
cred: Restore proper checking of effective groups in some security policies
Closed, Public

Authored by olce on Aug 29 2025, 11:03 PM.

Details

Summary

The removal of 'cr_gid' from cr_groups[] as cr_groups[0] made
cr_canseeothergids() skip considering the subject's first supplementary
group, causing the 'security.bsd.see_other_gids' policy to be too
restrictive, and cr_xids_subset() miss a check on the effective GID,
relaxing the "can debug" and "can export KTLS keys" checks.

Fix these policies.

Fixes: be1f7435ef218b1d ("kern: start tracking cr_gid outside of cr_groups[]")
Sponsored by: The FreeBSD Foundation
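
The two regressions described in the summary, reproduced in a simplified user-space model. This is an added example, not the FreeBSD kernel code or the patch under review; `struct mcred`, `can_see()`, `gids_subset()` and the loop shapes are assumptions, and the sample credentials are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model, not the kernel's struct ucred: the effective
 * GID has its own field and groups[] holds supplementary groups only. */
struct mcred {
    unsigned egid;       /* role of cr_gid */
    size_t ngroups;
    unsigned groups[4];  /* role of cr_groups[] */
};

/* Membership: any supplementary group or the effective GID. */
static bool is_member(unsigned gid, const struct mcred *c)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return gid == c->egid;
}

/* Visibility: s sees o if they share a group. first = 1 is the assumed
 * stale loop that still treats slot 0 as the effective GID. */
static bool can_see(const struct mcred *s, const struct mcred *o, size_t first)
{
    for (size_t i = first; i < s->ngroups; i++)
        if (is_member(s->groups[i], o))
            return true;
    return is_member(s->egid, o);
}

/* Subset: all of o's groups held by s. check_egid = false: missed check. */
static bool gids_subset(const struct mcred *s, const struct mcred *o, bool check_egid)
{
    for (size_t i = 0; i < o->ngroups; i++)
        if (!is_member(o->groups[i], s))
            return false;
    return !check_egid || is_member(o->egid, s);
}

/* Constructed sample credentials: { egid, ngroups, { groups } }. */
static const struct mcred subj = { 100, 2, { 200, 300 } };
static const struct mcred peer = { 500, 1, { 200 } };  /* shares only 200 */
static const struct mcred priv = { 0, 1, { 200 } };    /* egid 0 not held by subj */

int main(void)
{
    printf("see: stale=%d fixed=%d\n", can_see(&subj, &peer, 1), can_see(&subj, &peer, 0));
    printf("subset: stale=%d fixed=%d\n", gids_subset(&subj, &priv, false), gids_subset(&subj, &priv, true));
    return 0;
}
```

In the model, the stale visibility check denies a peer that shares only the subject's first supplementary group (too restrictive), while the stale subset check accepts an object whose effective GID the subject does not hold (too permissive).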

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Skipped
Unit: Tests Skipped
Build Status: Buildable 66671
Build 63554: arc lint + arc unit