80 "BSD Extended MAC rule");
91 &rule_slots, 0, "Number of used rule slots");
105 * between the new mode (first rule matches) and the old functionality (all
111 "Disable/enable match first rule functionality");
114 ugidfw_rule_valid(struct mac_bsdextended_rule *rule) in ugidfw_rule_valid() argument
117 if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS) in ugidfw_rule_valid()
119 if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS) in ugidfw_rule_valid()
121 if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS) in ugidfw_rule_valid()
123 if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS) in ugidfw_rule_valid()
125 if (((rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) != 0) && in ugidfw_rule_valid()
126 (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE) in ugidfw_rule_valid()
128 if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM) in ugidfw_rule_valid()
225 ugidfw_rulecheck(struct mac_bsdextended_rule *rule, in ugidfw_rulecheck() argument
235 if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) { in ugidfw_rulecheck()
236 match = ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max && in ugidfw_rulecheck()
237 cred->cr_uid >= rule->mbr_subject.mbs_uid_min) || in ugidfw_rulecheck()
238 (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max && in ugidfw_rulecheck()
239 cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) || in ugidfw_rulecheck()
240 (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max && in ugidfw_rulecheck()
241 cred->cr_svuid >= rule->mbr_subject.mbs_uid_min)); in ugidfw_rulecheck()
242 if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED) in ugidfw_rulecheck()
248 if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) { in ugidfw_rulecheck()
249 match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max && in ugidfw_rulecheck()
250 cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) || in ugidfw_rulecheck()
251 (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max && in ugidfw_rulecheck()
252 cred->cr_svgid >= rule->mbr_subject.mbs_gid_min)); in ugidfw_rulecheck()
256 <= rule->mbr_subject.mbs_gid_max && in ugidfw_rulecheck()
258 >= rule->mbr_subject.mbs_gid_min) { in ugidfw_rulecheck()
264 if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED) in ugidfw_rulecheck()
270 if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) { in ugidfw_rulecheck()
272 (cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison); in ugidfw_rulecheck()
273 if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED) in ugidfw_rulecheck()
282 if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) { in ugidfw_rulecheck()
283 match = (vap->va_uid <= rule->mbr_object.mbo_uid_max && in ugidfw_rulecheck()
284 vap->va_uid >= rule->mbr_object.mbo_uid_min); in ugidfw_rulecheck()
285 if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED) in ugidfw_rulecheck()
291 if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) { in ugidfw_rulecheck()
292 match = (vap->va_gid <= rule->mbr_object.mbo_gid_max && in ugidfw_rulecheck()
293 vap->va_gid >= rule->mbr_object.mbo_gid_min); in ugidfw_rulecheck()
294 if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED) in ugidfw_rulecheck()
300 if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) { in ugidfw_rulecheck()
302 &rule->mbr_object.mbo_fsid) == 0); in ugidfw_rulecheck()
303 if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED) in ugidfw_rulecheck()
309 if (rule->mbr_object.mbo_flags & MBO_SUID) { in ugidfw_rulecheck()
311 if (rule->mbr_object.mbo_neg & MBO_SUID) in ugidfw_rulecheck()
317 if (rule->mbr_object.mbo_flags & MBO_SGID) { in ugidfw_rulecheck()
319 if (rule->mbr_object.mbo_neg & MBO_SGID) in ugidfw_rulecheck()
325 if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) { in ugidfw_rulecheck()
329 if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT) in ugidfw_rulecheck()
335 if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) { in ugidfw_rulecheck()
339 if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT) in ugidfw_rulecheck()
345 if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) { in ugidfw_rulecheck()
348 match = (rule->mbr_object.mbo_type & MBO_TYPE_REG); in ugidfw_rulecheck()
351 match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR); in ugidfw_rulecheck()
354 match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK); in ugidfw_rulecheck()
357 match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR); in ugidfw_rulecheck()
360 match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK); in ugidfw_rulecheck()
363 match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK); in ugidfw_rulecheck()
366 match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO); in ugidfw_rulecheck()
371 if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED) in ugidfw_rulecheck()
382 mac_granted = rule->mbr_mode; in ugidfw_rulecheck()
411 * If the rule matched, permits access, and first match is enabled, in ugidfw_rulecheck()