see_other_gids' policy to be too
restrictive, and cr_xids_subset() miss a check on the effective GID,
relaxing the "can debug" and "can export KTLS keys" checks.

Fix these policies.

Fixes: be1f7435ef218b1d ("kern: start tracking cr_gid outside of cr_groups[]")
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable