> YAMAMOTO Takashi wrote:
> >> +		/*
> >> +		 * suid proc of ours or proc not ours
> >> +		 */
> >> +		if (kauth_cred_getuid(cred) != kauth_cred_getuid(p->p_cred) ||
> >> +		    kauth_cred_getuid(cred) != kauth_cred_getsvuid(p->p_cred))
> >> +			result = KAUTH_RESULT_DENY;
> >> +
> >> +		/*
> >> +		 * sgid proc has sgid back to us temporarily
> >> +		 */
> >> +		else if (kauth_cred_getgid(p->p_cred) != kauth_cred_getsvgid(p->p_cred))
> >> +			result = KAUTH_RESULT_DENY;
> >> +
> >> +		/*
> >> +		 * our rgid must be in target's group list (ie,
> >> +		 * sub-processes started by a sgid process)
> >> +		 */
> >> +		else {
> >> +			int ismember = 0;
> >> +
> >> +			if (kauth_cred_ismember_gid(cred,
> >> +			    kauth_cred_getgid(p->p_cred), &ismember) != 0 ||
> >> +			    !ismember)
> >> +				result = KAUTH_RESULT_DENY;
> >> +		}
> >> +		break;
> > 
> > please make this a subroutine, rather than duplicating the same code
> > into three places.
> 
> several other parts of the bsd44 secmodel present some level of code
> duplication. do we want to handle this issue now, or wait with the
> introduction of a few kauth(9) helpers (for other purposes, too)?
> 
> in the former case, please let me know how you want this function to
> be called and in what file it should be in. (my assumption: kern_auth.c,
> and we should have some semi-consistent naming, along with uidmatch).

i just meant a static function in secmodel_bsd44_suser.c.
otherwise, it's difficult (for me, at least) to check if
these "duplicated at a glance" code is really identical or not.

YAMAMOTO Takashi