Rather than passing SUSER_RUID into priv_check_cred() to specify when

a privilege is checked against the real uid rather than the effective
uid, instead decide which uid to use in priv_check_cred() based on the
privilege passed in.  We use the real uid for PRIV_MAXFILES,
PRIV_MAXPROC, and PRIV_PROC_LIMIT.  Remove the definition of
SUSER_RUID; there are now no flags defined for priv_check_cred().

Obtained from:	TrustedBSD Project

1 files changed, 3 insertions, 4 deletions

diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index c0e3204..1a7f4a7 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -293,9 +293,8 @@ fork1(td, flags, pages, procp)
 	 * processes, maxproc is the limit.
 	 */
 	sx_xlock(&allproc_lock);
-	if ((nprocs >= maxproc - 10 &&
-	    priv_check_cred(td->td_ucred, PRIV_MAXPROC, SUSER_RUID) != 0) ||
-	    nprocs >= maxproc) {
+	if ((nprocs >= maxproc - 10 && priv_check_cred(td->td_ucred,
+	    PRIV_MAXPROC, 0) != 0) || nprocs >= maxproc) {
 		error = EAGAIN;
 		goto fail;
 	}
@@ -306,7 +305,7 @@ fork1(td, flags, pages, procp)
 	 *
 	 * XXXRW: Can we avoid privilege here if it's not needed?
 	 */
-	error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID);
+	error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, 0);
 	if (error == 0)
 		ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0);
 	else {