293246 |
06-Jan-2016 |
ngie |
MFC r292530,r292546:
r292530:
- Use 1 for an exit code instead of -1 with err, errx, and exit - Add unistd.h for getuid(3) - Sort #includes
r292546:
- Convert testcase to TAP format - Use nitems(x) instead of handrolled sizeof(x) / sizeof(*x) macro - Do not mark count != 0 case with bsde_get_rule_count as a failure; this generates false positives on systems with ugidfw rules set on it |
293138 |
04-Jan-2016 |
ngie |
MFC r292531,r292532,r292533,r292545:
r292531:
Make test_matches.sh into a series of TAP testcases
Use temporary filesystems / memory disks instead of a hardcoded path which doesn't exist on test systems
r292532:
Mark `subject matching jailid` testcase as an unexpected failure with TODO to ensure that the testcase isn't marked as a failure
PR: 205481
r292533:
Skip the testcases if mac_bsdextended(4) isn't detected on the system
r292545:
Redo the TAP integration so it works with Kyua
Kyua needs numbers in the TAP results :/, but prove doesn't |
157986 |
23-Apr-2006 |
dwmalone |
Add some new options to mac_bsdestended. We can now match on:
subject: ranges of uid, ranges of gid, jail id objects: ranges of uid, ranges of gid, filesystem, object is suid, object is sgid, object matches subject uid/gid object type
We can also negate individual conditions. The ruleset language is a superset of the previous language, so old rules should continue to work.
These changes require a change to the API between libugidfw and the mac_bsdextended module. Add a version number, so we can tell if we're running mismatched versions.
Update man pages to reflect changes, add extra test cases to test_ugidfw.c and add a shell script that checks that the the module seems to do what we expect.
Suggestions from: rwatson, trhodes Reviewed by: trhodes MFC after: 2 months
|