Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in

some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.

Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.

We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths.  Do, however, move those prototypes to priv.h.

Reviewed by:	csjp
Obtained from:	TrustedBSD Project

2 files changed, 2 insertions, 4 deletions

diff --git a/sys/compat/svr4/svr4_fcntl.c b/sys/compat/svr4/svr4_fcntl.c
index 6073e0d..8735abb 100644
--- a/sys/compat/svr4/svr4_fcntl.c
+++ b/sys/compat/svr4/svr4_fcntl.c
@@ -281,8 +281,7 @@ fd_revoke(td, fd)
 		goto out;
 
 	if (td->td_ucred->cr_uid != vattr.va_uid &&
-	    (error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
-	    SUSER_ALLOWJAIL)) != 0)
+	    (error = priv_check(td, PRIV_VFS_ADMIN)) != 0)
 		goto out;
 
 	if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0)
diff --git a/sys/compat/svr4/svr4_misc.c b/sys/compat/svr4/svr4_misc.c
index a158fd7..e4c48c0 100644
--- a/sys/compat/svr4/svr4_misc.c
+++ b/sys/compat/svr4/svr4_misc.c
@@ -612,8 +612,7 @@ svr4_sys_fchroot(td, uap)
 	struct file	*fp;
 	int		 error, vfslocked;
 
-	if ((error = priv_check_cred(td->td_ucred, PRIV_VFS_FCHROOT,
-	    SUSER_ALLOWJAIL)) != 0)
+	if ((error = priv_check(td, PRIV_VFS_FCHROOT)) != 0)
 		return error;
 	if ((error = getvnode(fdp, uap->fd, &fp)) != 0)
 		return error;