MFC r292530,r292546:

r292530:

- Use 1 for an exit code instead of -1 with err, errx, and exit
- Add unistd.h for getuid(3)
- Sort #includes

r292546:

- Convert testcase to TAP format
- Use nitems(x) instead of handrolled sizeof(x) / sizeof(*x) macro
- Do not mark count != 0 case with bsde_get_rule_count as a failure; this
generates false positives on systems with ugidfw rules set on it

MFC r292531,r292532,r292533,r292545:

r292531:

Make test_matches.sh into a series of TAP testcases

Use temporary filesystems / memory disks instead of a hardcoded path
which doesn't exist on test systems

r292532:

Mark `subject matching jailid` testcase as an unexpected failure with
TODO to ensure that the testcase isn't marked as a failure

PR: 205481

r292533:

Skip the testcases if mac_bsdextended(4) isn't detected on the
system

r292545:

Redo the TAP integration so it works with Kyua

Kyua needs numbers in the TAP results :/, but prove doesn't

MFC r292569:

Make the mac_portacl testcases work / more robust

- A trap(1) call has been added to the test scripts to better
ensure that the tests do a better job at trying to restore the
test host state at the end of the tests (if the test was
interrupted before it would leave the system in an odd state,
potentially making the test results for subsequent runs
non-deterministic).
- Add root user checks
- Fix nc(1) usage:
-- -o is deprecated
-- Using `-w 10` will make the call timeout after 10 seconds so it
doesn't block indefinitely
- Use local variables
- Be more terse in the error messages
- Parameterize out "127.0.0.1"

Sponsored by: EMC / Isilon Storage Division

MFC r291982:

Skip the MAC portacl tests if MAC_PORTACL support is missing instead of
marking them failed

Sponsored by: EMC / Isilon Storage Division

MFC r264400,r265836:

r264400:

NO_MAN= has been deprecated in favor of MAN= for some time, go ahead
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.

r265836:

Remove last two NO_MAN= in the tree. In both of these cases, MAN= is
what is needed.

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Oops. Correct comment in the LICENSE file.

Regression tests for mac_portacl(4).

Add some new options to mac_bsdestended. We can now match on:

subject: ranges of uid, ranges of gid, jail id
objects: ranges of uid, ranges of gid, filesystem,
object is suid, object is sgid, object matches subject uid/gid
object type

We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.

These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.

Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the the
module seems to do what we expect.

Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months

Those who are ungodlike should be returned an error.

Starting point for a regression test for mac_bsdextended(4)/libugidfw(3).
Currently only performs basic tests against the library string routines,
and queries less important kernel state.

Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
MFC after: 3 days