git: de701f9bdbe0 - main - MAC/do: Apply a rule on real UID/GID instead of effective ones

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=de701f9bdbe0ede691a0439d1c469082b94fe234

commit de701f9bdbe0ede691a0439d1c469082b94fe234
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2024-11-29 14:39:17 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2024-12-16 14:42:40 +0000

    MAC/do: Apply a rule on real UID/GID instead of effective ones
    
    We intend MAC/do to authorize transitions based on the "real" identity
    information of the calling process, rather than transiently-acquired
    effective IDs.
    
    Reviewed by:    bapt
    Approved by:    markj (mentor)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D47845
---
 sys/security/mac_do/mac_do.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index 44c33d7cfa57..7ec34b20c882 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -1906,9 +1906,9 @@ rule_grant_setcred(const struct rule *const rule,
 static bool
 rule_applies(const struct rule *const rule, const struct ucred *const cred)
 {
-	if (rule->from_type == IT_UID && rule->from_id == cred->cr_uid)
+	if (rule->from_type == IT_UID && rule->from_id == cred->cr_ruid)
 		return (true);
-	if (rule->from_type == IT_GID && groupmember(rule->from_id, cred))
+	if (rule->from_type == IT_GID && realgroupmember(rule->from_id, cred))
 		return (true);
 	return (false);
 }