git: 7937bfbc0ca5 - main - mac_do(4): Enhance GID rule validation to check all groups in cr_groups
Date: Mon, 28 Oct 2024 18:58:29 UTC
The branch main has been updated by lwhsu: URL: https://cgit.FreeBSD.org/src/commit/?id=7937bfbc0ca53fe7cdd0d54414f9296e273a518e commit 7937bfbc0ca53fe7cdd0d54414f9296e273a518e Author: Li-Wen Hsu <lwhsu@FreeBSD.org> AuthorDate: 2024-10-28 18:58:12 +0000 Commit: Li-Wen Hsu <lwhsu@FreeBSD.org> CommitDate: 2024-10-28 18:58:12 +0000 mac_do(4): Enhance GID rule validation to check all groups in cr_groups Previously, the rule validation only checked the primary GID (cr_gid). This caused issues when applying GID-based rules, as users with matching secondary groups were not considered valid. This patch modifies both functions to iterate through all groups in cr_groups to ensure all group memberships are considered when validating GID-based rules. For example, a user's primary group is staff (20) and they are also in the wheel (0) group, this change allows the rule gid=0:any to enable them to run commands as any user. Reviewed by: delphij (earlier version), bapt Differential Revision: https://reviews.freebsd.org/D47304 --- sys/security/mac_do/mac_do.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index 507e64ea0175..1aad37f549bc 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -411,7 +411,7 @@ rule_is_valid(struct ucred *cred, struct rule *r) { if (r->from_type == RULE_UID && r->f_uid == cred->cr_uid) return (true); - if (r->from_type == RULE_GID && r->f_gid == cred->cr_gid) + if (r->from_type == RULE_GID && groupmember(r->f_gid, cred)) return (true); return (false); } @@ -516,7 +516,7 @@ check_setuid(struct ucred *cred, uid_t uid) } } if (r->from_type == RULE_GID) { - if (cred->cr_gid != r->f_gid) + if (!groupmember(r->f_gid, cred)) continue; if (r->to_type == RULE_ANY) { error = 0;
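Review bot: In rule_is_valid() (hunk at -411,7), switching from `r->f_gid == cred->cr_gid` to `groupmember(r->f_gid, cred)` widens the set of credentials a GID rule matches, yet the diffstat shows only sys/security/mac_do/mac_do.c changed, so no documentation update accompanies the new semantics. Suggest stating in the mac_do(4) documentation that a gid= rule now matches on any group in the credential, not only the primary GID. With the commit message's own example, an existing gid=0:any rule starts applying to every user who has wheel as a secondary group, so administrators need a prompt to re-audit rule sets written under the old behaviour.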
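Review bot: In check_setuid() (hunk at -516,7), `if (!groupmember(r->f_gid, cred))` duplicates the membership predicate that rule_is_valid() now uses, leaving two call sites that must be kept in step by hand. Suggest moving the "does this rule's source match this credential" test into one small static helper taking cred and r, called from both functions, so a later change to the matching semantics cannot leave validation and enforcement disagreeing. A short comment at the helper noting that the match covers all of the credential's groups would also help, since the commit message describes iterating cr_groups while the code delegates that to groupmember().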