MFC r292530,r292546:

r292530:

- Use 1 for an exit code instead of -1 with err, errx, and exit
- Add unistd.h for getuid(3)
- Sort #includes

r292546:

- Convert testcase to TAP format
- Use nitems(x) instead of handrolled sizeof(x) / sizeof(*x) macro
- Do not mark count != 0 case with bsde_get_rule_count as a failure; this
generates false positives on systems with ugidfw rules set on it

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Add some new options to mac_bsdestended. We can now match on:

subject: ranges of uid, ranges of gid, jail id
objects: ranges of uid, ranges of gid, filesystem,
object is suid, object is sgid, object matches subject uid/gid
object type

We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.

These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.

Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the the
module seems to do what we expect.

Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months

Those who are ungodlike should be returned an error.

Starting point for a regression test for mac_bsdextended(4)/libugidfw(3).
Currently only performs basic tests against the library string routines,
and queries less important kernel state.

Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
MFC after: 3 days