cred: Restore proper checking of effective groups in some security policies

The removal of 'cr_gid' from cr_groups[] as cr_groups[0] made
cr_canseeothergids() skip considering the subject's first supplementary
group, causing the 'security.bsd.see_other_gids' policy to be too
restrictive, and cr_xids_subset() miss a check on the effective GID,
relaxing the "can debug" and "can export KTLS keys" checks.

Fix these policies.

Fixes:          be1f7435ef218b1d ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after:      5 days
MFC to:         stable/15
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D52268

1 files changed, 2 insertions, 1 deletions

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 591994e92e7d..6485254d300d 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1889,7 +1889,7 @@ cr_canseeothergids(struct ucred *u1, struct ucred *u2)
 		if (realgroupmember(u1->cr_rgid, u2))
 			return (0);
 
-		for (int i = 1; i < u1->cr_ngroups; i++)
+		for (int i = 0; i < u1->cr_ngroups; i++)
 			if (realgroupmember(u1->cr_groups[i], u2))
 				return (0);
 
@@ -2265,6 +2265,7 @@ cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred)
 		}
 	}
 	grpsubset = grpsubset &&
+	    groupmember(obj_cred->cr_gid, active_cred) &&
 	    groupmember(obj_cred->cr_rgid, active_cred) &&
 	    groupmember(obj_cred->cr_svgid, active_cred);