authordwmalone <dwmalone@FreeBSD.org>2006-04-23 17:06:18 +0000
committerdwmalone <dwmalone@FreeBSD.org>2006-04-23 17:06:18 +0000
commitb6a29644300546ce70b02879a2c08ac130791d36 (patch)
tree27f43660d8de323a7adc792ac8d26a820c3b6015 /tools
parentf795ce96032ed06ead12a69167377795ea4364ee (diff)
downloadFreeBSD-src-b6a29644300546ce70b02879a2c08ac130791d36.zip
FreeBSD-src-b6a29644300546ce70b02879a2c08ac130791d36.tar.gz
Add some new options to mac_bsdextended. We can now match on:
subject: ranges of uid, ranges of gid, jail id objects: ranges of uid, ranges of gid, filesystem, object is suid, object is sgid, object matches subject uid/gid object type We can also negate individual conditions. The ruleset language is a superset of the previous language, so old rules should continue to work. These changes require a change to the API between libugidfw and the mac_bsdextended module. Add a version number, so we can tell if we're running mismatched versions. Update man pages to reflect changes, add extra test cases to test_ugidfw.c and add a shell script that checks that the module seems to do what we expect. Suggestions from: rwatson, trhodes Reviewed by: trhodes MFC after: 2 months
Diffstat (limited to 'tools')
-rw-r--r--tools/regression/mac/mac_bsdextended/test_matches.sh167
-rw-r--r--tools/regression/mac/mac_bsdextended/test_ugidfw.c58
2 files changed, 217 insertions, 8 deletions
diff --git a/tools/regression/mac/mac_bsdextended/test_matches.sh b/tools/regression/mac/mac_bsdextended/test_matches.sh
new file mode 100644
index 0000000..99d6b62
--- /dev/null
+++ b/tools/regression/mac/mac_bsdextended/test_matches.sh
@@ -0,0 +1,167 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+uidrange="60000:100000"
+gidrange="60000:100000"
+uidinrange="nobody"
+uidoutrange="daemon"
+gidinrange="nobody" # We expect $uidinrange in this group
+gidoutrange="daemon" # We expect $uidinrange in this group
+
+playground="/stuff/nobody/" # Must not be on root fs
+
+#
+# Setup
+#
+rm -f $playground/test*
+ugidfw remove 1
+
+file1=$playground/test-$uidinrange
+file2=$playground/test-$uidoutrange
+cat <<EOF> $playground/test-script.pl
+if (open(F, ">" . shift)) { exit 0; } else { exit 1; }
+EOF
+command1="perl $playground/test-script.pl $file1"
+command2="perl $playground/test-script.pl $file2"
+
+echo -n "$uidinrange file: "
+su -m $uidinrange -c "$command1 && echo good"
+chown "$uidinrange":"$gidinrange" $file1
+chmod a+w $file1
+
+echo -n "$uidoutrange file: "
+$command2 && echo good
+chown "$uidoutrange":"$gidoutrange" $file2
+chmod a+w $file2
+
+#
+# No rules
+#
+echo -n "no rules $uidinrange: "
+su -fm $uidinrange -c "$command1 && echo good"
+echo -n "no rules $uidoutrange: "
+su -fm $uidoutrange -c "$command1 && echo good"
+
+#
+# Subject Match on uid
+#
+ugidfw set 1 subject uid $uidrange object mode rasx
+echo -n "subject uid in range: "
+su -fm $uidinrange -c "$command1 || echo good"
+echo -n "subject uid out range: "
+su -fm $uidoutrange -c "$command1 && echo good"
+
+#
+# Subject Match on gid
+#
+ugidfw set 1 subject gid $gidrange object mode rasx
+echo -n "subject gid in range: "
+su -fm $uidinrange -c "$command1 || echo good"
+echo -n "subject gid out range: "
+su -fm $uidoutrange -c "$command1 && echo good"
+
+#
+# Subject Match on jail
+#
+echo -n "subject matching jailid: "
+rm -f $playground/test-jail
+jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 3; touch $playground/test-jail) &"`
+ugidfw set 1 subject jailid $jailid object mode rasx
+sleep 6
+if [ ! -f $playground/test-jail ] ; then echo good ; fi
+
+echo -n "subject nonmatching jailid: "
+rm -f $playground/test-jail
+jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 3; touch $playground/test-jail) &"`
+sleep 6
+if [ -f $playground/test-jail ] ; then echo good ; fi
+
+#
+# Object uid
+#
+ugidfw set 1 subject object uid $uidrange mode rasx
+echo -n "object uid in range: "
+su -fm $uidinrange -c "$command1 || echo good"
+echo -n "object uid out range: "
+su -fm $uidinrange -c "$command2 && echo good"
+ugidfw set 1 subject object uid $uidrange mode rasx
+echo -n "object uid in range (differennt subject): "
+su -fm $uidoutrange -c "$command1 || echo good"
+echo -n "object uid out range (differennt subject): "
+su -fm $uidoutrange -c "$command2 && echo good"
+
+#
+# Object gid
+#
+ugidfw set 1 subject object gid $uidrange mode rasx
+echo -n "object gid in range: "
+su -fm $uidinrange -c "$command1 || echo good"
+echo -n "object gid out range: "
+su -fm $uidinrange -c "$command2 && echo good"
+echo -n "object gid in range (differennt subject): "
+su -fm $uidoutrange -c "$command1 || echo good"
+echo -n "object gid out range (differennt subject): "
+su -fm $uidoutrange -c "$command2 && echo good"
+
+#
+# Object filesys
+#
+ugidfw set 1 subject uid $uidrange object filesys / mode rasx
+echo -n "object out of filesys: "
+su -fm $uidinrange -c "$command1 && echo good"
+ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx
+echo -n "object in filesys: "
+su -fm $uidinrange -c "$command1 || echo good"
+
+#
+# Object suid
+#
+ugidfw set 1 subject uid $uidrange object suid mode rasx
+echo -n "object notsuid: "
+su -fm $uidinrange -c "$command1 && echo good"
+chmod u+s $file1
+echo -n "object suid: "
+su -fm $uidinrange -c "$command1 || echo good"
+chmod u-s $file1
+
+#
+# Object sgid
+#
+ugidfw set 1 subject uid $uidrange object sgid mode rasx
+echo -n "object notsgid: "
+su -fm $uidinrange -c "$command1 && echo good"
+chmod g+s $file1
+echo -n "object sgid: "
+su -fm $uidinrange -c "$command1 || echo good"
+chmod g-s $file1
+
+#
+# Object uid matches subject
+#
+ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx
+echo -n "object uid notmatches subject: "
+su -fm $uidinrange -c "$command2 && echo good"
+echo -n "object uid matches subject: "
+su -fm $uidinrange -c "$command1 || echo good"
+
+#
+# Object gid matches subject
+#
+ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx
+echo -n "object gid notmatches subject: "
+su -fm $uidinrange -c "$command2 && echo good"
+echo -n "object gid matches subject: "
+su -fm $uidinrange -c "$command1 || echo good"
+
+#
+# Object type
+#
+ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx
+echo -n "object not type: "
+su -fm $uidinrange -c "$command1 && echo good"
+ugidfw set 1 subject uid $uidrange object type r mode rasx
+echo -n "object type: "
+su -fm $uidinrange -c "$command1 || echo good"
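Review bot: The script never removes rule 1 after the final "object type r" check, so the last deny rule (subject uid in $uidrange, object type r, mode rasx) is still enforced by the kernel when the test exits; add `ugidfw remove 1` as the last line, and preferably also from a `trap 'ugidfw remove 1' EXIT` so an interrupted run cleans up too. In the "Object gid" section the rule is installed with `$uidrange` where `$gidrange` is meant; the two ranges happen to be equal today, so the case only passes by coincidence — change it to `ugidfw set 1 subject object gid $gidrange mode rasx`. The second `ugidfw set 1 subject object uid $uidrange mode rasx` in the "Object uid" section re-installs an identical rule and can be dropped, and the four "differennt subject" labels carry a typo. The comment on $playground says it must not live on the root filesystem, but nothing verifies that (or that the directory exists), so the filesys cases can silently report the wrong result; an early `[ -d "$playground" ] || exit 1` would at least catch the missing-directory case.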
+
diff --git a/tools/regression/mac/mac_bsdextended/test_ugidfw.c b/tools/regression/mac/mac_bsdextended/test_ugidfw.c
index 398b9a3..63e25f0 100644
--- a/tools/regression/mac/mac_bsdextended/test_ugidfw.c
+++ b/tools/regression/mac/mac_bsdextended/test_ugidfw.c
@@ -26,8 +26,9 @@
* $FreeBSD$
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <sys/mac.h>
+#include <sys/mount.h>
#include <security/mac_bsdextended/mac_bsdextended.h>
@@ -104,6 +105,47 @@ static const char *test_strings[] = {
"subject not uid operator object uid bin mode n",
"subject uid bin object not uid operator mode n",
"subject not uid daemon object not uid operator mode n",
+ /* Ranges */
+ "subject uid root:operator object gid wheel:bin mode n",
+ /* Jail ID */
+ "subject jailid 1 object uid root mode n",
+ /* Filesys */
+ "subject uid root object filesys / mode n",
+ "subject uid root object filesys /dev mode n",
+ /* S/UGID */
+ "subject not uid root object sgid mode n",
+ "subject not uid root object sgid mode n",
+ /* Matching uid/gid */
+ "subject not uid root:operator object not uid_of_subject mode n",
+ "subject not gid wheel:bin object not gid_of_subject mode n",
+ /* Object types */
+ "subject uid root object type a mode a",
+ "subject uid root object type r mode a",
+ "subject uid root object type d mode a",
+ "subject uid root object type b mode a",
+ "subject uid root object type c mode a",
+ "subject uid root object type l mode a",
+ "subject uid root object type s mode a",
+ "subject uid root object type rbc mode a",
+ "subject uid root object type dls mode a",
+ /* Empty rules always match */
+ "subject object mode a",
+ /* Partial negations */
+ "subject ! uid root object mode n",
+ "subject ! gid wheel object mode n",
+ "subject ! jailid 2 object mode n",
+ "subject object ! uid root mode n",
+ "subject object ! gid wheel mode n",
+ "subject object ! filesys / mode n",
+ "subject object ! suid mode n",
+ "subject object ! sgid mode n",
+ "subject object ! uid_of_subject mode n",
+ "subject object ! gid_of_subject mode n",
+ "subject object ! type d mode n",
+ /* All out nonsense */
+ "subject uid root ! gid wheel:bin ! jailid 1 "
+ "object ! uid root:daemon gid daemon filesys / suid sgid uid_of_subject gid_of_subject ! type r "
+ "mode rsx",
};
static const int test_strings_len = sizeof(test_strings) / sizeof(char *);
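Review bot: The two strings under `/* S/UGID */` are identical (`"subject not uid root object sgid mode n"` twice), so the new `suid` object keyword is never round-tripped through bsde_parse_rule_string and bsde_rule_to_string on its own, even though the partial-negation block and the new shell test both rely on it; change the first one to `"subject not uid root object suid mode n"`. The round-trip comparison that consumes these inputs is in test_libugidfw_strings, outside this hunk, so this hunk only supplies the inputs.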
@@ -111,8 +153,8 @@ static void
test_libugidfw_strings(void)
{
struct mac_bsdextended_rule rule;
- char errorstr[128];
- char rulestr[128];
+ char errorstr[256];
+ char rulestr[256];
int i, error;
for (i = 0; i < test_users_len; i++) {
@@ -129,11 +171,11 @@ test_libugidfw_strings(void)
for (i = 0; i < test_strings_len; i++) {
error = bsde_parse_rule_string(test_strings[i], &rule,
- 128, errorstr);
+ sizeof(errorstr), errorstr);
if (error == -1)
errx(-1, "bsde_parse_rule_string: '%s' (%d): %s",
test_strings[i], i, errorstr);
- error = bsde_rule_to_string(&rule, rulestr, 128);
+ error = bsde_rule_to_string(&rule, rulestr, sizeof(rulestr));
if (error < 0)
errx(-1, "bsde_rule_to_string: rule for '%s' "
"returned %d", test_strings[i], error);
@@ -147,7 +189,7 @@ test_libugidfw_strings(void)
int
main(int argc, char *argv[])
{
- char errorstr[128];
+ char errorstr[256];
int count, slots;
if (argc != 1)
@@ -182,13 +224,13 @@ main(int argc, char *argv[])
* starting, but "slots" is a property of prior runs and so we ignore
* the return value.
*/
- count = bsde_get_rule_count(128, errorstr);
+ count = bsde_get_rule_count(sizeof(errorstr), errorstr);
if (count == -1)
errx(-1, "bsde_get_rule_count: %s", errorstr);
if (count != 0)
errx(-1, "bsde_get_rule_count: %d rules", count);
- slots = bsde_get_rule_slots(128, errorstr);
+ slots = bsde_get_rule_slots(sizeof(errorstr), errorstr);
if (slots == -1)
errx(-1, "bsde_get_rule_slots: %s", errorstr);