80 "BSD Extended MAC rule");
91 &rule_slots, 0, "Number of used rule slots");
105 * between the new mode (first rule matches) and the old functionality (all
111 "Disable/enable match first rule functionality");
114 ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
117 if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
119 if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
121 if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
123 if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
125 if (((rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) != 0) &&
126 (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
128 if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
225 ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
235 if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
236 match = ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
237 cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
238 (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
239 cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
240 (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
241 cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
242 if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
248 if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
249 match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
250 cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
251 (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
252 cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
256 <= rule->mbr_subject.mbs_gid_max &&
258 >= rule->mbr_subject.mbs_gid_min) {
264 if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
270 if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
272 (cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
273 if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
282 if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
283 match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
284 vap->va_uid >= rule->mbr_object.mbo_uid_min);
285 if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
291 if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
292 match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
293 vap->va_gid >= rule->mbr_object.mbo_gid_min);
294 if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
300 if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
302 &rule->mbr_object.mbo_fsid) == 0);
303 if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
309 if (rule->mbr_object.mbo_flags & MBO_SUID) {
311 if (rule->mbr_object.mbo_neg & MBO_SUID)
317 if (rule->mbr_object.mbo_flags & MBO_SGID) {
319 if (rule->mbr_object.mbo_neg & MBO_SGID)
325 if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
329 if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
335 if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
339 if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
345 if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
348 match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
351 match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
354 match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
357 match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
360 match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
363 match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
366 match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
371 if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
382 mac_granted = rule->mbr_mode;
411 * If the rule matched, permits access, and first match is enabled,