Integrate tools/regression/mac/mac_bsdextended and

tools/regression/mac/mac_portacl into the FreeBSD test suite as
tests/sys/mac/bsdextended and tests/sys/mac/portacl, respectively

MFC after: 1 month
Sponsored by: EMC / Isilon Storage Division

7 files changed, 0 insertions, 868 deletions

diff --git a/tools/regression/mac/mac_bsdextended/Makefile b/tools/regression/mac/mac_bsdextended/Makefile
deleted file mode 100644
index aaa060a..0000000
--- a/tools/regression/mac/mac_bsdextended/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-# $FreeBSD$
-
-PROG=	test_ugidfw
-LIBADD=	ugidfw
-MAN=
-
-.include <bsd.prog.mk>
diff --git a/tools/regression/mac/mac_bsdextended/test_matches.sh b/tools/regression/mac/mac_bsdextended/test_matches.sh
deleted file mode 100644
index 5aff413..0000000
--- a/tools/regression/mac/mac_bsdextended/test_matches.sh
+++ /dev/null
@@ -1,353 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-uidrange="60000:100000"
-gidrange="60000:100000"
-uidinrange="nobody"
-uidoutrange="daemon"
-gidinrange="nobody" # We expect $uidinrange in this group
-gidoutrange="daemon" # We expect $uidinrange in this group
-
-test_num=1
-pass()
-{
-	echo "ok $test_num # $@"
-	: $(( test_num += 1 ))
-}
-
-fail()
-{
-	echo "not ok $test_num # $@"
-	: $(( test_num += 1 ))
-}
-
-#
-# Setup
-#
-
-: ${TMPDIR=/tmp}
-if [ $(id -u) -ne 0 ]; then
-	echo "1..0 # SKIP test must be run as root"
-	exit 0
-fi
-if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
-	echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
-	exit 0
-fi
-if ! playground=$(mktemp -d $TMPDIR/tmp.XXXXXXX); then
-	echo "1..0 # SKIP failed to create temporary directory"
-	exit 0
-fi
-trap "rmdir $playground" EXIT INT TERM
-if ! mdmfs -s 25m md $playground; then
-	echo "1..0 # SKIP failed to mount md device"
-	exit 0
-fi
-chmod a+rwx $playground
-md_device=$(mount -p | grep "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')
-trap "umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM
-if [ -z "$md_device" ]; then
-	mount -p | grep $playground
-	echo "1..0 # SKIP md device not properly attached to the system"
-fi
-
-ugidfw remove 1
-
-file1=$playground/test-$uidinrange
-file2=$playground/test-$uidoutrange
-cat > $playground/test-script.sh <<'EOF'
-#!/bin/sh
-: > $1
-EOF
-if [ $? -ne 0 ]; then
-	echo "1..0 # SKIP failed to create test script"
-	exit 0
-fi
-echo "1..30"
-
-command1="sh $playground/test-script.sh $file1"
-command2="sh $playground/test-script.sh $file2"
-
-desc="$uidinrange file"
-if su -m $uidinrange -c "$command1"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-chown "$uidinrange":"$gidinrange" $file1
-chmod a+w $file1
-
-desc="$uidoutrange file"
-if $command2; then
-	pass $desc
-else
-	fail $desc
-fi
-
-chown "$uidoutrange":"$gidoutrange" $file2
-chmod a+w $file2
-
-#
-# No rules
-#
-desc="no rules $uidinrange"
-if su -fm $uidinrange -c "$command1"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-desc="no rules $uidoutrange"
-if su -fm $uidoutrange -c "$command1"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-#
-# Subject Match on uid
-#
-ugidfw set 1 subject uid $uidrange object mode rasx
-desc="subject uid in range"
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-
-desc="subject uid out range"
-if su -fm $uidoutrange -c "$command1"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-#
-# Subject Match on gid
-#
-ugidfw set 1 subject gid $gidrange object mode rasx
-
-desc="subject gid in range"
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-
-desc="subject gid out range"
-if su -fm $uidoutrange -c "$command1"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-#
-# Subject Match on jail
-#
-rm -f $playground/test-jail
-
-desc="subject matching jailid"
-jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
-ugidfw set 1 subject jailid $jailid object mode rasx
-sleep 10
-
-if [ -f $playground/test-jail ]; then
-	fail "TODO $desc: this testcase fails (see bug # 205481)"
-else
-	pass $desc
-fi
-
-rm -f $playground/test-jail
-desc="subject nonmatching jailid"
-jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
-sleep 10
-if [ -f $playground/test-jail ]; then
-	pass $desc
-else
-	fail $desc
-fi
-
-#
-# Object uid
-#
-ugidfw set 1 subject object uid $uidrange mode rasx
-
-desc="object uid in range"
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-
-desc="object uid out range"
-if su -fm $uidinrange -c "$command2"; then
-	pass $desc
-else
-	fail $desc
-fi
-ugidfw set 1 subject object uid $uidrange mode rasx
-
-desc="object uid in range (different subject)"
-if su -fm $uidoutrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-
-desc="object uid out range (different subject)"
-if su -fm $uidoutrange -c "$command2"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-#
-# Object gid
-#
-ugidfw set 1 subject object gid $uidrange mode rasx
-
-desc="object gid in range"
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-
-desc="object gid out range"
-if su -fm $uidinrange -c "$command2"; then
-	pass $desc
-else
-	fail $desc
-fi
-desc="object gid in range (different subject)"
-if su -fm $uidoutrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-
-desc="object gid out range (different subject)"
-if su -fm $uidoutrange -c "$command2"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-#
-# Object filesys
-#
-ugidfw set 1 subject uid $uidrange object filesys / mode rasx
-desc="object out of filesys"
-if su -fm $uidinrange -c "$command1"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx
-desc="object in filesys"
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-
-#
-# Object suid
-#
-ugidfw set 1 subject uid $uidrange object suid mode rasx
-desc="object notsuid"
-if su -fm $uidinrange -c "$command1"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-chmod u+s $file1
-desc="object suid"
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-chmod u-s $file1
-
-#
-# Object sgid
-#
-ugidfw set 1 subject uid $uidrange object sgid mode rasx
-desc="object notsgid"
-if su -fm $uidinrange -c "$command1"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-chmod g+s $file1
-desc="object sgid"
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-chmod g-s $file1
-
-#
-# Object uid matches subject
-#
-ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx
-
-desc="object uid notmatches subject"
-if su -fm $uidinrange -c "$command2"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-desc="object uid matches subject"
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-
-#
-# Object gid matches subject
-#
-ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx
-
-desc="object gid notmatches subject"
-if su -fm $uidinrange -c "$command2"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-desc="object gid matches subject"
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
-
-#
-# Object type
-#
-desc="object not type"
-ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx
-if su -fm $uidinrange -c "$command1"; then
-	pass $desc
-else
-	fail $desc
-fi
-
-desc="object type"
-ugidfw set 1 subject uid $uidrange object type r mode rasx
-if su -fm $uidinrange -c "$command1"; then
-	fail $desc
-else
-	pass $desc
-fi
diff --git a/tools/regression/mac/mac_bsdextended/test_ugidfw.c b/tools/regression/mac/mac_bsdextended/test_ugidfw.c
deleted file mode 100644
index 7c1dc2a..0000000
--- a/tools/regression/mac/mac_bsdextended/test_ugidfw.c
+++ /dev/null
@@ -1,257 +0,0 @@
-/*-
- * Copyright (c) 2005 McAfee, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD$
- */
-
-#include <sys/param.h>
-#include <sys/mac.h>
-#include <sys/mount.h>
-
-#include <security/mac_bsdextended/mac_bsdextended.h>
-
-#include <err.h>
-#include <errno.h>
-#include <grp.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ugidfw.h>
-#include <unistd.h>
-
-/*
- * Starting point for a regression test for mac_bsdextended(4) and the
- * supporting libugidfw(3).
- */
-
-/*
- * This section of the regression test passes some test cases through the
- * rule<->string routines to confirm they work approximately as desired.
- */
-
-/*
- * List of users and groups we must check exists before we can begin, since
- * they are used in the string test rules.  We use users and groups that will
- * always exist in a default install used for regression testing.
- */
-static const char *test_users[] = {
-	"root",
-	"daemon",
-	"operator",
-	"bin",
-};
-
-static const char *test_groups[] = {
-	"wheel",
-	"daemon",
-	"operator",
-	"bin",
-};
-
-int test_num;
-
-/*
- * List of test strings that must go in (and come out) of libugidfw intact.
- */
-static const char *test_strings[] = {
-	/* Variations on subject and object uids. */
-	"subject uid root object uid root mode n",
-	"subject uid root object uid daemon mode n",
-	"subject uid daemon object uid root mode n",
-	"subject uid daemon object uid daemon mode n",
-	/* Variations on mode. */
-	"subject uid root object uid root mode a",
-	"subject uid root object uid root mode r",
-	"subject uid root object uid root mode s",
-	"subject uid root object uid root mode w",
-	"subject uid root object uid root mode x",
-	"subject uid root object uid root mode arswx",
-	/* Variations on subject and object gids. */
-	"subject gid wheel object gid wheel mode n",
-	"subject gid wheel object gid daemon mode n",
-	"subject gid daemon object gid wheel mode n",
-	"subject gid daemon object gid daemon mode n",
-	/* Subject uids and subject gids. */
-	"subject uid bin gid daemon object uid operator gid wheel mode n",
-	/* Not */
-	"subject not uid operator object uid bin mode n",
-	"subject uid bin object not uid operator mode n",
-	"subject not uid daemon object not uid operator mode n",
-	/* Ranges */
-	"subject uid root:operator object gid wheel:bin mode n",
-	/* Jail ID */
-	"subject jailid 1 object uid root mode n",
-	/* Filesys */
-	"subject uid root object filesys / mode n",
-	"subject uid root object filesys /dev mode n",
-	/* S/UGID */
-	"subject not uid root object sgid mode n",
-	"subject not uid root object sgid mode n",
-	/* Matching uid/gid */
-	"subject not uid root:operator object not uid_of_subject mode n",
-	"subject not gid wheel:bin object not gid_of_subject mode n",
-	/* Object types */
-	"subject uid root object type a mode a",
-	"subject uid root object type r mode a",
-	"subject uid root object type d mode a",
-	"subject uid root object type b mode a",
-	"subject uid root object type c mode a",
-	"subject uid root object type l mode a",
-	"subject uid root object type s mode a",
-	"subject uid root object type rbc mode a",
-	"subject uid root object type dls mode a",
-	/* Empty rules always match */
-	"subject object mode a",
-	/* Partial negations */
-	"subject ! uid root object mode n",
-	"subject ! gid wheel object mode n",
-	"subject ! jailid 2 object mode n",
-	"subject object ! uid root mode n",
-	"subject object ! gid wheel mode n",
-	"subject object ! filesys / mode n",
-	"subject object ! suid mode n",
-	"subject object ! sgid mode n",
-	"subject object ! uid_of_subject mode n",
-	"subject object ! gid_of_subject mode n",
-	"subject object ! type d mode n",
-	/* All out nonsense */
-	"subject uid root ! gid wheel:bin ! jailid 1 "
-	    "object ! uid root:daemon gid daemon filesys / suid sgid uid_of_subject gid_of_subject ! type r "
-	    "mode rsx",
-};
-
-static void
-test_libugidfw_strings(void)
-{
-	struct mac_bsdextended_rule rule;
-	char errorstr[256];
-	char rulestr[256];
-	int error, i;
-
-	for (i = 0; i < nitems(test_users); i++, test_num++) {
-		if (getpwnam(test_users[i]) == NULL)
-			printf("not ok %d # test_libugidfw_strings: getpwnam(%s) "
-			    "failed: %s\n", test_num, test_users[i], strerror(errno));
-		else
-			printf("ok %d\n", test_num);
-	}
-
-	for (i = 0; i < nitems(test_groups); i++, test_num++) {
-		if (getgrnam(test_groups[i]) == NULL)
-			printf("not ok %d # test_libugidfw_strings: getgrnam(%s) "
-			    "failed: %s\n", test_num, test_groups[i], strerror(errno));
-		else
-			printf("ok %d\n", test_num);
-	}
-
-	for (i = 0; i < nitems(test_strings); i++) {
-		error = bsde_parse_rule_string(test_strings[i], &rule,
-		    sizeof(errorstr), errorstr);
-		if (error == -1)
-			printf("not ok %d # bsde_parse_rule_string: '%s' (%d) "
-			    "failed: %s\n", test_num, test_strings[i], i, errorstr);
-		else
-			printf("ok %d\n", test_num);
-		test_num++;
-
-		error = bsde_rule_to_string(&rule, rulestr, sizeof(rulestr));
-		if (error < 0)
-			printf("not ok %d # bsde_rule_to_string: rule for '%s' "
-			    "returned %d\n", test_num, test_strings[i], error);
-		else
-			printf("ok %d\n", test_num);
-		test_num++;
-
-		if (strcmp(test_strings[i], rulestr) != 0)
-			printf("not ok %d # test_libugidfw: '%s' in, '%s' "
-			    "out\n", test_num, test_strings[i], rulestr);
-		else
-			printf("ok %d\n", test_num);
-		test_num++;
-	}
-}
-
-int
-main(void)
-{
-	char errorstr[256];
-	int count, slots;
-
-	test_num = 1;
-
-	/* Print an error if a non-root user attemps to run the tests. */
-	if (getuid() != 0) {
-		printf("1..0 # SKIP you must be root\n");
-		return (0);
-	}
-
-	printf("1..%lu\n", nitems(test_users) + nitems(test_groups) +
-	    3 * nitems(test_strings) + 2);
-
-	/*
-	 * We can test some parts of the library without the MAC Framework
-	 * and policy loaded, so run those tests before calling
-	 * mac_is_present().
-	 */
-	test_libugidfw_strings();
-
-	switch (mac_is_present("bsdextended")) {
-	case -1:
-		printf("1..0 # SKIP mac_is_present failed: %s\n",
-		    strerror(errno));
-		return (0);
-	case 1:
-		break;
-	case 0:
-	default:
-		printf("1..0 # SKIP mac_bsdextended not loaded\n");
-		return (0);
-	}
-
-	/*
-	 * Some simple up-front checks to see if we're able to query the
-	 * policy for basic state.  We want the rule count to be 0 before
-	 * starting, but "slots" is a property of prior runs and so we ignore
-	 * the return value.
-	 */
-	count = bsde_get_rule_count(sizeof(errorstr), errorstr);
-	if (count == -1)
-		printf("not ok %d # bsde_get_rule_count: %s\n", test_num,
-		    errorstr);
-	else
-		printf("ok %d\n", test_num);
-
-	test_num++;
-
-	slots = bsde_get_rule_slots(sizeof(errorstr), errorstr);
-	if (slots == -1)
-		printf("not ok %d # bsde_get_rule_slots: %s\n", test_num,
-		    errorstr);
-	else
-		printf("ok %d\n", test_num);
-
-	return (0);
-}
diff --git a/tools/regression/mac/mac_portacl/LICENSE b/tools/regression/mac/mac_portacl/LICENSE
deleted file mode 100644
index c95c149..0000000
--- a/tools/regression/mac/mac_portacl/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-$FreeBSD$
-
-License for all mac_portacl regression tests:
-
-Copyright (c) 2009 Pawel Jakub Dawidek <pjd@FreeBSD.org>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
diff --git a/tools/regression/mac/mac_portacl/misc.sh b/tools/regression/mac/mac_portacl/misc.sh
deleted file mode 100755
index 5a9e67b..0000000
--- a/tools/regression/mac/mac_portacl/misc.sh
+++ /dev/null
@@ -1,106 +0,0 @@
-#!/bin/sh
-# $FreeBSD$
-
-sysctl security.mac.portacl >/dev/null 2>&1
-if [ $? -ne 0 ]; then
-	echo "1..0 # SKIP MAC_PORTACL is unavailable."
-	exit 0
-fi
-if [ $(id -u) -ne 0 ]; then
-	echo "1..0 # SKIP testcases must be run as root"
-	exit 0
-fi
-
-ntest=1
-
-check_bind() {
-	local host idtype name proto port udpflag
-
-	host="127.0.0.1"
-
-	idtype=${1}
-	name=${2}
-	proto=${3}
-	port=${4}
-
-	[ "${proto}" = "udp" ] && udpflag="-u"
-
-	out=$(
-		case "${idtype}" in
-		uid|gid)
-			( echo -n | su -m ${name} -c "nc ${udpflag} -l -w 10 $host $port" 2>&1 ) &
-			;;
-		jail)
-			kill $$
-			;;
-		*)
-			kill $$
-		esac
-		sleep 0.3
-		echo | nc ${udpflag} -w 10 $host $port >/dev/null 2>&1
-		wait
-	)
-	case "${out}" in
-	"nc: Permission denied"*|"nc: Operation not permitted"*)
-		echo fl
-		;;
-	"")
-		echo ok
-		;;
-	*)
-		echo ${out}
-		;;
-	esac
-}
-
-bind_test() {
-	local expect_without_rule expect_with_rule idtype name proto port
-
-	expect_without_rule=${1}
-	expect_with_rule=${2}
-	idtype=${3}
-	name=${4}
-	proto=${5}
-	port=${6}
-
-	sysctl security.mac.portacl.rules= >/dev/null
-	out=$(check_bind ${idtype} ${name} ${proto} ${port})
-	if [ "${out}" = "${expect_without_rule}" ]; then
-		echo "ok ${ntest}"
-	elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
-		echo "not ok ${ntest} # '${out}' != '${expect_without_rule}'"
-	else
-		echo "not ok ${ntest} # unexpected output: '${out}'"
-	fi
-	: $(( ntest += 1 ))
-
-	if [ "${idtype}" = "uid" ]; then
-		idstr=$(id -u ${name})
-	elif [ "${idtype}" = "gid" ]; then
-		idstr=$(id -g ${name})
-	else
-		idstr=${name}
-	fi
-	sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null
-	out=$(check_bind ${idtype} ${name} ${proto} ${port})
-	if [ "${out}" = "${expect_with_rule}" ]; then
-		echo "ok ${ntest}"
-	elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
-		echo "not ok ${ntest} # '${out}' != '${expect_with_rule}'"
-	else
-		echo "not ok ${ntest} # unexpected output: '${out}'"
-	fi
-	: $(( ntest += 1 ))
-
-	sysctl security.mac.portacl.rules= >/dev/null
-}
-
-reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
-suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt)
-port_high=$(sysctl -n security.mac.portacl.port_high)
-
-restore_settings() {
-	sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null
-	sysctl -n security.mac.portacl.suser_exempt=${suser_exempt} >/dev/null
-	sysctl -n security.mac.portacl.port_high=${port_high} >/dev/null
-}
diff --git a/tools/regression/mac/mac_portacl/nobody.t b/tools/regression/mac/mac_portacl/nobody.t
deleted file mode 100755
index 7d8dbd6..0000000
--- a/tools/regression/mac/mac_portacl/nobody.t
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/sh
-# $FreeBSD$
-
-dir=`dirname $0`
-. ${dir}/misc.sh
-
-echo "1..64"
-
-# security.mac.portacl.suser_exempt value doesn't affect unprivileged users
-# behaviour.
-# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.
-
-trap restore_settings EXIT INT TERM
-
-sysctl security.mac.portacl.suser_exempt=1 >/dev/null
-sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null
-
-bind_test fl fl uid nobody tcp 77
-bind_test ok ok uid nobody tcp 7777
-bind_test fl fl uid nobody udp 77
-bind_test ok ok uid nobody udp 7777
-
-bind_test fl fl gid nobody tcp 77
-bind_test ok ok gid nobody tcp 7777
-bind_test fl fl gid nobody udp 77
-bind_test ok ok gid nobody udp 7777
-
-sysctl security.mac.portacl.suser_exempt=0 >/dev/null
-
-bind_test fl fl uid nobody tcp 77
-bind_test ok ok uid nobody tcp 7777
-bind_test fl fl uid nobody udp 77
-bind_test ok ok uid nobody udp 7777
-
-bind_test fl fl gid nobody tcp 77
-bind_test ok ok gid nobody tcp 7777
-bind_test fl fl gid nobody udp 77
-bind_test ok ok gid nobody udp 7777
-
-# Verify if security.mac.portacl.port_high works.
-
-sysctl security.mac.portacl.port_high=7778 >/dev/null
-
-bind_test fl fl uid nobody tcp 77
-bind_test fl ok uid nobody tcp 7777
-bind_test fl fl uid nobody udp 77
-bind_test fl ok uid nobody udp 7777
-
-bind_test fl fl gid nobody tcp 77
-bind_test fl ok gid nobody tcp 7777
-bind_test fl fl gid nobody udp 77
-bind_test fl ok gid nobody udp 7777
-
-# Verify if mac_portacl rules work.
-
-sysctl net.inet.ip.portrange.reservedhigh=76 >/dev/null
-sysctl security.mac.portacl.port_high=7776 >/dev/null
-
-bind_test fl ok uid nobody tcp 77
-bind_test ok ok uid nobody tcp 7777
-bind_test fl ok uid nobody udp 77
-bind_test ok ok uid nobody udp 7777
-
-bind_test fl ok gid nobody tcp 77
-bind_test ok ok gid nobody tcp 7777
-bind_test fl ok gid nobody udp 77
-bind_test ok ok gid nobody udp 7777
diff --git a/tools/regression/mac/mac_portacl/root.t b/tools/regression/mac/mac_portacl/root.t
deleted file mode 100755
index 9ed452f..0000000
--- a/tools/regression/mac/mac_portacl/root.t
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/sh
-# $FreeBSD$
-
-dir=`dirname $0`
-. ${dir}/misc.sh
-
-echo "1..48"
-
-# Verify if security.mac.portacl.suser_exempt=1 really exempts super-user.
-
-trap restore_settings EXIT INT TERM
-
-sysctl security.mac.portacl.suser_exempt=1 >/dev/null
-
-bind_test ok ok uid root tcp 77
-bind_test ok ok uid root tcp 7777
-bind_test ok ok uid root udp 77
-bind_test ok ok uid root udp 7777
-
-bind_test ok ok gid root tcp 77
-bind_test ok ok gid root tcp 7777
-bind_test ok ok gid root udp 77
-bind_test ok ok gid root udp 7777
-
-# Verify if security.mac.portacl.suser_exempt=0 really doesn't exempt super-user.
-
-sysctl security.mac.portacl.suser_exempt=0 >/dev/null
-
-bind_test fl ok uid root tcp 77
-bind_test ok ok uid root tcp 7777
-bind_test fl ok uid root udp 77
-bind_test ok ok uid root udp 7777
-
-bind_test fl ok gid root tcp 77
-bind_test ok ok gid root tcp 7777
-bind_test fl ok gid root udp 77
-bind_test ok ok gid root udp 7777
-
-# Verify if security.mac.portacl.port_high works for super-user.
-
-sysctl security.mac.portacl.port_high=7778 >/dev/null
-
-bind_test fl ok uid root tcp 77
-bind_test fl ok uid root tcp 7777
-bind_test fl ok uid root udp 77
-bind_test fl ok uid root udp 7777
-
-bind_test fl ok gid root tcp 77
-bind_test fl ok gid root tcp 7777
-bind_test fl ok gid root udp 77
-bind_test fl ok gid root udp 7777