mac_seeotheruids: allow specificgid to be a list of groupsHEADmain

The specificgid functionality has historically allowed only a single
group to be exempt, but in practice one might want a few services to
be exempt for reasons.  From a security perspective, we probably don't
want to encourage unrelated users to be grouped together solely for
this purpose, as that creates one point of shared access that could be
used for nefarious purposes.

Normalize the group list as we do cr_groups to allow for linear matching
rather than quadratic, we just need to account for the differences in
FreeBSD 15.0+ where cr_groups is entirely supplementary groups vs.
earlier versions, where cr_groups[0] is the egid and the rest is
sorted.

Reviewed by:	csjp, des (earlier version)
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D56592

0 files changed, 0 insertions, 0 deletions