authorjhb <jhb@FreeBSD.org>2002-04-01 21:31:13 +0000
committerjhb <jhb@FreeBSD.org>2002-04-01 21:31:13 +0000
commitdc2e474f79c1287592679cd5e0c4c2307feccd60 (patch)
tree79021f0d43a5858be317d5cd33eac8cd4962b336 /sys/kern
parent34c7d606c9818987384d404948ecdc98521462bd (diff)
Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API. The entire API now consists of two functions similar to the pre-KSE API. The suser() function takes a thread pointer as its only argument. The td_ucred member of this thread must be valid so the only valid thread pointers are curthread and a few kernel threads such as thread0. The suser_cred() function takes a pointer to a struct ucred as its first argument and an integer flag as its second argument. The flag is currently only used for the PRISON_ROOT flag. Discussed on: smp@
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_acct.c2
-rw-r--r--sys/kern/kern_acl.c2
-rw-r--r--sys/kern/kern_exec.c2
-rw-r--r--sys/kern/kern_jail.c2
-rw-r--r--sys/kern/kern_ktrace.c2
-rw-r--r--sys/kern/kern_linker.c4
-rw-r--r--sys/kern/kern_ntptime.c2
-rw-r--r--sys/kern/kern_prot.c85
-rw-r--r--sys/kern/kern_resource.c6
-rw-r--r--sys/kern/kern_shutdown.c2
-rw-r--r--sys/kern/kern_sysctl.c4
-rw-r--r--sys/kern/kern_time.c6
-rw-r--r--sys/kern/kern_xxx.c6
-rw-r--r--sys/kern/subr_acl_posix1e.c2
-rw-r--r--sys/kern/subr_prf.c2
-rw-r--r--sys/kern/sysv_ipc.c4
-rw-r--r--sys/kern/sysv_msg.c2
-rw-r--r--sys/kern/tty.c12
-rw-r--r--sys/kern/tty_cons.c2
-rw-r--r--sys/kern/tty_pty.c2
-rw-r--r--sys/kern/vfs_acl.c2
-rw-r--r--sys/kern/vfs_extattr.c50
-rw-r--r--sys/kern/vfs_subr.c2
-rw-r--r--sys/kern/vfs_syscalls.c50
-rw-r--r--sys/kern/vfs_vnops.c2
25 files changed, 119 insertions, 138 deletions
diff --git a/sys/kern/kern_acct.c b/sys/kern/kern_acct.c
index afb0ab0..12c72cc 100644
--- a/sys/kern/kern_acct.c
+++ b/sys/kern/kern_acct.c
@@ -123,7 +123,7 @@ acct(td, uap)
if (td != curthread)
panic("acct"); /* XXXKSE DIAGNOSTIC */
/* Make sure that the caller is root. */
- error = suser_xxx(td->td_proc->p_ucred, NULL, 0);
+ error = suser(td);
if (error)
goto done2;
diff --git a/sys/kern/kern_acl.c b/sys/kern/kern_acl.c
index b0d0baf..55ab33e 100644
--- a/sys/kern/kern_acl.c
+++ b/sys/kern/kern_acl.c
@@ -89,7 +89,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
* a DAC entry that matches but has failed to allow access.
*/
#ifndef CAPABILITIES
- if (suser_xxx(cred, NULL, PRISON_ROOT) == 0)
+ if (suser_cred(cred, PRISON_ROOT) == 0)
cap_granted = (VEXEC | VREAD | VWRITE | VADMIN);
else
cap_granted = 0;
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index ba68e68..36003c6 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -353,7 +353,7 @@ interpret:
* we do not regain any tracing during a possible block.
*/
setsugid(p);
- if (p->p_tracep && suser_xxx(oldcred, NULL, PRISON_ROOT)) {
+ if (p->p_tracep && suser_cred(oldcred, PRISON_ROOT)) {
struct vnode *vtmp;
if ((vtmp = p->p_tracep) != NULL) {
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index ac5b732..aae12be 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -87,7 +87,7 @@ jail(td, uap)
pr->pr_ip = j.ip_number;
PROC_LOCK(p);
/* Implicitly fail if already in jail. */
- error = suser_xxx(p->p_ucred, NULL, 0);
+ error = suser_cred(p->p_ucred, 0);
if (error)
goto badcred;
oldcred = p->p_ucred;
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 4991b0d..b94db2a 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -594,7 +594,7 @@ ktrcanset(callp, targetp)
{
if (targetp->p_traceflag & KTRFAC_ROOT &&
- suser_xxx(NULL, callp, PRISON_ROOT))
+ suser_cred(callp->p_ucred, PRISON_ROOT))
return (0);
if (p_candebug(callp, targetp) != 0)
diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index 1050b33..bad5e1e 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -703,7 +703,7 @@ kldload(struct thread *td, struct kldload_args *uap)
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
goto out;
- if ((error = suser_xxx(td->td_ucred, NULL, 0)) != 0)
+ if ((error = suser(td)) != 0)
goto out;
pathname = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
@@ -750,7 +750,7 @@ kldunload(struct thread *td, struct kldunload_args *uap)
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
goto out;
- if ((error = suser_xxx(td->td_ucred, NULL, 0)) != 0)
+ if ((error = suser(td)) != 0)
goto out;
lf = linker_find_file_by_id(SCARG(uap, fileid));
diff --git a/sys/kern/kern_ntptime.c b/sys/kern/kern_ntptime.c
index 91daee0..96870e0 100644
--- a/sys/kern/kern_ntptime.c
+++ b/sys/kern/kern_ntptime.c
@@ -300,7 +300,7 @@ ntp_adjtime(struct thread *td, struct ntp_adjtime_args *uap)
mtx_lock(&Giant);
modes = ntv.modes;
if (modes)
- error = suser_td(td);
+ error = suser(td);
if (error)
goto done2;
s = splclock();
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index dc2a6be..3ba42b1 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -555,7 +555,7 @@ setuid(struct thread *td, struct setuid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
#endif
- (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
+ (error = suser_cred(oldcred, PRISON_ROOT)) != 0)
goto done2;
newcred = crdup(oldcred);
@@ -568,7 +568,7 @@ setuid(struct thread *td, struct setuid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
uid == oldcred->cr_uid ||
#endif
- suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
+ suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
#endif
{
/*
@@ -629,7 +629,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
oldcred = p->p_ucred;
if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
- (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
+ (error = suser_cred(oldcred, PRISON_ROOT)) != 0)
goto done2;
/*
* Everything's okay, do it. Copy credentials so other references do
@@ -687,7 +687,7 @@ setgid(struct thread *td, struct setgid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
#endif
- (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
+ (error = suser_cred(oldcred, PRISON_ROOT)) != 0)
goto done2;
newcred = crdup(oldcred);
@@ -700,7 +700,7 @@ setgid(struct thread *td, struct setgid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
gid == oldcred->cr_groups[0] ||
#endif
- suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
+ suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
#endif
{
/*
@@ -760,7 +760,7 @@ setegid(struct thread *td, struct setegid_args *uap)
oldcred = p->p_ucred;
if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
- (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
+ (error = suser_cred(oldcred, PRISON_ROOT)) != 0)
goto done2;
newcred = crdup(oldcred);
if (oldcred->cr_groups[0] != egid) {
@@ -795,7 +795,7 @@ setgroups(struct thread *td, struct setgroups_args *uap)
ngrp = uap->gidsetsize;
mtx_lock(&Giant);
oldcred = p->p_ucred;
- if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
+ if ((error = suser_cred(oldcred, PRISON_ROOT)) != 0)
goto done2;
if (ngrp > NGROUPS) {
error = EINVAL;
@@ -857,7 +857,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
ruid != oldcred->cr_svuid) ||
(euid != (uid_t)-1 && euid != oldcred->cr_uid &&
euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
- (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
+ (error = suser_cred(oldcred, PRISON_ROOT)) != 0)
goto done2;
newcred = crdup(oldcred);
if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
@@ -907,7 +907,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
rgid != oldcred->cr_svgid) ||
(egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
- (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
+ (error = suser_cred(oldcred, PRISON_ROOT)) != 0)
goto done2;
newcred = crdup(oldcred);
if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
@@ -968,7 +968,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
(suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
suid != oldcred->cr_svuid &&
suid != oldcred->cr_uid)) &&
- (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
+ (error = suser_cred(oldcred, PRISON_ROOT)) != 0)
goto done2;
newcred = crdup(oldcred);
if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
@@ -1029,7 +1029,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
(sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
sgid != oldcred->cr_svgid &&
sgid != oldcred->cr_groups[0])) &&
- (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
+ (error = suser_cred(oldcred, PRISON_ROOT)) != 0)
goto done2;
newcred = crdup(oldcred);
if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
@@ -1209,47 +1209,15 @@ TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
/*
* Test whether the specified credentials imply "super-user" privilege.
- * Return 0 or EPERM.
+ * Return 0 or EPERM. The flag argument is currently used only to
+ * specify jail interaction.
*/
int
-suser(struct proc *p)
+suser_cred(struct ucred *cred, int flag)
{
- return (suser_xxx(0, p, 0));
-}
-
-/*
- * version for when the thread pointer is available and not the proc.
- * (saves having to include proc.h into every file that needs to do the change.)
- */
-int
-suser_td(struct thread *td)
-{
- return (suser_xxx(0, td->td_proc, 0));
-}
-
-/*
- * wrapper to use if you have the thread on hand but not the proc.
- *
- * MPSAFE (cred must be held)
- */
-int
-suser_xxx_td(struct ucred *cred, struct thread *td, int flag)
-{
- return(suser_xxx(cred, td->td_proc, flag));
-}
-
-int
-suser_xxx(struct ucred *cred, struct proc *proc, int flag)
-{
if (!suser_enabled)
return (EPERM);
- if (!cred && !proc) {
- printf("suser_xxx(): THINK!\n");
- return (EPERM);
- }
- if (cred == NULL)
- cred = proc->p_ucred;
if (cred->cr_uid != 0)
return (EPERM);
if (jailed(cred) && !(flag & PRISON_ROOT))
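Review bot: suser_cred() now dereferences `cred` unconditionally at `cred->cr_uid`, because the removed lines were the only guard against a NULL credential (they failed closed with EPERM when both arguments were NULL). An explicit precondition check at the top, such as `KASSERT(cred != NULL, ("suser_cred: NULL cred"));`, would turn a caller mistake into a clear diagnostic on kernels built with assertions instead of a fault inside a privilege check. The header comment could also say that the test is on `cr_uid` and that a jailed credential passes only when `PRISON_ROOT` is set in `flag`. The function body continues past the end of this hunk.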
@@ -1258,6 +1226,17 @@ suser_xxx(struct ucred *cred, struct proc *proc, int flag)
}
/*
+ * Shortcut to hide contents of struct td and struct proc from the
+ * caller, promoting binary compatibility.
+ */
+int
+suser(struct thread *td)
+{
+
+ return (suser_cred(td->td_ucred, 0));
+}
+
+/*
* Test the active securelevel against a given level. securelevel_gt()
* implements (securelevel > level). securelevel_ge() implements
* (securelevel >= level). Note that the logic is inverted -- these
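Review bot: The comment above the new suser() leaves out the two facts a caller needs to use it safely, both of which appear only in the commit message or in the body. First, `td->td_ucred` must be valid, so `td` has to be curthread or one of the few kernel threads such as thread0. Second, the flag passed down is always 0, so root inside a jail is refused. I would extend the comment with something like `* td must be curthread (or a kernel thread with a valid td_ucred); jailed root is denied, use suser_cred(cred, PRISON_ROOT) to permit it.` so that the choice between the two entry points is a visible policy decision at each call site.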
@@ -1328,7 +1307,7 @@ cr_seeotheruids(struct ucred *u1, struct ucred *u2)
{
if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
- if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
+ if (suser_cred(u1, PRISON_ROOT) != 0)
return (ESRCH);
}
return (0);
@@ -1416,7 +1395,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
break;
default:
/* Not permitted without privilege. */
- error = suser_xxx(cred, NULL, PRISON_ROOT);
+ error = suser_cred(cred, PRISON_ROOT);
if (error)
return (error);
}
@@ -1431,7 +1410,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
cred->cr_uid != proc->p_ucred->cr_ruid &&
cred->cr_uid != proc->p_ucred->cr_svuid) {
/* Not permitted without privilege. */
- error = suser_xxx(cred, NULL, PRISON_ROOT);
+ error = suser_cred(cred, PRISON_ROOT);
if (error)
return (error);
}
@@ -1489,7 +1468,7 @@ p_cansched(struct proc *p1, struct proc *p2)
return (0);
if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid)
return (0);
- if (suser_xxx(0, p1, PRISON_ROOT) == 0)
+ if (suser_cred(p1->p_ucred, PRISON_ROOT) == 0)
return (0);
#ifdef CAPABILITIES
@@ -1530,7 +1509,7 @@ p_candebug(struct proc *p1, struct proc *p2)
int credentialchanged, error, grpsubset, i, uidsubset;
if (!unprivileged_proc_debug) {
- error = suser_xxx(NULL, p1, PRISON_ROOT);
+ error = suser_cred(p1->p_ucred, PRISON_ROOT);
if (error)
return (error);
}
@@ -1576,7 +1555,7 @@ p_candebug(struct proc *p1, struct proc *p2)
* require CAP_SYS_PTRACE.
*/
if (!grpsubset || !uidsubset || credentialchanged) {
- error = suser_xxx(NULL, p1, PRISON_ROOT);
+ error = suser_cred(p1->p_ucred, PRISON_ROOT);
if (error)
return (error);
}
@@ -1828,7 +1807,7 @@ setlogin(struct thread *td, struct setlogin_args *uap)
char logintmp[MAXLOGNAME];
mtx_lock(&Giant);
- if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0)
+ if ((error = suser_cred(td->td_ucred, PRISON_ROOT)) != 0)
goto done2;
error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp,
sizeof(logintmp), (size_t *)0);
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index fbd76c2..26349bd 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -258,7 +258,7 @@ donice(curp, chgp, n)
if (n < PRIO_MIN)
n = PRIO_MIN;
if (n < chgp->p_ksegrp.kg_nice /* XXXKSE */ &&
- suser_xxx(curp->p_ucred, NULL, 0))
+ suser_cred(curp->p_ucred, 0))
return (EACCES);
chgp->p_ksegrp.kg_nice /* XXXKSE */ = n;
(void)resetpriority(&chgp->p_ksegrp); /* XXXKSE */
@@ -320,7 +320,7 @@ rtprio(td, uap)
(error = copyin(uap->rtp, &rtp, sizeof(struct rtprio))))
break;
/* disallow setting rtprio in most cases if not superuser */
- if (suser_xxx(curp->p_ucred, NULL, 0) != 0) {
+ if (suser(td) != 0) {
/* can't set someone else's */
if (uap->pid) {
error = EPERM;
@@ -521,7 +521,7 @@ dosetrlimit(td, which, limp)
if (limp->rlim_cur > alimp->rlim_max ||
limp->rlim_max > alimp->rlim_max)
- if ((error = suser_xxx(0, p, PRISON_ROOT)))
+ if ((error = suser_cred(td->td_ucred, PRISON_ROOT)))
return (error);
if (limp->rlim_cur > limp->rlim_max)
limp->rlim_cur = limp->rlim_max;
diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c
index 3312b54..fe0cbb0 100644
--- a/sys/kern/kern_shutdown.c
+++ b/sys/kern/kern_shutdown.c
@@ -148,7 +148,7 @@ reboot(struct thread *td, struct reboot_args *uap)
int error;
mtx_lock(&Giant);
- if ((error = suser_td(td)) == 0)
+ if ((error = suser(td)) == 0)
boot(uap->opt);
mtx_unlock(&Giant);
return (error);
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 9942ca1..6938706 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -463,7 +463,7 @@ sysctl_sysctl_debug(SYSCTL_HANDLER_ARGS)
{
int error;
- error = suser(req->td->td_proc);
+ error = suser(req->td);
if (error)
return error;
sysctl_sysctl_debug_dump_node(&sysctl__children, 0);
@@ -1084,7 +1084,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
flags = PRISON_ROOT;
else
flags = 0;
- error = suser_xxx(NULL, req->td->td_proc, flags);
+ error = suser_cred(req->td->td_ucred, flags);
if (error)
return (error);
}
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c
index 970cb93..58c81ab 100644
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@@ -187,7 +187,7 @@ clock_settime(td, uap)
int error;
mtx_lock(&Giant);
- if ((error = suser_td(td)) != 0)
+ if ((error = suser(td)) != 0)
goto done2;
if (SCARG(uap, clock_id) != CLOCK_REALTIME) {
error = EINVAL;
@@ -370,7 +370,7 @@ settimeofday(td, uap)
mtx_lock(&Giant);
- if ((error = suser_td(td)))
+ if ((error = suser(td)))
goto done2;
/* Verify all parameters before changing time. */
if (uap->tv) {
@@ -421,7 +421,7 @@ adjtime(td, uap)
mtx_lock(&Giant);
- if ((error = suser_td(td)))
+ if ((error = suser(td)))
goto done2;
error = copyin((caddr_t)uap->delta, (caddr_t)&atv,
sizeof(struct timeval));
diff --git a/sys/kern/kern_xxx.c b/sys/kern/kern_xxx.c
index f3f19ee..9d4136b 100644
--- a/sys/kern/kern_xxx.c
+++ b/sys/kern/kern_xxx.c
@@ -97,7 +97,7 @@ osethostname(td, uap)
name[0] = CTL_KERN;
name[1] = KERN_HOSTNAME;
mtx_lock(&Giant);
- if ((error = suser_xxx(0, td->td_proc, PRISON_ROOT)) == 0) {
+ if ((error = suser_cred(td->td_ucred, PRISON_ROOT)) == 0) {
error = userland_sysctl(td, name, 2, 0, 0, 0,
uap->hostname, uap->len, 0);
}
@@ -143,7 +143,7 @@ osethostid(td, uap)
int error;
mtx_lock(&Giant);
- if ((error = suser_td(td)))
+ if ((error = suser(td)))
hostid = uap->hostid;
mtx_unlock(&Giant);
return (error);
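Review bot: The privilege test in osethostid() is inverted: `if ((error = suser(td))) hostid = uap->hostid;` assigns the host id exactly when suser() returns non-zero, i.e. when the caller is not the superuser. The function then returns that error anyway, while a privileged caller gets 0 back and no change. The removed line had the same shape with suser_td(), so this commit carries the problem over rather than introducing it, but the rename is a good moment to fix it with `if ((error = suser(td)) == 0)`. The start of the function is outside this hunk.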
@@ -298,7 +298,7 @@ setdomainname(td, uap)
int error, domainnamelen;
mtx_lock(&Giant);
- if ((error = suser_td(td)))
+ if ((error = suser(td)))
goto done2;
if ((u_int)uap->len > sizeof (domainname) - 1) {
error = EINVAL;
diff --git a/sys/kern/subr_acl_posix1e.c b/sys/kern/subr_acl_posix1e.c
index b0d0baf..55ab33e 100644
--- a/sys/kern/subr_acl_posix1e.c
+++ b/sys/kern/subr_acl_posix1e.c
@@ -89,7 +89,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
* a DAC entry that matches but has failed to allow access.
*/
#ifndef CAPABILITIES
- if (suser_xxx(cred, NULL, PRISON_ROOT) == 0)
+ if (suser_cred(cred, PRISON_ROOT) == 0)
cap_granted = (VEXEC | VREAD | VWRITE | VADMIN);
else
cap_granted = 0;
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index b670c67..d1c42a6 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -861,7 +861,7 @@ sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
int error;
if (!unprivileged_read_msgbuf) {
- error = suser_td(req->td);
+ error = suser(req->td);
if (error)
return (error);
}
diff --git a/sys/kern/sysv_ipc.c b/sys/kern/sysv_ipc.c
index 42a1465..fc5fd8f 100644
--- a/sys/kern/sysv_ipc.c
+++ b/sys/kern/sysv_ipc.c
@@ -81,7 +81,7 @@ ipcperm(td, perm, mode)
/* Check for user match. */
if (cred->cr_uid != perm->cuid && cred->cr_uid != perm->uid) {
if (mode & IPC_M)
- return (suser_td(td) == 0 ? 0 : EPERM);
+ return (suser(td) == 0 ? 0 : EPERM);
/* Check for group match. */
mode >>= 3;
if (!groupmember(perm->gid, cred) &&
@@ -93,5 +93,5 @@ ipcperm(td, perm, mode)
if (mode & IPC_M)
return (0);
return ((mode & perm->mode) == mode ||
- suser_td(td) == 0 ? 0 : EACCES);
+ suser(td) == 0 ? 0 : EACCES);
}
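Review bot: The final return in ipcperm() relies on `||` binding tighter than `?:`, which makes `(mode & perm->mode) == mode || suser(td) == 0 ? 0 : EACCES` easy to misread as granting access only through the superuser arm. Since this line decides an access check, explicit grouping would remove the doubt: `return (((mode & perm->mode) == mode || suser(td) == 0) ? 0 : EACCES);`. The behaviour stays the same; only the parentheses are added.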
diff --git a/sys/kern/sysv_msg.c b/sys/kern/sysv_msg.c
index a26a172..4dd2249 100644
--- a/sys/kern/sysv_msg.c
+++ b/sys/kern/sysv_msg.c
@@ -421,7 +421,7 @@ msgctl(td, uap)
if ((error = copyin(user_msqptr, &msqbuf, sizeof(msqbuf))) != 0)
goto done2;
if (msqbuf.msg_qbytes > msqptr->msg_qbytes) {
- error = suser_td(td);
+ error = suser(td);
if (error)
goto done2;
}
diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index c9a56fd..1214513 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -730,9 +730,11 @@ ttioctl(tp, cmd, data, flag)
void *data;
{
register struct proc *p;
+ struct thread *td;
int s, error;
- p = curproc; /* XXX */
+ td = curthread; /* XXX */
+ p = td->td_proc;
/* If the ioctl involves modification, hang if in the background. */
switch (cmd) {
@@ -851,7 +853,7 @@ ttioctl(tp, cmd, data, flag)
ISSET(constty->t_state, TS_CONNECTED))
return (EBUSY);
#ifndef UCONSOLE
- if ((error = suser_xxx(p->p_ucred, NULL, 0)) != 0)
+ if ((error = suser(td)) != 0)
return (error);
#endif
constty = tp;
@@ -1023,9 +1025,9 @@ ttioctl(tp, cmd, data, flag)
splx(s);
break;
case TIOCSTI: /* simulate terminal input */
- if ((flag & FREAD) == 0 && suser_xxx(p->p_ucred, NULL, 0))
+ if ((flag & FREAD) == 0 && suser(td))
return (EPERM);
- if (!isctty(p, tp) && suser_xxx(p->p_ucred, NULL, 0))
+ if (!isctty(p, tp) && suser(td))
return (EACCES);
s = spltty();
(*linesw[tp->t_line].l_rint)(*(u_char *)data, tp);
@@ -1099,7 +1101,7 @@ ttioctl(tp, cmd, data, flag)
}
break;
case TIOCSDRAINWAIT:
- error = suser_xxx(p->p_ucred, NULL, 0);
+ error = suser(td);
if (error)
return (error);
tp->t_timeout = *(int *)data * hz;
diff --git a/sys/kern/tty_cons.c b/sys/kern/tty_cons.c
index d6f805c..91713c1 100644
--- a/sys/kern/tty_cons.c
+++ b/sys/kern/tty_cons.c
@@ -456,7 +456,7 @@ cnioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct thread *td)
* output from the "virtual" console.
*/
if (cmd == TIOCCONS && constty) {
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
constty = NULL;
diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c
index f1aa946..9bc2360 100644
--- a/sys/kern/tty_pty.c
+++ b/sys/kern/tty_pty.c
@@ -187,7 +187,7 @@ ptsopen(dev, flag, devtype, td)
tp->t_lflag = TTYDEF_LFLAG;
tp->t_cflag = TTYDEF_CFLAG;
tp->t_ispeed = tp->t_ospeed = TTYDEF_SPEED;
- } else if (tp->t_state & TS_XCLUDE && suser_xxx(td->td_ucred, NULL, 0)) {
+ } else if (tp->t_state & TS_XCLUDE && suser(td)) {
return (EBUSY);
} else if (pti->pt_prison != td->td_ucred->cr_prison) {
return (EBUSY);
diff --git a/sys/kern/vfs_acl.c b/sys/kern/vfs_acl.c
index b0d0baf..55ab33e 100644
--- a/sys/kern/vfs_acl.c
+++ b/sys/kern/vfs_acl.c
@@ -89,7 +89,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
* a DAC entry that matches but has failed to allow access.
*/
#ifndef CAPABILITIES
- if (suser_xxx(cred, NULL, PRISON_ROOT) == 0)
+ if (suser_cred(cred, PRISON_ROOT) == 0)
cap_granted = (VEXEC | VREAD | VWRITE | VADMIN);
else
cap_granted = 0;
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index 9ed164b..3ecd199 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -374,7 +374,7 @@ vfs_nmount(td, fsflags, fsoptions)
}
if (usermount == 0) {
- error = suser_td(td);
+ error = suser(td);
if (error)
goto bad;
}
@@ -382,14 +382,14 @@ vfs_nmount(td, fsflags, fsoptions)
* Do not allow NFS export by non-root users.
*/
if (fsflags & MNT_EXPORTED) {
- error = suser_td(td);
+ error = suser(td);
if (error)
goto bad;
}
/*
* Silently enforce MNT_NOSUID and MNT_NODEV for non-root users.
*/
- if (suser_xxx(td->td_ucred, NULL, 0) != 0)
+ if (suser(td))
fsflags |= MNT_NOSUID | MNT_NODEV;
/*
* Get vnode to be covered
@@ -423,7 +423,7 @@ vfs_nmount(td, fsflags, fsoptions)
* permitted to update it.
*/
if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
goto bad;
@@ -460,7 +460,7 @@ vfs_nmount(td, fsflags, fsoptions)
goto bad;
}
if (va.va_uid != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
goto bad;
@@ -480,7 +480,7 @@ vfs_nmount(td, fsflags, fsoptions)
break;
if (vfsp == NULL) {
/* Only load modules for root (very important!). */
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
goto bad;
@@ -722,7 +722,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
return (ENAMETOOLONG);
if (usermount == 0) {
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
}
@@ -730,14 +730,14 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
* Do not allow NFS export by non-root users.
*/
if (fsflags & MNT_EXPORTED) {
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
}
/*
* Silently enforce MNT_NOSUID and MNT_NODEV for non-root users.
*/
- if (suser_xxx(td->td_ucred, NULL, 0) != 0)
+ if (suser(td))
fsflags |= MNT_NOSUID | MNT_NODEV;
/*
* Get vnode to be covered
@@ -769,7 +769,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
* permitted to update it.
*/
if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
return (error);
@@ -803,7 +803,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
return (error);
}
if (va.va_uid != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
return (error);
@@ -822,7 +822,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
break;
if (vfsp == NULL) {
/* Only load modules for root (very important!). */
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
return (error);
@@ -1056,7 +1056,7 @@ unmount(td, uap)
* permitted to unmount this filesystem.
*/
if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
return (error);
@@ -1313,7 +1313,7 @@ statfs(td, uap)
if (error)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
- if (suser_xxx(td->td_ucred, 0, 0)) {
+ if (suser(td)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
@@ -1356,7 +1356,7 @@ fstatfs(td, uap)
if (error)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
- if (suser_xxx(td->td_ucred, 0, 0)) {
+ if (suser(td)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
@@ -1585,7 +1585,7 @@ chroot(td, uap)
struct nameidata nd;
struct vnode *vp;
- error = suser_xxx(0, td->td_proc, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, PRISON_ROOT);
if (error)
return (error);
FILEDESC_LOCK(fdp);
@@ -1868,10 +1868,10 @@ mknod(td, uap)
switch (SCARG(uap, mode) & S_IFMT) {
case S_IFCHR:
case S_IFBLK:
- error = suser_td(td);
+ error = suser(td);
break;
default:
- error = suser_xxx(0, td->td_proc, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, PRISON_ROOT);
break;
}
if (error)
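Review bot: The two arms of this switch in mknod() now apply visibly different jail policy, `suser(td)` for S_IFCHR/S_IFBLK and `suser_cred(td->td_ucred, PRISON_ROOT)` for everything else, but nothing in the hunk says why. A short comment on the first arm, for example `/* device nodes: root inside a jail is not allowed */`, would keep a later cleanup from unifying the two calls and widening what a jailed root can create. The same hunk appears in sys/kern/vfs_syscalls.c, which carries the same index line and would want the same comment. The rest of mknod() lies outside the hunk, so any existing explanation further up is not visible here.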
@@ -2831,7 +2831,7 @@ setfflags(td, vp, flags)
* chown can't fail when done as root.
*/
if (vp->v_type == VCHR || vp->v_type == VBLK) {
- error = suser_xxx(td->td_ucred, td->td_proc, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, PRISON_ROOT);
if (error)
return (error);
}
@@ -4089,7 +4089,7 @@ revoke(td, uap)
}
VOP_UNLOCK(vp, 0, td);
if (td->td_ucred->cr_uid != vattr.va_uid) {
- error = suser_xxx(0, td->td_proc, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, PRISON_ROOT);
if (error)
goto out;
}
@@ -4158,7 +4158,7 @@ getfh(td, uap)
/*
* Must be super user
*/
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->fname, td);
@@ -4214,7 +4214,7 @@ fhopen(td, uap)
/*
* Must be super user
*/
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
@@ -4390,7 +4390,7 @@ fhstat(td, uap)
/*
* Must be super user
*/
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
@@ -4437,7 +4437,7 @@ fhstatfs(td, uap)
/*
* Must be super user
*/
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
@@ -4454,7 +4454,7 @@ fhstatfs(td, uap)
if ((error = VFS_STATFS(mp, sp, td)) != 0)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
- if (suser_xxx(td->td_ucred, 0, 0)) {
+ if (suser(td)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index e3290a1..7967b04 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -3217,7 +3217,7 @@ vaccess(type, file_mode, file_uid, file_gid, acc_mode, cred, privused)
return (0);
privcheck:
- if (!suser_xxx(cred, NULL, PRISON_ROOT)) {
+ if (!suser_cred(cred, PRISON_ROOT)) {
/* XXX audit: privilege used */
if (privused != NULL)
*privused = 1;
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 9ed164b..3ecd199 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -374,7 +374,7 @@ vfs_nmount(td, fsflags, fsoptions)
}
if (usermount == 0) {
- error = suser_td(td);
+ error = suser(td);
if (error)
goto bad;
}
@@ -382,14 +382,14 @@ vfs_nmount(td, fsflags, fsoptions)
* Do not allow NFS export by non-root users.
*/
if (fsflags & MNT_EXPORTED) {
- error = suser_td(td);
+ error = suser(td);
if (error)
goto bad;
}
/*
* Silently enforce MNT_NOSUID and MNT_NODEV for non-root users.
*/
- if (suser_xxx(td->td_ucred, NULL, 0) != 0)
+ if (suser(td))
fsflags |= MNT_NOSUID | MNT_NODEV;
/*
* Get vnode to be covered
@@ -423,7 +423,7 @@ vfs_nmount(td, fsflags, fsoptions)
* permitted to update it.
*/
if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
goto bad;
@@ -460,7 +460,7 @@ vfs_nmount(td, fsflags, fsoptions)
goto bad;
}
if (va.va_uid != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
goto bad;
@@ -480,7 +480,7 @@ vfs_nmount(td, fsflags, fsoptions)
break;
if (vfsp == NULL) {
/* Only load modules for root (very important!). */
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
goto bad;
@@ -722,7 +722,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
return (ENAMETOOLONG);
if (usermount == 0) {
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
}
@@ -730,14 +730,14 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
* Do not allow NFS export by non-root users.
*/
if (fsflags & MNT_EXPORTED) {
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
}
/*
* Silently enforce MNT_NOSUID and MNT_NODEV for non-root users.
*/
- if (suser_xxx(td->td_ucred, NULL, 0) != 0)
+ if (suser(td))
fsflags |= MNT_NOSUID | MNT_NODEV;
/*
* Get vnode to be covered
@@ -769,7 +769,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
* permitted to update it.
*/
if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
return (error);
@@ -803,7 +803,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
return (error);
}
if (va.va_uid != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
return (error);
@@ -822,7 +822,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
break;
if (vfsp == NULL) {
/* Only load modules for root (very important!). */
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
return (error);
@@ -1056,7 +1056,7 @@ unmount(td, uap)
* permitted to unmount this filesystem.
*/
if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) {
- error = suser_td(td);
+ error = suser(td);
if (error) {
vput(vp);
return (error);
@@ -1313,7 +1313,7 @@ statfs(td, uap)
if (error)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
- if (suser_xxx(td->td_ucred, 0, 0)) {
+ if (suser(td)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
@@ -1356,7 +1356,7 @@ fstatfs(td, uap)
if (error)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
- if (suser_xxx(td->td_ucred, 0, 0)) {
+ if (suser(td)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
@@ -1585,7 +1585,7 @@ chroot(td, uap)
struct nameidata nd;
struct vnode *vp;
- error = suser_xxx(0, td->td_proc, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, PRISON_ROOT);
if (error)
return (error);
FILEDESC_LOCK(fdp);
@@ -1868,10 +1868,10 @@ mknod(td, uap)
switch (SCARG(uap, mode) & S_IFMT) {
case S_IFCHR:
case S_IFBLK:
- error = suser_td(td);
+ error = suser(td);
break;
default:
- error = suser_xxx(0, td->td_proc, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, PRISON_ROOT);
break;
}
if (error)
@@ -2831,7 +2831,7 @@ setfflags(td, vp, flags)
* chown can't fail when done as root.
*/
if (vp->v_type == VCHR || vp->v_type == VBLK) {
- error = suser_xxx(td->td_ucred, td->td_proc, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, PRISON_ROOT);
if (error)
return (error);
}
@@ -4089,7 +4089,7 @@ revoke(td, uap)
}
VOP_UNLOCK(vp, 0, td);
if (td->td_ucred->cr_uid != vattr.va_uid) {
- error = suser_xxx(0, td->td_proc, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, PRISON_ROOT);
if (error)
goto out;
}
@@ -4158,7 +4158,7 @@ getfh(td, uap)
/*
* Must be super user
*/
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->fname, td);
@@ -4214,7 +4214,7 @@ fhopen(td, uap)
/*
* Must be super user
*/
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
@@ -4390,7 +4390,7 @@ fhstat(td, uap)
/*
* Must be super user
*/
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
@@ -4437,7 +4437,7 @@ fhstatfs(td, uap)
/*
* Must be super user
*/
- error = suser_td(td);
+ error = suser(td);
if (error)
return (error);
@@ -4454,7 +4454,7 @@ fhstatfs(td, uap)
if ((error = VFS_STATFS(mp, sp, td)) != 0)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
- if (suser_xxx(td->td_ucred, 0, 0)) {
+ if (suser(td)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index f60ce7d..9eb60f9 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -638,7 +638,7 @@ vn_stat(vp, sb, td)
}
sb->st_flags = vap->va_flags;
- if (suser_xxx(td->td_ucred, 0, 0))
+ if (suser(td))
sb->st_gen = 0;
else
sb->st_gen = vap->va_gen;