Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in

some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.

Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.

We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths.  Do, however, move those prototypes to priv.h.

Reviewed by:	csjp
Obtained from:	TrustedBSD Project

1 files changed, 4 insertions, 10 deletions

diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index cc69ba1..0bd92b3 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -386,13 +386,8 @@ sctp_getcred(SYSCTL_HANDLER_ARGS)
 	/* FIX, for non-bsd is this right? */
 	vrf_id = SCTP_DEFAULT_VRFID;
 
-	/*
-	 * XXXRW: Other instances of getcred use SUSER_ALLOWJAIL, as socket
-	 * visibility is scoped using cr_canseesocket(), which it is not
-	 * here.
-	 */
-	error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
-	    SUSER_ALLOWJAIL);
+	error = priv_check(req->td, PRIV_NETINET_GETCRED);
+
 	if (error)
 		return (error);
 
@@ -3439,9 +3434,8 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
 		{
 			union sctp_sockstore *ss;
 
-			error = priv_check_cred(curthread->td_ucred,
-			    PRIV_NETINET_RESERVEDPORT,
-			    SUSER_ALLOWJAIL);
+			error = priv_check(curthread,
+			    PRIV_NETINET_RESERVEDPORT);
 			if (error)
 				break;