Date: Mon, 16 Dec 2024 14:46:16 GMT From: Olivier Certner <olce@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: de701f9bdbe0 - main - MAC/do: Apply a rule on real UID/GID instead of effective ones Message-ID: <202412161446.4BGEkGX8054345@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=de701f9bdbe0ede691a0439d1c469082b94fe234 commit de701f9bdbe0ede691a0439d1c469082b94fe234 Author: Olivier Certner <olce@FreeBSD.org> AuthorDate: 2024-11-29 14:39:17 +0000 Commit: Olivier Certner <olce@FreeBSD.org> CommitDate: 2024-12-16 14:42:40 +0000 MAC/do: Apply a rule on real UID/GID instead of effective ones We intend MAC/do to authorize transitions based on the "real" identity information of the calling process, rather than transiently-acquired effective IDs. Reviewed by: bapt Approved by: markj (mentor) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D47845 --- sys/security/mac_do/mac_do.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index 44c33d7cfa57..7ec34b20c882 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -1906,9 +1906,9 @@ rule_grant_setcred(const struct rule *const rule, static bool rule_applies(const struct rule *const rule, const struct ucred *const cred) { - if (rule->from_type == IT_UID && rule->from_id == cred->cr_uid) + if (rule->from_type == IT_UID && rule->from_id == cred->cr_ruid) return (true); - if (rule->from_type == IT_GID && groupmember(rule->from_id, cred)) + if (rule->from_type == IT_GID && realgroupmember(rule->from_id, cred)) return (true); return (false); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202412161446.4BGEkGX8054345>