Subject: Re: sysctl_proc_find() in kern_resource.c
To: None <elad@NetBSD.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-kern
Date: 12/14/2006 19:02:23
> + /*
> + * suid proc of ours or proc not ours
> + */
> + if (kauth_cred_getuid(cred) != kauth_cred_getuid(p->p_cred) ||
> + kauth_cred_getuid(cred) != kauth_cred_getsvuid(p->p_cred))
> + result = KAUTH_RESULT_DENY;
> +
> + /*
> + * sgid proc has sgid back to us temporarily
> + */
> + else if (kauth_cred_getgid(p->p_cred) != kauth_cred_getsvgid(p->p_cred))
> + result = KAUTH_RESULT_DENY;
> +
> + /*
> + * our rgid must be in target's group list (ie,
> + * sub-processes started by a sgid process)
> + */
> + else {
> + int ismember = 0;
> +
> + if (kauth_cred_ismember_gid(cred,
> + kauth_cred_getgid(p->p_cred), &ismember) != 0 ||
> + !ismember)
> + result = KAUTH_RESULT_DENY;
> + }
> + break;
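Review bot: In the final else branch the comment and the call disagree about direction: the comment says our rgid must be in the target's group list, but `kauth_cred_ismember_gid(cred, kauth_cred_getgid(p->p_cred), &ismember)` asks whether the target's gid is among the groups of `cred`, the caller. Whichever is intended, change the comment or the arguments so they match, because this branch is the last check before access is allowed. The comment on the sgid test ("sgid proc has sgid back to us temporarily") is also hard to follow next to a condition that only compares the target's gid with its saved gid; a sentence saying what that inequality implies would help. Bracing each arm of the if / else if / else chain would make the control flow easier to follow, since the block comments currently sit between the arms.
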
please make this a subroutine, rather than duplicating the same code
into three places.
otherwise, seems fine to me.
YAMAMOTO Takashi