authorpjd <pjd@FreeBSD.org>2009-10-08 16:05:17 +0000
committerpjd <pjd@FreeBSD.org>2009-10-08 16:05:17 +0000
commit91e8f12740ed6a3e1d23db4edaa7e819e5618251 (patch)
treed3c717750bf8b6cda9663d4c35ec4de48c32fa83 /sys/cddl/compat
parent4a0c1891f4d08b211f16e0cf75ca100bc6870dda (diff)
Allow file system owner to modify system flags if securelevel permits.
MFC after: 3 days
Diffstat (limited to 'sys/cddl/compat')
-rw-r--r--sys/cddl/compat/opensolaris/kern/opensolaris_policy.c5
-rw-r--r--sys/cddl/compat/opensolaris/sys/policy.h3
2 files changed, 6 insertions, 2 deletions
diff --git a/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c b/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c
index 040f27d..865fba3 100644
--- a/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c
+++ b/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c
@@ -358,8 +358,11 @@ secpolicy_fs_mount_clearopts(cred_t *cr, struct mount *vfsp)
* Check privileges for setting xvattr attributes
*/
int
-secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
+secpolicy_xvattr(struct vnode *vp, xvattr_t *xvap, uid_t owner, cred_t *cr,
+ vtype_t vtype)
{
+ if (secpolicy_fs_owner(vp->v_mount, cr) == 0)
+ return (0);
return (priv_check_cred(cr, PRIV_VFS_SYSFLAGS, 0));
}
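Review bot: The early return on `secpolicy_fs_owner(vp->v_mount, cr) == 0` reports success with no securelevel test visible in secpolicy_xvattr, although the commit message makes the new permission conditional on securelevel. On that path `priv_check_cred(cr, PRIV_VFS_SYSFLAGS, 0)` is skipped entirely, so any restriction it would apply no longer covers the file system owner; the securelevel check presumably lives in a caller, which is outside this diff. I would record that dependency above the test, e.g. `/* File system owner may change system flags; securelevel must already have been checked by the caller. */`, and confirm that every caller actually does so. The function also now dereferences `vp` unconditionally, so each updated call site has to pass a vnode with a valid `v_mount`.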
diff --git a/sys/cddl/compat/opensolaris/sys/policy.h b/sys/cddl/compat/opensolaris/sys/policy.h
index 08db5ca..6731d7c 100644
--- a/sys/cddl/compat/opensolaris/sys/policy.h
+++ b/sys/cddl/compat/opensolaris/sys/policy.h
@@ -70,7 +70,8 @@ int secpolicy_setid_setsticky_clear(struct vnode *vp, struct vattr *vap,
int secpolicy_fs_owner(struct mount *vfsp, struct ucred *cred);
int secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct mount *vfsp);
void secpolicy_fs_mount_clearopts(cred_t *cr, struct mount *vfsp);
-int secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype);
+int secpolicy_xvattr(struct vnode *vp, xvattr_t *xvap, uid_t owner,
+ cred_t *cr, vtype_t vtype);
#endif /* _KERNEL */