Index: head/tools/regression/mac/mac_portacl/misc.sh
===================================================================
--- head/tools/regression/mac/mac_portacl/misc.sh (revision 292568)
+++ head/tools/regression/mac/mac_portacl/misc.sh (revision 292569)
@@ -1,96 +1,106 @@ #!/bin/sh # $FreeBSD$ sysctl security.mac.portacl >/dev/null 2>&1 if [ $? -ne 0 ]; then echo "1..0 # SKIP MAC_PORTACL is unavailable." exit 0 fi +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP testcases must be run as root" + exit 0 +fi ntest=1 check_bind() { + local host idtype name proto port udpflag + + host="127.0.0.1" + idtype=${1} name=${2} proto=${3} port=${4} [ "${proto}" = "udp" ] && udpflag="-u" - out=`( + out=$( case "${idtype}" in uid|gid) - ( echo -n | su -m ${name} -c "nc ${udpflag} -o -l 127.0.0.1 $port" 2>&1 ) & + ( echo -n | su -m ${name} -c "nc ${udpflag} -l -w 10 $host $port" 2>&1 ) & ;; jail) kill $$ ;; *) kill $$ esac sleep 0.3 - echo | nc ${udpflag} -o 127.0.0.1 $port >/dev/null 2>&1 + echo | nc ${udpflag} -w 10 $host $port >/dev/null 2>&1 wait - )` + ) case "${out}" in "nc: Permission denied"*|"nc: Operation not permitted"*) echo fl ;; "") echo ok ;; *) echo ${out} ;; esac } bind_test() { + local expect_without_rule expect_with_rule idtype name proto port + expect_without_rule=${1} expect_with_rule=${2} idtype=${3} name=${4} proto=${5} port=${6} sysctl security.mac.portacl.rules= >/dev/null - out=`check_bind ${idtype} ${name} ${proto} ${port}` + out=$(check_bind ${idtype} ${name} ${proto} ${port}) if [ "${out}" = "${expect_without_rule}" ]; then echo "ok ${ntest}" elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then - echo "not ok ${ntest}" + echo "not ok ${ntest} # '${out}' != '${expect_without_rule}'" else - echo "not ok ${ntest} # ${out}" + echo "not ok ${ntest} # unexpected output: '${out}'" fi - ntest=$((ntest+1)) + : $(( ntest += 1 )) if [ "${idtype}" = "uid" ]; then - idstr=`id -u ${name}` + idstr=$(id -u ${name}) elif [ "${idtype}" = "gid" ]; then - idstr=`id -g ${name}` + idstr=$(id -g ${name}) else idstr=${name} fi sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null - out=`check_bind ${idtype} ${name} ${proto} ${port}` + out=$(check_bind ${idtype} ${name} ${proto} ${port}) if [ "${out}" 
= "${expect_with_rule}" ]; then echo "ok ${ntest}" elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then - echo "not ok ${ntest}" + echo "not ok ${ntest} # '${out}' != '${expect_with_rule}'" else - echo "not ok ${ntest} # ${out}" + echo "not ok ${ntest} # unexpected output: '${out}'" fi - ntest=$((ntest+1)) + : $(( ntest += 1 )) sysctl security.mac.portacl.rules= >/dev/null } -reserved_high=`sysctl -n net.inet.ip.portrange.reservedhigh` -suser_exempt=`sysctl -n security.mac.portacl.suser_exempt` -port_high=`sysctl -n security.mac.portacl.port_high` +reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh) +suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt) +port_high=$(sysctl -n security.mac.portacl.port_high) restore_settings() { sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null sysctl -n security.mac.portacl.suser_exempt=${suser_exempt} >/dev/null sysctl -n security.mac.portacl.port_high=${port_high} >/dev/null } Index: head/tools/regression/mac/mac_portacl/nobody.t =================================================================== --- head/tools/regression/mac/mac_portacl/nobody.t (revision 292568) +++ head/tools/regression/mac/mac_portacl/nobody.t (revision 292569) 
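Review bot: restore_settings never puts `security.mac.portacl.rules` back, yet bind_test clears that sysctl unconditionally (`sysctl security.mac.portacl.rules= >/dev/null`) and an interrupted run can die between installing `${idtype}:${idstr}:${proto}:${port}` and the clearing call at the end of bind_test. Any rule an administrator had configured is therefore wiped by a run, and a test rule can be left behind; whether a stale rule grants anything depends on the restored reservedhigh/port_high values, but the module should still be returned to the state the run found. Capture the rules next to the other three sysctls, `portacl_rules=$(sysctl -n security.mac.portacl.rules)`, and restore them in restore_settings with `sysctl security.mac.portacl.rules="${portacl_rules}" >/dev/null`. The trap that makes restore_settings the cleanup path is registered in the .t scripts, not in this hunk.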
@@ -1,67 +1,67 @@ #!/bin/sh # $FreeBSD$ dir=`dirname $0` . ${dir}/misc.sh echo "1..64" # security.mac.portacl.suser_exempt value doesn't affect unprivileged users # behaviour. # mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh. +trap restore_settings EXIT INT TERM + sysctl security.mac.portacl.suser_exempt=1 >/dev/null sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null bind_test fl fl uid nobody tcp 77 bind_test ok ok uid nobody tcp 7777 bind_test fl fl uid nobody udp 77 bind_test ok ok uid nobody udp 7777 bind_test fl fl gid nobody tcp 77 bind_test ok ok gid nobody tcp 7777 bind_test fl fl gid nobody udp 77 bind_test ok ok gid nobody udp 7777 sysctl security.mac.portacl.suser_exempt=0 >/dev/null bind_test fl fl uid nobody tcp 77 bind_test ok ok uid nobody tcp 7777 bind_test fl fl uid nobody udp 77 bind_test ok ok uid nobody udp 7777 bind_test fl fl gid nobody tcp 77 bind_test ok ok gid nobody tcp 7777 bind_test fl fl gid nobody udp 77 bind_test ok ok gid nobody udp 7777 # Verify if security.mac.portacl.port_high works. sysctl security.mac.portacl.port_high=7778 >/dev/null bind_test fl fl uid nobody tcp 77 bind_test fl ok uid nobody tcp 7777 bind_test fl fl uid nobody udp 77 bind_test fl ok uid nobody udp 7777 bind_test fl fl gid nobody tcp 77 bind_test fl ok gid nobody tcp 7777 bind_test fl fl gid nobody udp 77 bind_test fl ok gid nobody udp 7777 # Verify if mac_portacl rules work. 
sysctl net.inet.ip.portrange.reservedhigh=76 >/dev/null sysctl security.mac.portacl.port_high=7776 >/dev/null bind_test fl ok uid nobody tcp 77 bind_test ok ok uid nobody tcp 7777 bind_test fl ok uid nobody udp 77 bind_test ok ok uid nobody udp 7777 bind_test fl ok gid nobody tcp 77 bind_test ok ok gid nobody tcp 7777 bind_test fl ok gid nobody udp 77 bind_test ok ok gid nobody udp 7777 - -restore_settings Index: head/tools/regression/mac/mac_portacl/root.t =================================================================== --- head/tools/regression/mac/mac_portacl/root.t (revision 292568) +++ head/tools/regression/mac/mac_portacl/root.t (revision 292569) @@ -1,51 +1,51 @@ #!/bin/sh # $FreeBSD$ dir=`dirname $0` . ${dir}/misc.sh echo "1..48" # Verify if security.mac.portacl.suser_exempt=1 really exempts super-user. +trap restore_settings EXIT INT TERM + sysctl security.mac.portacl.suser_exempt=1 >/dev/null bind_test ok ok uid root tcp 77 bind_test ok ok uid root tcp 7777 bind_test ok ok uid root udp 77 bind_test ok ok uid root udp 7777 bind_test ok ok gid root tcp 77 bind_test ok ok gid root tcp 7777 bind_test ok ok gid root udp 77 bind_test ok ok gid root udp 7777 # Verify if security.mac.portacl.suser_exempt=0 really doesn't exempt super-user. sysctl security.mac.portacl.suser_exempt=0 >/dev/null bind_test fl ok uid root tcp 77 bind_test ok ok uid root tcp 7777 bind_test fl ok uid root udp 77 bind_test ok ok uid root udp 7777 bind_test fl ok gid root tcp 77 bind_test ok ok gid root tcp 7777 bind_test fl ok gid root udp 77 bind_test ok ok gid root udp 7777 # Verify if security.mac.portacl.port_high works for super-user. sysctl security.mac.portacl.port_high=7778 >/dev/null bind_test fl ok uid root tcp 77 bind_test fl ok uid root tcp 7777 bind_test fl ok uid root udp 77 bind_test fl ok uid root udp 7777 bind_test fl ok gid root tcp 77 bind_test fl ok gid root tcp 7777 bind_test fl ok gid root udp 77 bind_test fl ok gid root udp 7777 - -restore_settings
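Review bot: `trap restore_settings EXIT INT TERM` does not stop the script on SIGINT or SIGTERM: a trapped signal replaces the default termination, so once restore_settings returns the remaining bind_test calls keep running against the restored sysctls (with nc's 10-second timeouts) and report spurious results, and restore_settings then runs a second time from the EXIT trap. Keep cleanup on EXIT only and make the signals leave through it: `trap restore_settings EXIT` followed by `trap 'exit 1' INT TERM`, so a Ctrl-C restores reservedhigh, suser_exempt and port_high exactly once and actually ends the run. While this script runs, reservedhigh is lowered to 78 and then 76, which lets any local user bind ports above it and below 1024, so the cleanup path has to terminate reliably rather than only on a clean exit.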
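Review bot: the same `trap restore_settings EXIT INT TERM` as in nobody.t lets a SIGINT or SIGTERM run the handler and then continue instead of terminating, so the bind_test calls after the interrupted one proceed against the restored sysctls and restore_settings is invoked again at exit. The window matters here because `security.mac.portacl.suser_exempt=0` is set a few lines below the trap, and the `fl` expectations in that block show that root's own binds to low ports such as 77 fail while it is in effect unless a rule allows them. Use `trap restore_settings EXIT` plus `trap 'exit 1' INT TERM` so a signal exits through the EXIT trap exactly once.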