Rather than passing SUSER_RUID into priv_check_cred() to specify when

a privilege is checked against the real uid rather than the effective
uid, instead decide which uid to use in priv_check_cred() based on the
privilege passed in.  We use the real uid for PRIV_MAXFILES,
PRIV_MAXPROC, and PRIV_PROC_LIMIT.  Remove the definition of
SUSER_RUID; there are now no flags defined for priv_check_cred().

Obtained from:	TrustedBSD Project

sys/kern/kern_descrip.c

@@ -1332,7 +1332,7 @@ falloc(struct thread *td, struct file **resultfp, int *resultfd)
 	sx_xlock(&filelist_lock);
 
 	if ((openfiles >= maxuserfiles &&
-	    priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0) ||
+	    priv_check(td, PRIV_MAXFILES) != 0) ||
 	    openfiles >= maxfiles) {
 		if (ppsratecheck(&lastfail, &curfail, 1)) {
 			printf("kern.maxfiles limit exceeded by uid %i, please see tuning(7).\n",

sys/kern/kern_fork.c

@@ -293,9 +293,8 @@ fork1(td, flags, pages, procp)
 	 * processes, maxproc is the limit.
 	 */
 	sx_xlock(&allproc_lock);
-	if ((nprocs >= maxproc - 10 &&
-	    priv_check_cred(td->td_ucred, PRIV_MAXPROC, SUSER_RUID) != 0) ||
-	    nprocs >= maxproc) {
+	if ((nprocs >= maxproc - 10 && priv_check_cred(td->td_ucred,
+	    PRIV_MAXPROC, 0) != 0) || nprocs >= maxproc) {
 		error = EAGAIN;
 		goto fail;
 	}
@@ -306,7 +305,7 @@ fork1(td, flags, pages, procp)
 	 *
 	 * XXXRW: Can we avoid privilege here if it's not needed?
 	 */
-	error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID);
+	error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, 0);
 	if (error == 0)
 		ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0);
 	else {

sys/kern/kern_priv.c

@@ -68,6 +68,10 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
 	KASSERT(PRIV_VALID(priv), ("priv_check_cred: invalid privilege %d",
 	    priv));
 
+	/*
+	 * We first evaluate policies that may deny the granting of
+	 * privilege unilaterally.
+	 */
 #ifdef MAC
 	error = mac_priv_check(cred, priv);
 	if (error)
@@ -84,21 +88,28 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
 
 	/*
 	 * Having determined if privilege is restricted by various policies,
-	 * now determine if privilege is granted.  For now, we allow
-	 * short-circuit boolean evaluation, so may not call all policies.
-	 * Perhaps we should.
+	 * now determine if privilege is granted.  At this point, any policy
+	 * may grant privilege.  For now, we allow short-circuit boolean
+	 * evaluation, so may not call all policies.  Perhaps we should.
 	 *
 	 * Superuser policy grants privilege based on the effective (or in
-	 * certain edge cases, real) uid being 0.  We allow the policy to be
-	 * globally disabled, although this is currently of limited utility.
+	 * the case of specific privileges, real) uid being 0.  We allow the
+	 * superuser policy to be globally disabled, although this is
+	 * currenty of limited utility.
 	 */
 	if (suser_enabled) {
-		if (flags & SUSER_RUID) {
+		switch (priv) {
+		case PRIV_MAXFILES:
+		case PRIV_MAXPROC:
+		case PRIV_PROC_LIMIT:
 			if (cred->cr_ruid == 0)
 				return (0);
-		} else {
+			break;
+
+		default:
 			if (cred->cr_uid == 0)
 				return (0);
+			break;
 		}
 	}
 

sys/sys/priv.h

@@ -457,10 +457,10 @@
 #ifdef _KERNEL
 /*
  * Privilege check interfaces, modeled after historic suser() interfacs, but
- * with the addition of a specific privilege name.  The existing SUSER_* flag
- * name space is used here.  The jail flag will likely be something that can
- * be removed at some point as jail itself will be able to decide if the priv
- * is appropriate, rather than the caller.
+ * with the addition of a specific privilege name.  No flags are currently
+ * defined for the API.  Historically, flags specified using the real uid
+ * instead of the effective uid, and whether or not the check should be
+ * allowed in jail.
  */
 struct thread;
 struct ucred;
@@ -472,12 +472,6 @@ int	priv_check_cred(struct ucred *cred, int priv, int flags);
  */
 int	suser(struct thread *td);
 int	suser_cred(struct ucred *cred, int flags);
-
-/*
- * For historical reasons, flags to priv_check_cred() retain the SUSER_
- * prefix.
- */
-#define	SUSER_RUID	2
 #endif
 
 #endif /* !_SYS_PRIV_H_ */