Add some new options to mac_bsdestended. We can now match on:

	subject: ranges of uid, ranges of gid, jail id
	objects: ranges of uid, ranges of gid, filesystem,
		object is suid, object is sgid, object matches subject uid/gid
		object type

We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.

These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.

Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the the
module seems to do what we expect.

Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months

1 files changed, 0 insertions, 10 deletions

diff --git a/lib/libugidfw/libugidfw.3 b/lib/libugidfw/libugidfw.3
index 7e8c751..3ff407c 100644
--- a/lib/libugidfw/libugidfw.3
+++ b/lib/libugidfw/libugidfw.3
@@ -59,14 +59,6 @@ Converts the internal representation of a rule
 into its text representation;
 see
 .Xr bsde_rule_to_string 3 .
-.It Fn bsde_parse_identity
-Parses the identity of a subject or object;
-see
-.Xr bsde_parse_identity 3 .
-.It Fn bsde_parse_mode
-Parses the access mode for a ugidfw rule;
-see
-.Xr bsde_parse_mode 3 .
 .It Fn bsde_parse_rule
 Parses an entire rule
 (in argument array form);
@@ -108,8 +100,6 @@ rule number; see
 .Xr bsde_get_rule 3 ,
 .Xr bsde_get_rule_count 3 ,
 .Xr bsde_get_rule_slots 3 ,
-.Xr bsde_parse_identity 3 ,
-.Xr bsde_parse_mode 3 ,
 .Xr bsde_parse_rule 3 ,
 .Xr bsde_parse_rule_string 3 ,
 .Xr bsde_rule_to_string 3 ,